Integration Guide for Configuring Cisco Unified Presence Release 8.5 for Interdomain Federation

April 4, 2011

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883


THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCDE, CCENT, Cisco Eos, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)

Integration Guide for Configuring Cisco Unified Presence Release 8.5 for Interdomain Federation © 2011 Cisco Systems, Inc. All rights reserved.


CONTENTS

CHAPTER 1 Overview of this Integration 1-1

Basic Federated Network 1-1

About SIP Federation with AOL 1-4

Intercluster Deployments and SIP Federation with AOL 1-4

Limitation with AOL Federation 1-5

About Intercluster and Multi-node Deployments 1-5

SIP Federation Deployments 1-6

XMPP Federation Deployments 1-6

About High Availability and Federation 1-7

High Availability for SIP Federation 1-7

High Availability for XMPP Federation 1-8

Cisco Adaptive Security Appliance Deployment Options 1-10

Presence Subscriptions and Blocking Levels 1-12

About Availability State Mappings 1-14

Availability State Mappings for Microsoft OCS 1-15

Availability State Mappings for Microsoft Lync 1-16

Availability State Mappings for AOL Instant Messenger 1-17

Availability State Mappings for XMPP Federation 1-18

About Instant Messaging 1-21

Instant Message Flow for SIP Federation 1-21

Availability and Instant Message Flow for XMPP Federation 1-22

Federation and Subdomains 1-24

CHAPTER 2 Planning for this Integration 2-1

Supported Interdomain Federation Integrations 2-1

Hardware Requirements 2-2

Software Requirements 2-2

About Integration Preparation 2-3

Routing Configuration 2-3

Public IP Address 2-4

Public FQDN 2-5

AOL SIP Access Gateway 2-5

Redundancy/High Availability 2-5


DNS Configuration 2-6

Certificate Authority (CA) Server 2-6

About Prerequisite Configuration Tasks for this Integration 2-7

Prerequisite Configuration for Cisco Unified Presence 2-7

Prerequisite Configuration for Cisco Adaptive Security Appliance 2-7

CHAPTER 3 Configuration Workflows for Interdomain Federation 3-1

Configuration Workflow for SIP Federation with Microsoft OCS 3-1

Configuration Workflow for SIP Federation with Microsoft Lync 3-2

Configuration Workflow for SIP Federation with AOL 3-2

Configuration Workflow for XMPP Federation 3-3

Configuration Workflow for Direct SIP Federation with Microsoft OCS 3-3

Configuration Workflow for Cisco Adaptive Security Appliance for SIP Federation 3-3

CHAPTER 4 Configuring Cisco Unified Presence for SIP Federation 4-1

SIP Proxy Domain on Cisco Unified Presence 4-1

Adding a SIP Federated Domain 4-2

How to Configure the Routing Configuration on Cisco Unified Presence 4-3

DNS Configuration for SIP Federation 4-3

Configuring Static Routes Using TLS 4-3

Configuring the Cisco Unified Presence Domain from the CLI 4-4

Configuring the Federation Routing Parameter 4-5

How to Configure the Security Settings on Cisco Unified Presence 4-5

Creating a new TLS Peer Subject 4-6

Adding the TLS Peer to the Selected TLS Peer Subjects List 4-6

How to Configure the Routing Information for AOL Federation 4-7

Routing SIP Requests for SIP Federation with AOL 4-7

Verifying or Changing the Default Federation Routing Domain for SIP Federation with AOL 4-8

How To Configure Email Address for Federation 4-9

Email Address for Federation Feature 4-9

Email Domain for Federation 4-9

Information to Provide to Administrator of the Foreign Domain 4-10

Information to Provide to Cisco Unified Presence Users 4-10

Turning On Email for Federation 4-10

Turning On the SIP Federation Service 4-11


CHAPTER 5 Configuring Security Certificates for SIP Federation (with Cisco Adaptive Security Appliance) 5-1

How to Configure Security Certificate Exchange Between Cisco Unified Presence and Cisco Adaptive Security Appliance 5-1

Generating the Key Pair and Trustpoints on Cisco Adaptive Security Appliance 5-2

Generating a Self-Signed Certificate on Cisco Adaptive Security Appliance 5-2

Importing the Self Signed Certificate onto Cisco Unified Presence 5-3

Generating a New Certificate on Cisco Unified Presence 5-4

Importing the Cisco Unified Presence Certificate onto Cisco Adaptive Security Appliance 5-4

How to Configure Security Certificate Exchange Between Cisco Adaptive Security Appliance and Microsoft Access Edge (External Interface) Using a Microsoft CA 5-5

CA Trustpoints 5-6

Configuring the Certificate on Cisco Adaptive Security Appliance using SCEP Enrollment 5-6

Configuring the Certificate on Cisco Adaptive Security Appliance using Manual Enrollment 5-8

How to Configure the Certificate for External Access Edge Interface 5-9

Creating a Custom Certificate for Access Edge Using an Enterprise Certificate Authority 5-13

Security Certificate Exchange Between Cisco Adaptive Security Appliance and AOL SIP Access Gateway 5-14

CHAPTER 6 Configuring Cisco Adaptive Security Appliance for SIP Federation 6-1

Cisco Adaptive Security Appliance Unified Communication Wizard 6-1

External and Internal Interface Configuration 6-1

Configuring the Static IP Routes 6-2

About Port Address Translation (PAT) 6-3

Port Address Translation for This Integration 6-3

PAT for Private to Public Requests 6-6

Static PAT for New Requests 6-7

NAT Rules in ASDM 6-7

About Sample Static PAT Commands 6-8

PAT Configuration for Routing Cisco Unified Presence Release 8.x Node 6-9

PAT Configuration for Intercluster or Intracluster Cisco Unified Presence Release 8.x Nodes 6-11

PAT Configuration for Intercluster Cisco Unified Presence Release 7.x Nodes 6-13

Failover on Cisco Adaptive Security Appliance 6-14

Cisco Adaptive Security Appliance Upgrade Options for Existing Deployments 6-15

CHAPTER 7 Configuring the TLS Proxy on Cisco Adaptive Security Appliance 7-1

TLS Proxy 7-1

Access List Configuration Requirements 7-2

Configuring the TLS Proxy Instances 7-4


Associating an Access List with a TLS Proxy Instance Using Class Maps 7-5

Enabling the TLS Proxy 7-6

Configuring Cisco Adaptive Security Appliance for an Intercluster Deployment 7-6

CHAPTER 8 Configuring Interdomain Federation to Microsoft OCS within an Enterprise 8-1

How to Configure Static Routes Using TCP for Federation with Microsoft OCS Domain 8-1

Configuring a Static Route on Cisco Unified Presence for the OCS Server 8-2

Configuring a Static Route on OCS for the Cisco Unified Presence server 8-2

Adding a Host Authorization entry for the Cisco Unified Presence server 8-3

Enabling Port 5060 on the OCS Server 8-3

How to Configure Static Routes Using TLS for Federation with Microsoft OCS Domain 8-4

CHAPTER 9 Configuring the Foreign Server Components for SIP Federation 9-1

Microsoft Component Configuration for SIP Federation 9-1

About the Requirements for SIP Federation with AOL 9-4

License Requirements for AOL Federation 9-4

AOL Routing Information Requirements 9-5

AOL Provisioning Information Requirements 9-5

CHAPTER 10 Configuring the Load Balancer for Redundancy for SIP Federation 10-1

About the Load Balancer 10-1

Updating the Cisco Unified Presence Servers 10-2

How to Update the Cisco Adaptive Security Appliance 10-3

Updating the Static PAT Messages 10-3

Updating the Access Lists 10-4

Updating the TLS Proxy Instances 10-6

How to Update the CA-Signed Security Certificates 10-6

Configuring the Security Certificate between the Load Balancer and the Cisco Adaptive Security Appliance 10-7

Configuring the Security Certificate between the Load Balancer and the Cisco Unified Presence Server 10-8

Updating the Microsoft Components 10-8

Updating the AOL Components 10-8

Configuring the Load Balancer 10-9

CHAPTER 11 Configuring Cisco Unified Presence for XMPP Federation 11-1

How to Configure the General Settings for XMPP Federation 11-1

XMPP Federation Overview 11-1


Important Notes About Restarting Services for XMPP Federation 11-2

Turning on XMPP Federation on a Node 11-2

Configuring the Security Settings for XMPP Federation 11-3

Configuring the XMPP Federated Domains for Cisco Unified Personal Communicator Release 7.x Users 11-4

How to Configure DNS for XMPP Federation 11-4

DNS SRV Records for XMPP Federation 11-5

DNS SRV Records for Chat Feature for XMPP Federation 11-7

Configuring DNS SRV Record for Chat Node for XMPP Federation 11-7

How to Configure the Policy Settings for XMPP Federation 11-9

Policy Exception Configuration 11-9

Configuring the Policy for XMPP Federation 11-10

Configuring Cisco Adaptive Security Appliance for XMPP Federation 11-10

Turning On Email for XMPP Federation 11-12

Turning On the XMPP Federation Service 11-12

CHAPTER 12 Configuring Security Certificates for XMPP Federation 12-1

Configuring the Domain for XMPP Certificate 12-1

How to Upload the XMPP Trust Certificates to Cisco Unified Presence 12-2

Importing the Root CA Certificate for XMPP Federation 12-2

Generating a Certificate Signing Request for XMPP Federation 12-3

Uploading the CA-Signed Certificate for XMPP Federation 12-4

CHAPTER 13 Configuring Serviceability for Federation 13-1

How To Turn on and Capture Logging for Federation 13-1

Location of Log Files for SIP Federation 13-1

Location of Log Files for XMPP Federation 13-1

Turning On Logging for Federation 13-1

How To Restart the Cisco UP XCP Router 13-2

About the Cisco UP XCP Router 13-2

Restarting the Cisco UP XCP Router 13-2

CHAPTER 14 Verifying the Federation Integration 14-1

Verifying the SIP Federation Configuration 14-1

Verifying the XMPP Federation Configuration 14-2

CHAPTER 15 Troubleshooting a SIP Federation Integration 15-1

Common Cisco Adaptive Security Appliance Problems and Recommended Actions 15-1


Certificate Configuration Problems 15-1

Errors When Creating the TLS Proxy Class Maps 15-3

Subscriptions Don’t Reach Access Edge 15-3

Problems With Cisco Adaptive Security Appliance After Upgrade 15-4

Common Integration Problems and Recommended Actions 15-4

Unable to get Availability Exchange 15-5

Problems Sending and Receiving IMs 15-6

Losing Availability and IM Exchange After a Short Period 15-7

Delay in Availability State Changes and IM Delivery Time 15-7

403 FORBIDDEN Returned Following a Presence Subscription Attempt 15-8

Time Out on NOTIFY Message 15-8

Cisco Unified Presence Certificate Not Accepted 15-8

Problems Starting the Front-End Server on OCS 15-9

Cisco Unified Personal Communicator Not Online after Login 15-10

Unable to Remote Desktop to Access Edge 15-10

CHAPTER 16 Troubleshooting an XMPP Federation Integration 16-1

Checking the System Troubleshooter 16-1

APPENDIX A Sample Cisco Adaptive Security Appliance Configuration A-1

Sample PAT Commands and Access List Configuration for SIP Federation A-1

Sample Access List Configuration for XMPP Federation A-3

Sample NAT Configuration for XMPP Federation A-4

APPENDIX B Configuring Security Certificate Exchange Between Cisco Adaptive Security Appliance and Microsoft Access Edge Using VeriSign B-1

How to Configure the Security Certificates on Cisco Adaptive Security Appliance B-1

Deleting the Old Certificates and Trustpoints B-1

Generating a New Trustpoint for VeriSign B-2

Importing the Root Certificate B-3

Generating the Certificate Signing Request B-4

Submitting the Certificate Signing Request to VeriSign B-4

Deleting the Certificate Used for the Certificate Signing Request B-5

Importing the Intermediate Certificate B-6

Creating a Trustpoint for the Root Certificate B-6

Importing the Root Certificate B-7

Importing the Signed Certificate B-7

Importing the VeriSign Certificates onto Microsoft Access Edge B-8


APPENDIX C Integration Debugging Information C-1

Debugging Information for Cisco Adaptive Security Appliance C-1

Cisco Adaptive Security Appliance Debugging Commands C-1

Capturing the Output on the Internal and External Interfaces C-3

TLS Proxy Debugging Commands C-3

Debugging Access Edge and OCS Server C-5

Initiating a Debug Session on OCS/Access Edge C-5

Verifying the DNS Configuration on Access Edge C-5


CHAPTER 1

Overview of this Integration

April 4, 2011

• Basic Federated Network, page 1-1

• About SIP Federation with AOL, page 1-4

• About Intercluster and Multi-node Deployments, page 1-5

• High Availability for SIP Federation, page 1-7

• Cisco Adaptive Security Appliance Deployment Options, page 1-10

• Presence Subscriptions and Blocking Levels, page 1-12

• About Availability State Mappings, page 1-14

• About Instant Messaging, page 1-21

• Federation and Subdomains, page 1-24

Basic Federated Network

This integration enables Cisco Unified Presence users in one enterprise domain to exchange presence information and Instant Messaging (IM) with users in foreign domains. Cisco Unified Presence uses different protocols to federate with different foreign domains.

Cisco Unified Presence uses the standard Session Initiation Protocol (SIP RFC 3261) to federate with:

• Microsoft Office Communications Server Release 2 (OCS R2), OCS 2007, Microsoft Lync 2010

Note Only Cisco Unified Presence Release 8.5(2) or higher supports interdomain federation with Microsoft Lync. For Cisco Unified Presence Release 8.5(2) or higher, any reference to interdomain federation with OCS also includes Microsoft Lync, unless explicitly stated otherwise.

• AOL SIP Access Gateway (SAG)

Note Only Cisco Unified Presence Release 8.5.x or higher supports interdomain federation with AOL.

SIP federation with AOL enables Cisco Unified Presence users to federate with the following users:


– Users of AOL public communities, for example, aim.com, aol.com.

– Users of an enterprise whose domain is hosted by AOL.

– Users of a foreign enterprise that federate with AOL. Cisco Unified Presence could use AOL as a clearing house to federate with these foreign enterprises.

Cisco Unified Presence uses the Extensible Messaging and Presence Protocol (XMPP) to federate with:

• IBM Sametime Server 8.2 and 8.5

• Cisco Webex Connect Release 6

• GoogleTalk

• Cisco Unified Presence Release 8.x

Note • Cisco Unified Presence does not support federation between a Cisco Unified Presence Release 8.x enterprise and a Cisco Unified Presence Release 7.0(x) enterprise.

• Cisco Unified Presence supports XMPP federation with GoogleTalk over TCP. XMPP federation with GoogleTalk over TLS is not supported.

Figure 1-1 provides an example of a SIP federated network between a Cisco Unified Presence enterprise deployment and a Microsoft OCS enterprise deployment.


Figure 1-1 Basic SIP Federated Network between Cisco Unified Presence and Microsoft OCS

In Figure 1-1, each internal enterprise domain interconnects over the public Internet through its DMZ edge server, using a secure TLS connection. Within the internal Cisco Unified Presence enterprise deployment, the Cisco Adaptive Security Appliance provides firewall, Port Address Translation (PAT) and TLS proxy functionality. The Cisco Adaptive Security Appliance routes all incoming traffic initiated from the foreign domain to a designated Cisco Unified Presence server.

Figure 1-2 provides an example of an XMPP federated network between a Cisco Unified Presence enterprise deployment and an IBM Sametime enterprise deployment. TLS is optional for XMPP federation. Cisco Adaptive Security Appliance acts only as a firewall for XMPP federation; it does not provide TLS proxy functionality or PAT for XMPP federation.

[Figure 1-1 diagram: Enterprise X (private network with CUCM, CUPC (Ann), and CUP (US) and CUP (UK) clusters linked by inter-cluster communication; DMZ with ASA functioning as TLS proxy, PAT and firewall, terminating the TLS connection) connects across the Internet to Enterprise Y (DMZ with Access Edge; private network with OCS, AD, CUCM, MOC (Yao) and MOC (Zak)); SIP between the edges. *ASA = Cisco Adaptive Security Appliance.]


Figure 1-2 Basic XMPP Federated Network between Cisco Unified Presence and IBM Sametime

There are two DNS servers within the internal Cisco Unified Presence enterprise deployment. One DNS server hosts the Cisco Unified Presence private address. The other DNS server hosts the Cisco Unified Presence public address and the DNS SRV records for SIP federation (_sipfederationtls) and XMPP federation (_xmpp-server) with Cisco Unified Presence. The DNS server that hosts the Cisco Unified Presence public address is located in the local DMZ.

About SIP Federation with AOL

• Intercluster Deployments and SIP Federation with AOL, page 1-4

• Limitation with AOL Federation, page 1-5

Intercluster Deployments and SIP Federation with AOL

If you have an intercluster deployment that contains both Cisco Unified Presence Release 7.x nodes and Cisco Unified Presence Release 8.5 nodes, you can configure only the Cisco Unified Presence Release 8.5 nodes to federate with AOL.

Note the following points:

• An AOL user may see availability status of a Cisco Unified Presence Release 7.x intercluster contact. The Available state displays correctly, but all other states display as offline.

[Figure 1-2 diagram: Enterprise X (private network with CUCM, XMPP Client (Ann), and CUP (US) and CUP (UK) clusters linked by inter-cluster communication; DMZ with ASA functioning as a firewall with port 5269 open, passing XMPP requests through with no termination of connections) connects across the Internet to Enterprise Z (DMZ with IBM Sametime Gateway; private network with IBM Sametime Server, Directory, CUCM, Sametime (Bob), Sametime (Bill) and XMPP Client (Tom)); XMPP between the edges. *ASA = Cisco Adaptive Security Appliance.]


• A Cisco Unified Presence Release 7.x intercluster user cannot see the availability status of AOL contacts.

• AOL users and Cisco Unified Presence Release 7.x intercluster contacts cannot exchange instant messages.

• We recommend that you do not configure AOL as a federated domain on Cisco Unified Presence Release 7.x. This configuration is not supported. Consequently, on Cisco Unified Presence Release 7.x, Cisco Unified Personal Communicator users cannot add federated AOL contacts.

Limitation with AOL Federation

Users in the AOL community (aol.com, aim.com) can use an existing email address as their screen name in AOL. This is an existing email address that the user holds with any other public email provider, for example gmail.com, yahoo.com, msn.com and so on. In this scenario AOL expects a mapped JID when it addresses these users, for example user(gmail.com)@aol.com, and similarly AOL sends out a modified JID.

For example, AOL addresses the user with the screen name [email protected] as follows:

SUBSCRIBE sip:user(gmail.com)@aol.com SIP/2.0
From: sip:[email protected];tag=
To: sip:user(gmail.com)@aol.com

AOL sends out this modified JID for this user:

SUBSCRIBE sip:[email protected] SIP/2.0
From: sip:user(gmail.com)@aol.com;tag=
To: sip:[email protected]

If you deploy SIP federation with AOL, Cisco Unified Presence does not support AOL users whose screen name is an email address rather than a user ID.

Note that AOL routing differs from OCS routing in that AOL does not obey the SIP Record-Route header: all requests from AOL are sent to the routing Cisco Unified Presence server, even if the original request was initiated from one of the other Cisco Unified Presence nodes. As a result, when you configure AOL federation, the federation routing Cisco Unified Presence server may experience more load than it would when it federates with OCS.

About Intercluster and Multi-node Deployments

• SIP Federation Deployments, page 1-6

• XMPP Federation Deployments, page 1-6

Note Any configuration procedure in this document that relates to intercluster Cisco Unified Presence deployments also applies to multi-node Cisco Unified Presence deployments.


SIP Federation Deployments

In an intercluster and a multi-node cluster Cisco Unified Presence deployment, when a foreign domain initiates a new session, Cisco Adaptive Security Appliance routes all messages to a Cisco Unified Presence server that is designated for routing purposes. If the Cisco Unified Presence routing server does not host the recipient user, it routes the message via intercluster communication to the appropriate Cisco Unified Presence server within the cluster. The system routes all responses that are associated with this request through the routing Cisco Unified Presence server.

Any Cisco Unified Presence server can initiate a message to a foreign domain via Cisco Adaptive Security Appliance. For OCS, when the foreign domain replies to these messages, the replies are sent directly back, via Cisco Adaptive Security Appliance, to the Cisco Unified Presence server that initiated the message. You enable this behavior when you configure Port Address Translation (PAT) on Cisco Adaptive Security Appliance. For AOL federation, however, all responses are routed through the routing Cisco Unified Presence server. We recommend that you configure PAT on Cisco Adaptive Security Appliance because PAT is required for the 200 OK response messages.

Related Topics

• About Port Address Translation (PAT), page 6-3

• Intercluster Deployments and SIP Federation with AOL, page 1-4

XMPP Federation Deployments

For a single cluster, you only need to enable XMPP federation on one node in the cluster. A single DNS SRV record is published for the enterprise in the public DNS. This DNS SRV record maps to the Cisco Unified Presence node that is enabled for XMPP Federation. All incoming requests from foreign domains will be routed to the node running XMPP federation, based on the published SRV record. Internally Cisco Unified Presence reroutes the requests to the correct node for the user. Cisco Unified Presence also routes all outgoing requests via the node running XMPP federation.

You can also publish multiple DNS SRV records, for example for scale purposes, or because you have multiple Cisco Unified Presence clusters, in which case you must enable XMPP federation at least once per cluster. Unlike SIP federation, XMPP federation does not require a single point of entry for the Cisco Unified Presence enterprise domain. As a result, Cisco Unified Presence can route incoming requests to any one of the published nodes that you enable for XMPP federation.

In an intercluster and a multi-node cluster Cisco Unified Presence deployment, when a foreign XMPP federated domain initiates a new session, it performs a DNS SRV lookup to determine where to route the request. If you publish multiple DNS SRV records, the DNS lookup returns multiple results; Cisco Unified Presence can route the request to any of the servers that DNS publishes. Internally Cisco Unified Presence reroutes the requests to the correct node for the user. Cisco Unified Presence routes outgoing requests to any of the nodes running XMPP federation within the cluster.

If you have multiple nodes running XMPP federation, you can still choose to publish only one node in the public DNS. With this configuration, Cisco Unified Presence routes all incoming requests via that single node, rather than load-balancing the incoming requests across the nodes running XMPP federation. Cisco Unified Presence still load-balances outgoing requests and sends them via any of the nodes running XMPP federation within the cluster.
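To see how a foreign domain chooses among the published _xmpp-server (or _sipfederationtls) SRV records, and to verify that every target it might pick is a node on which federation is actually turned on, here is an added Python example that is not part of the Cisco guide. The zone lines, the example.com domain, the hostnames and the inventory of federation-enabled nodes are constructed assumptions; the target selection follows the RFC 2782 priority and weight rules.

```python
"""Added example (not from the Cisco guide): the resolver-side view of the
SRV records a Cisco Unified Presence enterprise publishes for federation.

select_target() picks a record the way a foreign domain's resolver does
(RFC 2782: lowest priority first, weighted random choice within it), and
check_xmpp_targets() verifies that every _xmpp-server target is a node on
which XMPP federation has been turned on.  All names below are constructed.
"""
import random
from collections import defaultdict

# Constructed zone data in standard SRV syntax:
#   owner TTL IN SRV priority weight port target
CONSTRUCTED_ZONE = """
_sipfederationtls._tcp.example.com. 3600 IN SRV 10 0  5061 cup-route.example.com.
_xmpp-server._tcp.example.com.      3600 IN SRV 10 60 5269 cup-us1.example.com.
_xmpp-server._tcp.example.com.      3600 IN SRV 10 40 5269 cup-us2.example.com.
_xmpp-server._tcp.example.com.      3600 IN SRV 20 0  5269 cup-uk1.example.com.
"""

# Assumed inventory of nodes on which XMPP federation is turned on.
XMPP_FEDERATION_NODES = {
    "cup-us1.example.com", "cup-us2.example.com", "cup-uk1.example.com",
}
XMPP_SERVER_PORT = 5269  # the port the ASA leaves open for XMPP federation


def parse_srv_zone(zone_text):
    """Return {owner: [(priority, weight, port, target), ...]} in file order."""
    records = defaultdict(list)
    for line in zone_text.strip().splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[2:4] != ["IN", "SRV"]:
            raise ValueError(f"not an SRV record: {line!r}")
        owner = fields[0].rstrip(".").lower()
        priority, weight, port = (int(f) for f in fields[4:7])
        target = fields[7].rstrip(".").lower()
        records[owner].append((priority, weight, port, target))
    return dict(records)


def select_target(rrset, randint=random.randint):
    """Choose (port, target) from one owner's SRV records per RFC 2782.

    Only the lowest-priority group is eligible.  Inside it, zero-weight
    records are listed first and a number in [0, total weight] is drawn
    against the running sum.  randint is injectable for deterministic tests.
    """
    if not rrset:
        raise LookupError("no SRV records published")
    lowest = min(r[0] for r in rrset)
    group = sorted((r for r in rrset if r[0] == lowest), key=lambda r: r[1] != 0)
    total = sum(r[1] for r in group)
    pick = randint(0, total)
    running = 0
    for _, weight, port, target in group:
        running += weight
        if running >= pick:
            return port, target
    raise AssertionError("unreachable: running sum always reaches total")


def check_xmpp_targets(records, enabled_nodes, port=XMPP_SERVER_PORT):
    """Return (owner, target, port) for every _xmpp-server record that points
    at a node without XMPP federation or at the wrong port; [] means clean."""
    problems = []
    for owner, rrset in records.items():
        if not owner.startswith("_xmpp-server._tcp."):
            continue
        for _, _, rport, target in rrset:
            if target not in enabled_nodes or rport != port:
                problems.append((owner, target, rport))
    return problems


if __name__ == "__main__":
    zone = parse_srv_zone(CONSTRUCTED_ZONE)
    for owner, rrset in zone.items():
        print(owner, "->", select_target(rrset))
    print("misconfigured targets:", check_xmpp_targets(zone, XMPP_FEDERATION_NODES))
```

With the constructed zone, cup-uk1 (priority 20) is only ever chosen if both priority-10 nodes disappear from DNS, which is the single-published-node situation the text describes.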


About High Availability and Federation

• High Availability for SIP Federation, page 1-7

• High Availability for XMPP Federation, page 1-8

High Availability for SIP Federation

Note Only Cisco Unified Presence Release 8.5 or higher supports high availability.

If you are federating with a Microsoft OCS enterprise, the Microsoft Access Edge server only supports the return of a single hostname and server address in the DNS SRV lookup. Also the Microsoft Access Edge server only supports the manual provisioning of a single IP address.

Therefore, in order to achieve high availability when federating with Microsoft OCS, you must incorporate a load balancer between the Cisco Unified Presence server and Cisco Adaptive Security Appliance, as shown in Figure 1-3. The load balancer terminates incoming TLS connections from Cisco Adaptive Security Appliance, and initiates a new TLS connection to route the content to the appropriate backend Cisco Unified Presence server. Currently only the Cisco CSS11506 Content Services Switch supports TLS.

Similarly, in order to achieve high availability when federating with AOL, you must incorporate a load balancer between the Cisco Unified Presence server and Cisco Adaptive Security Appliance, as shown in Figure 1-3.


Figure 1-3 Federated Network between Cisco Unified Presence and Microsoft OCS with High Availability

Related Topics

Configuring the Load Balancer for Redundancy for SIP Federation, page 10-1

High Availability for XMPP Federation

Note Only Cisco Unified Presence Release 8.5 or higher supports high availability.

High availability for XMPP federation differs from the high availability model for other Cisco Unified Presence features because it is not tied to the two-node sub-cluster model.

To provide high availability for XMPP federation, you must enable two or more Cisco Unified Presence nodes in your cluster for XMPP federation; having multiple nodes enabled for XMPP federation not only adds scale but it also provides redundancy in the event that any node fails.

High Availability for Outbound Request Routing

Cisco Unified Presence evenly load balances outbound requests from users within that cluster across all the XMPP federation enabled nodes in the cluster. If any node fails, Cisco Unified Presence dynamically spreads the outbound traffic across the remaining active nodes within the cluster.

[Figure 1-3 diagram: Enterprise X private network with CUP (US) and CUP (UK) clusters, CUCM and CUPC (Ann); a Load Balancer and the ASA (*Cisco Adaptive Security Appliance) in the DMZ; SIP across the Internet to Enterprise Y, where Access Edge sits in the DMZ in front of OCS, AD, MOC (Yao) and MOC (Zak)]


High Availability for Inbound Request Routing

An additional step is required to provide high availability for inbound request routing. To allow a foreign domain to discover the local Cisco Unified Presence deployment, a DNS SRV record must be published on a public DNS server. This record resolves to an XMPP federation enabled node. The foreign domain then connects to the resolved address.

To provide high availability in this model, multiple DNS SRV records must be published for the local Cisco Unified Presence deployment. Each of these records will resolve to one of the XMPP Federation enabled nodes within the local Cisco Unified Presence deployment.

These records provide a choice of DNS SRV records for the local deployment. If an XMPP federation enabled node fails, the foreign system will have other options from which to connect to the local Cisco Unified Presence Deployment.

Note

• Each published DNS SRV record must have the same priority and weight. This allows the load to be spread across all published records, and also allows the foreign system to correctly reconnect to one of the other nodes that has a DNS SRV record in the event of a failure.

• DNS SRV records may be published for all or just a subset of XMPP federation enabled nodes. The greater the number of records published, the greater the redundancy in the system for inbound request handling.

• If you configure the Chat feature on a Cisco Unified Presence server in an XMPP federation deployment, you can publish multiple DNS SRV records for chat node aliases also. This will allow the foreign system to find another inbound route to that specific chat node through another XMPP federation node, should any XMPP Federation enabled node fail. Note that this is not high availability for the Chat feature itself, but an extension of the XMPP Federation high availability feature for inbound requests addressed to chat node aliases.

IBM Sametime Federation

Cisco Unified Presence Release 8.5 does not support high availability for interdomain federation between a Cisco Unified Presence Release 8.5 enterprise and an IBM Sametime enterprise. This is because IBM Sametime does not retry other records that are returned in a DNS SRV lookup. It only tries the first DNS SRV record found, and if the connection attempt fails, it does not retry lower-weighted nodes.

Note There is one situation where XMPP federation high availability may appear to occur on Cisco Unified Presence in an IBM Sametime federation deployment: users have failed over to the backup node because critical services failed, but the Cisco UP XCP XMPP Federation Connection Manager remains running on the primary node. In this case, incoming traffic is still directed to the primary node, and then redirected to the backup node using the router-to-router connection. However, in this scenario XMPP federation has not failed and continues to operate as normal.
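As an added illustration that is not part of the Cisco guide, the following Python model shows how a foreign server's handling of the published DNS SRV records decides whether the inbound redundancy described in the notes above is actually obtained: RFC 2782 ordering over equal-priority, equal-weight records with retry on failure, compared with the first-record-only behaviour the guide attributes to IBM Sametime. Hostnames, the domain and the record values are constructed placeholders.

```python
import random
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    """One DNS SRV resource record for _xmpp-server._tcp.<domain>."""
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample data (not from the guide): three XMPP-federation-enabled
# nodes published with identical priority and weight, as the guide requires.
EQUAL_RECORDS: List[SrvRecord] = [
    SrvRecord(priority=0, weight=10, port=5269, target="cup-fed1.example.com."),
    SrvRecord(priority=0, weight=10, port=5269, target="cup-fed2.example.com."),
    SrvRecord(priority=0, weight=10, port=5269, target="cup-fed3.example.com."),
]

# Constructed counter-example: one node demoted to a lower priority (higher
# number), so it only receives traffic when every priority-0 node has failed.
UNEQUAL_RECORDS: List[SrvRecord] = [
    SrvRecord(priority=0, weight=10, port=5269, target="cup-fed1.example.com."),
    SrvRecord(priority=10, weight=10, port=5269, target="cup-fed2.example.com."),
]


def order_srv_targets(records: List[SrvRecord], seed: Optional[int] = None) -> List[SrvRecord]:
    """Return the records in the order an RFC 2782 client tries them: lowest
    priority first; within one priority, weighted random selection without
    replacement, which is what spreads inbound load across equal records."""
    rng = random.Random(seed)
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            if total == 0:
                pick = rng.choice(pool)
            else:
                point = rng.randint(0, total - 1)
                running = 0
                for cand in pool:
                    running += cand.weight
                    if point < running:
                        pick = cand
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def connect_with_failover(records: List[SrvRecord], is_reachable: Callable[[str], bool],
                          seed: Optional[int] = None) -> Optional[str]:
    """Foreign server that retries: walk the SRV order and return the first
    node that accepts the connection, or None if every published node is down."""
    for rec in order_srv_targets(records, seed):
        if is_reachable(rec.target):
            return rec.target
    return None


def connect_first_record_only(records: List[SrvRecord], is_reachable: Callable[[str], bool],
                              seed: Optional[int] = None) -> Optional[str]:
    """Behaviour the guide attributes to IBM Sametime: only the first SRV
    record is tried, so one failed node means no connection at all."""
    first = order_srv_targets(records, seed)[0].target
    return first if is_reachable(first) else None


def check_srv_for_ha(records: List[SrvRecord]) -> List[str]:
    """Configuration check for the guide's requirements: two or more records,
    all sharing one priority and one weight. Returns a list of findings."""
    findings: List[str] = []
    if len(records) < 2:
        findings.append("fewer than two SRV records: no inbound redundancy")
    if len({r.priority for r in records}) > 1:
        findings.append("mixed priorities: lower-priority nodes are used only when all higher-priority nodes fail")
    if len({r.weight for r in records}) > 1:
        findings.append("mixed weights: inbound load is not spread evenly")
    return findings
```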

GoogleTalk Federation

Cisco Unified Presence Release 8.5 does not support high availability for interdomain federation between a Cisco Unified Presence Release 8.5 enterprise and GoogleTalk.

Related Topics

• How to Configure DNS for XMPP Federation, page 11-4

• Turning on XMPP Federation on a Node, page 11-2


Cisco Adaptive Security Appliance Deployment Options

Within the internal Cisco Unified Presence enterprise deployment, the Cisco Adaptive Security Appliance provides firewall, Port Address Translation (PAT) and TLS proxy functionality in the DMZ to terminate the incoming connections from the public internet, and permit traffic from specific federated domains.

Note In an XMPP federation deployment, Cisco Adaptive Security Appliance provides firewall functionality only. If you already deploy a firewall, you do not require an extra Cisco Adaptive Security Appliance for XMPP federation.

You can deploy the Cisco Adaptive Security Appliance in a number of different ways, depending on your existing network and the type of firewall functionality you want to deploy. This section contains only an overview of the deployment models we recommend. For further details please refer to the deployment guidelines in the Cisco Adaptive Security Appliance documentation. The Cisco Adaptive Security Appliance deployment options we describe here apply to SIP federation only.

You can deploy the Cisco Adaptive Security Appliance as the enterprise firewall that protects Instant Messaging (IM) traffic, Presence traffic and other traffic, as illustrated in Figure 1-1 and Figure 1-4. This is the most cost-effective deployment, and the one we recommend for new and existing networks. You can also deploy the Cisco Adaptive Security Appliance in parallel to the existing firewall, as illustrated in Figure 1-4. In this deployment Cisco Adaptive Security Appliance handles the IM and Presence traffic between Cisco Unified Presence and the public internet, and the pre-existing traffic continues to use any existing firewall. In Figure 1-4 Cisco Adaptive Security Appliance is also deployed as a gateway for the Cisco Unified Presence server, which means that you do not require a separate router to direct traffic to Cisco Adaptive Security Appliance.


Figure 1-4 Cisco ASA 5500 Deployed in Parallel to Existing NAT/Firewall

You can also deploy the Cisco Adaptive Security Appliance behind an existing firewall. In this case, you configure the existing firewall to allow traffic destined for Cisco Unified Presence to reach the Cisco Adaptive Security Appliance, as illustrated in Figure 1-5. In this type of deployment the Cisco Adaptive Security Appliance is functioning as a gateway for the Cisco Unified Presence server.

[Figure 1-4 diagram: Enterprise X private network with CUP (US), CUP (UK), CUCM and CUPC (Ann); in the DMZ the ASA (*Cisco Adaptive Security Appliance) sits in parallel with the existing NAT/FW, with Cisco Unified Presence IM/P traffic routed to the ASA and pre-existing non-Cisco Unified Presence traffic continuing through the NAT/FW; SIP across the Internet to Enterprise Y Access Edge, OCS, AD, MOC (Yao) and MOC (Zak)]


Figure 1-5 Cisco ASA 5500 Deployed Behind Existing NAT/Firewall

Presence Subscriptions and Blocking Levels

All new presence subscriptions from “[email protected]” to “[email protected]” are sent via the Cisco Adaptive Security Appliance, as illustrated in Figure 1-6. Cisco Adaptive Security Appliance checks the inbound SIP subscriptions against the list of permitted foreign domains. If the domain is not permitted, Cisco Adaptive Security Appliance denies the presence subscription.

Note In an XMPP federation deployment, Cisco Adaptive Security Appliance does not perform any domain checks.

On receipt of the inbound subscription, Cisco Unified Presence verifies that the foreign domain is one of the permitted federated domains that you define at the administration level on the Cisco Unified Presence server. For SIP federation, you configure a federated domain. For XMPP federation, you define the administrator policy for XMPP federation. If the subscription is not from a permitted domain, Cisco Unified Presence denies the subscription (without contacting the local user).

If the subscription is from a permitted domain, Cisco Unified Presence checks the authorization policies of the local user to verify that the local user has not previously blocked or allowed either the federated domain or the user sending the presence subscription. Cisco Unified Presence then accepts the incoming subscription and places it in a pending state.

[Figure 1-5 diagram: Enterprise X private network with CUP (US), CUP (UK), CUCM and CUPC (Ann); the ASA (*Cisco Adaptive Security Appliance) sits behind the existing NAT/FW in the DMZ, with IM/P traffic for ASA/CUP passing through a hole opened in the existing FW and pre-existing non-CUP traffic continuing through the NAT/FW; SIP across the Internet to Enterprise Y Access Edge, OCS, AD, MOC (Yao) and MOC (Zak)]


Cisco Unified Presence notifies the local user that “[email protected]” wants to watch their presence by sending the client application a notification message for the subscription. This triggers a dialog box on the client application that enables the local user to allow or deny the subscription. Once the user has made an authorization decision, the client application communicates that decision back to Cisco Unified Presence. The authorization decision is added to the policy list of the user stored on Cisco Unified Presence.

Note Third-party XMPP clients do not update the policy list of the user; they just accept the subscription. The user can manually update their privacy list in the Cisco Unified Presence User Options interface.

A deny decision is handled using polite blocking, which means that the presence state of the user appears offline on the foreign client. If the local user allows the subscription, Cisco Unified Presence sends presence updates to the foreign watcher.

The user can also block subscriptions on a per user and a per domain basis. This can be configured via the Cisco Unified Presence User Options interface, and the Cisco Unified Personal Communicator client.
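The following Python model, added here and not taken from the Cisco guide, walks an inbound subscription through the checks described in this section: the domain-level check on Cisco Adaptive Security Appliance (SIP federation only), the admin-level federated-domain check on Cisco Unified Presence, the user-level policy check, the pending state, and polite blocking on deny. The addresses and domains are constructed, and the rule that a watcher-specific policy entry outranks a domain-wide one is an assumption of the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Subscription:
    """An inbound presence subscription from a foreign watcher to a local user."""
    watcher: str      # foreign user, constructed, e.g. "yao@foreign.example"
    presentity: str   # local Cisco Unified Presence user, e.g. "ann@local.example"
    protocol: str     # "sip" or "xmpp"

    @property
    def watcher_domain(self) -> str:
        return self.watcher.rsplit("@", 1)[1].lower()


@dataclass
class FederationPolicy:
    # Permitted foreign domains configured on Cisco Adaptive Security Appliance (SIP only).
    asa_permitted_domains: Set[str]
    # Admin-level list on Cisco Unified Presence: SIP federated domains, or the
    # XMPP federation administrator policy.
    cup_federated_domains: Set[str]
    # Per-user policy list: presentity -> {watcher address or bare domain: "allow" | "block"}
    user_policies: Dict[str, Dict[str, str]] = field(default_factory=dict)
    pending: List[Subscription] = field(default_factory=list)

    def handle_inbound(self, sub: Subscription) -> str:
        dom = sub.watcher_domain
        # 1. Domain-level check on the ASA. The guide notes the ASA performs no
        #    domain check for XMPP federation, so this step applies to SIP only.
        if sub.protocol == "sip" and dom not in self.asa_permitted_domains:
            return "denied-by-asa"
        # 2. Admin-level check on Cisco Unified Presence; the local user is not contacted.
        if dom not in self.cup_federated_domains:
            return "denied-by-admin"
        # 3. User-level check against the local user's stored policy list.
        #    Assumption: an entry for the exact watcher outranks a domain-wide entry.
        policy = self.user_policies.get(sub.presentity, {})
        decision = policy.get(sub.watcher.lower(), policy.get(dom))
        if decision == "block":
            return "polite-block"
        if decision == "allow":
            return "allowed"
        # 4. No prior decision: accept into a pending state and prompt the user.
        self.pending.append(sub)
        return "pending"

    def record_user_decision(self, sub: Subscription, allow: bool) -> str:
        """The client reports the user's allow/deny choice, which is stored in the
        user's policy list so that later requests from this watcher skip the prompt."""
        self.user_policies.setdefault(sub.presentity, {})[sub.watcher.lower()] = (
            "allow" if allow else "block"
        )
        if sub in self.pending:
            self.pending.remove(sub)
        return "allowed" if allow else "polite-block"


def presence_shown_to_watcher(outcome: str, actual_state: str) -> Optional[str]:
    """What the foreign watcher sees: the real state when allowed, 'offline' under
    polite blocking, and nothing when the request never reached the user."""
    if outcome == "allowed":
        return actual_state
    if outcome == "polite-block":
        return "offline"
    return None


# Constructed sample deployment (not from the guide). Ann has blocked the whole
# partner.example domain but explicitly allowed one user in it.
SAMPLE = FederationPolicy(
    asa_permitted_domains={"foreign.example"},
    cup_federated_domains={"foreign.example", "partner.example"},
    user_policies={
        "ann@local.example": {"partner.example": "block", "matt@partner.example": "allow"},
    },
)
```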

Figure 1-6 Inbound SIP Presence Message Flow

Cisco Unified Presence sends all outgoing subscriptions through Cisco Adaptive Security Appliance, and Cisco Adaptive Security Appliance forwards these subscriptions to the foreign domain. Cisco Unified Presence sends an outgoing subscription even if an active subscription already exists between a different local user and the same foreign user in the same foreign domain. Figure 1-7 illustrates an outgoing presence subscription flow.

The foreign user is added to the contact list on the client application and the Cisco Unified Presence User Options interface as “[email protected]”.

Note The domain level authentication check is not applied on Cisco Adaptive Security Appliance for XMPP federation.

[Figure 1-6 diagram: Client (Yao) behind the Foreign Server and Foreign Gateway in Enterprise Y; across the Internet to the ASA (*Cisco Adaptive Security Appliance) in the Enterprise X DMZ, then to CUP and Client (Ann). Steps: 1 Domain level authorization check (ASA); 2 Admin level authorization check and 3 User level authorization check (CUP); 4 Allow/Deny Policy. Messages shown: Yao initiates an IM session with local user Ann (INVITE); Watcher Info NOTIFY to Ann; Authorization Policy Updates via SOAP; NOTIFY Yao with Ann’s Presence status]


Figure 1-7 Outbound Presence Request Flow

Note

• Microsoft OCS performs a refresh subscribe every one hour and 45 minutes. Therefore, if a Cisco Unified Presence server restarts, the maximum duration a Microsoft Office Communicator client will be without the presence status of Cisco Unified Presence contacts is approximately two hours.

• If Microsoft OCS restarts, the maximum duration a Cisco Unified Presence client will be without presence status of Microsoft Office Communicator contacts is approximately two hours.

Related Topics

• About Availability State Mappings, page 1-14

• About Instant Messaging, page 1-21

About Availability State Mappings

• Availability State Mappings for Microsoft OCS, page 1-15

• Availability State Mappings for Microsoft Lync, page 1-16

• Availability State Mappings for AOL Instant Messenger, page 1-17

• Availability State Mappings for XMPP Federation, page 1-18

[Figure 1-7 diagram: Client (Ann) and CUP in the Enterprise X private network, the ASA (*Cisco Adaptive Security Appliance) in the DMZ, then across the Internet to the Foreign Gateway, Foreign Server and Client (Matt) in Enterprise Y. Ann sends a request to subscribe to the presence of foreign user Matt; Contact Updates via SOAP. Steps: 1 Admin level authorization check (CUP); 2 Domain level authorization check (ASA)]


Availability State Mappings for Microsoft OCS

Table 1-1 shows the availability mapping states from Microsoft Office Communicator to Cisco Unified Presence, third-party XMPP clients and Cisco Unified Personal Communicator.

In Table 1-1, Microsoft Office Communicator ‘Busy’ and ‘Do Not Disturb’ states map to ‘Away’ with a status text of "Busy" on a third-party XMPP client. XMPP clients differ in how they render this ‘Away’ status, for example, certain XMPP clients will show the "Away" icon with no text. Other XMPP clients will render the "Away" icon with "Busy" text annotation alongside.

Table 1-2 shows the availability mapping states from Cisco Unified Personal Communicator Release 7.x to Microsoft Office Communicator.

Table 1-3 shows the availability mapping states from Cisco Unified Personal Communicator Release 8.x to Microsoft Office Communicator.

Table 1-1 Availability Mapping States from Microsoft Office Communicator

| Microsoft Office Communicator Setting | Third-party XMPP Client Setting (connected to Cisco Unified Presence) | Cisco Unified Personal Communicator Release 7.x Setting | Cisco Unified Personal Communicator Release 8.x Setting |
|---|---|---|---|
| Available | Available | Available | Available |
| Busy | Away | Away | Busy |
| Do Not Disturb | Away | Away | Busy |
| Be Right Back | Away | Away | Away |
| Away | Away | Away | Away |
| Offline | Offline | Offline | Offline |

Table 1-2 Availability Mapping States from Cisco Unified Personal Communicator Release 7.x

| Cisco Unified Personal Communicator Release 7.x Setting | Microsoft Office Communicator Setting |
|---|---|
| Available | Available |
| Away | Away |
| Do Not Disturb | Busy |
| Offline | Offline |
| Invisible | Away |

Table 1-3 Availability Mapping States from Cisco Unified Personal Communicator Release 8.x

| Cisco Unified Personal Communicator Release 8.x Setting | Microsoft Office Communicator Setting |
|---|---|
| Available | Available |
| Busy | Busy |
| Do Not Disturb | Busy |
| Offline | Offline |


Table 1-4 shows the availability mapping states from third-party XMPP clients that are connected to Cisco Unified Presence to Microsoft Office Communicator.

Related Topics

Presence Subscriptions and Blocking Levels, page 1-12

Availability State Mappings for Microsoft Lync

Table 1-5 shows the availability mapping states from Microsoft Lync to Cisco Unified Presence, third-party XMPP clients and Cisco Unified Personal Communicator.

In Table 1-5, Lync Client ‘Busy’ and ‘Do Not Disturb’ states map to ‘Away’ with a status text of "Busy" on a third-party XMPP client. XMPP clients differ in how they render this ‘Away’ status, for example, certain XMPP clients will show the "Away" icon with no text. Other XMPP clients will render the "Away" icon with "Busy" text annotation alongside.

Table 1-6 shows the availability mapping states from Cisco Unified Personal Communicator Release 7.x to a Lync client.

Table 1-4 Availability Mapping States from Third-party XMPP Client

| Third-party XMPP Client Setting (connected to Cisco Unified Presence) | Microsoft Office Communicator Setting |
|---|---|
| Available | Available |
| Away | Away |
| Extended Away | Away |
| Do Not Disturb | Busy |
| Offline | Offline |

Table 1-5 Availability Mapping States from Microsoft Lync

| Microsoft Lync Setting | Third-party XMPP Client Setting (connected to Cisco Unified Presence) | Cisco Unified Personal Communicator Release 7.x Setting | Cisco Unified Personal Communicator Release 8.x Setting |
|---|---|---|---|
| Available | Available | Available | Available |
| Busy | Away | Away | Busy |
| Do Not Disturb | Away | Away | Busy |
| Be Right Back | Away | Away | Away |
| Away | Away | Away | Away |
| Offline | Offline | Offline | Offline |


Table 1-7 shows the availability mapping states from Cisco Unified Personal Communicator Release 8.x to a Lync client.

Table 1-8 shows the availability mapping states from third-party XMPP clients that are connected to Cisco Unified Presence to a Lync client.

Related Topics

Presence Subscriptions and Blocking Levels, page 1-12

Availability State Mappings for AOL Instant Messenger

Table 1-9 shows the availability mapping states from AOL Instant Messenger to Cisco Unified Personal Communicator.

Table 1-6 Availability Mapping States from Cisco Unified Personal Communicator Release 7.x

| Cisco Unified Personal Communicator Release 7.x Setting | Microsoft Lync Setting |
|---|---|
| Available | Available |
| Away | Away |
| Do Not Disturb | Busy |
| Offline | Offline |
| Invisible | Away |

Table 1-7 Availability Mapping States from Cisco Unified Personal Communicator Release 8.x

| Cisco Unified Personal Communicator Release 8.x Setting | Microsoft Lync Setting |
|---|---|
| Available | Available |
| Busy | Busy |
| Do Not Disturb | Busy |
| Offline | Offline |

Table 1-8 Availability Mapping States from Third-party XMPP Client

| Third-party XMPP Client Setting (connected to Cisco Unified Presence) | Microsoft Lync Setting |
|---|---|
| Available | Available |
| Away | Away |
| Extended Away | Away |
| Do Not Disturb | Busy |
| Offline | Offline |


Table 1-10 shows the availability mapping states from Cisco Unified Personal Communicator to AOL Instant Messenger.

Related Topics

Presence Subscriptions and Blocking Levels, page 1-12

Availability State Mappings for XMPP Federation

Table 1-11 shows the availability mapping states from IBM Sametime 8.2 to a third-party XMPP client on Cisco Unified Presence, and to Cisco Unified Personal Communicator.

Table 1-9 Availability Mapping States from AOL Instant Messenger to Cisco Unified Personal Communicator

| AOL Instant Messenger Setting | Cisco Unified Personal Communicator Release 7.x Setting | Cisco Unified Personal Communicator Release 8.x Setting |
|---|---|---|
| Available | Available | Available |
| Away | Away | Away |
| Invisible | Offline | Offline |
| Offline | Offline | Offline |

Table 1-10 Availability Mapping States from Cisco Unified Personal Communicator to AOL Instant Messenger

| Cisco Unified Personal Communicator Release 7.x Setting | Cisco Unified Personal Communicator Release 8.x Setting | AOL Instant Messenger Setting |
|---|---|---|
| Available | Available | Available |
| Do Not Disturb | Do Not Disturb | Away |
| Away | Busy | Away |
| Idle | Idle | Away |
| Offline | Offline | Offline |

Table 1-11 Availability Mapping States from IBM Sametime 8.2 client

| IBM Sametime Client Setting | Third-party XMPP Client Setting (connected to Cisco Unified Presence) | Cisco Unified Personal Communicator Setting Release 7.x | Cisco Unified Personal Communicator Setting Release 8.x |
|---|---|---|---|
| Available | Available | Available | Available with status message |
| Do Not Disturb | Do Not Disturb | Do Not Disturb | Do Not Disturb with status message |
| Available with status “In a meeting” | Available with status “In a meeting” | Available with status “In a meeting” | Available with status message |
| Away | Away | Away | Away with status message |
| Offline | Offline | Offline | Offline |

Table 1-12 shows the availability mapping states from Webex Connect to a third-party XMPP client on Cisco Unified Presence, and to Cisco Unified Personal Communicator.

Table 1-13 shows the availability mapping states from Cisco Unified Personal Communicator Release 7.x to other federated clients.

Table 1-12 Availability Mapping States from Webex Connect

| Webex Connect Setting | Third-party XMPP Client Setting (connected to Cisco Unified Presence) | Cisco Unified Personal Communicator Setting Release 7.x | Cisco Unified Personal Communicator Setting Release 8.x |
|---|---|---|---|
| Available | Available | Available | Available |
| Do Not Disturb | Do Not Disturb | Do Not Disturb | Do Not Disturb |
| Away with status “In a meeting” | Available with status “In a meeting” | Away with status “In a meeting” | Away with status “In a meeting” |
| Away | Away | Away | Away |
| Offline | Offline | Offline | Offline |

Table 1-13 Availability Mapping States from Cisco Unified Personal Communicator Release 7.x

| Cisco Unified Personal Communicator Release 7.x Setting | Federated Cisco Unified Personal Communicator Release 7.x Setting | Federated Cisco Unified Personal Communicator Release 8.x Setting | Federated Third-party XMPP Client Setting (connected to Cisco Unified Presence) | Webex Connect Client Setting | IBM Sametime Client Server |
|---|---|---|---|---|---|
| Available | Available | Available | Available | Available | Available |
| Do Not Disturb | Do Not Disturb | Do Not Disturb | Do Not Disturb | Do Not Disturb | Do Not Disturb |
| Away | Away | Away | Away | Away | Away |
| Idle | Idle | Idle | Away with status “Idle” | Away with status “Idle” | Extended Away |
| Offline | Offline | Offline | Offline | Offline | Offline |


Table 1-14 shows the availability mapping states from Cisco Unified Personal Communicator Release 8.x to other federated clients.

Table 1-15 shows the availability mapping states from a third-party XMPP client on Cisco Unified Presence to other federated clients.

Table 1-14 Availability Mapping States from Cisco Unified Personal Communicator Release 8.x

| Cisco Unified Personal Communicator Release 8.x Setting | Federated Cisco Unified Personal Communicator Release 7.x Setting | Federated Cisco Unified Personal Communicator Release 8.x Setting | Federated Third-party XMPP Client Setting (connected to Cisco Unified Presence) | Webex Connect Client Setting | IBM Sametime Client Server |
|---|---|---|---|---|---|
| Available | Available | Available | Available | Available | Available |
| Do Not Disturb | Do Not Disturb | Do Not Disturb | Do Not Disturb | Do Not Disturb | Do Not Disturb |
| Busy | Away | Busy | Away | Idle | Away |
| Idle | Idle | Idle | Idle | Idle | Idle |
| Offline | Offline | Offline | Offline | Offline | Offline |

Table 1-15 Availability Mapping States from XMPP Client Connected to Cisco Unified Presence

| Third-party XMPP Client Setting (connected to Cisco Unified Presence) | Federated Cisco Unified Personal Communicator Release 7.x Setting | Federated Cisco Unified Personal Communicator Release 8.x Setting | Federated XMPP Client Setting (connected to Cisco Unified Presence) | Webex Connect Client Setting | IBM Sametime Client Server |
|---|---|---|---|---|---|
| Available | Available | Available | Available | Available | Available |
| Do Not Disturb | Do Not Disturb | Do Not Disturb | Do Not Disturb | Do Not Disturb | Do Not Disturb |
| Away | Away | Away | Away | Away | Away |
| Extended Away | Away | Away | Extended Away | Extended Away | Away |
| Away with status “Idle” | Idle | Idle | Away with status “Idle” | Away with status “Idle” | Away with status “Idle” |
| Offline | Offline | Offline | Offline | Offline | Offline |


About Instant Messaging

• Instant Message Flow for SIP Federation, page 1-21

• Availability and Instant Message Flow for XMPP Federation, page 1-22

Instant Message Flow for SIP Federation

Instant Messages (IMs) that are sent between two enterprise deployments use Session Mode. When a user in a foreign domain sends an IM to a local user in the Cisco Unified Presence domain, the foreign server sends an INVITE message, as illustrated in Figure 1-8. Cisco Adaptive Security Appliance forwards the INVITE message to Cisco Unified Presence. Cisco Unified Presence replies with a 200 OK message to the foreign server, and the foreign server sends a SIP MESSAGE containing the text data. Cisco Unified Presence forwards the text data to the client application of the local user, using the appropriate protocol.

Figure 1-8 Inbound Instant Messaging Flow

When a local user in the Cisco Unified Presence domain sends an IM to a user in a foreign domain, the IM is sent to the Cisco Unified Presence server. If no existing IM session is established between these two users, Cisco Unified Presence sends an INVITE message to the foreign domain to establish a new session. Figure 1-9 illustrates this flow. Cisco Unified Presence uses this session for any subsequent MESSAGE traffic from either of these two users. Note that users of Cisco Unified Personal Communicator Release 8.x and third-party XMPP clients can initiate an IM even if they do not have availability.

[Figure 1-8 diagram: MOC (Yao) behind OCS and Access Edge in Enterprise Y; SIP across the Internet to the ASA (*Cisco Adaptive Security Appliance) in the Enterprise X DMZ, then to CUP and CUPC (Ann). Yao initiates an IM session with local user Ann (INVITE); steps: 1 Domain level authorization check; 2 Admin level authorization check; 3 Allow/Deny Policy; IM sent to client (SIP message)]


Figure 1-9 Outbound Instant Message Flow

Note Cisco Unified Presence does not support a three-way IM session (group chat) with a Microsoft OCS contact.

Related Topics

• Presence Subscriptions and Blocking Levels, page 1-12

Availability and Instant Message Flow for XMPP Federation

The flow of incoming and outgoing availability and IM requests for XMPP federation can vary in a multi-node Cisco Unified Presence deployment.

In a multi-node deployment, you can enable XMPP federation on each node in the cluster, or just on a single node in a cluster. In addition, you can decide to publish only a single DNS SRV record, or publish multiple DNS SRV records (one record for each node on which you enable XMPP Federation).

If you only publish a single DNS SRV record, the system routes all inbound requests to that single node, and internally Cisco Unified Presence routes the traffic to the correct node using intercluster routing, as illustrated in Figure 1-10. If you publish multiple DNS SRV records, depending on how you configure the SRV records, the system could load-balance inbound requests across each node.

[Figure 1-9 diagram: outbound instant message flow. Ann (CUPC, Enterprise X, Cisco Unified Presence on the private network, Cisco Adaptive Security Appliance (ASA) in the DMZ) initiates an IM session with foreign user Matt (MOC, Enterprise Y, Microsoft OCS with Access Edge) across the Internet. If Ann has presence for Matt, she can initiate an IM to Matt; Cisco Unified Presence applies the domain-level authorization check (2) before forwarding the request.]


Figure 1-10 XMPP Inbound Request Flow

Cisco Unified Presence routes outbound requests to any node in the cluster on which you enable XMPP Federation, even if that node is not the home node for the user that initiates the request, as illustrated in Figure 1-11.

[Figure 1-10 diagram: XMPP inbound request flow. Enterprise Z (IBM Sametime Server with Sametime users Bob and Bill, IBM Sametime Gateway) sends XMPP requests across the Internet to Enterprise X (Cisco Adaptive Security Appliance (ASA) in the DMZ; CUP (US) and CUP (UK) clusters joined by inter-cluster communication, Cisco Unified Communications Manager (CUCM) and Directory on the private network; CUPC user Ann and third-party XMPP client user Tom). All incoming requests are directed to the node where XMPP Federation is enabled and published in public DNS.]


Figure 1-11 XMPP Outbound Request Flow

Related Topics

High Availability for XMPP Federation, page 1-8

Federation and Subdomains

Cisco Unified Presence supports the following subdomain scenarios:

• Cisco Unified Presence belongs to a subdomain of the foreign domain. For example, Cisco Unified Presence belongs to the subdomain "cup.cisco.com". Cisco Unified Presence federates with a foreign enterprise that belongs to the domain "cisco.com". In this case, the Cisco Unified Presence user is assigned the URI “[email protected]”, and the foreign user has the URI “[email protected]”.

• Cisco Unified Presence belongs to a parent domain, and the foreign enterprise belongs to a subdomain of that parent domain. For example, Cisco Unified Presence belongs to the domain "cisco.com". Cisco Unified Presence federates with a foreign enterprise that belongs to the subdomain "foreign.cisco.com". In this case, the Cisco Unified Presence user is assigned the URI “[email protected]”, and the foreign user is assigned the URI “[email protected]”.

[Figure 1-11 diagram: XMPP outbound request flow. Same topology as Figure 1-10 (Enterprise X with CUP (US) and CUP (UK) clusters, inter-cluster communication, CUCM, Directory, Cisco Adaptive Security Appliance (ASA) in the DMZ, CUPC user Ann and third-party XMPP client user Tom; Enterprise Z with IBM Sametime Gateway, IBM Sametime Server and Sametime users Bob and Bill). Outbound requests can be directed outwards via any node within the cluster which has XMPP federation enabled.]


• Cisco Unified Presence and the foreign enterprise each belong to different subdomains, but both of these subdomains belong to the same parent domain. For example, Cisco Unified Presence belongs to the subdomain "cup.cisco.com" and the foreign enterprise belongs to the subdomain "foreign.cisco.com". Both of these subdomains belong to the parent domain "cisco.com". In this case, the Cisco Unified Presence user is assigned the URI “[email protected]” and the foreign user is assigned the URI “[email protected]”.

If you federate with subdomains, you only need to configure separate DNS domains; there is no requirement to split your Active Directory. If you configure federation within the enterprise, Cisco Unified Presence users and foreign users can belong to the same Active Directory domain. For example, in the third scenario above, the Active Directory can belong to the parent domain “cisco.com”. You can configure all users under the “cisco.com” domain in Active Directory, even though a user may belong to the subdomain "cup.cisco.com" or "foreign.cisco.com", and may have the URI “[email protected]” or “[email protected]”.

Note that even though an LDAP search from Cisco Unified Personal Communicator may return users in the other domain or subdomain, a Cisco Unified Personal Communicator user cannot add these federated users from the LDAP lookup on Cisco Unified Personal Communicator. The Cisco Unified Personal Communicator user must add these users as external (federated) contacts so that Cisco Unified Presence applies the correct domain and not the local domain.

Note Cisco Unified Presence also supports the scenarios above if you configure federation between two Cisco Unified Presence enterprise deployments.
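All three subdomain scenarios rest on one rule: Cisco Unified Presence matches a presence domain exactly, so "cup.cisco.com", "foreign.cisco.com" and "cisco.com" are three separate federated domains even when every user sits in one Active Directory. The following Python is an added example (not Cisco's code and not part of this guide) that models that rule and sorts directory results into local contacts and entries that must be added as external (federated) contacts. The user names, the sample directory entries and the last-two-labels sibling test are this example's own constructed assumptions.

```python
"""Domain matching for federation with subdomains (added example, not Cisco's code).

Domains follow the guide's scenarios; user names and directory entries are
constructed. The sibling rule (shared last two labels) is a simplification
chosen for this example, not a rule taken from the guide.
"""


def _labels(domain):
    """Lower-cased DNS labels with any trailing dot removed."""
    return domain.lower().rstrip(".").split(".")


def domain_relation(local_domain, other_domain):
    """How other_domain relates to local_domain.

    'same'      exact match (case-insensitive, trailing dot ignored)
    'parent'    other_domain is a parent of the local domain
    'subdomain' other_domain lies below the local domain
    'sibling'   both lie under one parent, neither contains the other
    'unrelated' no common parent (by this example's two-label rule)
    """
    a, b = _labels(local_domain), _labels(other_domain)
    if a == b:
        return "same"
    if len(b) < len(a) and a[-len(b):] == b:
        return "parent"
    if len(a) < len(b) and b[-len(a):] == a:
        return "subdomain"
    if len(a) >= 2 and len(b) >= 2 and a[-2:] == b[-2:]:
        return "sibling"
    return "unrelated"


def classify_contact(local_domain, contact_uri):
    """Return ('local' | 'federated', relation) for a user@domain URI.

    Only an exact domain match is local; a parent, subdomain or sibling
    domain is a distinct federated domain with its own configuration.
    """
    if "@" not in contact_uri:
        raise ValueError("contact URI must be user@domain")
    _, domain = contact_uri.rsplit("@", 1)
    rel = domain_relation(local_domain, domain)
    return ("local" if rel == "same" else "federated", rel)


def partition_contacts(local_domain, directory_entries):
    """Split (display_name, im_uri) entries into local contacts and those
    that must be added as external (federated) contacts, each tagged with
    the relation between the local domain and the contact's domain."""
    local, external = [], []
    for name, uri in directory_entries:
        kind, rel = classify_contact(local_domain, uri)
        (local if kind == "local" else external).append((name, uri, rel))
    return local, external


# Constructed directory results: one local user, two in related domains.
SAMPLE_LDAP_RESULTS = [
    ("Ann", "ann@cup.cisco.com"),
    ("Matt", "matt@cisco.com"),
    ("Tom", "tom@foreign.cisco.com"),
]

if __name__ == "__main__":
    local, external = partition_contacts("cup.cisco.com", SAMPLE_LDAP_RESULTS)
    print("local contacts:", local)
    print("add as external (federated) contacts:", external)
```

Running the block with "cup.cisco.com" as the local domain keeps only Ann as a local contact; Matt (parent domain) and Tom (sibling subdomain) come back tagged as federated so they are added with their own domain rather than the local one.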


Chapter 2 Planning for this Integration

April 4, 2011

• Supported Interdomain Federation Integrations, page 2-1

• Hardware Requirements, page 2-2

• Software Requirements, page 2-2

• About Integration Preparation, page 2-3

• About Prerequisite Configuration Tasks for this Integration, page 2-7

Supported Interdomain Federation Integrations

This document describes the configuration steps for setting up a federated network between Cisco Unified Presence server and a foreign domain.

The supported foreign domains that a Cisco Unified Presence server can federate with are:

• Microsoft Office Communications Server Releases 2007, R2, Microsoft Lync 2010 over SIP

Note Only Cisco Unified Presence Release 8.5(2) or higher supports interdomain federation with Microsoft Lync. For Cisco Unified Presence Release 8.5(2) or higher, any reference to interdomain federation with OCS also includes Microsoft Lync, unless explicitly stated otherwise.

• AOL over SIP

• Cisco Webex Connect Release 6.x over XMPP

• IBM Sametime Server Release 8.2, 8.5 over XMPP

• GoogleTalk over XMPP

• Cisco Unified Presence Release 8.x over XMPP

Note If you federate between one Cisco Unified Presence enterprise and another, follow the procedures that describe how to configure XMPP Federation.

Related Topics

• Hardware Requirements, page 2-2


• Software Requirements, page 2-2

Hardware Requirements

Cisco Hardware

• Cisco Unified Presence server. For Cisco Unified Presence hardware support, refer to the Cisco Unified Presence compatibility matrix

• Cisco Unified Communications Manager server. For Cisco Unified Communications Manager hardware support, refer to the Cisco Unified Communications Manager compatibility matrix

• Two DNS servers within the Cisco Unified Presence enterprise

• Cisco Adaptive Security Appliance 5500 Series

• (Optional) Cisco CSS11506 Content Services Switch

Note • We recommend the Cisco Adaptive Security Appliance only for SIP federation, because it provides the TLS proxy functionality. For XMPP federation, any firewall is sufficient.

• When selecting a Cisco Adaptive Security Appliance model, go to: http://www.cisco.com/en/US/products/ps6120/prod_models_home.html. The TLS proxy component is available on all 5500 models.

• Make sure you use the correct version of Cisco Adaptive Security Appliance software for your deployment. If you are configuring a new interdomain federation deployment, refer to the Cisco Unified Presence compatibility matrix for the correct version of Cisco Adaptive Security Appliance software.

Related Topics

• Hardware and Software Compatibility Information for Cisco Unified Presence:

http://www.cisco.com/en/US/products/ps6837/products_device_support_tables_list.html

• Cisco Unified Communications Manager Hardware Compatibility Matrix:

http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_device_support_tables_list.html

• Software Requirements, page 2-2

Software Requirements

Note You require Cisco Unified Presence Release 8.5 or higher to configure SIP federation with AOL.

Cisco Software

• Cisco Unified Presence Server Release 8.5

• Cisco Unified Communications Manager Server Release 6.x+

• Cisco Unified Personal Communicator Release 7.x (7.03.13742 or later) - SIP client


• Cisco Unified Personal Communicator Release 8.0 - XMPP client

• Cisco Adaptive Security Appliance v8.3(1)

• Cisco Adaptive Security Device Manager (ASDM) v6.3

Microsoft Software for SIP Federation

• Microsoft Lync 2010

• Microsoft OCS 2007 Release 2 Server Standard or Enterprise

• Microsoft Office Communicator 2007 Release 2

• Microsoft Active Directory

AOL Software for SIP Federation

• AOL SIP Access Gateway (SAG)

• AOL Instant Messenger Release 7.2.6.1 or later

Software for XMPP Federation

• Cisco Webex Connect Release 6.x

• IBM Sametime Server Release 8.2

• GoogleTalk

Related Topics

Hardware Requirements, page 2-2

About Integration Preparation

It is essential that you plan carefully for this integration. Read the items in this section before you commence any configuration for this integration.

• Routing Configuration, page 2-3

• Public IP Address, page 2-4

• Public FQDN, page 2-5

• AOL SIP Access Gateway, page 2-5

• Redundancy/High Availability, page 2-5

• DNS Configuration, page 2-6

• Certificate Authority (CA) Server, page 2-6

Routing Configuration

Consider how you are going to set up routing in your federated network. Consider how you route messages that are destined for a foreign domain address from Cisco Unified Presence through the Cisco Adaptive Security Appliance to the foreign domain. You could consider deploying a routing entity (router, switch or gateway) between the Cisco Unified Presence enterprise deployment and Cisco Adaptive Security Appliance. The routing entity routes messages to the Cisco Adaptive Security Appliance, and Cisco Adaptive Security Appliance routes these messages to the foreign domain.


You can also deploy Cisco Adaptive Security Appliance as a gateway between Cisco Unified Presence and the foreign domain. If you use Cisco Adaptive Security Appliance as a gateway for Cisco Unified Presence, you must consider how Cisco Unified Communications Manager and the Cisco Unified Presence clients within your local enterprise deployment will access the Cisco Unified Presence server. If Cisco Unified Communications Manager and the Cisco Unified Presence clients are in a different subnet from Cisco Unified Presence, they will need to access Cisco Unified Presence through Cisco Adaptive Security Appliance.

If you deploy Cisco Adaptive Security Appliance behind an existing firewall in your network, consider how you route traffic to Cisco Adaptive Security Appliance and to Cisco Unified Presence. On the existing firewall, configure routes and access lists to route traffic to the public Cisco Unified Presence address. You must also configure routes to the foreign domain using the existing firewall.

Related Topics

• Cisco Adaptive Security Appliance Deployment Options, page 1-10

• Configuring Cisco Adaptive Security Appliance for SIP Federation, page 6-1

Public IP Address

For SIP federation, you require a publicly accessible IP address for the public Cisco Unified Presence address. If you do not have an IP address that you can assign, use the outside interface of the Cisco Adaptive Security Appliance as the public Cisco Unified Presence address (provided you use the Cisco Adaptive Security Appliance only for availability and IM traffic).

For SIP federation with Microsoft OCS R2, you require a single public IP address, even if you deploy multiple Cisco Unified Presence servers. Cisco Adaptive Security Appliance routes the requests from OCS to the correct Cisco Unified Presence server using Port Address Translation (PAT).

For XMPP federation, you can choose to either expose a public IP address for each Cisco Unified Presence server on which you enable XMPP federation, or expose a single public IP address:

• If you expose multiple IP addresses, you use NAT on Cisco Adaptive Security Appliance to convert the public addresses to private addresses. For example, you can use NAT to convert the public addresses x.x.x.x:5269 and y.y.y.y:5269 to the private addresses a.a.a.a:5269 and b.b.b.b:5269 respectively.

• If you expose a single IP address, you use PAT on Cisco Adaptive Security Appliance to map to the correct Cisco Unified Presence server. For example, the public IP address in your deployment is x.x.x.x, and there are multiple DNS SRV records for _xmpp-server. Each record has a different port, but all records resolve to x.x.x.x. The foreign server sends requests to x.x.x.x:5269, x.x.x.x:15269 and x.x.x.x:25269 through Cisco Adaptive Security Appliance. Cisco Adaptive Security Appliance performs PAT on these addresses, mapping each public address and port to the internal IP address of the corresponding Cisco Unified Presence server.

For example, the public address x.x.x.x:5269 maps to the private address a.a.a.a:5269, the public address x.x.x.x:15269 maps to the private address b.b.b.b:5269, and the public address x.x.x.x:25269 maps to the private address c.c.c.c:5269, and so on. All public addresses map internally to the same port (5269) on Cisco Unified Presence.

Related Topics

• External and Internal Interface Configuration, page 6-1

• DNS Configuration, page 2-6


Public FQDN

For SIP federation, request messages are routed based on the FQDN. Therefore, the FQDN of the routing Cisco Unified Presence server (publisher) must be publicly resolvable.

AOL SIP Access Gateway

The AOL SIP Access Gateway provides federated services, which permit a company’s SIP/SIMPLE-based instant messaging servers to communicate with other instant messaging users on the network. Using the AOL SIP Access Gateway, it is possible for users of a company’s SIP/SIMPLE-based messaging server to obtain availability information for, and hold conversations with, public users of the AIM or AOL services. The AOL SIP Access Gateway also enables users of the AIM or AOL systems to send instant messages and to display availability information for users of the company’s internal SIP/SIMPLE-based system.

The AOL SIP Access Gateway acts as the front end to a translator for internal AOL protocols. All communications between the company server and AOL will use SIP. The AOL SIP Access Gateway handles the translation into the protocols needed by internal AOL systems. It is not necessary to add any translation capabilities to external servers; from that perspective the AOL protocols are hidden. If the company server communicates using SIP/SIMPLE, it should still be possible to connect to AOL via the AOL SIP Access Gateway.

The AOL SIP Access Gateway supports connections via TLS over TCP only. The AOL SIP Access Gateway server should be defined within your instant messaging servers or proxies with this address:

Server Name: sip.oscar.aol.com

Server Port: 5061

The server name sip.oscar.aol.com resolves to 205.188.153.55 & 64.12.162.248.

Note • If you configure these IP addresses statically anywhere in your network, we recommend that you periodically check with AOL for potential changes to these addresses.

• We recommend that you ping the FQDN of AOL SIP Access Gateway (sip.oscar.aol.com) to confirm the IP address as it may be subject to change, for example ping sip.oscar.aol.com.

Redundancy/High Availability

You need to consider how you are going to configure redundancy in your federated network. Cisco Adaptive Security Appliance supports redundancy by providing the Active/Standby (A/S) deployment model.

If you wish to make your Cisco Unified Presence federation capability highly available you can deploy a load balancer in front of your designated (federation) Cisco Unified Presence cluster. Cisco recommends you use the Cisco CSS 11500 Content Services Switch.

The Cisco CSS 11500 Content Services Switch documentation is available at the following URL:

http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_installation_and_configuration_guides_list.html


DNS Configuration

In the local Cisco Unified Presence enterprise deployment, Cisco Unified Presence must publish a DNS SRV record for the Cisco Unified Presence domain to make it possible for other domains to discover the Cisco Unified Presence server through DNS SRV. The DNS SRV records reside on the DNS server in the enterprise DMZ.

For SIP federation with Microsoft OCS R2, you must publish the DNS SRV record _sipfederationtls. The Microsoft enterprise deployment requires this record because you configure Cisco Unified Presence as a Public IM Provider on the Access Edge server. In the external enterprise deployment, in order for Cisco Unified Presence to discover the Microsoft domain, a DNS SRV record must exist that points to this external domain. If the Cisco Unified Presence server cannot discover the Microsoft domain using DNS SRV, you must configure a static route on Cisco Unified Presence that points to the public interface of this external domain.

For AOL federation, AOL publishes the DNS SRV record _sipfederationtls._tcp.aol.com in their public DNS server for the domain ‘aol.com’. This resolves to sip.oscar.aol.com, which is the AOL SIP Access Gateway.

Because DNS SRV records are publicly resolvable, if you turn on DNS forwarding in the local enterprise, DNS queries retrieve information about public domains outside of the local enterprise. If the DNS queries rely completely on DNS information within the local enterprise (you do not turn on DNS forwarding in the local enterprise), you will need to publish a DNS SRV record, FQDN, or IP address that points to the external domain. Alternatively, you can configure static routes.

For XMPP federation, you must publish the DNS SRV record _xmpp-server. This record enables federated XMPP domains to discover the Cisco Unified Presence domain so users in both domains can exchange IM and availability information over XMPP. Similarly, foreign domains must publish the _xmpp-server record in their public DNS server to enable Cisco Unified Presence to discover the foreign domain.
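To make the SRV discovery described here, and the single-address PAT scheme from the Public IP Address section, concrete, the following Python is an added example (not Cisco's code and not from this guide). It parses a constructed public zone for the domain example.com, orders the _xmpp-server targets by priority and weight the way a foreign server choosing among several SRV records would, falls back to a static route when a domain publishes no SRV record, and builds the PAT table that maps each public port to TCP/5269 on one private Cisco Unified Presence node, rejecting the duplicate-port and multiple-public-address layouts that scheme cannot express. All hostnames, the addresses (203.0.113.x public, 10.0.0.x private) and the static route are constructed.

```python
"""DNS SRV discovery and single-address PAT mapping for federation.

Added example, not Cisco's code. Zone data, hostnames and addresses are
constructed (example.com, 203.0.113.x public, 10.0.0.x private).
"""
import random
from collections import defaultdict
from dataclasses import dataclass

XMPP_S2S_PORT = 5269  # port Cisco Unified Presence listens on for XMPP server-to-server


@dataclass(frozen=True)
class SrvRecord:
    name: str       # e.g. "_xmpp-server._tcp.example.com."
    priority: int
    weight: int
    port: int
    target: str     # FQDN of the server, with trailing dot


def parse_zone(zone_text):
    """Parse SRV and A records from zone-file style lines.

    Returns (srv_by_name, a_by_host); ';' comments and blank lines are skipped.
    """
    srv_by_name = defaultdict(list)
    a_by_host = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        name, _ttl, _cls, rtype, *rdata = line.split()
        if rtype == "SRV":
            prio, weight, port, target = rdata
            srv_by_name[name.lower()].append(
                SrvRecord(name.lower(), int(prio), int(weight), int(port), target.lower()))
        elif rtype == "A":
            a_by_host[name.lower()] = rdata[0]
    return dict(srv_by_name), a_by_host


def discover(domain, service, srv_by_name, static_routes, rng=None):
    """Ordered (target, port) candidates for reaching a federated domain.

    RFC 2782 order: lowest priority first, weighted random within a priority
    (the load balancing the guide mentions for multiple SRV records). With
    no SRV record, fall back to the static route configured for the domain.
    """
    rng = rng or random.Random(0)
    records = srv_by_name.get(f"{service}._tcp.{domain}.".lower(), [])
    if not records:
        route = static_routes.get(domain)
        return [route] if route else []
    ordered = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        while bucket:
            pick = rng.uniform(0, sum(r.weight for r in bucket))
            chosen = bucket[-1]
            for r in bucket:
                pick -= r.weight
                if pick <= 0:
                    chosen = r
                    break
            ordered.append((chosen.target, chosen.port))
            bucket.remove(chosen)
    return ordered


def build_pat_map(domain, srv_by_name, a_by_host, private_nodes):
    """Single public IP scheme: every _xmpp-server target resolves to one
    public address and records differ only by port; the firewall PATs each
    public port to TCP/5269 on a distinct private node.

    private_nodes maps SRV target FQDN -> private IP of that node.
    Returns {(public_ip, public_port): (private_ip, 5269)}; raises
    ValueError on a layout this scheme cannot express.
    """
    records = srv_by_name.get(f"_xmpp-server._tcp.{domain}.", [])
    if not records:
        raise ValueError(f"no _xmpp-server SRV record published for {domain}")
    public_ips = {a_by_host[r.target] for r in records}
    if len(public_ips) != 1:
        raise ValueError(f"expected one public address, targets resolve to {sorted(public_ips)}")
    (public_ip,) = public_ips
    ports = [r.port for r in records]
    if len(set(ports)) != len(ports):
        raise ValueError("each SRV record needs a distinct public port for PAT")
    mapping = {(public_ip, r.port): (private_nodes[r.target], XMPP_S2S_PORT) for r in records}
    if len(set(mapping.values())) != len(mapping):
        raise ValueError("two public ports map to the same private node")
    return mapping


# Constructed sample: public DNS for the fictitious example.com deployment.
ZONE = """\
; three Cisco Unified Presence nodes with XMPP federation enabled, one public IP
_xmpp-server._tcp.example.com.      3600 IN SRV 0  50  5269 cup-us.example.com.
_xmpp-server._tcp.example.com.      3600 IN SRV 0  50 15269 cup-uk.example.com.
_xmpp-server._tcp.example.com.      3600 IN SRV 10  0 25269 cup-dr.example.com.
_sipfederationtls._tcp.example.com. 3600 IN SRV 0   0  5061 cup-pub.example.com.
cup-us.example.com.  3600 IN A 203.0.113.10
cup-uk.example.com.  3600 IN A 203.0.113.10
cup-dr.example.com.  3600 IN A 203.0.113.10
cup-pub.example.com. 3600 IN A 203.0.113.10
"""
PRIVATE_NODES = {"cup-us.example.com.": "10.0.0.11",
                 "cup-uk.example.com.": "10.0.0.12",
                 "cup-dr.example.com.": "10.0.0.13"}
# Constructed static route for a partner domain that publishes no SRV record.
STATIC_ROUTES = {"partner.example": ("edge.partner.example.", 5061)}

if __name__ == "__main__":
    srv, a = parse_zone(ZONE)
    for entry in discover("example.com", "_xmpp-server", srv, STATIC_ROUTES):
        print("candidate", entry)
    for pub, priv in sorted(build_pat_map("example.com", srv, a, PRIVATE_NODES).items()):
        print(f"{pub[0]}:{pub[1]} -> {priv[0]}:{priv[1]}")
```

In the sample zone the two priority-0 records share the inbound load and the priority-10 record is used only when both are unreachable; build_pat_map turns the same records into the three public-port to private-node entries the firewall needs, and raises as soon as two records reuse a port, which is the misconfiguration that silently sends one node's traffic to another.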

Related Topics

• Routing SIP Requests for SIP Federation with AOL, page 4-7

• Verifying or Changing the Default Federation Routing Domain for SIP Federation with AOL, page 4-8

Certificate Authority (CA) Server

For SIP federation, the Cisco Adaptive Security Appliance in the Cisco Unified Presence enterprise deployment and the foreign enterprise deployment share IM and availability over a secure SSL/TLS connection.

Each enterprise deployment must present a certificate that is signed by an external CA; however, each enterprise deployment may use a different CA. Therefore each enterprise deployment must download the root certificate from the external CA of the other enterprise deployment to establish mutual trust between the two enterprise deployments.

For XMPP federation, you can choose whether or not to configure a secure TLS connection. If you configure TLS, on Cisco Unified Presence you need to upload the root certificate of the Certificate Authority (CA) that signs the certificate of the foreign enterprise. This certificate must exist in the certificate trust store on Cisco Unified Presence because the Cisco Adaptive Security Appliance does not terminate the TLS connections for XMPP federation; Cisco Adaptive Security Appliance acts as a firewall for XMPP federation.


About Prerequisite Configuration Tasks for this Integration

• Prerequisite Configuration for Cisco Unified Presence, page 2-7

• Prerequisite Configuration for Cisco Adaptive Security Appliance, page 2-7

Prerequisite Configuration for Cisco Unified Presence

Note These prerequisite tasks apply to both SIP and XMPP federation.

1. Install and configure Cisco Unified Presence as described in the Deployment Guide for Cisco Unified Presence.

At this point, perform the following checks to ensure that your Cisco Unified Presence is operating properly:

• Run the Cisco Unified Presence Troubleshooter.

• Check that you can add local contacts to Cisco Unified Presence.

• Check that your clients are receiving availability states from the Cisco Unified Presence server.

2. Configure Cisco Unified Presence server with a Cisco Unified Communications Manager (CUCM) server as described in the Deployment Guide for Cisco Unified Presence. Ensure that the Cisco Unified Presence server is working without any issues.

Related Topics

• Deployment Guide for Cisco Unified Presence:

http://www.cisco.com/en/US/products/ps6837/tsd_products_support_series_home.html

• Prerequisite Configuration for Cisco Adaptive Security Appliance, page 2-7

Prerequisite Configuration for Cisco Adaptive Security Appliance

Note • For SIP federation, you require Cisco Adaptive Security Appliance.

• For XMPP federation, you require a firewall. You can use any firewall, including Cisco Adaptive Security Appliance for basic firewall/NAT/PAT functionality. For XMPP federation you do not use Cisco Adaptive Security Appliance for TLS proxy functionality.

Install and configure Cisco Adaptive Security Appliance. Perform the following basic configuration checks on the Cisco Adaptive Security Appliance:

1. Access Cisco Adaptive Security Appliance either through the console using a terminal emulator such as HyperTerminal, or through the web-based Adaptive Security Device Manager (ASDM).

2. Obtain the appropriate licenses for Cisco Adaptive Security Appliance. Note that you will require a license for the TLS proxy on Cisco Adaptive Security Appliance. Contact your Cisco representative for license information.

3. Upgrade the software (if necessary).


4. Configure the hostname using the command:

(config)# hostname name

5. Set the timezone, date and time in ASDM by selecting Device Setup > System Time > Clock, or via the CLI using the clock set command. Note the following:

• Set the clock on the Cisco ASA 5500 before configuring the TLS proxy.

• We recommend that Cisco Adaptive Security Appliance use the same NTP server as the Cisco Unified Presence cluster. The TLS connections may fail due to certificate validation failure if clock is out of sync between Cisco Adaptive Security Appliance and the Cisco Unified Presence server.

• Use the command ntp server <server_address> to configure the NTP server address, and the commands show ntp associations and show ntp status to view the state of NTP synchronization.

6. Check the Cisco ASA 5500 modes. The Cisco ASA 5500 is configured to use single mode and routed mode by default.

• Check the current mode. This value is single mode by default.

(config)# show mode

• Check the current firewall mode. This is routed mode by default.

(config)# show firewall

• Set up the external and internal interfaces.

• Set up the basic IP routes.

Related Topics:

• Cisco Adaptive Security Appliance documentation:

http://www.cisco.com/en/US/products/ps6120/tsd_products_support_series_home.html

• Cisco Adaptive Security Appliance Command Line Reference Guides:

http://www.cisco.com/en/US/products/ps6120/tsd_products_support_reference_guides.html

• Cisco Adaptive Security Appliance Configuration Guide:

http://www.cisco.com/en/US/products/ps6120/tsd_products_support_configure.html

• ASDM 6.0 User Guide:

http://www.cisco.com/en/US/products/ps6120/tsd_products_support_maintain_and_operate.html

• External and Internal Interface Configuration, page 6-1

• Configuring the Static IP Routes, page 6-2

• Prerequisite Configuration for Cisco Unified Presence, page 2-7


Chapter 3 Configuration Workflows for Interdomain Federation

April 4, 2011

• Configuration Workflow for SIP Federation with Microsoft OCS, page 3-1

• Configuration Workflow for SIP Federation with Microsoft Lync, page 3-2

• Configuration Workflow for SIP Federation with AOL, page 3-2

• Configuration Workflow for XMPP Federation, page 3-3

• Configuration Workflow for Direct SIP Federation with Microsoft OCS, page 3-3

• Configuration Workflow for Cisco Adaptive Security Appliance for SIP Federation, page 3-3

Note Only Cisco Unified Presence Release 8.5(2) or higher supports interdomain federation with Microsoft Lync. For Cisco Unified Presence Release 8.5(2) or higher, any reference to interdomain federation with OCS also includes Microsoft Lync, unless explicitly stated otherwise.

Configuration Workflow for SIP Federation with Microsoft OCS

• Configure a federated domain on Cisco Unified Presence for Microsoft OCS federation, see Adding a SIP Federated Domain, page 4-2.

• Configure the DNS SRV records, see DNS Configuration for SIP Federation, page 4-3.

• Configure the routing on Cisco Unified Presence for Microsoft OCS federation, see How to Configure the Routing Configuration on Cisco Unified Presence, page 4-3

• (Optional) Configure the email address for federation feature, see How To Configure Email Address for Federation, page 4-9.

• Configure the TLS security settings on Cisco Unified Presence, see How to Configure the Security Settings on Cisco Unified Presence, page 4-5

• Configure the Cisco Adaptive Security Appliance for Microsoft OCS federation, see Configuring Cisco Adaptive Security Appliance for SIP Federation, page 6-1 and Configuring the TLS Proxy on Cisco Adaptive Security Appliance, page 7-1.

• Configure certificate exchange for Microsoft OCS federation, see Configuring Security Certificates for SIP Federation (with Cisco Adaptive Security Appliance), page 5-1


• Configure the Microsoft OCS server, see Configuring a Static Route on OCS for the Cisco Unified Presence server, page 8-2 and Adding a Host Authorization entry for the Cisco Unified Presence server, page 8-3

• (Optional) Configure a load balancer for redundancy, see Configuring the Load Balancer for Redundancy for SIP Federation, page 10-1

• For troubleshooting information on Microsoft OCS federation, see Troubleshooting a SIP Federation Integration, page 15-1

Configuration Workflow for SIP Federation with Microsoft Lync

• Configure a federated domain on Cisco Unified Presence for Microsoft Lync federation, see Adding a SIP Federated Domain, page 4-2.

• Configure the DNS SRV records, see DNS Configuration for SIP Federation, page 4-3.

• Configure the routing on Cisco Unified Presence for Microsoft Lync federation, see How to Configure the Routing Configuration on Cisco Unified Presence, page 4-3

• (Optional) Configure the email address for federation feature, see How To Configure Email Address for Federation, page 4-9.

• Configure the TLS security settings on Cisco Unified Presence, see How to Configure the Security Settings on Cisco Unified Presence, page 4-5

• Configure the Cisco Adaptive Security Appliance for Microsoft Lync federation, see Configuring Cisco Adaptive Security Appliance for SIP Federation, page 6-1 and Configuring the TLS Proxy on Cisco Adaptive Security Appliance, page 7-1.

• Configure certificate exchange for Microsoft Lync federation, see Configuring Security Certificates for SIP Federation (with Cisco Adaptive Security Appliance), page 5-1

• Configuration of Lync Server 2010 and Edge Servers for interdomain federation differs from that outlined within this guide for OCS. For information on configuring the Lync enterprise for interdomain federation with Cisco Unified Presence, see Microsoft documentation http://technet.microsoft.com/en-us/library/gg399048.aspx

Configuration Workflow for SIP Federation with AOL

• Establish an AOL license to enable AOL Federation, see License Requirements for AOL Federation, page 9-4, AOL Routing Information Requirements, page 9-5 and AOL Provisioning Information Requirements, page 9-5.

• Configure federated domains on Cisco Unified Presence for AOL federation, see Adding a SIP Federated Domain, page 4-2.

• Configure DNS SRV records, see DNS Configuration for SIP Federation, page 4-3. If you are not using DNS, see the next step.

• Configure the routing for AOL federation, see Configuring Static Routes Using TLS, page 4-3.

• (Optional) Verify and configure the Default Federation Routing Domain for AOL hosted domains, see How to Configure the Routing Information for AOL Federation, page 4-7.

• (Optional) Configure the email address for federation feature, see How To Configure Email Address for Federation, page 4-9.


• Configure the TLS security settings and certificates on Cisco Unified Presence, see How to Configure the Security Settings on Cisco Unified Presence, page 4-5 and Security Certificate Exchange Between Cisco Adaptive Security Appliance and AOL SIP Access Gateway, page 5-14.

• Configure Cisco Adaptive Security Appliance for AOL, see AOL SIP Access Gateway, page 2-5 for information on AOL FQDN, server port, and the public IP address.

• (Optional) Configure a load balancer for redundancy, see Configuring the Load Balancer for Redundancy for SIP Federation, page 10-1.

Configuration Workflow for XMPP Federation

Note Follow this workflow for Webex, Cisco Unified Presence, IBM Sametime and GoogleTalk federation.

• Configure Cisco Unified Presence for XMPP federation, see Configuring Cisco Unified Presence for XMPP Federation, page 11-1.

• Configure security for XMPP federation (not applicable for GoogleTalk), see Configuring Security Certificates for XMPP Federation, page 12-1.

• (Optional) Configure the email address for federation feature, see Turning On Email for XMPP Federation, page 11-12 and How To Configure Email Address for Federation, page 4-9.

• Turn on the XMPP Federation service, see Turning On the XMPP Federation Service, page 11-12.

• Configure Cisco Adaptive Security Appliance for XMPP federation, see Configuring Cisco Adaptive Security Appliance for XMPP Federation, page 11-10.

• For troubleshooting information on XMPP federation, see Troubleshooting an XMPP Federation Integration, page 16-1

Configuration Workflow for Direct SIP Federation with Microsoft OCS

• Configure federated domains on Cisco Unified Presence for Microsoft OCS federation, see Adding a SIP Federated Domain, page 4-2.

• Configure static routes for direct Microsoft OCS federation, see Configuring Interdomain Federation to Microsoft OCS within an Enterprise, page 8-1.

• (Optional) Configure the TLS security settings and certificates on Cisco Unified Presence, see How to Configure Static Routes Using TLS for Federation with Microsoft OCS Domain, page 8-4.

Configuration Workflow for Cisco Adaptive Security Appliance for SIP Federation

• Configure certificates between Cisco Adaptive Security Appliance and Cisco Unified Presence (inside interface), see How to Configure Security Certificate Exchange Between Cisco Unified Presence and Cisco Adaptive Security Appliance, page 5-1.


• Configure certificates between Cisco Adaptive Security Appliance and the federated domain (outside Interface), see How to Configure Security Certificate Exchange Between Cisco Adaptive Security Appliance and Microsoft Access Edge (External Interface) Using a Microsoft CA, page 5-5 and Security Certificate Exchange Between Cisco Adaptive Security Appliance and AOL SIP Access Gateway, page 5-14.

• Configure PAT rules for private to public messaging, see About Port Address Translation (PAT), page 6-3.

• Configure static PAT for public to private messaging, see About Sample Static PAT Commands, page 6-8.

• Configure the required access lists, see Access List Configuration Requirements, page 7-2.

• Configure the TLS proxy instances, see Configuring the TLS Proxy Instances, page 7-4.

• Associate the access lists with the TLS proxy, see Associating an Access List with a TLS Proxy Instance Using Class Maps, page 7-5.

CHAPTER 4

Configuring Cisco Unified Presence for SIP Federation

April 4, 2011

• SIP Proxy Domain on Cisco Unified Presence, page 4-1

• Adding a SIP Federated Domain, page 4-2

• How to Configure the Routing Configuration on Cisco Unified Presence, page 4-3

• Configuring the Federation Routing Parameter, page 4-5

• How to Configure the Security Settings on Cisco Unified Presence, page 4-5

• How to Configure the Routing Information for AOL Federation, page 4-7

• How To Configure Email Address for Federation, page 4-9

• Turning On the SIP Federation Service, page 4-11

Note Only Cisco Unified Presence Release 8.5(2) or higher supports interdomain federation with Microsoft Lync. For Cisco Unified Presence Release 8.5(2) or higher, any reference to interdomain federation with OCS also includes Microsoft Lync, unless explicitly stated otherwise.

SIP Proxy Domain on Cisco Unified Presence

If you change the SIP proxy domain on Cisco Unified Presence before you configure federation, as part of the SIP proxy domain change procedure you must also change the Federation Routing CUP FQDN parameter. Refer to the Deployment Guide for Cisco Unified Presence for the correct sequence of steps for changing the SIP proxy domain on Cisco Unified Presence.

Related Topics

• Deployment Guide for Cisco Unified Presence:

http://www.cisco.com/en/US/products/ps6837/products_installation_and_configuration_guides_list.html


Adding a SIP Federated Domain

Note Only Cisco Unified Presence Release 8.5.x or later releases support SIP federation with AOL.

When you configure a federated domain entry, Cisco Unified Presence automatically adds the incoming ACL for the federated domain entry. You can see the incoming ACL associated with a federated domain on Cisco Unified Presence Administration, but you cannot modify or delete it. You can only delete the incoming ACL when you delete the (associated) federated domain entry.

If you are configuring SIP federation with AOL, note the following:

• The AOL network comprises both public communities and hosted networks. You must configure each of these domains as a SIP federated domain of type AOL on Cisco Unified Presence.

• To handle users in a hosted domain such as [email protected], you must configure a SIP federated domain of type AOL on Cisco Unified Presence for ‘acompany.com’.

• To handle users in domains ‘aol.com’ and ‘aim.com’, you only need to add one SIP federated domain for ‘aol.com’ on Cisco Unified Presence. The AOL network allows you to address ‘[email protected]’ as ‘[email protected]’.

Procedure

Step 1 Select Cisco Unified Presence Administration > Presence > Inter Domain Federation > SIP Federation.

Step 2 Select Add New.

Step 3 Enter the federated domain name in the Domain Name field.

Step 4 Enter a description that identifies the federated domain in the Description field.

Step 5 Select one of these integrations:

• Inter-domain to OCS

• Inter-domain to AOL

Note For Cisco Unified Presence Release 8.5(2) or higher, you must select Inter-domain to OCS if you are federating with a Microsoft Lync enterprise.

Step 6 Select Save.

Step 7 After you add, edit or delete a SIP federated domain, restart the Cisco UP XCP Router by selecting Tools > Control Center - Network Services in Cisco Unified Serviceability. When you restart Cisco UP XCP Router, this causes a restart of all XCP services on Cisco Unified Presence.

Troubleshooting Tips

The text string you enter in the Description field is displayed to the user in the Cisco Unified Personal Communicator Release 7.x privacy preferences available from the Manage Domains tab. Therefore make sure you enter a domain name that is easily recognizable to the user.


How to Configure the Routing Configuration on Cisco Unified Presence

• DNS Configuration for SIP Federation, page 4-3

• Configuring Static Routes Using TLS, page 4-3

• Configuring the Cisco Unified Presence Domain from the CLI, page 4-4

DNS Configuration for SIP Federation

In the local Cisco Unified Presence enterprise, Cisco Unified Presence must publish a DNS SRV record for the Cisco Unified Presence domain to make it possible for other domains to discover the Cisco Unified Presence server through DNS SRV.

The Microsoft enterprise deployment requires Cisco Unified Presence to publish a DNS SRV record for the Cisco Unified Presence domain because you configure Cisco Unified Presence as a Public IM Provider on the Access Edge server.

In the Cisco Unified Presence enterprise deployment, you need to configure a DNS SRV record for _sipfederationtls._tcp.<CUP_domain> over port 5061, where <CUP_domain> is the name of the Cisco Unified Presence domain. This DNS SRV record should point to the public FQDN of the routing Cisco Unified Presence server. This FQDN must be publicly resolvable.

In order for Cisco Unified Presence to discover the foreign domain, a DNS SRV record must exist in the DNS server of the foreign domain that points to the FQDN of the external interface of the foreign domain.

If you configure SIP federation with AOL, AOL routes based on FQDN, so you just require the FQDN of the routing Cisco Unified Presence server to be publicly resolvable. AOL does not perform a DNS SRV lookup; instead it statically configures the FQDN of Cisco Unified Presence so it requires this FQDN to be publicly resolvable.

Tip Use this sequence of commands for performing a DNS SRV lookup:

nslookup
set type=srv
_sipfederationtls._tcp.<domain>

If Cisco Unified Presence cannot resolve the foreign enterprise via public DNS lookup, you must configure static routes in your deployment.

Related Topics

Configuring Static Routes Using TLS, page 4-3

Configuring Static Routes Using TLS

Note Static route configuration is only applicable to SIP federation.


If the Cisco Unified Presence server cannot discover the external domain using DNS SRV, you must configure a static route on Cisco Unified Presence that points to the external interface of the foreign domain.

Procedure

Step 1 Select Cisco Unified Presence Administration > Presence > Routing > Static Routes.

Step 2 Configure the static route parameters as follows:

• The Destination Pattern value must be configured such that the foreign enterprise domain is reversed. For example, if the domain is "domaina.com" then the Destination Pattern value must be ".com.domaina.*".

• The Next Hop value is the FQDN or IP address of the external Access Edge for federation with Microsoft OCS, or the FQDN or IP address of the AOL SIP Access Gateway for federation with AOL.

• The Next Hop Port number is 5061.

• The Route Type value is domain.

• The Protocol Type is TLS.

Step 3 Click Save.

Related Topics

Configuring the Cisco Unified Presence Domain from the CLI, page 4-4

Configuring the Cisco Unified Presence Domain from the CLI

If you do not enable DHCP, use this procedure to configure the Cisco Unified Presence domain from the CLI.

Procedure

Step 1 Log in to the administrator CLI on Cisco Unified Presence.

Enter this command to display the current network settings:

show network eth0

Step 2 If no domain exists and you do not enable DHCP, configure the domain to be the same as the Cisco Unified Presence proxy domain. Enter this command:

set network domain <domain name>

Step 3 Enter y at the prompt to confirm the changes.

The server automatically restarts. This can take up to 5 minutes.

Step 4 When the server restarts, enter this command to confirm you have configured the domain:

show network eth0


Configuring the Federation Routing Parameter

Before You Begin

When you first install Cisco Unified Presence, the federation routing parameter is automatically set to the FQDN of the publisher node, and Cisco Unified Presence passes this value to each subscriber node.

Procedure

Step 1 Select Cisco Unified Presence Administration > System > Service Parameters.

Step 2 Select the Cisco Unified Presence server from the Server menu.

Step 3 Select Cisco UP SIP Proxy from the Service menu.

Step 4 Enter the public FQDN value for the Federation Routing CUP FQDN parameter in the Federation Routing Parameters (Clusterwide) section.

Note • This FQDN value must correspond to the _sipfederationtls entry in the public DNS for that Cisco Unified Presence domain.

• If you assign users to the routing Cisco Unified Presence server, this FQDN value cannot be the same as the actual FQDN of the routing Cisco Unified Presence server.

Step 5 Select Save.

Step 6 After you add, edit or delete a SIP federated domain, restart the Cisco UP XCP Router by selecting Tools > Control Center - Network Services in Cisco Unified Serviceability. When you restart Cisco UP XCP Router, this causes a restart of all XCP services on Cisco Unified Presence.

Related Topics

Turning On Email for Federation, page 4-10

How to Configure the Security Settings on Cisco Unified Presence

Note This procedure is only applicable if you do not have Cisco Adaptive Security Appliance in your federation deployment, for example, if you deploy federation within your enterprise and you want a secure TLS connection.

• Creating a new TLS Peer Subject, page 4-6

• Adding the TLS Peer to the Selected TLS Peer Subjects List, page 4-6


Creating a new TLS Peer Subject

When you import the Cisco Adaptive Security Appliance security certificate to Cisco Unified Presence, Cisco Unified Presence automatically adds Cisco Adaptive Security Appliance as a TLS peer subject. Therefore you do not need to manually add Cisco Adaptive Security Appliance as a TLS peer subject on Cisco Unified Presence.

Procedure

Step 1 Select Cisco Unified Presence Administration > System > Security > TLS Peer Subjects.

Step 2 Click Add New.

Step 3 Enter one of the following values:

a. If you configure SIP federation with Microsoft OCS, enter the external FQDN of the Access Edge Server in the Peer Subject Name field. This value must match the subject CN of the certificate that the Microsoft Access Edge server presents.

b. If you configure SIP federation with AOL, enter the external FQDN of the AOL SIP Access Gateway. This value must match the subject CN of the certificate that the AOL SIP Access Gateway presents.

Step 4 Enter the name of the foreign server in the Description field.

Step 5 Click Save.
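The match required in Step 3 (Peer Subject Name equal to the subject CN the peer presents) can be checked offline before the peer subject is saved. The following is an added example, not code from the Cisco guide; the certificate dictionaries are constructed in the shape that Python's ssl.SSLSocket.getpeercert() returns, and the host names in them are hypothetical.

```python
"""
Added example (not from the Cisco guide): verify that the subject CN of the
certificate a federation peer presents equals the TLS Peer Subject Name
configured on Cisco Unified Presence. Certificates below are constructed
dictionaries in the shape returned by ssl.SSLSocket.getpeercert().
"""
from typing import Optional


def subject_common_name(cert: dict) -> Optional[str]:
    """Return the commonName from a getpeercert()-style 'subject' value.

    'subject' is a tuple of RDNs; each RDN is a tuple of (type, value) pairs.
    """
    for rdn in cert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return None


def peer_subject_matches(cert: dict, peer_subject_name: str) -> bool:
    """True when the presented subject CN equals the configured Peer Subject Name.

    DNS names are case-insensitive, so the comparison folds case; surrounding
    whitespace on the configured value is ignored, nothing else is normalised.
    """
    cn = subject_common_name(cert)
    return cn is not None and cn.lower() == peer_subject_name.strip().lower()


# Constructed certificates with hypothetical names.
ACCESS_EDGE_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Corp"),),
        (("commonName", "sipedge.example.com"),),
    ),
    "subjectAltName": (("DNS", "sipedge.example.com"),),
}
# A certificate whose CN is an internal name: the peer subject check must fail.
WRONG_CERT = {
    "subject": ((("commonName", "internal-edge.example.local"),),),
}

if __name__ == "__main__":
    configured = "sipedge.example.com"  # value entered in Peer Subject Name
    print(peer_subject_matches(ACCESS_EDGE_CERT, configured))  # True
    print(peer_subject_matches(WRONG_CERT, configured))        # False
```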

What To Do Next

Adding the TLS Peer to the Selected TLS Peer Subjects List, page 4-6

Related Topics

Importing the Self Signed Certificate onto Cisco Unified Presence, page 5-3

Adding the TLS Peer to the Selected TLS Peer Subjects List

Before You Begin

Create a new TLS peer subject.

Procedure

Step 1 Select Cisco Unified Presence Administration > System > Security > TLS Context Configuration.

Step 2 Click Find.

Step 3 Click Default_Cisco_UP_SIP_Proxy_Peer_Auth_TLS_Context.

Step 4 Select all ciphers from the list of available TLS ciphers.

Step 5 Click the down arrow to move these cipher selections to Selected TLS Ciphers.

Step 6 From the list of available TLS peer subjects, click the TLS peer subject that you configured in the previous section.

Step 7 Click the down arrow to move the selected TLS peer subject to Selected TLS Peer Subjects.


Step 8 Check Disable Empty TLS Fragments when you federate with Microsoft OCS.

Step 9 Click Save.

Step 10 Restart the Cisco UP SIP Proxy service.

Note If you deploy AOL and Microsoft OCS federation on the same Cisco Unified Presence node, checking the Disable Empty TLS Fragments setting will not impact AOL federation.

Related Topics

Creating a new TLS Peer Subject, page 4-6

How to Configure the Routing Information for AOL Federation

• Routing SIP Requests for SIP Federation with AOL, page 4-7

• Verifying or Changing the Default Federation Routing Domain for SIP Federation with AOL, page 4-8

Routing SIP Requests for SIP Federation with AOL

Note Only Cisco Unified Presence Release 8.5.x or later releases support SIP federation with AOL.

SIP federation with AOL enables Cisco Unified Presence users to federate with the following users:

• Users of AOL public communities, for example, aim.com, aol.com.

• Users of an enterprise whose domain is hosted by AOL.

• Users of a foreign enterprise that federates with AOL. Cisco Unified Presence could use AOL as a clearing house to federate with these foreign enterprises.

For example, AOL hosts an enterprise with a domain called ‘hosteddomain.com’, and there is an enterprise federating with AOL with a domain called ‘acompany.com’. You can add a SIP federation domain entry for each of these domains on Cisco Unified Presence to allow Cisco Unified Presence users to federate with [email protected] and [email protected].

The routing logic on Cisco Unified Presence is enhanced to support routing to domains that federate through AOL. When you configure SIP federation with AOL, Cisco Unified Presence routes messages based on the default federation routing domain. The default value for this domain is ‘aol.com’.

Note The routing described here is only applicable when you configure a federated domain of type ‘Inter-domain to AOL’.

If the federated user belongs to one of the hosted domains in AOL (a domain other than aol.com), Cisco Unified Presence performs the following steps:

1. Performs a lookup for a static route for the hosted domain. If no static route exists, Cisco Unified Presence will,


2. Perform a DNS SRV lookup for the hosted domain. If the lookup returns nothing, Cisco Unified Presence will,

3. Perform a lookup for a static route for the default federation routing domain (aol.com by default). If no static route exists, Cisco Unified Presence will,

4. Perform a DNS SRV lookup for the default federation routing domain (aol.com by default).

If the federated user is in the default AOL domain ([email protected]), Cisco Unified Presence performs the following steps:

1. Performs a lookup for a static route for the default AOL domain (aol.com by default). If no static route exists, Cisco Unified Presence will,

2. Perform a DNS SRV lookup for default federation routing domain (aol.com by default).
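The static-route Destination Pattern rule from Configuring Static Routes Using TLS and the lookup order just described can be modelled together. The following is an added example, not code from the Cisco guide: the route table, the SRV table and every next-hop name in it are constructed, and the SRV table stands in for the public DNS query.

```python
"""
Added example (not from the Cisco guide): a model of how Cisco Unified
Presence picks a next hop for a SIP request to an AOL-federated user, using
the reversed Destination Pattern rule for static routes and the
static route / DNS SRV lookup order described above. All tables are constructed.
"""
from typing import Dict, List, Optional, Tuple

SRV_SERVICE = "_sipfederationtls._tcp"          # SRV owner prefix for SIP federation
NEXT_HOP_PORT = 5061                            # Next Hop Port the guide specifies
DEFAULT_FEDERATION_ROUTING_DOMAIN = "aol.com"   # guide's default value

StaticRoute = Tuple[str, str, int]       # (Destination Pattern, Next Hop, Next Hop Port)
SrvTable = Dict[str, Tuple[str, int]]    # SRV owner name -> (target FQDN, port)
RouteHit = Tuple[str, int, str]          # (next hop, port, how it was found)


def reversed_domain(domain: str) -> str:
    """'domaina.com' -> '.com.domaina', the reversed form the static route page expects."""
    labels = domain.strip(".").lower().split(".")
    return "." + ".".join(reversed(labels))


def destination_pattern(domain: str) -> str:
    """Build the Destination Pattern for a static route: 'domaina.com' -> '.com.domaina.*'."""
    return reversed_domain(domain) + ".*"


def pattern_matches(pattern: str, domain: str) -> bool:
    """True if a Destination Pattern covers the domain.

    Assumption (not stated in the guide): the trailing '.*' also covers
    subdomains, so '.com.domaina.*' matches 'domaina.com' and 'sub.domaina.com'.
    """
    prefix = pattern.lower()
    if prefix.endswith(".*"):
        prefix = prefix[:-2]
    rev = reversed_domain(domain)
    return rev == prefix or rev.startswith(prefix + ".")


def find_static_route(routes: List[StaticRoute], domain: str) -> Optional[RouteHit]:
    """First static route whose Destination Pattern covers the domain, if any."""
    for pattern, next_hop, port in routes:
        if pattern_matches(pattern, domain):
            return (next_hop, port, "static route " + pattern)
    return None


def srv_lookup(srv_table: SrvTable, domain: str) -> Optional[RouteHit]:
    """Look up _sipfederationtls._tcp.<domain> in the constructed SRV table."""
    owner = f"{SRV_SERVICE}.{domain.strip('.').lower()}"
    hit = srv_table.get(owner)
    if hit is None:
        return None
    target, port = hit
    return (target, port, "DNS SRV " + owner)


def route_aol_request(user_domain: str, routes: List[StaticRoute], srv_table: SrvTable,
                      default_domain: str = DEFAULT_FEDERATION_ROUTING_DOMAIN) -> Optional[RouteHit]:
    """Apply the guide's lookup order for a federated domain of type 'Inter-domain to AOL'.

    Hosted domain (anything other than the default federation routing domain):
      1. static route for the hosted domain    2. DNS SRV for the hosted domain
      3. static route for the default domain   4. DNS SRV for the default domain
    The default domain itself only goes through steps 3 and 4.
    """
    user_domain = user_domain.strip(".").lower()
    candidates = [user_domain] if user_domain == default_domain else [user_domain, default_domain]
    for domain in candidates:
        hit = find_static_route(routes, domain) or srv_lookup(srv_table, domain)
        if hit is not None:
            return hit
    return None  # nothing found: the request cannot be routed


# Constructed tables for the demonstration; next-hop names are hypothetical.
STATIC_ROUTES: List[StaticRoute] = [
    (destination_pattern("acompany.com"), "sip-gw.acompany.example", NEXT_HOP_PORT),
]
SRV_RECORDS: SrvTable = {
    f"{SRV_SERVICE}.hosteddomain.com": ("edge.hosteddomain.example", NEXT_HOP_PORT),
    f"{SRV_SERVICE}.aol.com": ("sip-access-gateway.aol.example", NEXT_HOP_PORT),
}

if __name__ == "__main__":
    for name in ("acompany.com", "hosteddomain.com", "otherhosted.com", "aol.com"):
        print(name, "->", route_aol_request(name, STATIC_ROUTES, SRV_RECORDS))
```

A domain with neither a static route nor an SRV record of its own (otherhosted.com above) falls through to the default federation routing domain, which is what makes a clearing-house style route work.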

Related Topics

Verifying or Changing the Default Federation Routing Domain for SIP Federation with AOL, page 4-8

Verifying or Changing the Default Federation Routing Domain for SIP Federation with AOL

Note Only Cisco Unified Presence Release 8.5.x or later releases support SIP federation with AOL.

Generally you should not need to change the value of the default federation routing domain, unless the AOL enterprise changes the domain that the AOL server resolves to.

Before You Begin

Read the topic on routing SIP requests for SIP federation with AOL.

Procedure

Step 1 Select Cisco Unified Presence Administration > System > Service Parameters.

Step 2 Select the Cisco Unified Presence server from the Server menu.

Step 3 Select Cisco UP SIP Proxy from the Service menu.

Step 4 Verify or edit the value of the Default Federation Routing Domain parameter in the Federation Routing Parameters (Clusterwide) section.

Step 5 Select Save if you change the value of the Default Federation Routing Domain parameter.

Step 6 You need to restart the Cisco UP XCP Router if you change the value of the Default Federation Routing Domain parameter. In Cisco Unified Serviceability, select Tools > Control Center - Network Services to restart the Cisco UP XCP Router.

Related Topics

Routing SIP Requests for SIP Federation with AOL, page 4-7


How To Configure Email Address for Federation

Note • This section is only applicable to Cisco Unified Presence Release 8.5 or later releases.

• This section applies to both SIP and XMPP federation.

• Email Address for Federation Feature, page 4-9

• Email Domain for Federation, page 4-9

• Information to Provide to Administrator of the Foreign Domain, page 4-10

• Information to Provide to Cisco Unified Presence Users, page 4-10

• Turning On Email for Federation, page 4-10

Email Address for Federation Feature

When you turn on Cisco Unified Presence to use the email address for SIP federation, Cisco Unified Presence changes the SIP URI of each federated contact from 'userid@domain' to the email address of the contact.

Before you turn on email address for interdomain federation, note the following:

• If you have not yet attempted to federate with the foreign domain, and you wish to turn on email for federation, we recommend that you turn on this setting before users begin to add any federated contacts.

• If you turn on email address for federation, and a user does not have an email address configured in Active Directory, Cisco Unified Presence uses the JID of the user for federation.

• If you turn on email address for federation, and a federated contact uses the JID of a Cisco Unified Presence user rather than using the email address, Cisco Unified Presence drops these requests (even if a valid email address is configured for the user).

• Cisco Unified Presence does not support email aliases for the email address for federation feature.

Email Domain for Federation

If the email domain for federation is different from the SIP Proxy domain value that you configure on the Cluster Topology Settings page on the Cisco Unified Presence Administration interface, follow these steps:

• Configure the Federation Routing CUP FQDN parameter value under Proxy Service Parameters to contain the email domain for federation rather than the SIP Proxy domain. Note that this step applies to both XMPP and SIP federation.

• Make sure that you publish the email domain for the federation DNS SRV records in the public DNS server:

– _xmpp-server._tcp.<email-domain>

– _sipfederationtls._tcp.<email-domain>


Information to Provide to Administrator of the Foreign Domain

Before you turn on email address for federation, you must alert the system administrator of the foreign domain to the following:

• You are using email address for federation, and that the users in the foreign domain must specify an email address when adding a federated contact to their contact list.

• If you are already federating with the foreign domain, and you wish to turn on email for federation, users in the foreign domain must remove the existing federated contacts in their contact list, and add these federated contacts again specifying an email address.

Information to Provide to Cisco Unified Presence Users

When you turn on email address for federation, you must notify all Cisco Unified Presence users of the following:

• Federated contacts will now use email address rather than the user_id@domain address.

• When adding new contacts to their contact list, federated contacts must now use the email address for Cisco Unified Presence users, rather than the user_id@domain.

• Existing Cisco Unified Presence contacts (on the federated watcher's contact list) that were added with user_id@domain must be removed, and added again using the email address for the Cisco Unified Presence user.

• Any messages that Cisco Unified Presence receives from federated contacts to the user_id@domain address will be dropped (unless it happens to be the same as the email address configured in Active Directory, and the address configured in the users table on Cisco Unified Presence).

• If Cisco Unified Presence users already have federated contacts on their contact list, when these users sign in to the client again, the federated contact may get a pop-up containing the email address.

Note When you turn on email address for federation, the Cisco Unified Presence user does NOT need to change anything on the client when they connect to Cisco Unified Presence, nor do they interact any differently with the Cisco Unified Presence server.

Turning On Email for Federation

Note If you have an intercluster deployment, you must turn on the email address for federation on any intercluster nodes in your deployment.

Procedure

Step 1 Select Cisco Unified Presence Administration > Presence > Settings.

Step 2 Check Enable use of Email Address when Federating.

Step 3 Read the warning message, and click OK.

Step 4 Click Save.


Step 5 After you turn on email for federation, restart the Cisco UP XCP Router in Cisco Unified Serviceability. Select Tools > Control Center - Network Services.

Related Topics

Configuring the Federation Routing Parameter, page 4-5

Turning On the SIP Federation Service

You need to turn on the Cisco UP XCP SIP Federation Connection Manager service on each Cisco Unified Presence node. This turns on the SIP Federation feature for each user that you provision on the node. You must perform this procedure on each node in the cluster.

Procedure

Step 1 Select Cisco Unified Serviceability > Tools > Service Activation.

Step 2 Select the server from the Server list box.

Step 3 Select Go.

Step 4 Select the radio button next to the Cisco UP XCP SIP Federation Connection Manager service in the CUP Services section.

Step 5 Select Save.

Step 6 The Cisco UP SIP Proxy service must be running for SIP federation to work. Select Cisco Unified Serviceability > Tools > Feature Services and verify that the Cisco UP SIP Proxy service is running.

Related Topics

How To Turn on and Capture Logging for Federation, page 13-1

CHAPTER 5

Configuring Security Certificates for SIP Federation (with Cisco Adaptive Security Appliance)

April 4, 2011

• How to Configure Security Certificate Exchange Between Cisco Unified Presence and Cisco Adaptive Security Appliance, page 5-1

• How to Configure Security Certificate Exchange Between Cisco Adaptive Security Appliance and Microsoft Access Edge (External Interface) Using a Microsoft CA, page 5-5

• Security Certificate Exchange Between Cisco Adaptive Security Appliance and AOL SIP Access Gateway, page 5-14

Note Only Cisco Unified Presence Release 8.5(2) or higher supports interdomain federation with Microsoft Lync. For Cisco Unified Presence Release 8.5(2) or higher, any reference to interdomain federation with OCS also includes Microsoft Lync, unless explicitly stated otherwise.

How to Configure Security Certificate Exchange Between Cisco Unified Presence and Cisco Adaptive Security Appliance

• Generating the Key Pair and Trustpoints on Cisco Adaptive Security Appliance, page 5-2

• Generating a Self-Signed Certificate on Cisco Adaptive Security Appliance, page 5-2

• Importing the Self Signed Certificate onto Cisco Unified Presence, page 5-3

• Generating a New Certificate on Cisco Unified Presence, page 5-4

• Importing the Cisco Unified Presence Certificate onto Cisco Adaptive Security Appliance, page 5-4


Generating the Key Pair and Trustpoints on Cisco Adaptive Security Appliance

You need to generate the key pair for this certification (for example cup_proxy_key), and configure a trustpoint to identify the self-signed certificate from Cisco Adaptive Security Appliance to Cisco Unified Presence (for example cup_proxy). You need to specify the enrollment type as “self” to indicate you are generating a self-signed certificate on Cisco Adaptive Security Appliance, and specify the certificate subject name as the IP address of the inside interface.

Before You Begin

Ensure you carried out the configuration tasks described in the following chapters:

• Configuring Cisco Unified Presence for SIP Federation, page 4-1

• Configuring Cisco Adaptive Security Appliance for SIP Federation, page 6-1

Procedure

Step 1 Enter config mode, type:

> enable
Password: <password>
# config t

Step 2 Enter this command to generate the key pair for this certification:

crypto key generate rsa label cup_proxy_key modulus 1024

Step 3 Enter the following sequence of commands to create a trustpoint for Cisco Unified Presence:

crypto ca trustpoint <name of trustpoint, e.g. cup_proxy>
(config-ca-trustpoint)# enrollment self
(config-ca-trustpoint)# fqdn none
(config-ca-trustpoint)# subject-name cn=<ASA inside interface IP address>
(config-ca-trustpoint)# keypair cup_proxy_key

Troubleshooting Tip

Enter the command show crypto key mypubkey rsa to check that the key pair is generated.

What To Do Next

Generating a Self-Signed Certificate on Cisco Adaptive Security Appliance, page 5-2

Generating a Self-Signed Certificate on Cisco Adaptive Security Appliance

Before You Begin

• Complete the steps in Generating the Key Pair and Trustpoints on Cisco Adaptive Security Appliance, page 5-2.

• You need a text editor that has UNIX support to complete this procedure. We recommend Microsoft Wordpad version 5.1, or Microsoft Notepad version 5.1 service pack 2.


Procedure

Step 1 Enter this command to generate the self-signed certificate:

(config-ca-trustpoint)# crypto ca enroll <name of trustpoint, e.g. cup_proxy>

Step 2 Enter no when you are prompted to include the device serial number in the subject name.

Step 3 Enter yes when you are prompted to generate the self-signed certificate.

Step 4 Enter this command to prepare the certificate to export to Cisco Unified Presence:

crypto ca export cup_proxy identity-certificate

The PEM encoded identity certificate displays on screen, for example:

-----BEGIN CERTIFICATE-----
MIIBnDCCAQWgAwIBAgIBMTANBgkqhkiG9w0BAQQFADAUMRIwEAYDVQQDEwlDVVAt
...
-----END CERTIFICATE-----

Step 5 Copy and paste the entire contents of the Cisco Adaptive Security Appliance certificate, including the BEGIN and END lines, into Wordpad or Notepad, and name the file with a .pem extension.

Step 6 Save the .pem file to your local machine.

What To Do Next

Importing the Self Signed Certificate onto Cisco Unified Presence, page 5-3
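The PEM block copied out of the terminal in Steps 4 and 5 is easy to damage in transit: a missing marker line, a dropped base64 character, or Windows line endings from the text editor. The following Python script is an added check written for this page, not Cisco's code, and it assumes nothing beyond the Python standard library. It normalizes line endings, verifies that the pasted text decodes to one complete DER structure, and formats a digest in the spaced groups the ASA prints so the value can be compared with the ASA's own Fingerprint line when a CA certificate is accepted later in this chapter. That the ASA's 32-hex-digit fingerprint is an MD5 digest is an assumption made here, not a statement from the guide.

```python
# Added example (not part of the Cisco guide): sanity-check the PEM block you
# pasted out of the ASA terminal before uploading it to Cisco Unified Presence.
# Normalizes Windows line endings to UNIX ones, confirms the BEGIN/END markers
# and base64 body survived the copy/paste intact, and formats fingerprints the
# way the ASA prints them. Standard library only.
import base64
import binascii
import hashlib
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def normalize_pem(text: str) -> str:
    """Convert CRLF/CR line endings to LF, trim surrounding junk, end with LF."""
    return text.replace("\r\n", "\n").replace("\r", "\n").strip() + "\n"


def _der_total_length(der: bytes) -> int:
    """Encoded length of the outermost DER element (short or long form)."""
    first = der[1]
    if not first & 0x80:
        return 2 + first
    n = first & 0x7F
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def pem_to_der(text: str) -> bytes:
    """Decode one PEM certificate to DER; raise ValueError on paste damage."""
    text = normalize_pem(text)
    if not (text.startswith(PEM_HEADER) and text.rstrip().endswith(PEM_FOOTER)):
        raise ValueError("BEGIN/END CERTIFICATE markers missing: paste the whole block")
    body = text[len(PEM_HEADER):text.rindex(PEM_FOOTER)]
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"base64 body is corrupt: {exc}") from exc
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE")
    if _der_total_length(der) != len(der):
        raise ValueError("DER length mismatch: the block is truncated or has extra data")
    return der


def is_valid_pem(text: str) -> bool:
    """True if pem_to_der() accepts the text."""
    try:
        pem_to_der(text)
        return True
    except ValueError:
        return False


def format_fingerprint(hexdigest: str) -> str:
    """'cc966ba690df...' -> 'cc966ba6 90df...' (four-byte groups, as the ASA prints)."""
    return " ".join(hexdigest[i:i + 8] for i in range(0, len(hexdigest), 8))


def fingerprint(der: bytes, algorithm: str = "md5") -> str:
    """Digest of the DER bytes. Assumption: the 32-hex-digit fingerprint the ASA
    shows in this guide is MD5; pass 'sha1' or 'sha256' to compare with other tools."""
    return format_fingerprint(hashlib.new(algorithm, der).hexdigest())


def fingerprint_matches(der: bytes, printed: str, algorithm: str = "md5") -> bool:
    """Compare against a fingerprint typed from the ASA screen, ignoring spacing and case."""
    return fingerprint(der, algorithm).replace(" ", "") == printed.replace(" ", "").lower()


# CONSTRUCTED sample: a tiny DER SEQUENCE (not a real certificate) wrapped as PEM,
# then given Windows line endings as Notepad would save them.
SAMPLE_DER = bytes.fromhex("30 06 02 01 01 02 01 02")
SAMPLE_PEM_CRLF = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).replace("\n", "\r\n")
```

To use it on the exported file, call `pem_to_der(open("cup_proxy.pem").read())` and write `normalize_pem(...)` back out if the editor saved CRLF line endings; `fingerprint_matches(der, "cc966ba6 90dfe235 ...")` compares the decoded certificate with a fingerprint read off the ASA console before you answer yes to the accept prompt.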

Importing the Self Signed Certificate onto Cisco Unified Presence

Before You Begin

Complete the steps in Generating a Self-Signed Certificate on Cisco Adaptive Security Appliance, page 5-2

Procedure

Step 1 Select Cisco Unified Operating System Administration > Security > Certificate Management on Cisco Unified Presence.

Step 2 Click Upload Certificate.

Step 3 Select cup-trust for Certificate Name.

Note Leave the Root Name field blank.

Step 4 Click Browse, and locate the Cisco Adaptive Security Appliance .pem certificate file (that you created in the previous procedure) on your local computer.

Step 5 Click Upload File to upload the certificate to the Cisco Unified Presence server.


Troubleshooting Tips

Perform a find on the certificate list; you will see an <asa ip address>.pem entry and an <asa ip address>.der entry in the list.

What To Do Next

Generating a New Certificate on Cisco Unified Presence, page 5-4

Generating a New Certificate on Cisco Unified Presence

Before You Begin

Complete the steps in Importing the Self Signed Certificate onto Cisco Unified Presence, page 5-3

Procedure

Step 1 Select Cisco Unified Operating System Administration > Security > Certificate Management on Cisco Unified Presence.

Step 2 Click Generate New.

Step 3 Select cup for the certificate name.

What To Do Next

Importing the Cisco Unified Presence Certificate onto Cisco Adaptive Security Appliance, page 5-4

Importing the Cisco Unified Presence Certificate onto Cisco Adaptive Security Appliance

In order to import the Cisco Unified Presence certificate onto Cisco Adaptive Security Appliance, you need to create a trustpoint to identify the imported certificate from Cisco Unified Presence (e.g. cert_from_cup), and specify the enrollment type as “terminal” to indicate that you will paste the certificate received from Cisco Unified Presence into the terminal.

Note It is essential that the Cisco Unified Presence, Cisco Unified Communications Manager and Cisco Adaptive Security Appliance servers all synchronize their clocks from the same NTP source.

Before You Begin

• Complete the steps in Generating a New Certificate on Cisco Unified Presence, page 5-4.

• You need a text editor that has UNIX support to complete this procedure. We recommend Microsoft Wordpad version 5.1, or Microsoft Notepad version 5.1 service pack 2.

Procedure

Step 1 Enter config mode, type:

> enable
Password: <password>
# config t

Step 2 Enter this sequence of commands to create a trustpoint for the imported Cisco Unified Presence certificate:

crypto ca trustpoint cert_from_cup
(config-ca-trustpoint)# enrollment terminal

Step 3 Enter this command to import the certificate from Cisco Unified Presence:

crypto ca authenticate cert_from_cup

Step 4 Select Cisco Unified Operating System Administration > Security > Certificate Management on Cisco Unified Presence.

Step 5 Click Find.

Step 6 Locate the cup certificate that you created in the previous procedure.

Step 7 Click Download.

Step 8 Open the cup.pem file using one of the recommended text editors.

Step 9 Cut and paste the contents of the cup.pem into the Cisco Adaptive Security Appliance prompt window.

Step 10 Enter quit.

Step 11 Enter y when you are prompted to accept the certificate.

Troubleshooting Tips

Run the command show crypto ca certificate to view the certificate.

What To Do Next

How to Configure Security Certificate Exchange Between Cisco Adaptive Security Appliance and Microsoft Access Edge (External Interface) Using a Microsoft CA, page 5-5

How to Configure Security Certificate Exchange Between Cisco Adaptive Security Appliance and Microsoft Access Edge (External Interface) Using a Microsoft CA

These procedures are an example, and demonstrate how to configure certificates using the Microsoft CA.

Note An example of this procedure using the VeriSign CA is provided in the appendix of this guide.

• CA Trustpoints, page 5-6

• Configuring the Certificate on Cisco Adaptive Security Appliance using SCEP Enrollment, page 5-6

• Configuring the Certificate on Cisco Adaptive Security Appliance using Manual Enrollment, page 5-8

• How to Configure the Certificate for External Access Edge Interface, page 5-9

• Creating a Custom Certificate for Access Edge Using an Enterprise Certificate Authority, page 5-13


CA Trustpoints

When generating a trustpoint, you must specify an enrollment method to be used with the trustpoint. You can use Simple Certificate Enrollment Process (SCEP) as the enrollment method (assuming you are using a Microsoft CA), where you use the enrollment url command to define the URL to be used for SCEP enrollment with the trustpoint you declared. The URL defined should be the URL of your CA.

You can also use manual enrollment as the enrollment method, where you use the enrollment terminal command to indicate that you will paste the certificate received from the CA into the terminal. Both enrollment method procedures are described in this section. Refer to the Cisco Security Appliance Command Line Configuration Guide for further details about the enrollment method.

In order to use SCEP, you need to download the Microsoft SCEP add-on from the following URL. The SCEP add-on must be installed on the Microsoft CA that you are configuring the certificates on.

http://www.microsoft.com/Downloads/details.aspx?familyid=9F306763-D036-41D8-8860-1636411B2D01&displaylang=en

Download the SCEP add-on as follows:

• Download and run scepsetup.exe.

• Select local system account.

• Deselect SCEP challenge phrase to enroll.

• Enter the details of the CA.

When you click Finish, retrieve the SCEP URL. You will use this URL during trustpoint enrollment on Cisco Adaptive Security Appliance.

Configuring the Certificate on Cisco Adaptive Security Appliance using SCEP Enrollment

Procedure

Step 1 Enter this command to generate a key pair for the CA:

crypto key generate rsa label public_key_for_ca modulus 1024

Step 2 Enter this command to generate a trustpoint to identify the CA.

crypto ca trustpoint <trustpoint_name>

Step 3 Use the "client-types" sub-command to specify the client connection types for the trustpoint that can be used to validate the certificates associated with a user connection. Enter this command to specify a "client-types ssl" configuration which indicates that SSL client connections can be validated using this trustpoint:

(config-ca-trustpoint)# client-types ssl

Step 4 Enter this command to configure the FQDN of the public Cisco Unified Presence address:

fqdn <fqdn_public_cup_address>

Note You may be issued a warning regarding VPN authentication here.

Step 5 Enter this command to configure a keypair for the trustpoint:

keypair public_key_for_ca

Step 6 Enter this command to configure the enrollment method for the trustpoint:

enrollment url http://<ip address of CA>/certsrv/mscep/mscep.dll

Step 7 Enter this command to obtain the CA certificate for the trustpoint you configured:

crypto ca authenticate <trustpoint_name>
INFO: Certificate has the following attributes:
Fingerprint: cc966ba6 90dfe235 6fe632fc 2e521e48

Step 8 Enter yes when you are prompted to accept the certificate from the CA.

Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

Step 9 Run the crypto ca enroll command.

crypto ca enroll <trustpoint_name>

The following warning output displays:

%WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.

Step 10 Enter yes when you are prompted to continue with the enrollment.

Would you like to continue with this enrollment? [yes/no]: yes
% Start certificate enrollment..

Step 11 Enter a password when you are prompted to create a challenge password.

% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: **********
Re-enter password: **********

Step 12 Enter no when you are prompted to include the device serial number in the subject name.

Step 13 Enter yes when you are prompted to request the certificate from the CA.

Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority

Step 14 Go to the CA and issue the pending certificate (if the certificate was not issued automatically).

What To Do Next

How to Configure the Certificate for External Access Edge Interface, page 5-9


Configuring the Certificate on Cisco Adaptive Security Appliance using Manual Enrollment

Enrolling a trustpoint by uploading a CA certificate:

Step 1 Enter this command to generate a key pair for the CA:

crypto key generate rsa label public_key_for_ca modulus 1024

Step 2 Enter this sequence of commands to generate a trustpoint to identify the CA:

crypto ca trustpoint <name of trustpoint>
fqdn <fqdn_public_cup_address>
client-types ssl
keypair public_key_for_ca

Note

• The FQDN value must be the FQDN of the public Cisco Unified Presence address.

• The keypair value must be the keypair created for the CA.

Step 3 Enter this command to configure the enrollment method for the trustpoint:

enrollment terminal

Step 4 Enter this command to authenticate the certificate:

crypto ca authenticate <trustpoint_name>

Step 5 Acquire the root certificate of the CA:

a. Go to your CA webpage, for example, http(s)://<CA_IP_Addr>/certsrv.

b. Select Download a CA certificate, certificate chain, or CRL.

c. Select Base 64.

d. Download the CA certificate.

e. Save the certificate as a .cer file, for example CARoot.cer.

Step 6 Open the root certificate (.cer file) in a text editor.

Step 7 Copy and paste this certificate into the Cisco Adaptive Security Appliance terminal.

Step 8 Enter yes when you are prompted to accept the certificate.

Generating a CSR for Cisco Adaptive Security Appliance Public Certificate

Step 1 Enter this command to send an enrollment request to the CA:

crypto ca enroll <trustpoint_name>

Step 2 Enter no when you are asked if you want to include the device serial number in the subject name.

Step 3 Enter yes when you are asked to Display Certificate Request to terminal.

Step 4 Copy and paste this base-64 certificate into a text editor (to use in a later step).

Step 5 Enter no when you are asked to redisplay the enrollment request.


Step 6 Paste the base-64 certificate (that you copied in step 4) into the certificate request page of your CA:

a. Go to your CA webpage, for example, http(s)://<CA_IP_Addr>/certsrv.

b. Select Request a certificate.

c. Select Advanced Certificate request.

d. Select Submit a certificate request by using a base-64-encoded CMC or PKCS#10 file...

e. Paste the base-64 certificate (that you copied in step 4).

f. Submit the request and issue the certificate from the CA.

g. Download the certificate and save as a *.cer file.

h. Open the certificate in a text editor and paste the contents into the terminal. End with the word 'quit' on a separate line.

Step 7 Enter this command to import the certificate that you receive from the CA:

crypto ca import <trustpoint_name> certificate

Step 8 Enter yes when you are asked if you want to continue with the enrollment.

What To Do Next

How to Configure the Certificate for External Access Edge Interface, page 5-9

How to Configure the Certificate for External Access Edge Interface

This procedure describes how to configure the certificate on the Access Edge server with a standalone CA.

• Downloading the CA Certification Chain, page 5-9

• Installing the CA Certification Chain, page 5-10

• Requesting a Certificate from the CA Server, page 5-11

• Downloading the Certificate from the CA Server, page 5-11

• Uploading the Certificate onto Access Edge, page 5-12

Downloading the CA Certification Chain

Procedure

Step 1 Click Start > Run.

Step 2 Enter http://<name of your Issuing CA Server>/certsrv, and click OK.

Step 3 Click Download a CA certificate, certificate chain, or CRL from the Select a task menu.

Step 4 Click Download CA certificate chain from Download a CA Certificate, Certificate Chain, or CRL menu.

Step 5 Click Save in the File Download dialog box.

Step 6 Save the file on a hard disk drive on your server. This file has an extension of .p7b. If you open this .p7b file, the chain displays the following two certificates:

• name of Standalone root CA certificate

• name of Standalone subordinate CA certificate (if any)

What To Do Next

Installing the CA Certification Chain, page 5-10

Installing the CA Certification Chain

Before You Begin

Complete the steps in Downloading the CA Certification Chain, page 5-9

Procedure

Step 1 Click Start > Run.

Step 2 Enter mmc, and click OK.

Step 3 Select Add/Remove Snap-in from the File menu.

Step 4 Click Add in the Add/Remove Snap-in dialog box.

Step 5 Select Certificates in the list of Available Standalone Snap-ins.

Step 6 Click Add.

Step 7 Select Computer account.

Step 8 Click Next.

Step 9 In the Select Computer dialog box, perform the following tasks:

a. Ensure that <Local Computer> (the computer this console is running on) is selected.

b. Click Finish.

Step 10 Click Close.

Step 11 Click OK.

Step 12 In the left pane of the Certificates console, expand Certificates: Local Computer.

Step 13 Expand Trusted Root Certification Authorities.

Step 14 Right-click Certificates, and point to All Tasks.

Step 15 Click Import.

Step 16 In the Import Wizard, click Next.

Step 17 Click Browse and go to where you saved the certificate chain.

Step 18 Select the file, and click Open.

Step 19 Click Next.

Step 20 Leave the default value Place all certificates in the store and ensure that Trusted Root Certification Authorities appears under the Certificate store.

Step 21 Click Next.

Step 22 Click Finish.


What To Do Next

Requesting a Certificate from the CA Server, page 5-11

Requesting a Certificate from the CA Server

Before You Begin

Complete the steps in Installing the CA Certification Chain, page 5-10

Procedure

Step 1 Log in to the Access Edge server and open a web browser.

Step 2 Open the following URL: http://<ca_server_IP_address>/certsrv

Step 3 Click Request a Certificate.

Step 4 Click Advanced Certificate Request.

Step 5 Click Create and submit a request to this CA.

Step 6 Click Other in the Type of Certificate Needed list.

Step 7 Enter the FQDN of the Access Edge external interface for the Subject Common Name.

Step 8 Enter the following OID in the OID field:

1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2

Note A comma separates the two 1s in the middle of the OID.

Step 9 Perform one of the following procedures:

a. If you are using Windows Certificate Authority 2003, check Store certificate in the local computer certificate store in Key Options.

b. If you are using Windows Certificate Authority 2008, refer to the workaround described in the Troubleshooting Tips of this section. Enter a friendly name.

Step 10 Enter a friendly name.

Step 11 Click Submit.

What To Do Next

Downloading the Certificate from the CA Server, page 5-11

Downloading the Certificate from the CA Server

Before You Begin

Complete the steps in Requesting a Certificate from the CA Server, page 5-11

Procedure

Step 1 Launch the CA console by selecting Start > Administrative Tools > Certificate Authority.


Step 2 Click on Pending Requests in the left pane.

Step 3 Right-click on the certificate request that you submitted in the right pane.

Step 4 Click All Tasks > Issue.

Step 5 Open http://<local_server>/certsrv on the Access Edge server that CA is running on.

Step 6 Click on your certificate request from View the Status of a Pending Certificate Request.

Step 7 Click Install this certificate.

What To Do Next

Uploading the Certificate onto Access Edge, page 5-12

Uploading the Certificate onto Access Edge

This procedure describes how to upload the certificate on the Access Edge server using the Certificate Wizard. You can also import the certificates manually on the Access Edge server by selecting Microsoft Office Communications Server 2007 > Properties > Edge Interfaces.

Before You Begin

Complete the steps in Downloading the Certificate from the CA Server, page 5-11

Procedure

Step 1 Select Start > Administrative Tools > Computer Management on the Access Edge server.

Step 2 Right-click on Microsoft Office Communications Server 2007 in the left pane.

Step 3 Click Certificates.

Step 4 Click Next.

Step 5 Click the Assign an existing certificate task option.

Step 6 Click Next.

Step 7 Select the certificate that you wish to use for the External Access Edge Interface, and click Next.

Step 8 Click Next.

Step 9 Click the Edge Server Public Interface checkbox, and click Next.

Step 10 Click Next.

Step 11 Click Finish.

What To Do Next

Configuring the TLS Proxy on Cisco Adaptive Security Appliance, page 7-1


Creating a Custom Certificate for Access Edge Using an Enterprise Certificate Authority

Refer to these instructions if you are using a Microsoft Enterprise Certificate Authority to issue a client/server role certificate to the external interface of Access Edge or to the public interface of the Cisco Adaptive Security Appliance.

Before You Begin

These steps require that the Certificate Authority is an Enterprise CA and is installed on the Enterprise Edition of either Windows Server 2003 or 2008.

For additional details about these steps, refer to the Microsoft instructions: http://technet.microsoft.com/en-us/library/bb694035.aspx

Creating and Issuing a Custom Certificate Template

Procedure

Step 1 Follow Steps 1-6 from the Microsoft site: Creating and Issuing the Site Server Signing Certificate Template on the Certification Authority.

http://technet.microsoft.com/en-us/library/bb694035.aspx#BKMK_siteserver1

Tip For Step 5, use a more appropriate name for this specific template, such as Mutual Authentication Certificate.

Step 2 Follow these steps in place of Steps 7-12 from the Microsoft site:

a. Select the Extensions tab. Under Application Policies, make sure that both Client Authentication and Server Authentication are present and that no other policies are present. If these policies are not available, you must add them before proceeding.

– In the Edit Application Policies Extension dialog box, select Add.

– In the Add Application Policy dialog box, select Client Authentication, press Shift and select Server Authentication, and then click Add.

– In the Edit Application Policies Extension dialog box, select any other policy that may be present and then select Remove.

In the Properties of New Template dialog box, you should now see listed as the description of Application Policies: Client Authentication, Server Authentication.

b. Select the Issuance Requirement tab. If you do not want the Certificate to be automatically issued, then select CA certificate manager approval. Otherwise, leave this option blank.

c. Select the Security tab and ensure that all required users and groups have both read and enroll permission.

d. Select the Request Handling tab and select the CSP button.

e. On the CSP Selection dialog box select Requests must use one of the following CSP’s.

f. From the list of CSPs, select Microsoft Basic Cryptographic Provider v1.0 and Microsoft Enhanced Cryptographic Provider v1.0, and select OK.


Step 3 Continue with Steps 13-15 from the Microsoft site: Creating and Issuing the Site Server Signing Certificate Template on the Certification Authority.

http://technet.microsoft.com/en-us/library/bb694035.aspx#BKMK_siteserver1

What To Do Next

Requesting the Site Server Signing Certificate, page 5-14

Requesting the Site Server Signing Certificate

Procedure

Step 1 Follow Steps 1-6 from the Microsoft site: Site Server Signing Certificate for the Server That Will Run the Configuration Manager 2007 Site Server.

http://technet.microsoft.com/en-us/library/bb694035.aspx#BKMK_siteserver2

Tip For Step 5, select the name of the certificate template you created previously, such as Mutual Authentication Certificate, and enter the external FQDN of the Access Edge in the Name field.

Step 2 Follow these steps in place of Steps 7-8 from the Microsoft site:

a. If the certificate request is automatically issued, you will be presented with an option to install the signed certificate. Select Install this Certificate.

b. If the certificate request is not automatically issued, you will need to wait for the administrator to issue the certificate. Once it is issued:

– On the member server, load Internet Explorer and connect to the Web enrollment service with the address http://<server>/certsrv where <server> is the name or IP address of the Enterprise CA.

– On the Welcome page, select View the status of a pending certificate request.

c. Select the issued certificate and select Install this Certificate.

Security Certificate Exchange Between Cisco Adaptive Security Appliance and AOL SIP Access Gateway

AOL requires that the Cisco Adaptive Security Appliance certificate is signed by a trusted Certificate Authority. AOL has an established trust list of Certificate Authorities (CA) such as those commonly used in Windows or those in libraries distributed with the major browsers. If you wish to use a CA that is not on the AOL trust list, work with your Cisco representative to provide this information to AOL.


A sample configuration workflow that describes in detail how to configure certificate exchange between Cisco Adaptive Security Appliance and a foreign domain (Microsoft Access Edge) using the Verisign CA is provided in the appendix of this guide. Use this procedure as a reference to configure certificate exchange between Cisco Adaptive Security Appliance and the AOL SIP Access Gateway using the Verisign CA. A high-level overview of the configuration steps is provided below.

To configure certificate exchange between Cisco Adaptive Security Appliance and the AOL SIP Access Gateway using the Verisign CA, complete these steps:

• Download the AOL root certificate from https://pki-info.aol.com/AOL/.

• Download the AOL member certificate from https://pki-info.aol.com/AOLMSPKI/index.html.

• Delete any old intermediate and signed certificate, and the trustpoint for the root certificate on Cisco Adaptive Security Appliance.

• Create a new trust point on Cisco Adaptive Security Appliance for the AOL root certificate, see section Importing the Cisco Unified Presence Certificate onto Cisco Adaptive Security Appliance, page 5-4 (steps 1-3).

• Create a new trust point on Cisco Adaptive Security Appliance for the AOL member certificate.

• Create a new trustpoint for the Verisign CA on Cisco Adaptive Security Appliance.

• On Cisco Adaptive Security Appliance, import the root certificate, and then generate a Certificate Signing Request (CSR). See section Configuring the Certificate on Cisco Adaptive Security Appliance using Manual Enrollment, page 5-8 for a similar procedure.

Note The subject CN of the Cisco Unified Presence server certificate must match the FQDN of the Cisco Unified Presence server. The CN of the public certificate on Cisco Adaptive Security Appliance for Cisco Unified Presence must be the same as the Federation Routing CUP FQDN service parameter value.

• Submit the CSR to the Verisign CA.

• Verisign CA provides you with the following certificates:

– Verisign signed certificate

– Verisign subordinate intermediate root certificate

– Verisign root CA certificate

• On Cisco Adaptive Security Appliance, delete the temporary root certificate used to generate the Certificate Signing Request.

• Import the Verisign subordinate intermediate root certificate to Cisco Adaptive Security Appliance.

• Create a trustpoint for the Verisign root CA certificate on Cisco Adaptive Security Appliance.

• Import the Verisign root CA certificate to Cisco Adaptive Security Appliance, and then import the Verisign signed certificate to Cisco Adaptive Security Appliance.

• Provide the VeriSign root and intermediate certificates to AOL.

Note You must provide AOL with the root CA if the CA is not already in the AOL trust list.

Related Topics

• Importing the Cisco Unified Presence Certificate onto Cisco Adaptive Security Appliance, page 5-4


• Configuring the Certificate on Cisco Adaptive Security Appliance using Manual Enrollment, page 5-8

• Configuring Security Certificate Exchange Between Cisco Adaptive Security Appliance and Microsoft Access Edge Using VeriSign, page B-1

• AOL Routing Information Requirements, page 9-5

Chapter 6 Configuring Cisco Adaptive Security Appliance for SIP Federation

April 4, 2011

• Cisco Adaptive Security Appliance Unified Communication Wizard, page 6-1

• External and Internal Interface Configuration, page 6-1

• Configuring the Static IP Routes, page 6-2

• About Port Address Translation (PAT), page 6-3

• About Sample Static PAT Commands, page 6-8

• Failover on Cisco Adaptive Security Appliance, page 6-14

• Cisco Adaptive Security Appliance Upgrade Options for Existing Deployments, page 6-15

Note Only Cisco Unified Presence Release 8.5(2) or higher supports interdomain federation with Microsoft Lync. For Cisco Unified Presence Release 8.5(2) or higher, any reference to interdomain federation with OCS also includes Microsoft Lync, unless explicitly stated otherwise.

Cisco Adaptive Security Appliance Unified Communication Wizard

If you deploy a single Cisco Unified Presence server in your interdomain federation deployment, you can use the Unified Communication wizard on Cisco Adaptive Security Appliance to configure the presence federation proxy between Cisco Adaptive Security Appliance and Cisco Unified Presence.

A configuration example showing the Unified Communication wizard is provided on the Cisco Unified Presence documentation wiki; see the URL below.

Related Topics

http://docwiki.cisco.com/wiki/Cisco_Unified_Presence%2C_Release_8.x

External and Internal Interface Configuration

On the Cisco Adaptive Security Appliance you must configure two interfaces as follows:


• Use one interface as the “outside” or external interface. This is the interface to the internet and to the foreign domain servers (for example, Microsoft Access Edge/Access Proxy).

• Use the second interface as the "inside" or internal interface. This is the interface to Cisco Unified Presence or to the Load Balancer, depending on your deployment.

• When configuring an interface, you refer to it by an interface type, for example Ethernet or Gigabit Ethernet, and an interface slot. The Cisco Adaptive Security Appliance has four embedded Ethernet or Gigabit Ethernet ports on slot 0. You may optionally add an SSM-4GE module in slot 1 to obtain an additional four Gigabit Ethernet ports on slot 1.

• For each interface to route traffic, you need to configure an interface name and an IP address. The internal and external interface IP addresses must be in different subnets, which means they must have different subnet masks.

• Each interface must have a security level ranging from zero to 100 (from lowest to highest). A security level value of 100 is the most secure interface (inside interface). A security level value of zero is the least secure interface. If you do not explicitly set the security level for the inside or outside interface, then Cisco Adaptive Security Appliance sets the security level to 100 by default.

• Please refer to the Cisco Security Appliance Command Line Configuration Guide for details on configuring the external and internal interfaces via the CLI.

Note You can configure the internal and external interfaces using the ASDM startup wizard. You can also view or edit an interface in ASDM by selecting Configuration > Device Setup > Interfaces.

Configuring the Static IP Routes

Cisco Adaptive Security Appliance supports both static routes and dynamic routing protocols such as OSPF, RIP and EIGRP. For this integration you need to configure static routes that define the next hop address for IP traffic routed to the inside interface and for traffic routed to the outside interface of Cisco Adaptive Security Appliance. In the procedure below, the dest_ip mask is the IP address for the destination network and the gateway_ip value is the address of the next-hop router or gateway.

For a detailed description on setting up default and static routes on Cisco Adaptive Security Appliance, refer to the Cisco Security Appliance Command Line Configuration Guide.

Before You Begin

Complete the steps in External and Internal Interface Configuration, page 6-1.

Procedure

Step 1 Enter config mode:

hostname> enable
Password: <password>
hostname# config t

Step 2 Enter this command to add a static route for the inside interface:

hostname(config)# route inside dest_ip mask gateway_ip

Step 3 Enter this command to add a static route for the outside interface:


hostname(config)# route outside dest_ip mask gateway_ip

Note You can also view and configure the static routes from ASDM by selecting Configuration > Device Setup > Routing > Static routes.

Figure 6-1 Viewing static routes via ASDM

What To Do Next

About Port Address Translation (PAT), page 6-3

About Port Address Translation (PAT)

• Port Address Translation for This Integration, page 6-3

• PAT for Private to Public Requests, page 6-6

• Static PAT for New Requests, page 6-7

• NAT Rules in ASDM, page 6-7

Port Address Translation for This Integration

Note You also use Port Address Translation if you federate with another Cisco Unified Presence enterprise deployment in a foreign domain.

For this integration, Cisco Adaptive Security Appliance uses Port Address Translation (PAT) and static PAT for message address translation. Cisco Adaptive Security Appliance does not use Network Address Translation (NAT) for this integration.

This integration uses PAT to translate messages sent from Cisco Unified Presence to a foreign domain (private to public messages). Port Address Translation (PAT) means the real address and source port in a packet are substituted with a mapped address and unique port that is routable on the destination network. This translation method uses a two-step process that translates the real IP address and port to a mapped IP address and port, and then "undoes" the translation for returning traffic.


Cisco Adaptive Security Appliance translates messages sent from Cisco Unified Presence to a foreign domain (private to public messages) by changing the private IP address and port on Cisco Unified Presence to a public IP address and one or more public port(s). Therefore, a local Cisco Unified Presence domain only uses one public IP address. Cisco Adaptive Security Appliance assigns a NAT command to the outside interface and translates the IP address and port of any message received on that interface as illustrated in Figure 6-2.

Figure 6-2 Example PAT for Messages Originating from Cisco Unified Presence to a Foreign Domain

For new messages sent from a foreign domain to Cisco Unified Presence, Cisco Adaptive Security Appliance uses static PAT to map any message sent to the public IP address and port for Cisco Unified Presence to a designated Cisco Unified Presence server. Using static PAT allows you to translate the real IP address to a mapped IP address, and the real port number to a mapped port number. You can translate the real port number to the same port number or to a different port number. In this case, the port number identifies the correct Cisco Unified Presence server to handle the message request, as shown in Figure 6-3.

Note If a user does not exist on the Cisco Unified Presence server, the Cisco Unified Presence routing server uses intercluster routing to redirect the message. All responses are sent to Cisco Adaptive Security Appliance from the Cisco Unified Presence routing server.

[Figure 6-2: CUP(US) at 10.X.X.1/1 and CUP(UK) at 10.X.X.2/2, each with its CUCM, sit behind Cisco Adaptive Security Appliance (ASA). On the ASA outside interface, traffic toward the Access Edge across the Internet is translated to the Cisco Unified Presence public address 65.130.1.3/X: outgoing traffic is translated to use the Cisco Unified Presence public address, and the translation is undone for returning traffic.]
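To make the two translation paths of Figures 6-2 and 6-3 concrete, here is an added example that is not part of this guide and not Cisco code: a small Python model in which the appliance's PAT behaviour is two lookup tables. Outbound requests from a Cisco Unified Presence node receive the single public address and a unique mapped port, and the reply is un-translated from the same entry; a new request from the foreign domain is accepted only on a static PAT port, and that port selects the Cisco Unified Presence node. The class and function names, and all addresses and ports, are constructed for the example.

```python
"""Toy model of the address translation the guide describes for this integration.

Added example, not Cisco code: the PAT and static PAT behaviour of the appliance
is modelled as two lookup tables so both paths can be traced end to end:
  - private-to-public requests (Cisco Unified Presence to a foreign domain) get the
    single public address and a unique mapped port, and returning traffic is
    un-translated from the same entry;
  - new requests from the foreign domain hit the public address on a static PAT
    port, and that port selects which Cisco Unified Presence node receives them.
All addresses and ports are constructed sample values.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from itertools import count
from typing import Iterator


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


@dataclass
class PatTable:
    public_ip: str                                   # the one public CUP address used by PAT
    static_pat: dict[int, Endpoint]                  # public port -> inside CUP node:port
    _dynamic: dict[Endpoint, Endpoint] = field(default_factory=dict)  # real -> mapped
    _reverse: dict[Endpoint, Endpoint] = field(default_factory=dict)  # mapped -> real
    _ports: Iterator[int] = field(default_factory=lambda: count(1024))

    def outbound(self, real: Endpoint) -> Endpoint:
        """Private-to-public: substitute the real address and source port with the
        public address and a unique port that does not clash with a static PAT port."""
        if real not in self._dynamic:
            mapped = Endpoint(self.public_ip, next(self._ports))
            while mapped in self._reverse or mapped.port in self.static_pat:
                mapped = Endpoint(self.public_ip, next(self._ports))
            self._dynamic[real] = mapped
            self._reverse[mapped] = real
        return self._dynamic[real]

    def inbound(self, dst: Endpoint) -> Endpoint:
        """Public-to-private: a reply to an earlier outbound request is un-translated;
        anything else must match a static PAT port or it is dropped."""
        if dst.ip != self.public_ip:
            raise ValueError(f"{dst.ip} is not the public CUP address")
        if dst in self._reverse:
            return self._reverse[dst]          # returning traffic: translation undone
        if dst.port in self.static_pat:
            return self.static_pat[dst.port]   # new request: the port picks the CUP node
        raise LookupError(f"no translation for {dst.ip}:{dst.port}, packet dropped")


def sample_table() -> PatTable:
    """Constructed deployment shaped like Figures 6-2 and 6-3: two CUP nodes behind
    one public address; public port 5061 reaches the routing node's peer auth
    listener (5062) and 45061 reaches the second node."""
    return PatTable(
        public_ip="203.0.113.10",
        static_pat={5061: Endpoint("10.0.0.1", 5062), 45061: Endpoint("10.0.0.2", 5062)},
    )


if __name__ == "__main__":
    t = sample_table()
    mapped = t.outbound(Endpoint("10.0.0.1", 5062))
    print("outbound", mapped, "-> reply goes back to", t.inbound(mapped))
    print("new request on 5061 ->", t.inbound(Endpoint("203.0.113.10", 5061)))
```

The model makes the guide's point visible: a packet to the public address that matches neither an existing outbound entry nor a static PAT port has nowhere to go, which is why every Cisco Unified Presence node that must receive new requests needs its own static PAT port.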


Figure 6-3 Static PAT for Messages Originating from a Foreign Domain

[Figure 6-3: the Access Edge across the Internet sends new traffic to the public address 147.168.22.18/5061. On the ASA outside interface, static PAT translates all new traffic from the foreign server, and the port number identifies the Cisco Unified Presence server: CUP(US) at 10.X.X.1/5061 or CUP(UK) at 10.X.X.2/5062, each with its CUCM behind Cisco Adaptive Security Appliance (ASA).]


PAT for Private to Public Requests

For this integration, the address translation for private to public messages involves the following configuration:

• Define a NAT rule to identify the real IP address and port number that you wish to translate. In this case, configure a NAT rule that states that Cisco Adaptive Security Appliance must apply a NAT action to any message received on the internal interface.

• Configure a global NAT action to specify the mapped addresses to use for messages exiting via the external (outside) interface. For this integration, specify only one address (because it uses PAT). The NAT action maps the IP address (of messages received on the internal interface) to the Cisco Unified Presence public address.

Table 6-1 provides sample global address translation commands for Cisco Adaptive Security Appliance Releases 8.2 and 8.3. The first row is mandatory for both a single Cisco Unified Presence deployment, and a multiple Cisco Unified Presence deployment. The second row is for single Cisco Unified Presence deployment only. The third row is for a multiple Cisco Unified Presence deployment.

Table 6-1 Sample global address translation commands

Row 1. Sample configuration: You can use this sample NAT configuration in a deployment where there are one or more Cisco Unified Presence servers on the inside interface, with no other firewall traffic.

Cisco Adaptive Security Appliance Release 8.2 Global Command:

global (outside) 1 <public_cup_address>
nat (inside) 1 0 0

Cisco Adaptive Security Appliance Release 8.3 Global Command:

object network obj_any
 host 0.0.0.0
 nat (inside,outside) dynamic <public cup address>

Row 2. Sample configuration: You can use this sample NAT configuration in a deployment where there is one Cisco Unified Presence server on the inside interface, with other firewall traffic.

Cisco Adaptive Security Appliance Release 8.2 Global Command:

global (outside) 1 <public_cup_address>
nat (inside) 1 <private_cup_address> 255.255.255.255
global (outside) 2 interface
nat (inside) 2 0 0

Cisco Adaptive Security Appliance Release 8.3 Global Command:

 host <private cup address>
 nat (inside,outside) dynamic <public cup address>
object network my_inside
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

Row 3. Sample configuration: You can use this sample NAT configuration in a deployment where there are multiple Cisco Unified Presence servers on the inside interface, with other firewall traffic.

Cisco Adaptive Security Appliance Release 8.2 Global Command:

global (outside) 1 <public cup ip>
nat (inside) 1 <private_cup_net> <private_cup_netmask>
global (outside) 2 interface
nat (inside) 2 0 0

Cisco Adaptive Security Appliance Release 8.3 Global Command:

object network obj_<private subnet>.0_255.255.255.0
 subnet <private subnet> 255.255.255.0
 nat (inside,outside) dynamic <public cup address>
object network my_inside
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface


Note The sample configuration shown in the last row of Table 6-1 assumes that, when there are multiple Cisco Unified Presence servers located behind Cisco Adaptive Security Appliance, these Cisco Unified Presence servers are all on the same subnet. Specifically, if all the inside Cisco Unified Presence servers are on the 2.2.2.x/24 network, the NAT command is: nat (inside) 1 2.2.2.0 255.255.255.0

Related Topics

Port Address Translation for This Integration, page 6-3

Static PAT for New Requests

For this integration the address translation for private to public messages involves the following configuration:

• Configure a static PAT command on TCP for the following ports: 5060, 5061, 5062 and 5080. Additionally, if you have configured an intercluster connection with a Cisco Unified Presence Release 7.x node in your deployment, configure a TCP port for 5070.

• Configure a separate static PAT command on UDP for port 5080. Additionally if you have configured an intercluster connection with a Cisco Unified Presence Release 7.x node in your deployment, configure a UDP port for 5070.

This integration uses the following ports:

• 5060 - Cisco Adaptive Security Appliance uses this port for generic SIP inspection.

• 5061 - The SIP requests are sent to this port and this triggers the TLS handshake.

• 5062, 5070, 5080 - Cisco Unified Presence uses these ports in the SIP VIA/CONTACT headers.

You only require PAT for port 5070 if you have an intercluster Cisco Unified Presence Release 7.x node in your Cisco Unified Presence Release 8.x cluster within the same domain. Cisco Unified Presence Release 8.x replaces port 5070 with port 5080.

Note You can check the peer auth listener port on Cisco Unified Presence by selecting Cisco Unified Presence Administration > System > Application Listeners.

Related Topics

• About Sample Static PAT Commands, page 6-8

• Sample Cisco Adaptive Security Appliance Configuration, page A-1

NAT Rules in ASDM

You can view the NAT rules in ASDM by selecting Configuration > Firewall > NAT Rules. The first five NAT rules shown in Figure 6-4 are the static PAT entries, and the final dynamic entry is the outgoing PAT configuration that maps any outgoing traffic to the public Cisco Unified Presence IP address and port.


Figure 6-4 Viewing PAT rules via ASDM

Related Topics

• About Sample Static PAT Commands, page 6-8

• Sample Cisco Adaptive Security Appliance Configuration, page A-1

About Sample Static PAT Commands

Note This section shows sample commands for Cisco Adaptive Security Appliance Release 8.3 and Release 8.2. You need to execute these commands when you configure a fresh configuration of Cisco Adaptive Security Appliance for federation.

• PAT Configuration for Routing Cisco Unified Presence Release 8.x Node, page 6-9

• PAT Configuration for Intercluster or Intracluster Cisco Unified Presence Release 8.x Nodes, page 6-11

• PAT Configuration for Intercluster Cisco Unified Presence Release 7.x Nodes, page 6-13


PAT Configuration for Routing Cisco Unified Presence Release 8.x Node

Table 6-2 shows the PAT commands for the routing Cisco Unified Presence Release 8.x node, where the peer auth listener port is 5062.

Note For Cisco Adaptive Security Appliance 8.3 configuration, you only need to define an object once and you can reference that object in multiple commands; you do not need to repeatedly define the same object.

Table 6-2 PAT commands for routing Cisco Unified Presence Release 8.x node

Row 1 (public port 5061 to the peer auth listener port)

Cisco Adaptive Security Appliance Release 8.2 Static Command:

static (inside,outside) tcp <public cup ip address> 5061 <routing cup private address> 5062 netmask 255.255.255.255

If the routing CUP peer auth listening port is 5061, use the command:

static (inside,outside) tcp <public cup ip address> 5061 <routing cup private address> 5061 netmask 255.255.255.255

Cisco Adaptive Security Appliance Release 8.3 NAT Command:

object network obj_host_<public cup ip address>
 host <public cup ip address>

(For example: object network obj_host_10.10.10.10)

object network obj_host_<routing cup private address>
 host <routing cup private address>

object service obj_tcp_source_eq_5061
 service tcp source eq 5061

object service obj_tcp_source_eq_5062
 service tcp source eq 5062

nat (inside,outside) source static obj_host_<routing cup private address> obj_host_<public cup ip address> service obj_tcp_source_eq_5062 obj_tcp_source_eq_5061

If the routing CUP peer auth listening port is 5061, use the command:

nat (inside,outside) source static obj_host_<routing cup private address> obj_host_<public cup ip address> service obj_tcp_source_eq_5061 obj_tcp_source_eq_5061

Row 2 (port 5080)

Cisco Adaptive Security Appliance Release 8.2 Static Command:

static (inside,outside) tcp <public cup ip address> 5080 <routing cup private address> 5080 netmask 255.255.255.255

Cisco Adaptive Security Appliance Release 8.3 NAT Command:

object service obj_tcp_source_eq_5080
 service tcp source eq 5080

nat (inside,outside) source static obj_host_<routing cup private address> obj_host_<public cup ip address> service obj_tcp_source_eq_5080 obj_tcp_source_eq_5080

Row 3 (port 5060)

Cisco Adaptive Security Appliance Release 8.2 Static Command:

static (inside,outside) tcp <public cup ip address> 5060 <routing cup private address> 5060 netmask 255.255.255.255

Cisco Adaptive Security Appliance Release 8.3 NAT Command:

object service obj_tcp_source_eq_5060
 service tcp source eq 5060

Note 5060 displays as 'sip' in the service object.

nat (inside,outside) source static obj_host_<routing cup private address> obj_host_<public cup ip address> service obj_tcp_source_eq_5060 obj_tcp_source_eq_5060

Row 4 (port 5062)

Cisco Adaptive Security Appliance Release 8.2 Static Command:

static (inside,outside) tcp <public cup ip address> 5062 <routing cup private address> 5062 netmask 255.255.255.255

Cisco Adaptive Security Appliance Release 8.3 NAT Command:

nat (inside,outside) source static obj_host_<routing cup private address> obj_host_<public cup ip address> service obj_tcp_source_eq_5062 obj_tcp_source_eq_5062


Related Topics

• Static PAT for New Requests, page 6-7

• PAT Configuration for Intercluster or Intracluster Cisco Unified Presence Release 8.x Nodes, page 6-11

• PAT Configuration for Intercluster Cisco Unified Presence Release 7.x Nodes, page 6-13


PAT Configuration for Intercluster or Intracluster Cisco Unified Presence Release 8.x Nodes

In a multi-node or an intercluster Cisco Unified Presence deployment, if the non-routing nodes in your Cisco Unified Presence Release 8.x clusters communicate directly with Cisco Adaptive Security Appliance, you must configure a set of static PAT commands for each of these nodes. The commands listed below are an example of a set of the static PAT commands you must configure for a single node.

You must use an unused arbitrary port. We recommend that you choose a corresponding number: for example, port 5080 maps to the unused port X5080, where X is a number that uniquely identifies a Cisco Unified Presence intercluster or intracluster server. For example, 45080 uniquely maps to one node and 55080 uniquely maps to another node.

Table 6-3 shows the NAT commands for the non-routing Cisco Unified Presence Release 8.x nodes. Repeat the commands for each non-routing Cisco Unified Presence Release 8.x node.

Note For Cisco Adaptive Security Appliance 8.3 configuration, you only need to define an object once and you can reference that object in multiple commands; you do not need to repeatedly define the same object.

Table 6-3 NAT commands for non-routing Cisco Unified Presence Release 8.x nodes

Row 1 (public port 45062 to the peer auth listener port)

Cisco Adaptive Security Appliance Release 8.2 Static Command:

static (inside,outside) tcp <public CUP address> 45062 <intercluster cup8 private address> 5062 netmask 255.255.255.255

If the intercluster Cisco Unified Presence peer auth listening port is 5061, use the command:

static (inside,outside) tcp <public CUP address> 45061 <intercluster cup8 private address> 5061 netmask 255.255.255.255

Cisco Adaptive Security Appliance Release 8.3 NAT Command:

object network obj_host_<intercluster cup8 private address>
 host <intercluster cup8 private address>

object service obj_tcp_source_eq_45062
 service tcp source eq 45062

nat (inside,outside) source static obj_host_<intercluster cup8 private address> obj_host_<public cup ip address> service obj_tcp_source_eq_5062 obj_tcp_source_eq_45062

If the intercluster Cisco Unified Presence peer auth listening port is 5061, use the command:

object service obj_tcp_source_eq_45061
 service tcp source eq 45061

nat (inside,outside) source static obj_host_<intercluster cup8 private address> obj_host_<public cup ip address> service obj_tcp_source_eq_5061 obj_tcp_source_eq_45061

Row 2 (public port 45080 to port 5080)

Cisco Adaptive Security Appliance Release 8.2 Static Command:

static (inside,outside) tcp <public cup ip address> 45080 <intercluster cup8 private address> 5080 netmask 255.255.255.255

Cisco Adaptive Security Appliance Release 8.3 NAT Command:

object service obj_tcp_source_eq_45080
 service tcp source eq 45080

nat (inside,outside) source static obj_host_<intercluster cup8 private address> obj_host_<public cup ip address> service obj_tcp_source_eq_5080 obj_tcp_source_eq_45080

Row 3 (public port 45060 to port 5060)

Cisco Adaptive Security Appliance Release 8.2 Static Command:

static (inside,outside) tcp <public cup ip address> 45060 <intercluster cup8 private address> 5060 netmask 255.255.255.255

Cisco Adaptive Security Appliance Release 8.3 NAT Command:

object service obj_tcp_source_eq_45060
 service tcp source eq 45060

nat (inside,outside) source static obj_host_<intercluster cup8 private address> obj_host_<public cup ip address> service obj_tcp_source_eq_5060 obj_tcp_source_eq_45060

Related Topics

• Static PAT for New Requests, page 6-7

• PAT Configuration for Routing Cisco Unified Presence Release 8.x Node, page 6-9

• PAT Configuration for Intercluster Cisco Unified Presence Release 7.x Nodes, page 6-13


PAT Configuration for Intercluster Cisco Unified Presence Release 7.x Nodes

In a multi-node or an intercluster Cisco Unified Presence deployment, if nodes in your Cisco Unified Presence Release 7.x clusters communicate directly with Cisco Adaptive Security Appliance, you must configure a set of static PAT commands for each of these nodes. The commands listed below are an example of a set of the static PAT commands you must configure for a single node.

You must use an unused arbitrary port. We recommend that you choose a corresponding number: for example, port 5070 maps to the unused port X5070, where X is a number that uniquely identifies a Cisco Unified Presence intercluster or intracluster server. For example, 65070 uniquely maps to one node and 75070 uniquely maps to another node.

Table 6-4 shows the NAT commands for intercluster Cisco Unified Presence Release 7.x nodes. Repeat the commands for each node.

Note For Cisco Adaptive Security Appliance 8.3 configuration, you only need to define an object once and you can reference that object in multiple commands; you do not need to repeatedly define the same object.

Table 6-4 NAT commands for intercluster Cisco Unified Presence Release 7.x nodes

Row 1 (public port 55062 to the peer auth listener port)

Cisco Adaptive Security Appliance Release 8.2 Static Command:

static (inside,outside) tcp <public CUP address> 55062 <intercluster cup7 private address> 5062 netmask 255.255.255.255

If the intercluster CUP peer auth listening port is 5061, use the command:

static (inside,outside) tcp <public CUP address> 55061 <intercluster cup7 private address> 5061 netmask 255.255.255.255

Cisco Adaptive Security Appliance Release 8.3 NAT Command:

object network obj_host_<intercluster cup7 private address>
 host <intercluster cup7 private address>

object service obj_tcp_source_eq_55062
 service tcp source eq 55062

nat (inside,outside) source static obj_host_<intercluster cup7 private address> obj_host_<public cup ip address> service obj_tcp_source_eq_5062 obj_tcp_source_eq_55062

If the intercluster Cisco Unified Presence peer auth listening port is 5061, use the command:

object service obj_tcp_source_eq_55061
 service tcp source eq 55061

nat (inside,outside) source static obj_host_<intercluster cup7 private address> obj_host_<public cup ip address> service obj_tcp_source_eq_5061 obj_tcp_source_eq_55061


There is a limitation with intercluster deployments and SIP federation with AOL; refer to Intercluster Deployments and SIP Federation with AOL, page 1-4 for details.

Related Topics

• Static PAT for New Requests, page 6-7

• PAT Configuration for Routing Cisco Unified Presence Release 8.x Node, page 6-9

• PAT Configuration for Intercluster or Intracluster Cisco Unified Presence Release 8.x Nodes, page 6-11

• Intercluster Deployments and SIP Federation with AOL, page 1-4

Failover on Cisco Adaptive Security Appliance

For a detailed description of configuring failover for Cisco Adaptive Security Appliance, refer to the Cisco Security Appliance Command Line Configuration Guide. If you are considering deploying failover for Cisco Adaptive Security Appliance in your federated network, note the following:

• Failover is supported in active/standby mode. With active/standby failover, only one Cisco Adaptive Security Appliance passes traffic while the other waits in a standby state.

• In terms of hardware requirements, the two Cisco Adaptive Security Appliances in a failover deployment must have exactly the same hardware configuration.

• In terms of software requirements, the two Cisco Adaptive Security Appliances in a failover configuration must be in the same operating mode, and must have the same software version.

• In terms of licensing, active/standby failover requires a Security Plus license or an Unrestricted (UR) license.

Note Cisco Adaptive Security Appliance does not support a TLS stateful or graceful failover. Existing TLS connections must be reestablished following a failover to the standby Cisco Adaptive Security Appliance.

Table 6-4 NAT commands for intercluster Cisco Unified Presence Release 7.x nodes

Cisco Adaptive Security Appliance Release 8.2 static command:

static (inside,outside) tcp <public cup ip address> 55070 <intercluster cup7 private address> 5070 netmask 255.255.255.255

Cisco Adaptive Security Appliance Release 8.3 NAT command:

object service obj_tcp_source_eq_55070
 service tcp source eq 55070

nat (inside,outside) source static obj_host_<intercluster cup7 private address> obj_host_<public cup ip address> service obj_tcp_source_eq_5070 obj_tcp_source_eq_55070

Cisco Adaptive Security Appliance Release 8.2 static command:

static (inside,outside) udp <public cup ip address> 55070 <intercluster cup7 private address> 5070 netmask 255.255.255.255

Cisco Adaptive Security Appliance Release 8.3 NAT command:

object service obj_udp_source_eq_55070
 service udp source eq 55070

nat (inside,outside) source static obj_host_<intercluster cup7 private address> obj_host_<public cup ip address> service obj_udp_source_eq_5070 obj_udp_source_eq_55070

Cisco Adaptive Security Appliance Upgrade Options for Existing Deployments

If you upgrade from Cisco Adaptive Security Appliance Release 8.2 to Release 8.3, Cisco Adaptive Security Appliance migrates the existing commands seamlessly during the upgrade.

Note Once you upgrade to Cisco Unified Presence Release 8.x, you must open port 5080 on Cisco Adaptive Security Appliance for each Cisco Unified Presence 8.x node located behind Cisco Adaptive Security Appliance. This is independent of whether you have upgraded Cisco Adaptive Security Appliance also.

Use one of the following upgrade procedures when you upgrade both Cisco Unified Presence and Cisco Adaptive Security Appliance in your existing federation deployment:

Upgrade Procedure Option 1:

1. Upgrade Cisco Unified Presence to Release 8.x.

2. Configure NAT rules for port 5080 on Cisco Adaptive Security Appliance.

3. Confirm that federation is working in your deployment after the Cisco Unified Presence upgrade.

4. Upgrade Cisco Adaptive Security Appliance to Release 8.3.

5. Confirm that federation is working in your deployment after the Cisco Adaptive Security Appliance upgrade.

Upgrade Procedure Option 2:

1. Upgrade both Cisco Unified Presence nodes to Release 8.x and Cisco Adaptive Security Appliance to Release 8.3.

2. After both upgrades, configure NAT rules for port 5080 on Cisco Adaptive Security Appliance.

3. Confirm that federation is working in your deployment.

These are the commands you require to open port 5080 for each Cisco Unified Presence Release 8.x node that sits behind Cisco Adaptive Security Appliance:

Cisco Adaptive Security Appliance Release 8.2 static commands:

static (inside,outside) tcp <public cup ip address> 5080 <routing cup private address> 5080 netmask 255.255.255.255

static (inside,outside) tcp <public cup ip address> 45080 <intercluster cup8 private address> 5080 netmask 255.255.255.255

Cisco Adaptive Security Appliance Release 8.3 NAT commands:

object service obj_tcp_source_eq_5080
 service tcp source eq 5080

nat (inside,outside) source static obj_host_<routing cup private address> obj_host_<public cup ip address> service obj_tcp_source_eq_5080 obj_tcp_source_eq_5080

object service obj_tcp_source_eq_45080
 service tcp source eq 45080

nat (inside,outside) source static obj_host_<intercluster cup8 private address> obj_host_<public cup ip address> service obj_tcp_source_eq_5080 obj_tcp_source_eq_45080

Note Configure the intercluster commands for each intercluster Cisco Unified Presence 8.x server, and use a different arbitrary public port (45080 in this example) for each.
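As an added example (not Cisco's code or part of this guide), the following Python script generates both forms of the commands above for a routing node and any number of intercluster nodes, in Release 8.2 static syntax and Release 8.3 object/NAT syntax, and refuses to emit rules whose public ports collide, which is the mistake the note above guards against. The addresses and the arbitrary ports 45080 and 45081 are constructed; the object names follow the obj_host_<address> pattern used in this chapter with dots replaced by underscores, which is an assumption and not a Cisco convention.

```python
"""Generate the ASA port-forwarding commands shown above for a CUP 8.x
routing node and its intercluster peers, in both Release 8.2 'static' and
Release 8.3 object/NAT syntax, while enforcing the rule that every
intercluster node gets its own arbitrary public port.
Added example, not Cisco's code. IPs and ports below are constructed."""
from dataclasses import dataclass

CUP_PORT = 5080  # port each CUP 8.x node listens on behind the ASA


@dataclass(frozen=True)
class CupNode:
    name: str
    private_ip: str
    public_port: int  # port exposed for this node on the ASA outside address


def obj_host(ip: str) -> str:
    # Assumed naming convention: obj_host_<address with dots as underscores>.
    return "obj_host_" + ip.replace(".", "_")


def asa82_static(public_ip: str, node: CupNode) -> str:
    """Release 8.2: one 'static' line maps <public>:<public_port> to <private>:5080."""
    return (f"static (inside,outside) tcp {public_ip} {node.public_port} "
            f"{node.private_ip} {CUP_PORT} netmask 255.255.255.255")


def asa83_blocks(public_ip: str, node: CupNode) -> list[tuple[str, ...]]:
    """Release 8.3: network objects, source-port service objects and a twice-NAT
    rule that rewrites source port 5080 to the node's public port."""
    return [
        (f"object network {obj_host(node.private_ip)}", f" host {node.private_ip}"),
        (f"object network {obj_host(public_ip)}", f" host {public_ip}"),
        (f"object service obj_tcp_source_eq_{CUP_PORT}",
         f" service tcp source eq {CUP_PORT}"),
        (f"object service obj_tcp_source_eq_{node.public_port}",
         f" service tcp source eq {node.public_port}"),
        (f"nat (inside,outside) source static {obj_host(node.private_ip)} "
         f"{obj_host(public_ip)} service obj_tcp_source_eq_{CUP_PORT} "
         f"obj_tcp_source_eq_{node.public_port}",),
    ]


def check_ports(routing: CupNode, intercluster: list[CupNode]) -> None:
    """The routing node must stay on public port 5080; every other node needs a
    distinct arbitrary public port, otherwise two NAT rules would collide."""
    if routing.public_port != CUP_PORT:
        raise ValueError("routing node must be published on port 5080")
    seen = {CUP_PORT}
    for node in intercluster:
        if node.public_port in seen:
            raise ValueError(f"{node.name}: public port {node.public_port} already used")
        seen.add(node.public_port)


def generate(public_ip: str, routing: CupNode,
             intercluster: list[CupNode]) -> dict[str, list[str]]:
    check_ports(routing, intercluster)
    nodes = [routing, *intercluster]
    # dict.fromkeys de-duplicates shared objects (public host, port 5080) in order.
    blocks = dict.fromkeys(b for n in nodes for b in asa83_blocks(public_ip, n))
    return {
        "asa82": [asa82_static(public_ip, n) for n in nodes],
        "asa83": [line for block in blocks for line in block],
    }


if __name__ == "__main__":
    routing = CupNode("cup-routing", "10.10.1.10", CUP_PORT)
    peers = [CupNode("cup-b", "10.10.1.11", 45080), CupNode("cup-c", "10.10.1.12", 45081)]
    for section, lines in generate("203.0.113.10", routing, peers).items():
        print(f"! --- {section} ---")
        print("\n".join(lines))
```

The same pattern, with 5070 in place of 5080 and a UDP variant added, reproduces Table 6-4 for Release 7.x intercluster nodes. Paste the generated lines into the appliance and confirm with show running-config nat that each intercluster node appears with its own public port.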

Chapter 7 Configuring the TLS Proxy on Cisco Adaptive Security Appliance

April 4, 2011

Note For up to date release information on configuring the TLS proxy, please refer to the Cisco Adaptive Security Appliance Configuration Guide at the following URL: http://www.cisco.com/en/US/products/ps6120/tsd_products_support_configure.html

• TLS Proxy, page 7-1

• Access List Configuration Requirements, page 7-2

• Configuring the TLS Proxy Instances, page 7-4

• Associating an Access List with a TLS Proxy Instance Using Class Maps, page 7-5

• Enabling the TLS Proxy, page 7-6

• Configuring Cisco Adaptive Security Appliance for an Intercluster Deployment, page 7-6

Note Only Cisco Unified Presence Release 8.5(2) or higher supports interdomain federation with Microsoft Lync. For Cisco Unified Presence Release 8.5(2) or higher, any reference to interdomain federation with OCS also includes Microsoft Lync, unless explicitly stated otherwise.

TLS Proxy

Cisco Adaptive Security Appliance acts as a TLS proxy between Cisco Unified Presence and the foreign server. The appliance terminates the TLS connection from whichever side initiates it, and establishes a separate TLS connection to the other side. The TLS proxy decrypts the SIP messages on the incoming leg, inspects and modifies them as required, and re-encrypts them on the outgoing leg. Because the appliance handles the SIP signaling in cleartext between the two legs, both Cisco Unified Presence and the foreign server must trust the certificates that the appliance presents to them.

Note Before configuring the TLS proxy, you must configure the Cisco Adaptive Security Appliance security certificates between Cisco Adaptive Security Appliance and Cisco Unified Presence, and between Cisco Adaptive Security Appliance and the foreign server. Complete the procedures in the following sections to accomplish this:

• How to Configure Security Certificate Exchange Between Cisco Unified Presence and Cisco Adaptive Security Appliance, page 5-1

• How to Configure Security Certificate Exchange Between Cisco Adaptive Security Appliance and Microsoft Access Edge (External Interface) Using a Microsoft CA, page 5-5

Related Topics

Common Cisco Adaptive Security Appliance Problems and Recommended Actions, page 15-1.

Access List Configuration Requirements

This section lists the access list configuration requirements for a single Cisco Unified Presence deployment.

Note • For each access list, you must configure a corresponding class-map, and configure an entry in the policy-map global policy.

• You can check the peer auth listener port on Cisco Unified Presence by selecting Cisco Unified Presence Administration > System > Application Listeners.

Deployment Scenario:

A Cisco Unified Presence server federating with one or more foreign domains

Configuration Requirement:

Configure the following two access lists for each foreign domain that Cisco Unified Presence federates with:

• Configure an access list to allow Cisco Unified Presence to send messages to the foreign domain on port 5061.

• Configure an access list to allow Cisco Unified Presence to receive messages from the foreign domain on port 5061, or if you use Cisco Adaptive Security Appliance Release 8.3, the actual port that Cisco Unified Presence listens on for SIP federation (check the peer auth listener port on Cisco Unified Presence).

Configuration Example:

access-list ent_cup_to_foreign_server extended permit tcp host <routing cup private address> host <foreign public address> eq 5061

Cisco Adaptive Security Appliance Release 8.2:

access-list ent_foreign_server_to_cup extended permit tcp host <foreign public address> host <CUP public address> eq 5061

Cisco Adaptive Security Appliance Release 8.3:

access-list ent_foreign_server_to_cup extended permit tcp host <foreign public address> host <CUP private address> eq 5061

Note In the access list above 5061 is the port that Cisco Unified Presence listens on for SIP messaging. If Cisco Unified Presence listens on port 5062, specify 5062 in the access list.

Deployment Scenario:

Intercluster deployment

(This also applies to a multi-node deployment)

Configuration Requirement:

Configure the following two access lists for each intercluster Cisco Unified Presence server.

• Configure an access list to allow Cisco Unified Presence to send messages to the foreign domain on port 5061.

• Configure an access list to allow Cisco Unified Presence to receive messages from the foreign domain on the arbitrary public port you assigned to that server (Cisco Adaptive Security Appliance Release 8.2), or, if you use Cisco Adaptive Security Appliance Release 8.3, the actual port that Cisco Unified Presence listens on for SIP federation (check the peer auth listener port on Cisco Unified Presence).

Configuration Example:

access-list ent_intercluster_cup_to_foreign_server extended permit tcp host <intercluster cup private address> host <foreign public address> eq 5061

Cisco Adaptive Security Appliance Release 8.2:

access-list ent_foreign_server_to_intercluster_cup extended permit tcp host <foreign public address> host <cup public address> eq <arbitrary port>

Cisco Adaptive Security Appliance Release 8.3:

access-list ent_foreign_server_to_intercluster_cup extended permit tcp host <foreign public address> host <intercluster cup private address> eq 5061

Note In the access list above, 5061 is the port that Cisco Unified Presence listens on for SIP messaging. If Cisco Unified Presence listens on port 5062, specify 5062 in the access list.

Related Topics

• Sample Cisco Adaptive Security Appliance Configuration, page A-1

• Configuring the TLS Proxy Instances, page 7-4

• Associating an Access List with a TLS Proxy Instance Using Class Maps, page 7-5

• Enabling the TLS Proxy, page 7-6

Configuring the TLS Proxy Instances

For this integration, you need to create two TLS proxy instances. The first TLS proxy handles the TLS connections initiated by Cisco Unified Presence, where Cisco Unified Presence is the client and the foreign domain is the server; in this case Cisco Adaptive Security Appliance acts as the TLS server facing the client, Cisco Unified Presence. The second TLS proxy handles the TLS connections initiated by the foreign domain, where the foreign domain is the client and Cisco Unified Presence is the server.

The TLS proxy instance defines “trustpoints” for both the server and the client. The direction from which the TLS handshake is initiated determines the trustpoint defined in the server and client commands:

• If the TLS handshake initiates from Cisco Unified Presence to the foreign domain, the server command specifies the trustpoint that contains the Cisco Adaptive Security Appliance self-signed certificate. The client command specifies the trustpoint that contains the Cisco Adaptive Security Appliance certificate that is used in the TLS handshake between Cisco Adaptive Security Appliance and the foreign domain.

• If the handshake initiates from the foreign domain to Cisco Unified Presence, the server command specifies the trustpoint that contains the Cisco Adaptive Security Appliance certificate the TLS handshake uses between Cisco Adaptive Security Appliance and the foreign domain. The client command specifies the trustpoint that contains the Cisco Adaptive Security Appliance self-signed certificate.

Before You Begin

• Complete the steps in Access List Configuration Requirements, page 7-2.

Procedure

Step 1 Enter config mode:

> enable
Password: <password>
# config t

Step 2 Create a TLS proxy instance for TLS connections initiated by Cisco Unified Presence. This example creates a TLS proxy instance called ent_cup_to_foreign:

tls-proxy ent_cup_to_foreign
 server trust-point cup_proxy
 client trust-point <trustpoint_name>
 client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1

Note null-sha1 negotiates a TLS session with integrity protection but no encryption on that leg. List it only if the foreign domain requires it.

Step 3 Create a TLS proxy instance for TLS connections initiated by a foreign domain. This example creates a TLS proxy instance called foreign_to_cup:

tls-proxy ent_foreign_to_cup
 server trust-point <trustpoint_name>
 client trust-point cup_proxy
 client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1

What To Do Next

Associating an Access List with a TLS Proxy Instance Using Class Maps, page 7-5

Associating an Access List with a TLS Proxy Instance Using Class Maps

Using the class map command, you need to associate a TLS Proxy instance to each of the foreign domain access lists you defined previously.

Before You Begin

Complete the steps in Configuring the TLS Proxy Instances, page 7-4

Procedure

Step 1 Enter config mode:

> enable
Password: <password>
# config t

Step 2 Associate each of your access lists with the TLS proxy instance that the class map uses. The TLS proxy you select depends on whether the class-map is for messages from Cisco Unified Presence to a foreign domain, or from a foreign domain to Cisco Unified Presence.

In the example below, the access list for messages sent from Cisco Unified Presence to a foreign domain is associated with the class map that the TLS proxy instance for TLS connections initiated by Cisco Unified Presence, ent_cup_to_foreign, will be applied to. The access list name must match the one you defined previously (the earlier example named it ent_cup_to_foreign_server):

class-map ent_cup_to_foreign
 match access-list ent_cup_to_foreign

In the example below, the access list for messages sent from a foreign domain to Cisco Unified Presence is associated with the class map that the TLS proxy instance for TLS connections initiated by the foreign server, ent_foreign_to_cup, will be applied to:

class-map ent_foreign_to_cup
 match access-list ent_foreign_to_cup

Step 3 If you have an intercluster Cisco Unified Presence deployment, configure a class map for each Cisco Unified Presence server, and associate it with the appropriate access list that you defined previously for that server, for example:

class-map ent_second_cup_to_foreign
 match access-list ent_second_cup_to_foreign

class-map ent_foreign_to_second_cup
 match access-list ent_foreign_to_second_cup

What To Do Next

Enabling the TLS Proxy, page 7-6

Enabling the TLS Proxy

Using the policy-map command, you need to enable the TLS proxy for each class map you created in the previous section.

Note You cannot use a High security sip-inspect policy map on Cisco Adaptive Security Appliance for a federated deployment because the configuration will fail. You must use a Low/Medium security policy map.

Before You Begin

Complete the steps in Associating an Access List with a TLS Proxy Instance Using Class Maps, page 7-5

Procedure

Step 1 Enter config mode:

> enable
Password: <password>
# config t

Step 2 Define the sip-inspect policy map, for example:

policy-map type inspect sip sip_inspect
 parameters
 ! SIP inspection parameters

Step 3 Define the global policy map, for example:

policy-map global_policy
 class ent_cup_to_foreign
  inspect sip sip_inspect tls-proxy ent_cup_to_foreign

Add a class entry of this form for every class map you created, naming the TLS proxy instance for the direction that the class map's access list describes.
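The requirement stated in Access List Configuration Requirements, that every access list has a class map and every class map has an entry in the global policy with the TLS proxy for its direction, is easy to break when intercluster nodes are added later. The following Python script, added here as an example and not part of Cisco's documentation or software, parses a configuration fragment of the form this chapter builds and reports each omission, including a TLS proxy whose trustpoints face the wrong way for the traffic direction (see Configuring the TLS Proxy Instances) and an inbound access list whose port does not match the peer auth listener port. SAMPLE_CONFIG is constructed input; cup_proxy is the trustpoint name this chapter uses for the certificate facing Cisco Unified Presence, and asa_external is an assumed name for the trustpoint facing the foreign domain.

```python
"""Consistency check for the access-list / class-map / tls-proxy / policy-map
chain built in this chapter. Added example, not Cisco's code. SAMPLE_CONFIG is
constructed input; cup_proxy is the chapter's CUP-facing trustpoint name and
asa_external an assumed name for the trustpoint facing the foreign domain."""
import re

ACL_RE = re.compile(r"^access-list (\S+) extended permit tcp host (\S+) host (\S+) eq (\d+)$")
SAMPLE_CONFIG = """\
access-list ent_cup_to_foreign extended permit tcp host 10.10.1.10 host 198.51.100.20 eq 5061
access-list ent_foreign_to_cup extended permit tcp host 198.51.100.20 host 10.10.1.10 eq 5061
tls-proxy ent_cup_to_foreign
 server trust-point cup_proxy
 client trust-point asa_external
 client cipher-suite aes128-sha1 aes256-sha1 3des-sha1
tls-proxy ent_foreign_to_cup
 server trust-point asa_external
 client trust-point cup_proxy
 client cipher-suite aes128-sha1 aes256-sha1 3des-sha1
class-map ent_cup_to_foreign
 match access-list ent_cup_to_foreign
class-map ent_foreign_to_cup
 match access-list ent_foreign_to_cup
policy-map global_policy
 class ent_cup_to_foreign
  inspect sip sip_inspect tls-proxy ent_cup_to_foreign
 class ent_foreign_to_cup
  inspect sip sip_inspect tls-proxy ent_foreign_to_cup
"""


def parse(config: str) -> dict:
    """Collect ACLs, then group each indented line under its top-level command."""
    lines = [l for l in config.splitlines() if l.strip()]
    acls = {m[1]: (m[2], m[3], int(m[4])) for m in map(ACL_RE.match, lines) if m}
    proxies, cmaps, policy, block, cur_class = {}, {}, {}, ("", ""), None
    for raw in lines:
        line = raw.strip()
        if raw[0] not in " \t":  # top-level command starts a new block
            kind, _, name = line.partition(" ")
            block = (kind, name)
            if kind == "tls-proxy":
                proxies[name] = {}
            elif kind == "class-map":
                cmaps[name] = None
            continue
        kind, name = block
        words = line.split()
        if kind == "tls-proxy" and line.startswith(("server trust-point ", "client trust-point ")):
            proxies[name][words[0]] = words[-1]  # which side of the proxy uses which cert
        elif kind == "tls-proxy" and line.startswith("client cipher-suite "):
            proxies[name]["ciphers"] = words[2:]
        elif kind == "class-map" and line.startswith("match access-list "):
            cmaps[name] = words[-1]
        elif block == ("policy-map", "global_policy") and words[0] == "class":
            cur_class = words[1]
        elif block == ("policy-map", "global_policy") and line.startswith("inspect sip "):
            policy[cur_class] = line
    return {"acls": acls, "proxies": proxies, "cmaps": cmaps, "policy": policy}


def check(config: str, cup_private: set[str], peer_auth_port: int,
          cup_trustpoint: str = "cup_proxy") -> list[str]:
    """One finding per problem; an empty list means the chain is complete."""
    cfg = parse(config)
    acl_to_cmap = {acl: cm for cm, acl in cfg["cmaps"].items() if acl}
    findings = []
    for acl, (_src, dst, port) in cfg["acls"].items():
        cm = acl_to_cmap.get(acl)
        if cm is None:
            findings.append(f"{acl}: no class-map matches this access list")
            continue
        inspect = cfg["policy"].get(cm)
        if inspect is None:
            findings.append(f"{cm}: not enabled in policy-map global_policy")
            continue
        m = re.search(r"tls-proxy (\S+)$", inspect)
        proxy = cfg["proxies"].get(m.group(1)) if m else None
        if proxy is None:
            findings.append(f"{cm}: inspect sip names no configured tls-proxy")
            continue
        inbound = dst in cup_private  # foreign domain initiates toward CUP
        if inbound and port != peer_auth_port:
            findings.append(f"{acl}: port {port} != peer auth listener port {peer_auth_port}")
        # CUP-initiated: the ASA is the TLS server toward CUP, so 'server trust-point'
        # must be the CUP-facing one; foreign-initiated: the ASA is the TLS client.
        side = "client" if inbound else "server"
        if proxy.get(side) != cup_trustpoint:
            findings.append(f"{m.group(1)}: {side} trust-point should be {cup_trustpoint}")
        if "null-sha1" in proxy.get("ciphers", []):
            findings.append(f"{m.group(1)}: null-sha1 permits an unencrypted SIP leg")
    return findings
```

Run check() against the output of show running-config with the private addresses of your Cisco Unified Presence nodes and the peer auth listener port from Cisco Unified Presence Administration > System > Application Listeners. The script deliberately reports null-sha1 because a TLS proxy leg negotiated with that suite carries the SIP signaling without encryption.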

Configuring Cisco Adaptive Security Appliance for an Intercluster Deployment

For an intercluster Cisco Unified Presence deployment, you must perform the following configuration on the Cisco Adaptive Security Appliance for each additional Cisco Unified Presence server.

Procedure

Step 1 Create an additional access list for the Cisco Unified Presence server.

Step 2 Generate and import the Cisco Adaptive Security Appliance security certificate onto the Cisco Unified Presence server.

Step 3 Generate and import the Cisco Unified Presence security certificate onto Cisco Adaptive Security Appliance.

Step 4 Configure a class map for each foreign domain.

Step 5 Include the class maps in the global policy map.

Related Topics

• How to Configure Security Certificate Exchange Between Cisco Unified Presence and Cisco Adaptive Security Appliance, page 5-1

• Associating an Access List with a TLS Proxy Instance Using Class Maps, page 7-5

• Enabling the TLS Proxy, page 7-6

• About Intercluster and Multi-node Deployments, page 1-5

Chapter 8 Configuring Interdomain Federation to Microsoft OCS within an Enterprise

April 4, 2011

• How to Configure Static Routes Using TCP for Federation with Microsoft OCS Domain, page 8-1

• How to Configure Static Routes Using TLS for Federation with Microsoft OCS Domain, page 8-4

Note • If you configure federation within the enterprise, in addition to the static routes, you must configure a SIP federation domain on Cisco Unified Presence. See Adding a SIP Federated Domain, page 4-2.

• Refer to Federation and Subdomains, page 1-24, for information on federation and subdomains. As long as the OCS and Cisco Unified Presence domains are different, you can configure federation within the enterprise; you do not have to use subdomains, separate domains are equally applicable.

How to Configure Static Routes Using TCP for Federation with Microsoft OCS Domain

This section describes how to configure static routes using TCP for direct federation between Cisco Unified Presence and Microsoft OCS. Neither Cisco Adaptive Security Appliance nor Microsoft Access Edge is required. Note that with TCP the SIP signaling between Cisco Unified Presence and OCS is sent in cleartext; if that traffic crosses a network you do not trust, use the procedure in How to Configure Static Routes Using TLS for Federation with Microsoft OCS Domain, page 8-4 instead.

Caution The domain portion of the Routing Proxy FQDN parameter value cannot be the same as the Microsoft OCS domain. To view or edit the Routing Proxy FQDN parameter, select Cisco Unified Presence Administration > System > Service Parameters, and select the Cisco UP SIP Proxy service.

• Configuring a Static Route on Cisco Unified Presence for the OCS Server, page 8-2

• Configuring a Static Route on OCS for the Cisco Unified Presence server, page 8-2

• Adding a Host Authorization entry for the Cisco Unified Presence server, page 8-3

• Enabling Port 5060 on the OCS Server, page 8-3

Configuring a Static Route on Cisco Unified Presence for the OCS Server

To configure Cisco Unified Presence to use TCP when exchanging IM and presence with a federated Microsoft OCS domain, you must configure a static route on Cisco Unified Presence that points to the OCS server (and not the external edge of Microsoft Access Edge).

Procedure

Step 1 Select Cisco Unified Presence Administration > Presence > Routing > Static Routes.

Step 2 Configure the static route parameters as follows:

• The destination pattern value must be configured such that the foreign enterprise domain is reversed. For example if the domain is "domaina.com" then the Destination Pattern value must be ‘.com.domaina.*’

• The Next Hop value is the OCS FQDN or IP address.

• The Next Hop Port number is 5060.

• The Route Type value is domain.

• The Protocol Type is TCP.

Step 3 Click Save.
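The following Python function, an added example and not part of Cisco's documentation, composes the static route fields from Step 2 for any federated OCS domain and enforces the Caution above about the Routing Proxy FQDN. It defaults the Next Hop Port per transport (5060 for TCP, 5061 for TLS, as used in this chapter), so it also serves the TLS variant described later. The domain and host names are constructed.

```python
"""Compose the Cisco Unified Presence static-route entry for a federated OCS
domain and apply the two constraints this section states: the destination
pattern is the reversed domain, and the Routing Proxy FQDN must not sit in the
OCS domain. Added example, not Cisco's code; FQDNs below are constructed."""

DEFAULT_PORT = {"TCP": 5060, "TLS": 5061}  # ports this chapter uses per transport


def destination_pattern(domain: str) -> str:
    """domaina.com -> .com.domaina.*  (labels reversed, leading dot, trailing .*)"""
    labels = domain.strip().strip(".").lower().split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a usable domain: {domain!r}")
    return "." + ".".join(reversed(labels)) + ".*"


def domain_part(fqdn: str) -> str:
    """Everything after the host label, e.g. cup1.example.net -> example.net."""
    _host, _, rest = fqdn.lower().strip(".").partition(".")
    return rest


def static_route(ocs_domain: str, next_hop: str, protocol: str,
                 routing_proxy_fqdn: str, port: int = 0) -> dict:
    """Return the Static Routes form fields; raise ValueError on a bad combination."""
    proto = protocol.upper()
    if proto not in DEFAULT_PORT:
        raise ValueError("protocol type must be TCP or TLS")
    # Caution in this section: the domain portion of the Routing Proxy FQDN
    # cannot be the same as the Microsoft OCS domain.
    if domain_part(routing_proxy_fqdn) == ocs_domain.lower().strip("."):
        raise ValueError("Routing Proxy FQDN domain must differ from the OCS domain")
    return {
        "Destination Pattern": destination_pattern(ocs_domain),
        "Next Hop": next_hop,
        "Next Hop Port": port or DEFAULT_PORT[proto],
        "Route Type": "domain",
        "Protocol Type": proto,
    }


if __name__ == "__main__":
    # Constructed names: ocs-fe.domaina.com is the OCS front end, cup-proxy.cisco.com
    # the value of the Routing Proxy FQDN service parameter.
    for field, value in static_route("domaina.com", "ocs-fe.domaina.com", "TCP",
                                     "cup-proxy.cisco.com").items():
        print(f"{field}: {value}")
```

Check the Routing Proxy FQDN value under Cisco Unified Presence Administration > System > Service Parameters (Cisco UP SIP Proxy service) before relying on the result.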

What To Do Next

Configuring a Static Route on OCS for the Cisco Unified Presence server, page 8-2.

Configuring a Static Route on OCS for the Cisco Unified Presence Server

If you are using direct federation from Cisco Unified Presence to OCS without the Access Edge server or Cisco Adaptive Security Appliance, then you need to configure a static route from OCS to Cisco Unified Presence.

Procedure

Step 1 Click Start > Programs > Administrative Tools > Microsoft Office Communications Server 2007 on OCS.

Step 2 Right-click on the Front End server.

Step 3 Select Properties > Front End Properties.

Step 4 Click the Routing tab.

Step 5 Click Add.

Step 6 Enter the domain for the Cisco Unified Presence server, for example 'cisco.com'.

Step 7 Enter the IP of the Cisco Unified Presence server for the Next Hop IP address.

Step 8 Select TCP for the Transport value.

Step 9 Enter 5060 for the Port value.

Step 10 Click OK.

What To Do Next

Adding a Host Authorization entry for the Cisco Unified Presence server, page 8-3

Adding a Host Authorization entry for the Cisco Unified Presence server

Procedure

Step 1 Click on the Host Authorization tab on OCS.

Step 2 Perform one of the following steps:

• Enter the IP address of the authorized host if you configured a static route on OCS that specifies the next hop computer by its IP address.

• Enter the FQDN of the authorized host if you configured a static route on OCS that specifies the next hop computer by its FQDN.

Step 3 Click Add.

Step 4 Select IP.

Step 5 Enter the IP address of the Cisco Unified Presence server.

Step 6 Check Throttle as Server.

Step 7 Check Treat as Authenticated.

Note Do not check Outbound Only.

Step 8 Click OK.

Enabling Port 5060 on the OCS Server

Procedure

Step 1 Select Start > Programs > Administrative Tools > Microsoft Office Communications Server 2007 on OCS.

Step 2 Right-click on the FQDN of Front End server.

Step 3 Select Properties > Front End Properties.

Step 4 Click the General tab

Step 5 If port 5060 is not listed under Connections, select Add.

Step 6 Configure port 5060 as follows:

• Select All as the IP Address Value.

• Select 5060 as the Port Value

• Select TCP as the Transport Value

Step 7 Select OK.

How to Configure Static Routes Using TLS for Federation with Microsoft OCS Domain

Step: Configure a static route on Cisco Unified Presence for OCS

Notes: Use the procedure Configuring a Static Route on Cisco Unified Presence for the OCS Server, page 8-2 as a guide. When you configure the static route on Cisco Unified Presence, select the protocol type TLS, and make sure that the static route points to port 5061.

Step: Configure a static route on OCS for Cisco Unified Presence

Notes: Use the procedure Configuring a Static Route on OCS for the Cisco Unified Presence server, page 8-2 as a guide. When you configure the static route on OCS, select the protocol type TLS, and make sure that the static route points to port 5061 (the default is 5062).

Note When using TLS with static routes on OCS, you must specify the FQDN of the Cisco Unified Presence server, rather than an IP address.

On Cisco Unified Presence, you must also configure the Peer Auth Listener port as 5061. You configure this by selecting Cisco Unified Presence Administration > System > Application Listeners. Verify that the Peer Auth Listener port is 5061. You can configure the Server Auth Listener port to be 5062.

Step: Configure a host authorization entry for the Cisco Unified Presence FQDN

Notes: Use the procedure Adding a Host Authorization entry for the Cisco Unified Presence server, page 8-3 as a guide.

Step: Configure the certificates on OCS

Notes:

• To retrieve the CA root certificate and the OCS signed certificate, follow these procedures, applying them to the OCS server (rather than the Access Edge server):

– Downloading the CA Certification Chain, page 5-9

– Installing the CA Certification Chain, page 5-10

– Requesting a Certificate from the CA Server, page 5-11

– Downloading the Certificate from the CA Server, page 5-11

• In the OCS Front End Server Properties, ensure that the TLS listener for port 5061 on OCS is configured. (The transport can be MTLS or TLS.)

• From the OCS Front End Server Properties, select the Certificates tab, and click Select Certificate to select the OCS signed certificate.

Step: Configure OCS to use FIPS (TLSv1 rather than SSLv3), and import the CA root certificate

Notes:

1. Open the Local Security Settings on OCS.

2. In the console tree, select Local Policies.

3. Select Security Options.

4. Double-click System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.

5. Enable the security setting.

6. Select OK.

Note You may need to restart OCS for this to take effect.

7. Import the CA root certificate for the CA that signs the Cisco Unified Presence certificate into the trust store on OCS using the certificates snap-in.

Step: Configure the certificates on Cisco Unified Presence

Notes:

• On Cisco Unified Presence, upload the root certificate for the CA that signs the OCS certificate. Note the following:

– Upload the certificate as a ‘cup-trust’ certificate.

– Leave the ‘Root Certificate’ field blank.

– Use the procedure Importing the Self Signed Certificate onto Cisco Unified Presence, page 5-3 as a guide for uploading a certificate to Cisco Unified Presence.

• Generate a CSR for Cisco Unified Presence so that the Cisco Unified Presence certificate can be signed by a CA. Upload the CSR to the CA that will sign your certificate.

• When you have retrieved the CA-signed certificate and the CA root certificate, upload both to Cisco Unified Presence. Note the following:

– Upload the root certificate as a ‘cup-trust’ certificate.

– Upload the CA-signed Cisco Unified Presence certificate as a ‘cup’ certificate. Specify the root certificate .pem file as the root certificate.

• Add a TLS Peer Subject on Cisco Unified Presence for the OCS server. Follow the steps in Creating a new TLS Peer Subject, page 4-6 to create the peer subject for the OCS server. Use the FQDN of the OCS server.

• Add the TLS Peer to the Selected TLS Peer Subjects list. Follow the steps in Adding the TLS Peer to the Selected TLS Peer Subjects List, page 4-6. Note the following:

– Make sure that the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher is selected for the TLS Context Configuration.

– Make sure that you disable empty TLS fragments.

Chapter 9 Configuring the Foreign Server Components for SIP Federation

April 4, 2011

• Microsoft Component Configuration for SIP Federation, page 9-1

• About the Requirements for SIP Federation with AOL, page 9-4

Microsoft Component Configuration for SIP Federation

Table 9-1 provides a brief checklist relative to configuring federation on the Microsoft servers. For detailed instructions on setting up and deploying the OCS server and the Access Edge server, refer to the Microsoft documentation.


Table 9-1 Configuration tasks for Microsoft Components

Server: OCS Server

Task: Enable Global Federation Setting

Procedure:

1. Select Properties > Global Properties > Federation in the global forest branch in the left pane.

2. Check Enable Federation and Public IM Connectivity.

3. Enter the FQDN and the port number for the internal interface of the Access Edge server.

Task: Configure the Access Edge server address

Procedure:

1. Select Properties > Global Properties > Edge Servers in the global forest branch in the left pane.

2. Click Add in the Access Edge and Web Conferencing Edge Servers window.

3. Enter the FQDN for the internal interface of the Access Edge server.

Task: Enable Each Front End Federation Setting

Procedure:

You need to enable the federation setting for each front-end server that is federating:

1. Select Properties > Front End Properties > Federation in the front-end server branch in the left pane.

2. Check Enable Federation and Public IM Connectivity.

Task: Check your users are enabled for MOC and for Federation

Procedure:

• From the Users tab, check that your users are enabled for MOC.

• If your user is not present in this list, you need to enable the user for MOC in Microsoft Active Directory.

• You also need to enable the user for Public IM Connectivity in Microsoft Active Directory.

Refer to the Microsoft Active Directory documentation at the following URL: http://technet2.microsoft.com/windowsserver/en/technologies/featured/ad/default.mspx


Server: Access Edge Server

Task: Configure DNS

Procedure:

In the Microsoft enterprise deployment, you need to configure an external SRV record for all Access Edge Servers that points to _sipfederationtls._tcp.<domain>, over port 5061, where <domain> is the name of the SIP domain of your organization. This SRV should point to the external FQDN of the Access Edge server.

Task: Configure Cisco Unified Presence as an IM Provider

Procedure:

1. Select Start > Administrative Tools > Computer Management on the external Access Edge server.

2. Right-click Microsoft Office Communications Server 2007 in the left pane.

3. Click the IM Provider tab.

4. Click Add.

5. Check Allow the IM service provider.

6. Define the IM service provider name, for example, the Cisco Unified Presence server.

7. Define the network address of the IM service provider, in this case the public FQDN of the Cisco Unified Presence server.

8. Ensure that the IM service provider is not marked as “public”.

9. Click the filtering option Allow all communications from this provider.

10. Click OK.

In the Cisco Unified Presence enterprise deployment, you need to configure a DNS SRV record that points to _sipfederationtls._tcp.<CUP_domain> over port 5061, where <CUP_domain> is the name of the Cisco Unified Presence domain. This DNS SRV should point to the public FQDN of the Cisco Unified Presence server.

Task: Check the Access Method Settings

Procedure:

1. Right-click on Microsoft Office Communications Server 2007 in the console tree.

2. Click Properties > Access Methods.

3. Check Federation.

4. Check Allow discovery if you are using DNS SRV.

Task: Configure Access Edge to use TLSv1

Procedure:

1. Select Start > Administrative Tools > Local Security Policy to open the Local Security Policy.

Note If you are configuring this on a domain controller, the path is Start > Administrative Tools > Domain Controller Security Policy.

2. Click Security Settings > Local Policies > Security Options in the console tree.

3. Double-click the FIPS security setting in the details pane.

4. Enable the FIPS security setting.

5. Click OK.

Note There is a known issue with remote desktop to the Access Edge Server with FIPS enabled on Windows XP. Refer to Unable to Remote Desktop to Access Edge, page 15-10 for a resolution to this issue.


Related Topics

Configuring Interdomain Federation to Microsoft OCS within an Enterprise, page 8-1

About the Requirements for SIP Federation with AOL

• License Requirements for AOL Federation, page 9-4

• AOL Routing Information Requirements, page 9-5

• AOL Provisioning Information Requirements, page 9-5

License Requirements for AOL Federation

You must order the AOL-FEDERATION SKU license from Cisco to allow you to turn on interdomain federation between Cisco Unified Presence and AOL. When you submit this license request, Cisco will request from you the AOL customer routing and contact information described in the later sections of this topic. After Cisco receives your AOL customer routing and contact information, AOL federation between Cisco Unified Presence and AOL will be turned on.

Related Topics

• AOL Routing Information Requirements, page 9-5

• AOL Provisioning Information Requirements, page 9-5

Table 9-1 Configuration tasks for Microsoft Components (continued)

Server: OCS/Access Edge Server

Task: Configure the security certificates

Procedure:

• You need to configure security certificates between the OCS server and the Access Edge server.

• You will require a CA server to perform this procedure.

• Please refer to the Microsoft documentation for details on configuring security certificates between these servers.


AOL Routing Information Requirements

When you configure interdomain federation between Cisco Unified Presence and AOL SIP Access Gateway, you must provide AOL with the following information.

Deployment Type: No load balancer

Provide (for each domain):

• The public FQDN of the federation routing Cisco Unified Presence server: <sip.domain.com>

• The domain name of the Cisco Unified Presence server: @<domain.com>

Notes:

• The Cisco Unified Presence server certificate subject CN must match the FQDN of the Cisco Unified Presence server.

• The CA that signs the Cisco Unified Presence server certificate must be trusted by the AOL server.

Deployment Type: Load balancer

Provide (for each domain):

• The FQDN of the load balancer: <lb.domain.com>

• The domain name of the load balancer: @<domain.com>

Notes:

• The Cisco Unified Presence server certificate subject CN must match the FQDN of the load balancer.

• The CA that signs the Cisco Unified Presence server certificate must be trusted by the AOL server.

Also provide (for each domain):

• The secure SIP federation port of the Cisco Unified Presence server that will be used for the domain.

Notes:

• The AOL SIP Access Gateway connects (via SSL) to the IP address that is returned by an nslookup on this port. The default port is 5061.

We recommend that you work with your Cisco support representative to provide this information to AOL.

AOL Provisioning Information Requirements

• The name of the enterprise, company or other.

• The domain name used for the federation (e.g. companyabc.com).

• The FQDN of the Cisco Unified Presence server that is being used for federation.

• The customer contact details: name, email address, phone number.

• Copy of certificate(s):

– If the certificate is signed by a Certificate Authority, the root certificate, including the whole chain of certificates of the Certificate Authority, must be provided.

– The base64 encoding of the certificate(s) is required, that is, the PEM text between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

We recommend that you work with your Cisco support representative to provide this information to AOL.

Chapter 10 Configuring the Load Balancer for Redundancy for SIP Federation

• About the Load Balancer, page 10-1

• Updating the Cisco Unified Presence Servers, page 10-2

• How to Update the Cisco Adaptive Security Appliance, page 10-3

• How to Update the CA-Signed Security Certificates, page 10-6

• Updating the Microsoft Components, page 10-8

• Configuring the Load Balancer, page 10-9

About the Load Balancer

For redundancy and high-availability purposes, you can incorporate a load balancer into the federated network. Cisco recommends the Cisco CSS 11500 Content Services Switch, which is placed between the Cisco Unified Presence server and the Cisco Adaptive Security Appliance (see Figure 1-3 on page 1-8).

The load balancer terminates incoming TLS connections from Cisco Adaptive Security Appliance, and initiates a new TLS connection to route the content to the appropriate backend Cisco Unified Presence server.


Updating the Cisco Unified Presence Servers

When using a load balancer for redundancy, you must update settings on the Cisco Unified Presence publisher and subscriber nodes.

Procedure

Task: Update the federation routing parameter

Procedure: Select Cisco Unified Presence Administration > System > Service Parameters > Cisco UP SIP Proxy from the Service menu and enter these values:

• Virtual IP Address—enter the virtual IP address set on the load balancer

• Server Name—set to the FQDN of the load balancer

• Federation Routing CUP FQDN—set to the FQDN of the load balancer.

Task: Create a new TLS peer subject

Procedure:

1. Select Cisco Unified Presence Administration > System > Security > TLS Peer Subjects.

2. Click Add New and enter these values:

• Peer Subject Name—enter the external FQDN of the load balancer

• Description—enter the name of the load balancer

Task: Add the TLS peer to the TLS peer subjects list

Procedure:

1. Select Cisco Unified Presence Administration > System > Security > TLS Context Configuration.

2. Click Find.

3. Click Default_Cisco_UPS_SIP_Proxy_Peer_Auth_TLS_Context.

4. Move the federation TLS peer subject for the load balancer to the selected TLS peer subjects list.

Related Topics

• Configuring the Federation Routing Parameter, page 4-5

• Creating a new TLS Peer Subject, page 4-6

• Adding the TLS Peer to the Selected TLS Peer Subjects List, page 4-6


How to Update the Cisco Adaptive Security Appliance

When using a load balancer, the foreign domain still sends messages to the public CUP address, but the Cisco Adaptive Security Appliance maps that address to a virtual IP address on the load balancer. Thus, when the Cisco Adaptive Security Appliance receives messages from the foreign domain, it forwards them to the load balancer. The load balancer then passes them on to the appropriate Cisco Unified Presence servers.

To support this configuration, you must make some changes to the Cisco Adaptive Security Appliance:

• Updating the Static PAT Messages, page 10-3

• Updating the Access Lists, page 10-4

• Updating the TLS Proxy Instances, page 10-6

Updating the Static PAT Messages

You must update the static PAT messages to include the load balancer details.

Procedure

Changes Required for Cisco Unified Presence Publisher

Task: Change the static PAT to use an arbitrary, unused port for the public CUP address.

Cisco Adaptive Security Appliance Release 8.2 Command:

Change:

static (inside,outside) tcp <Public CUP IP address> 5061 <Routing CUP private IP address> 5062 netmask 255.255.255.255

to:

static (inside,outside) tcp <Public CUP IP address> 55061 <Routing CUP/Publisher private IP address> 5062 netmask 255.255.255.255

Cisco Adaptive Security Appliance Release 8.3 Command:

Change:

object service obj_tcp_source_eq_5061
 service tcp source eq 5061
nat (inside,outside) source static obj_host_<RoutingCUP Private IP address> obj_host_<public cup ipaddress> service obj_tcp_source_eq_5062 obj_tcp_source_eq_5061

to:

object service obj_tcp_source_eq_55061
 service tcp source eq 55061
nat (inside,outside) source static obj_host_<RoutingCUP Private IP address> obj_host_<public cup ipaddress> service obj_tcp_source_eq_5062 obj_tcp_source_eq_55061


Task: Add a new static PAT to allow messages sent to the public Cisco Unified Presence address to be forwarded to the virtual port address (on whichever port the load balancer is listening for TLS messages).

Cisco Adaptive Security Appliance Release 8.2 Command:

static (inside,outside) tcp <Public CUP address> 5061 <Load Balancer VIP> 5062 netmask 255.255.255.255

Cisco Adaptive Security Appliance Release 8.3 Command:

object network obj_host_<Loadbalancer VIP>
 host <routing cup private address>
object service obj_tcp_source_eq_5061
 service tcp source eq 5061
nat (inside,outside) source static obj_host_<LoadBalancer VIP> obj_host_<public cup ip address> service obj_tcp_source_eq_5062 obj_tcp_source_eq_5061

Related Topics

• Configuring the Static IP Routes, page 6-2

• About Port Address Translation (PAT), page 6-3

Updating the Access Lists

To support the load balancer, you also need to update the access lists on the Cisco Adaptive Security Appliance specific to your deployment scenario.

Note The Cisco Unified Presence public IP address refers to the public IP address of the Cisco Unified Presence domain as configured on Cisco Adaptive Security Appliance, and as it appears in the DNS record. This record shows the FQDN of the load balancer containing the public IP of Cisco Adaptive Security Appliance.

Procedure

Deployment Scenario: A Cisco Unified Presence server federating with one or more foreign domains

Task: Add a new access list for the new load balancer virtual IP address. You must add an access list for each foreign domain that Cisco Unified Presence needs to access.

Configuration Example:

Publisher (Cisco Adaptive Security Appliance Release 8.2 and 8.3 Command):

access-list ent_lber_to_foreign_ocs extended permit tcp host <Virtual IP address> host <foreign domain public IP address> eq 5061

Subscriber:

access-list ent_lber_to_foreign_ocs extended permit tcp host <subscriber private ip address> host <foreign domain public IP address> eq 5061

Task: Add a new access list for a foreign domain to initiate messages to a Cisco Unified Presence server when the load balancer virtual IP address is in place. You must add an access list for each foreign domain that needs to access Cisco Unified Presence.

Configuration Example:

Publisher (Cisco Adaptive Security Appliance Release 8.2 Command):

access-list ent_lcs_to_lber_routgcup extended permit tcp host <foreign domain public ip address> host <cup public ip address> eq 5062

Publisher (Cisco Adaptive Security Appliance Release 8.3 Command):

access-list ent_foreign_server_to_lb extended permit tcp host <foreign public address> host <Loadbalancer Virtual IP address> eq 5062

Subscriber:

access-list ent_lcs_to_lber_routgcup extended permit tcp host <foreign domain public ip address> host <cup public ip address> eq 65061

Task: For each access list, add a new class to incorporate the new access list.

Configuration Example:

class ent_lber_to_foreign_ocs
 match access-list ent_lber_to_foreign_ocs

Task: For each class, make an entry in the policy-map global_policy for messages initiated by Cisco Unified Presence.

Configuration Example:

policy-map global_policy
 class ent_lber_to_foreign_ocs
  inspect sip sip_inspect tls-proxy ent_cup_to_foreign

Task: For each class, make an entry in the policy-map global_policy for messages initiated on a foreign domain.

Configuration Example:

policy-map global_policy
 class ent_lcs_to_lber_routgcup
  inspect sip sip_inspect tls-proxy ent_foreign_to_cup

Deployment Scenario: Cisco Unified Presence to Cisco Unified Presence Federation, where the foreign domain has added one or more intercluster Cisco Unified Presence servers

Task: The foreign domain ASA must allow access to the arbitrary ports which have been chosen for our local domain publisher and the subscriber.

Configuration Example:

access-list ent_cup_to_foreignPubcupwlber extended permit tcp host <foreign domain private CUP address> host <public CUP address of our local domain> eq 55061

access-list ent_cup_to_foreignSubcupwlber extended permit tcp host <foreign domain private CUP address> host <public CUP address of our local domain> eq 65061

Task: For each access list, add a new class to incorporate the new access list.

Task: For each class, make an entry in the policy-map global_policy.


Related Topics

• Access List Configuration Requirements, page 7-2

Updating the TLS Proxy Instances

Update the TLS proxy instances on the Cisco Adaptive Security Appliance.

Procedure

Task: Update TLS-PROXY

Configuration Example:

Change:

tls-proxy ent_foreign_to_cup
 server trust-point msoft_publicfqdn
 client trust-point cup_proxy
 client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1
!
tls-proxy ent_cup_to_foreign
 server trust-point cup_proxy
 client trust-point msoft_publicfqdn
 client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1

to:

tls-proxy ent_foreign_to_cup
 server trust-point msoft_publicfqdn
 client trust-point msoft_publicfqdn
 client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1
!
tls-proxy ent_cup_to_foreign
 server trust-point msoft_publicfqdn
 client trust-point msoft_publicfqdn
 client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1

Related Topics

• Configuring the TLS Proxy Instances, page 7-4

How to Update the CA-Signed Security Certificates

When adding the load balancer to the configuration, you must also generate CA-signed security certificates between the load balancer and the Cisco Adaptive Security Appliance and Cisco Unified Presence server as described in these sections:

• Configuring the Security Certificate between the Load Balancer and the Cisco Adaptive Security Appliance, page 10-7

• Configuring the Security Certificate between the Load Balancer and the Cisco Unified Presence Server, page 10-8


Configuring the Security Certificate between the Load Balancer and the Cisco Adaptive Security Appliance

This topic provides an overview of the required steps for configuring the security certificate between the load balancer and the Cisco Adaptive Security Appliance. For details, refer to the Cisco CSS 11500 Content Services Switch documentation: http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_installation_and_configuration_guides_list.html

Procedure

Task: Generate a CA-signed certificate for the load balancer on the Cisco Adaptive Security Appliance.

Procedure: Use the crypto ca enroll command and specify the FQDN of the load balancer.

Task: Import the CA-signed certificate from the Cisco Adaptive Security Appliance to the load balancer.

Procedure: Use the copy ssl command.

Task: Generate a CA-signed certificate for the Cisco Adaptive Security Appliance on the load balancer.

Procedure: These steps provide an overview; refer to the CSS SSL Configuration Guide for details:

1. Enter global configuration mode (config).

2. Generate the RSA key pair used in the exchange (ssl genrsa).

3. Associate the generated RSA key pair with a file (ssl associate).

4. Generate the Certificate Signing Request (ssl gencsr).

5. Obtain a root CA certificate from the CA.

6. Transfer the CSR to the CA.

7. Re-import the signed certificate into the load balancer (copy ssl and ssl associate).

Task: Import the CA-signed certificate from the load balancer to the Cisco Adaptive Security Appliance.

Procedure: Use the crypto ca trustpoint command. To verify that the certificate was imported, use the show crypto ca certificate command.

Related Topics

• Configuring the Certificate on Cisco Adaptive Security Appliance using SCEP Enrollment, page 5-6

• Importing the Cisco Unified Presence Certificate onto Cisco Adaptive Security Appliance, page 5-4

• How to Configure Security Certificate Exchange Between Cisco Adaptive Security Appliance and Microsoft Access Edge (External Interface) Using a Microsoft CA, page 5-5


Configuring the Security Certificate between the Load Balancer and the Cisco Unified Presence Server

This topic provides an overview of the required steps for configuring the security certificate between the load balancer and the Cisco Unified Presence nodes.

Procedure

Task: Generate a CA-signed certificate on both the publisher and subscriber nodes.

Procedure: Follow the instructions to exchange certificates using CA-signed certificates.

Task: Import the CA-signed certificates (from the publisher and subscriber nodes) to the load balancer.

Procedure: Use the copy ssl and ssl associate commands.

Updating the Microsoft Components

You must update some Microsoft components with the load balancer details.

Procedure

Task: Update all instances of the FQDN to correspond to the load balancer FQDN.

Task: Update the domain name in the IM Provider list with the load balancer.

Procedure:

1. Select Start > Administrative Tools > Computer Management on the external Access Edge server.

2. Right-click Microsoft Office Communications Server 2007 in the left pane.

3. Click the IM Provider tab.

4. Click Add.

5. Check Allow the IM service provider.

6. Define the network address of the IM service provider as the public FQDN of the load balancer.

Related Topics

• Configuring the Foreign Server Components for SIP Federation, page 9-1

Updating the AOL Components

If you incorporate a load balancer into your AOL federation deployment, you must provide AOL with some details about the load balancer. Refer to the section in the Related Topics for details.


Related Topics

About the Requirements for SIP Federation with AOL, page 9-4

Configuring the Load Balancer

This topic gives an overview of the necessary tasks for configuring the Cisco CSS 11500 Content Services Switch for this integration. The Cisco CSS 11500 Content Services Switch must have an SSL Accelerator Module installed and configured in back-end SSL mode. For detailed information on each task, refer to the Cisco CSS 11500 Content Services Switch documentation at the following URL:

http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_installation_and_configuration_guides_list.html

Procedure

Task Additional Notes

Configure certificate exchange between Cisco CSS 11500 Content Services Switch and Cisco Unified Presence.

• CA or self-signed certificates can be used in the SSL module.

• You need to generate a certificate for the Cisco CSS 11500 Content Services Switch, and import this onto the remote server.

• You need to import the certificate from the remote server onto the Cisco CSS 11500 Content Services Switch.

Configure certificate exchange between Cisco CSS 11500 Content Services Switch and Cisco Adaptive Security Appliance.

You must define a virtual SSL server in an SSL proxy list for an SSL module to properly process and terminate SSL communications from the client and initiate an HTTP connection to the server.

• You must specify the IP address and port number that the Cisco Adaptive Security Appliance points to.

• You must specify the name of the existing certificate and key pair for the Cisco Adaptive Security Appliance.

Create a Back-End SSL server entry in SSL Proxy List for each Cisco Unified Presence server.

• You must specify the Cisco Unified Presence server address. Note that the Cisco Unified Presence servers (back-end servers) must be on a different subnet than the VIP address.

• The back-end server connection can be a different TLS cipher suite than the front-end, or can be TCP.

• You must specify the port to receive the TLS traffic on the Cisco CSS 11500 Content Services Switch.

• You must specify the port to send the TLS traffic to the Cisco Unified Presence servers.

Create an SSL service for SSL termination for each Cisco Unified Presence server.

• When specifying the keepalive port, ensure that the port number is the same as those you configured for the Back-End SSL server entries.

• The keepalive message type value should be ‘tcp’.


Create the SSL module.

• You must specify the physical slot number of the SSL module. Use the CSS command ‘show chassis’ to retrieve this slot number.

• In the SSL module you must associate a Cisco Unified Presence server with an SSL service, for example add ssl-proxy-list called ssl_list1.

Create an internal content rule to route the decrypted data from the ASA to the CUP server.

Create a content rule to route TLS data to the SSL module for decryption and load-balancing.

Create a NAT association between the VIP and the back-end Cisco Unified Presence servers.

When using a Cisco CSS 11500 Content Services Switch directly between Cisco Unified Presence and Microsoft OCS (no Cisco Adaptive Security Appliance), you must be able to resolve the certificate Subject Common Name for the Cisco Unified Presence server to the Cisco Unified Presence IP address from OCS. Also, each Cisco Unified Presence server Subject Common Name must be in the OCS host authorization list.

Chapter 11 Configuring Cisco Unified Presence for XMPP Federation

• How to Configure the General Settings for XMPP Federation, page 11-1

• Configuring the Security Settings for XMPP Federation, page 11-3

• Configuring the XMPP Federated Domains for Cisco Unified Personal Communicator Release 7.x Users, page 11-4

• How to Configure DNS for XMPP Federation, page 11-4

• How to Configure the Policy Settings for XMPP Federation, page 11-9

• Turning On Email for XMPP Federation, page 11-12

• Turning On the XMPP Federation Service, page 11-12

How to Configure the General Settings for XMPP Federation

• XMPP Federation Overview, page 11-1

• Important Notes About Restarting Services for XMPP Federation, page 11-2

• Turning on XMPP Federation on a Node, page 11-2

• Configuring the Security Settings for XMPP Federation, page 11-3

• Configuring the XMPP Federated Domains for Cisco Unified Personal Communicator Release 7.x Users, page 11-4

XMPP Federation Overview

Cisco Unified Presence Release 8.x supports XMPP federation with the following enterprises:

• Cisco WebEx Connect Release 6.0

• IBM Sametime Release 8.2 and 8.5

• GoogleTalk

• (Another) Cisco Unified Presence Release 8.x enterprise


Note Cisco Unified Presence does not support XMPP federation between a Cisco Unified Presence Release 8.x enterprise and a Cisco Unified Presence Release 7.x enterprise.

When Cisco Unified Presence is federating with WebEx Enterprise, it is not possible for WebEx Connect client users to invite Cisco Unified Presence users to temporary or persistent chat rooms. This is due to a design constraint on the WebEx Connect client.

To allow Cisco Unified Presence to federate over XMPP, you must enable and configure XMPP federation on Cisco Unified Presence, following the procedures we describe in this chapter.

If you have multiple Cisco Unified Presence clusters, you must enable and configure XMPP federation on at least one node per cluster. The XMPP federation configuration must be identical across clusters. The Diagnostics Troubleshooter compares the XMPP federation configuration across clusters, and reports if the XMPP federation configuration is not identical across clusters.

If you deploy Cisco Adaptive Security Appliance for firewall purposes, note the following:

• See section About Integration Preparation, page 2-3 for considerations on routing, scale, public IP addresses and the CA authority.

• See section Prerequisite Configuration for Cisco Adaptive Security Appliance, page 2-7 for information on configuring the prerequisite information such as the hostname, timezone, clock and so on.

Important Notes About Restarting Services for XMPP Federation

If you make a change to any of the XMPP Federation settings, you must restart these services in Cisco Unified Serviceability: Cisco UP XCP Router (select Tools > Control Center - Network Services) and Cisco UP XCP XMPP Federation Connection Manager (select Tools > Control Center - Feature Services). When you restart the Cisco UP XCP Router service, Cisco Unified Presence restarts all the XCP services.

If you enable or disable XMPP federation on a node, you must restart the Cisco UP XCP Router on all nodes within a cluster, not just on the node where XMPP federation has been enabled or disabled. For all other XMPP federation settings, a Cisco UP XCP Router restart is only required on the node to which the setting is being changed.

Turning on XMPP Federation on a Node

This setting is turned off by default.

Procedure

Step 1 Select Cisco Unified Presence Administration > Presence > Inter Domain Federation > XMPP Federation > Settings.

Select On in the XMPP Federation Status menu.

Step 2 Select Save.


Troubleshooting Topics

You cannot start the XCP XMPP Federation Connection Manager service on the Cisco Unified Presence node, unless you turn on XMPP Federation on the node.

What To Do Next

Configuring the Security Settings for XMPP Federation, page 11-3

Configuring the Security Settings for XMPP Federation

Before You Begin

• Determine whether the foreign domain that you are federating with supports TLS connections.

• The TLS and SASL specific settings are only configurable if you select the SSL mode ‘TLS Optional’ or ‘TLS Required’.

• If you are configuring federation between Cisco Unified Presence and IBM using TLS, you must configure the SSL mode ‘TLS Required’, and you must enable SASL.

Procedure

Step 1 Select Cisco Unified Presence Administration > Presence > Inter Domain Federation > XMPP Federation > Settings.

Step 2 Select a security mode from the menu:

• No TLS—Cisco Unified Presence will not establish a TLS connection with the foreign domain. The system uses a non-encrypted connection to federate with the foreign domain, and uses the server dialback mechanism to verify the identity of the other server.

• TLS Optional—Cisco Unified Presence attempts to establish a TLS connection with the foreign domain. If Cisco Unified Presence fails to establish a TLS connection, it reverts to server dialback to verify the identity of the other server.

• TLS Required—The system guarantees a secure (encrypted) connection with the foreign domain.

Step 3 Check Require client-side security certificates if you want to enforce strict validation of certificates from foreign domain servers against an installed root CA certificate. This setting is turned on by default if you select either the TLS Optional or the TLS Required security setting.

Note If you are configuring XMPP federation with WebEx, do not check Require client-side security certificates.

Step 4 Check Enable SASL EXTERNAL on all incoming connections to ensure that Cisco Unified Presence advertises support for SASL EXTERNAL on incoming connection attempts and will implement SASL EXTERNAL validation.

Step 5 Check Enabling SASL on outbound connections to ensure that Cisco Unified Presence sends a SASL auth id to the foreign domain if the foreign server requests SASL EXTERNAL.

Step 6 Enter the dialback secret if you want to use DNS to verify the identity of a foreign server that is attempting to connect to Cisco Unified Presence. Cisco Unified Presence will not accept any packets from the foreign server until DNS validates the identity of the foreign server.


Step 7 Select Save.

Troubleshooting Tips

• For further information on the security settings, see the Online Help.

• If the server is part of an intercluster deployment, then you must configure each cluster with the same security settings. Run the System Troubleshooter to ensure that your configuration is consistent on all nodes.

Related Topics

• Turning on XMPP Federation on a Node, page 11-2

• For further information on Server Dialback, see XEP-0220 in the XMPP Standards:

http://xmpp.org/extensions/xep-0220.html

Configuring the XMPP Federated Domains for Cisco Unified Personal Communicator Release 7.x Users

Note This topic is only applicable if your federation deployment contains Cisco Unified Personal Communicator Release 7.x users; otherwise you do not need to explicitly configure the domains for XMPP federation.

Procedure

Step 1 Select Cisco Unified Presence Administration > Presence > Inter Domain Federation > XMPP Federation > Settings.

Step 2 Select Configure for domain(s).

Step 3 Select Add New.

Step 4 Enter the XMPP domain of the foreign server that you want to add. This must correspond to the domain configuration in DNS for the foreign enterprise. Cisco Unified Presence uses the domain in the XMPP JID/URIs of users from that domain.

Step 5 Enter a description that will help you distinguish between XMPP domain instances when you have more than one configured.

Step 6 Select Save.

Related Topics

How to Configure DNS for XMPP Federation, page 11-4

How to Configure DNS for XMPP Federation

• DNS SRV Records for XMPP Federation, page 11-5


• DNS SRV Records for Chat Feature for XMPP Federation, page 11-7

• Configuring DNS SRV Record for Chat Node for XMPP Federation, page 11-7

DNS SRV Records for XMPP Federation

To allow Cisco Unified Presence to discover a particular XMPP federated domain, the federated enterprise must publish the DNS SRV record _xmpp-server in its public DNS server. Similarly, Cisco Unified Presence must publish the same DNS SRV record in the DNS for its domain. Both enterprises must publish port 5269. The published FQDN must also be resolvable to an IP address in DNS.

The record required is:

_xmpp-server._tcp.<domain>

See Figure 11-1 for a sample DNS configuration for the DNS SRV record _xmpp-server.

Figure 11-1 DNS SRV for _xmpp-server

If you have remote root access to Cisco Unified Presence, you can run nslookup to determine if the federated domain is discoverable.

Tip Use this sequence of commands for performing a DNS SRV lookup:

nslookup
set type=srv
_xmpp-server._tcp.<domain>

(<domain> is the domain of the federated enterprise.)

This command returns an output similar to this (where ‘example.com’ is the domain of the federated server):


_xmpp-server._tcp.example.com service = 0 0 5269 hostname.example.com.

For a single cluster, you only need to enable XMPP federation on one node in the cluster. You publish one DNS SRV record for the enterprise in the public DNS. Cisco Unified Presence routes all incoming requests from foreign domains to the node running federation. Internally Cisco Unified Presence reroutes the requests to the correct node for the user. Cisco Unified Presence also routes all outgoing requests to the node running XMPP federation.

You can also publish multiple DNS SRV records, for example for scale, or because you have multiple Cisco Unified Presence clusters and must enable XMPP federation at least once per cluster. Unlike SIP federation, XMPP federation does not require a single point of entry for the Cisco Unified Presence enterprise domain. As a result, incoming requests can be routed to any one of the published nodes that you enable for XMPP federation.

In an intercluster and a multi-node cluster Cisco Unified Presence deployment, when a foreign XMPP federated domain initiates a new session, it performs a DNS SRV lookup to determine where to route the request. If you publish multiple DNS SRV records, the DNS lookup returns multiple results; Cisco Unified Presence can route the request to any of the servers that DNS publishes. Internally Cisco Unified Presence reroutes the requests to the correct node for the user. Cisco Unified Presence routes outgoing requests to any of the nodes running XMPP federation.

If you have multiple nodes running XMPP federation, you can still choose to publish only one node in the public DNS. With this configuration, Cisco Unified Presence routes all incoming requests to that single node, rather than load-balancing the incoming requests across the nodes running XMPP federation. Cisco Unified Presence still load-balances outgoing requests and sends them from any of the nodes running XMPP federation.

Related Topics

DNS SRV Records for Chat Feature for XMPP Federation, page 11-7


DNS SRV Records for Chat Feature for XMPP Federation

If you configure the Chat feature on a Cisco Unified Presence server in an XMPP federation deployment, you must publish the chat node alias in DNS.

The hostname to which the DNS SRV record for the chat node resolves in turn resolves to a public IP address. Depending on your deployment, you may have a single public IP address, or a public IP address for each chat node within your network:

Single public IP address, multiple nodes internally:

To route all chat requests to the XMPP federation node, and then on to the chat node:

1. Configure the DNS SRV for the chat node alias to point to port 5269.

2. Configure a NAT command on Cisco Adaptive Security Appliance or the firewall\NAT server that maps publicIPAddress:5269 to XMPPFederationNodePrivateIPAddress:5269.

Multiple public IP addresses, multiple nodes internally:

If you have multiple public IP addresses, you can choose to route chat requests directly to the appropriate chat node.

1. Configure the DNS SRV for the chat node to use some arbitrary port other than 5269, for example, 25269.

2. Configure a PAT command on Cisco Adaptive Security Appliance or the firewall\NAT server that maps textChatServerPublicIPAddress:25269 to textChatServerPrivateIPAddress:5269.

Note To allow the chat node to handle incoming federated text requests, you must turn on the Cisco UP XCP XMPP Federation Connection Manager on the chat node.

For information on configuring the Chat feature on Cisco Unified Presence, see Deployment Guide for Cisco Unified Presence Release 8.x.

Related Topics

Configuring DNS SRV Record for Chat Node for XMPP Federation, page 11-7

Configuring DNS SRV Record for Chat Node for XMPP Federation

Procedure

Step 1 To retrieve the chat node alias:

a. Select Cisco Unified Presence Administration > Messaging > Conference Server Alias Mapping.

b. Select Find to display a list of chat node aliases.

c. Select the chat node alias that you want to publish in DNS, for example ‘conference-2.StandAloneCluster.example.com’.

Step 2 In the public DNS server for the ‘example.com’ domain, create the domain ‘StandAloneCluster’.

Step 3 In the domain ‘StandAloneCluster’, create the domain ‘conference-2’.

Step 4 In the domain ‘conference-2’, create the domain ‘_tcp’.

Step 5 In the domain ‘_tcp’, create a new DNS SRV record for _xmpp-server. See Figure 11-2 and Figure 11-3 for a sample DNS configuration.

Note If the text conference server alias is ‘conference-2-StandAloneCluster.example.com’ then the domain at step 3 is ‘conference-2-StandAloneCluster’, and you skip step 4.

Figure 11-2 DNS SRV for _xmpp-server for Chat Feature

Figure 11-3 DNS configuration for Chat Feature
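The _xmpp-server SRV requirements above (port 5269, a target FQDN that resolves to an IP address) and the chat node alias records, as an added example that is not Cisco's code: a Python checker run over constructed nslookup-style answers and a constructed A-record table. The sample hostnames, aliases and addresses are assumptions, not values from the guide.

```python
"""Check the DNS SRV records that XMPP federation depends on.

Added example, not Cisco code. All sample DNS data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

XMPP_SERVER_PORT = 5269

# Constructed sample: answer lines in the layout nslookup prints after
# 'set type=srv'. Not real DNS data.
SAMPLE_NSLOOKUP_OUTPUT = """\
_xmpp-server._tcp.example.com service = 0 0 5269 hostname.example.com.
_xmpp-server._tcp.example.com service = 0 0 5269 cup2.example.com.
_xmpp-server._tcp.conference-2.StandAloneCluster.example.com service = 0 0 25269 chat1.example.com.
"""

# Constructed sample: A records for the same public zone (FQDN -> IP).
SAMPLE_A_RECORDS: Dict[str, str] = {
    "hostname.example.com": "203.0.113.10",
    "cup2.example.com": "203.0.113.11",
}

# name  service = priority weight port target.
_SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+service\s*=\s*(?P<priority>\d+)\s+(?P<weight>\d+)"
    r"\s+(?P<port>\d+)\s+(?P<target>\S+?)\.?$"
)


@dataclass(frozen=True)
class SrvRecord:
    name: str      # owner name, lower-cased, no trailing dot
    priority: int
    weight: int
    port: int
    target: str    # target FQDN, lower-cased, no trailing dot


def parse_nslookup_srv(output: str) -> List[SrvRecord]:
    """Parse every 'name service = prio weight port target.' line; skip the rest."""
    records = []
    for line in output.splitlines():
        m = _SRV_LINE.match(line.strip())
        if m:
            records.append(SrvRecord(
                name=m["name"].lower().rstrip("."),
                priority=int(m["priority"]),
                weight=int(m["weight"]),
                port=int(m["port"]),
                target=m["target"].lower(),
            ))
    return records


def xmpp_srv_name(domain: str) -> str:
    """The record both enterprises must publish: _xmpp-server._tcp.<domain>.

    A chat node alias such as conference-2.StandAloneCluster.example.com is
    simply another <domain> here.
    """
    return "_xmpp-server._tcp." + domain.lower().rstrip(".")


def check_federation_srv(domain: str, records: List[SrvRecord],
                         a_records: Dict[str, str],
                         required_port: Optional[int] = XMPP_SERVER_PORT) -> List[str]:
    """Return the problems that would stop a peer from discovering <domain>.

    required_port=None accepts an arbitrary port, which the guide allows only
    for a chat node alias behind its own public IP (PAT back to 5269).
    Several records for one name are fine: the peer may pick any of them.
    """
    wanted = xmpp_srv_name(domain)
    matches = [r for r in records if r.name == wanted]
    problems = []
    if not matches:
        problems.append(f"no SRV record {wanted} published")
    for r in matches:
        if required_port is not None and r.port != required_port:
            problems.append(f"{wanted} -> {r.target} uses port {r.port}, "
                            f"expected {required_port}")
        if r.target not in a_records:
            problems.append(f"SRV target {r.target} does not resolve to an IP address")
    return problems


if __name__ == "__main__":
    recs = parse_nslookup_srv(SAMPLE_NSLOOKUP_OUTPUT)
    for dom, port in (("example.com", XMPP_SERVER_PORT),
                      ("conference-2.StandAloneCluster.example.com", None)):
        print(dom, check_federation_srv(dom, recs, SAMPLE_A_RECORDS, port) or "OK")
```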


Related Topics

• Deployment Guide for Cisco Unified Presence Release 8.x:

http://www.cisco.com/en/US/products/ps6837/products_installation_and_configuration_guides_list.html

• DNS SRV Records for XMPP Federation, page 11-5

How to Configure the Policy Settings for XMPP Federation

• Policy Exception Configuration, page 11-9

• Configuring the Policy for XMPP Federation, page 11-10

Policy Exception Configuration

You can configure exceptions to the default policy for XMPP federation. In the exception, you must specify the foreign domain to which you want to apply the exception, and a direction rule for the exception. When you configure the domain name for a policy exception, note the following:

• If the URI or JID of the user is ‘<user>@example.com’, configure the foreign domain name in the exception as ‘example.com’.

• If the foreign enterprise uses hostname.domain in the URI or JID of the user, for example ‘<user>@hostname.example.com’, configure the foreign domain name in the exception as ‘hostname.example.com’.

• You can use a wildcard (*) for the foreign domain name in the exception. For example, the value ‘*.example.com’ applies the policy on ‘example.com’ and any subdomain of example.com, for example, ‘somewhere.example.com’.

You must also specify the direction in which Cisco Unified Presence applies the policy exception. These direction options are available:

• all federated packets from/to the above domain/host—Cisco Unified Presence allows or denies all traffic going to and coming from the specified domain.

• only incoming federated packets from the above domain/host—Allow Cisco Unified Presence to receive inbound broadcasts from the specified domain, but Cisco Unified Presence does not send responses.

• only outgoing federated packets to the above domain/host—Allow Cisco Unified Presence to send outbound broadcasts to the specified domain, but Cisco Unified Presence does not receive responses.

Related Topics

Configuring the Policy for XMPP Federation, page 11-10


Configuring the Policy for XMPP Federation

Caution If you make a change to any of the XMPP Federation settings, you must restart these services in Cisco Unified Serviceability: Cisco UP XCP Router (select Tools > Control Center - Network Services), Cisco UP XCP XMPP Federation Connection Manager (select Tools > Control Center - Feature Services). When you restart the Cisco UP XCP Router service, Cisco Unified Presence restarts all the XCP services.

Procedure

Step 1 Select Cisco Unified Presence Administration > Presence > Inter Domain Federation > XMPP Federation > Policy.

Step 2 Select the policy settings from the menu:

• Allow - Cisco Unified Presence permits all federated traffic from XMPP federated domains, except those domains that you explicitly deny on the policy exception list.

• Deny - Cisco Unified Presence denies all federated traffic from XMPP federated domains, except those domains that you explicitly permit on the policy exceptions list.

Step 3 To configure a domain on the policy exception list:

a. Select Add New.

b. Specify the domain name or the hostname of the foreign server.

c. Specify the direction to apply the policy exception.

d. Select Save on the policy exception window.

Step 4 Select Save on the policy window.

Troubleshooting Tips

See the Online Help for federation policy recommendations.

Related Topics

Policy Exception Configuration, page 11-9
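The default Allow/Deny policy with its exception list, the wildcard rule and the three direction options above, as an added example that is not Cisco's code: a Python model that decides whether a federated packet passes. The evaluation order (first matching exception wins, and a matching exception inverts the default) is this example's reading of the page, not a documented Cisco behaviour; the JIDs are constructed.

```python
"""Model of the XMPP federation policy described in the guide.

Added example, not Cisco code. Assumption: the first matching exception
decides, and an exception always inverts the default policy for the
traffic it covers.
"""
from dataclasses import dataclass
from typing import Iterable

DIRECTIONS = ("all", "incoming", "outgoing")


@dataclass(frozen=True)
class PolicyException:
    domain: str     # 'example.com', 'hostname.example.com' or '*.example.com'
    direction: str  # 'all', 'incoming' (packets from it) or 'outgoing' (packets to it)

    def __post_init__(self) -> None:
        if self.direction not in DIRECTIONS:
            raise ValueError(f"bad direction {self.direction!r}")


def domain_matches(pattern: str, domain: str) -> bool:
    """'*.example.com' covers example.com itself and every subdomain of it,
    as the guide states; any other pattern must match exactly."""
    pattern = pattern.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if pattern.startswith("*."):
        base = pattern[2:]
        return domain == base or domain.endswith("." + base)
    return pattern == domain


def jid_domain(jid: str) -> str:
    """Domain part of a JID such as user@hostname.example.com/resource."""
    return jid.rsplit("@", 1)[-1].split("/", 1)[0]


def is_permitted(default_policy: str, exceptions: Iterable[PolicyException],
                 peer_jid: str, direction: str) -> bool:
    """Decide whether a federated packet passes.

    default_policy: 'allow' (permit all except listed domains) or
                    'deny'  (deny all except listed domains).
    direction: 'incoming' (packet from the peer) or 'outgoing' (packet to it).
    """
    if default_policy not in ("allow", "deny"):
        raise ValueError("default_policy must be 'allow' or 'deny'")
    if direction not in ("incoming", "outgoing"):
        raise ValueError("direction must be 'incoming' or 'outgoing'")
    peer = jid_domain(peer_jid)
    for exc in exceptions:
        if domain_matches(exc.domain, peer) and exc.direction in ("all", direction):
            # The exception inverts the default for the traffic it covers.
            return default_policy == "deny"
    return default_policy == "allow"


if __name__ == "__main__":
    # Constructed: deny everything except example.com and its subdomains.
    excs = [PolicyException("*.example.com", "all")]
    for jid in ("alice@somewhere.example.com", "bob@example.org"):
        print(jid, "incoming permitted:", is_permitted("deny", excs, jid, "incoming"))
```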

Configuring Cisco Adaptive Security Appliance for XMPP Federation

For XMPP Federation, Cisco Adaptive Security Appliance acts as a firewall only. You must open port 5269 for both incoming and outgoing XMPP federated traffic on Cisco Adaptive Security Appliance.

These are sample access lists to open port 5269 on Cisco Adaptive Security Appliance Release 8.3.

Allow traffic from any address to any address on port 5269:

access-list ALLOW-ALL extended permit tcp any any eq 5269

Allow traffic from any address to any single node on port 5269:


access-list ALLOW-ALL extended permit tcp any host <private cup IP address> eq 5269

If you do not configure the access list above, and you publish additional XMPP federation nodes in DNS, you must configure access to each of these nodes, for example:

object network obj_host_<private cup ip address>
 host <private cup ip address>
object network obj_host_<private cup2 ip address>
 host <private cup2 ip address>
object network obj_host_<public cup ip address>
 host <public cup ip address>

....

Configure the following NAT commands:

nat (inside,outside) source static obj_host_<private cup1 IP> obj_host_<public cup IP> service obj_udp_source_eq_5269 obj_udp_source_eq_5269
nat (inside,outside) source static obj_host_<private cup1 IP> obj_host_<public cup IP> service obj_tcp_source_eq_5269 obj_tcp_source_eq_5269

If you publish a single public IP address in DNS, and use arbitrary ports, configure the following:

(This example is for two additional XMPP federation nodes)

nat (inside,outside) source static obj_host_<private cup2 ip> obj_host_<public cup IP> service obj_udp_source_eq_5269 obj_udp_source_eq_25269
nat (inside,outside) source static obj_host_<private cup2 ip> obj_host_<public cup IP> service obj_tcp_source_eq_5269 obj_tcp_source_eq_25269

nat (inside,outside) source static obj_host_<private cup3 ip> obj_host_<public cup IP> service obj_udp_source_eq_5269 obj_udp_source_eq_35269
nat (inside,outside) source static obj_host_<private cup3 ip> obj_host_<public cup IP> service obj_tcp_source_eq_5269 obj_tcp_source_eq_35269

If you publish multiple public IP addresses in DNS all using port 5269, configure the following:

(This example is for two additional XMPP federation nodes)

nat (inside,outside) source static obj_host_<private cup2 ip> obj_host_<public cup2 IP> service obj_udp_source_eq_5269 obj_udp_source_eq_5269
nat (inside,outside) source static obj_host_<private cup2 ip> obj_host_<public cup2 IP> service obj_tcp_source_eq_5269 obj_tcp_source_eq_5269

nat (inside,outside) source static obj_host_<private cup3 ip> obj_host_<public cup3 IP> service obj_udp_source_eq_5269 obj_udp_source_eq_5269
nat (inside,outside) source static obj_host_<private cup3 ip> obj_host_<public cup3 IP> service obj_tcp_source_eq_5269 obj_tcp_source_eq_5269

Related Topics

Configuring Cisco Adaptive Security Appliance for SIP Federation, page 6-1


Turning On Email for XMPP Federation

When you turn on Cisco Unified Presence to use the email address for XMPP federation, Cisco Unified Presence changes the JID of each federated contact to the email address of the contact.

To turn on email for XMPP federation, follow the same procedure as for SIP federation, see the procedure in the Related Topics section below.

The email address for federation feature (in an XMPP federation deployment) does not currently support temporary or persistent chat rooms in a multi-cluster Cisco Unified Presence deployment. In the deployment scenario where there are multiple Cisco Unified Presence clusters in the local domain, the local user's actual JID may be sent to the federated user. The only impact to the chat room is that the name that displays to the federated user is the user ID of the local user, instead of the email address of the local user; all other chat room functionality operates as normal. This only occurs in temporary or persistent chat rooms with federated users.

Related Topics

Turning On Email for Federation, page 4-10

Turning On the XMPP Federation Service

You need to turn on the Cisco UP XCP XMPP Federation Connection Manager service on each Cisco Unified Presence node that runs XMPP federation. Once you turn on the Federation Connection Manager service from the Service Activation window, Cisco Unified Presence automatically starts the service; you do not need to manually start the service from the Control Center - Feature Services window.

Before You Begin

Turn on XMPP Federation for the node from Cisco Unified Presence Administration, see Turning on XMPP Federation on a Node, page 11-2.

Procedure

Step 1 Select Cisco Unified Serviceability > Tools > Service Activation.

Step 2 Select the server from the Server list box.

Step 3 Select Go.

Step 4 Select the radio button next to the Cisco UP XCP XMPP Federation Connection Manager service in the CUP Services section.

Step 5 Select Save.

Related Topics

Configuring Serviceability for Federation, page 13-1

Chapter 12 Configuring Security Certificates for XMPP Federation

April 4, 2011

• Configuring the Domain for XMPP Certificate, page 12-1

• How to Upload the XMPP Trust Certificates to Cisco Unified Presence, page 12-2

Configuring the Domain for XMPP Certificate

For XMPP Federation, the Subject Common Name (CN) for the certificate must contain the domain of the Cisco Unified Presence server.

Procedure

Step 1 Select Cisco Unified Presence Administration > System > Security > Settings.

Step 2 In Domain name for XMPP Server-to-Server certificate Subject Common name, enter the domain name of the Cisco Unified Presence server.

Tip You can configure a wildcard domain here, for example, ‘*.example.net’ if you deploy the Chat feature on Cisco Unified Presence, and the chat component is a subdomain of the parent domain.

Note You can check Use Domain Name for XMPP Certificate Subject Common Name if you want the general XMPP certificate to use the same Domain Name as the XMPP server-to-server certificate.

Step 3 Select Save.

Troubleshooting Tips

• If you make any changes to this configuration, you must restart the Cisco UP XCP Router service. Select Cisco Unified Serviceability > Tools > Control Center - Network Services to restart this service.


• If you change the server-to-server domain name value, you must regenerate the affected XMPP S2S certificates before you restart the Cisco UP XCP Router service.

How to Upload the XMPP Trust Certificates to Cisco Unified Presence

Note Cisco Unified Presence does not support third-party certificates for XMPP federation.

• Importing the Root CA Certificate for XMPP Federation, page 12-2

• Generating a Certificate Signing Request for XMPP Federation, page 12-3

• Uploading the CA-Signed Certificate for XMPP Federation, page 12-4

Importing the Root CA Certificate for XMPP Federation

Note This section describes how to manually upload the XMPP S2S trust certificates to Cisco Unified Presence. You can also use the Certificate Import Tool to automatically upload XMPP S2S trust certificates. To access the Certificate Import Tool, select Cisco Unified Presence Administration > System > Security > Certificate Import Tool, and see the Online Help for instructions on how to use this tool.

If Cisco Unified Presence federates with an enterprise, and a commonly trusted Certificate Authority (CA) signs the certificate of that enterprise, you must upload the root certificate from the CA to Cisco Unified Presence server.

If Cisco Unified Presence federates with an enterprise that uses a self-signed certificate rather than a certificate signed by a commonly trusted CA, you can upload the self-signed certificate using this procedure. Note that if your trust certificate is self-signed, you cannot turn on the Require client side certificates parameter in the XMPP federation security settings window.

Before You Begin

Download the root CA certificate and save it to your local machine.

Procedure

Step 1 Select Cisco Unified Operating System Administration > Security > Certificate Management on Cisco Unified Presence.

Step 2 Select Upload Certificate.

Step 3 Select cup-xmpp-trust for Certificate Name.

Note Leave the Root Name field blank.


Step 4 Select Browse, and browse to the location of the root CA certificate that you previously downloaded and saved to your local machine.

Step 5 Select Upload File to upload the certificate to the Cisco Unified Presence server.

What To Do Next

Generating a Certificate Signing Request for XMPP Federation, page 12-3

Configuring the Security Settings for XMPP Federation, page 11-3

Generating a Certificate Signing Request for XMPP FederationThe procedure below outlines how to generate a Certificate Signing Request for a Microsoft Certificate Services CA.

Before You Begin

Complete the steps in Importing the Root CA Certificate for XMPP Federation, page 12-2

Procedure

Step 1 Select Cisco Unified Operating System Administration > Security > Certificate Management on Cisco Unified Presence.

Step 2 To generate the CSR, perform these steps:

a. Select Generate CSR.

b. Select cup-xmpp-s2s for the certificate name.

c. Select Generate CSR.

d. Select Close, and return to the main certificate window.

Step 3 To download the .csr file to your local machine:

a. Select Download CSR.

b. Select the cup-xmpp-s2s.csr file in the menu on the Download Certificate Signing Request window.

c. Select Download CSR to download this file to your local machine.

Step 4 Using a text editor, open the cup-xmpp-s2s.csr file.

Step 5 Copy the contents of the CSR file.

You must copy all information from and including

-----BEGIN CERTIFICATE REQUEST-----

to and including

-----END CERTIFICATE REQUEST-----

Step 6 On your internet browser, browse to your CA server, for example: http://<name of your Issuing CA Server>/certsrv

Step 7 Select Request a certificate.

Step 8 Select Advanced certificate request.


Step 9 Select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

Step 10 Paste the contents of the CSR file (that you copied in step 5) into the Saved Request field.

Step 11 Select Submit.

Step 12 On your internet browser, return to the URL: http://<name of your Issuing CA Server>/certsrv

Step 13 Select View the status of a pending certificate request.

Step 14 Click on the certificate request that you issued in the previous section.

Step 15 Select Base 64 encoded.

Step 16 Select Download certificate.

Step 17 Save the certificate to your local machine:

a. Specify a certificate file name cup-xmpp-s2s.pem.

b. Save the certificate as type Security Certificate.

What To Do Next

Uploading the CA-Signed Certificate for XMPP Federation, page 12-4

Uploading the CA-Signed Certificate for XMPP Federation

Before You Begin

Complete the steps in Generating a Certificate Signing Request for XMPP Federation, page 12-3

Procedure

Step 1 Select Cisco Unified Operating System Administration > Security > Certificate Management on Cisco Unified Presence.

Step 2 Select Upload Certificate.

Step 3 Select cup-xmpp-s2s for Certificate Name.

Step 4 Specify the name of the root certificate in the Root Certificate Field.

Step 5 Select Upload File.

Step 6 Browse to the location of the CA-signed certificate that you saved to your local machine.

Step 7 Select Upload File.

What To Do Next

Restart the Cisco UP XCP Router service. Select Cisco Unified Serviceability > Tools > Control Center - Network Services to restart this service.


Chapter 13 Configuring Serviceability for Federation

April 4, 2011

• How To Turn on and Capture Logging for Federation, page 13-1

• How To Restart the Cisco UP XCP Router, page 13-2

How To Turn on and Capture Logging for Federation

• Location of Log Files for SIP Federation, page 13-1

• Location of Log Files for XMPP Federation, page 13-1

• Turning On Logging for Federation, page 13-1

Location of Log Files for SIP Federation

The following log files are applicable for SIP federation:

• sip-cm-3_0000000X.log located in /var/log/active/epas/trace/xcp/log

• esp0000000X.log located in /var/log/active/epas/trace/esp/sdi

You can also capture these logs from RTMT.

Location of Log Files for XMPP Federation

The following log files are applicable for XMPP federation:

• xmpp-cm-4_0000000X.log located in /var/log/active/epas/trace/xcp/log

You can also capture these logs from RTMT.

Turning On Logging for Federation

Procedure

Step 1 Select Cisco Unified Serviceability > Trace > Configuration.

Step 2 Select the Cisco Unified Presence server, and select Go.


Step 3 Select CUP Services from the Service Group list box, and select Go.

Step 4 Perform one of the following steps:

• For SIP federation, select the Cisco UP XCP SIP Federation Connection Manager service from the Service list box, and click Go.

• For XMPP federation, select the Cisco UP XCP XMPP Federation Connection Manager service from the Service list box, and click Go.

Step 5 Select Trace On.

Select the Debug Trace Level in the Trace Filter Settings. To enable Debug level on the traces, select Debug for Debug Trace Level.

How To Restart the Cisco UP XCP Router

• About the Cisco UP XCP Router, page 13-2

• Restarting the Cisco UP XCP Router, page 13-2

About the Cisco UP XCP Router

If you make any configuration changes for SIP or XMPP federation, you must restart the Cisco UP XCP Router on Cisco Unified Presence. If you restart the Cisco UP XCP Router, Cisco Unified Presence automatically restarts all active XCP services.

Note that you must restart the Cisco UP XCP Router, not turn it off and on again. If you turn off the Cisco UP XCP Router rather than restart this service, Cisco Unified Presence stops all other XCP services. When you subsequently turn on the XCP router, Cisco Unified Presence does not automatically turn on the other XCP services; you need to turn them on manually.

Restarting the Cisco UP XCP Router

Procedure

Step 1 Select Cisco Unified Serviceability > Tools > Control Center - Network Services.

Step 2 Select the server from the Server list box.

Step 3 Click Go.

Step 4 Select the radio button next to the Cisco UP XCP Router service in the CUP Services section.

Step 5 Click Restart.

Step 6 Click OK when a message indicates that restarting may take a while.


Chapter 14 Verifying the Federation Integration

April 4, 2011

• Verifying the SIP Federation Configuration, page 14-1

• Verifying the XMPP Federation Configuration, page 14-2

Verifying the SIP Federation Configuration

This procedure describes how to verify the configuration for a federated network between a Cisco Unified Presence enterprise deployment and a Microsoft OCS enterprise deployment. Use this procedure as a guide for verifying the other types of integrations if necessary.

Procedure

Step 1 Log on to the Cisco Unified Personal Communicator client or the third-party XMPP client.

Step 2 Log on to two federated Microsoft Office Communicator clients.

Step 3 Perform the following steps on the first Microsoft Office Communicator client:

a. Add the Cisco Unified Presence user as a contact.

b. A pop-up message displays on the client of the Cisco Unified Presence user requesting that you accept, block, or ignore the presence subscription from the Microsoft Office Communicator user.

c. Check that the Cisco Unified Presence user and the Microsoft Office Communicator user are able to see each other's availability.

Step 4 Perform the following steps on the client of the Cisco Unified Presence user:

a. Add the second Microsoft Office Communicator user as a contact.

b. Check that you can see the availability of the Microsoft Office Communicator user.

c. A pop-up message should appear on the Microsoft Office Communicator client informing that user that the Cisco Unified Personal Communicator user has been added as a contact.

Step 5 Toggle between the availability states on both the client of the Cisco Unified Presence user and the Microsoft Office Communicator clients. Check that the availability state changes for the contacts on each client.

Step 6 Initiate an IM from the client of a Cisco Unified Presence user to a Microsoft Office Communicator user.

Step 7 Check that the IM window appears on Microsoft Office Communicator with the message from the Cisco Unified Presence user.


Step 8 Close both the IM window on the client of the Cisco Unified Presence user and IM window on the Microsoft Office Communicator client.

Step 9 Initiate an IM from Microsoft Office Communicator user to the Cisco Unified Presence user.

Step 10 Check that an IM window appears on the client of the Cisco Unified Presence user with the message from the Microsoft Office Communicator user.

Step 11 On the Cisco Unified Personal Communicator client, perform the following steps:

a. Block one of the Microsoft Office Communicator users.

Note For third-party clients that do not support XEP-0016 (Privacy Lists), blocking from the third-party XMPP client only blocks IM; users can still exchange availability status. To block both IM and availability on the server side, the user configures their privacy settings from the Cisco Unified Presence User Options interface, or from the Privacy configuration on Cisco Unified Personal Communicator.

b. Check that this Microsoft Office Communicator user now sees the availability of the Cisco Unified Presence user as offline. The second Microsoft Office Communicator user should still be able to see availability status for the Cisco Unified Presence user.

c. On the client of the Cisco Unified Presence user, the blocked Microsoft Office Communicator user should still appear online, and you should be able to initiate an IM to the blocked Microsoft Office Communicator user.

Step 12 Block the Cisco Unified Presence user from the Microsoft Office Communicator client.

Step 13 Verify that the presence of the Microsoft Office Communicator user is no longer available on the client of the Cisco Unified Presence user.

Verifying the XMPP Federation Configuration

This procedure describes how to verify the configuration for a federated network between a Cisco Unified Presence Release 8.x enterprise deployment and either a WebEx, an IBM Sametime, or another Cisco Unified Presence Release 8.x enterprise deployment. The steps below cover a Cisco Unified Presence Release 8.x and WebEx deployment. Use this procedure as a guide to verify the other types of XMPP federation.

Procedure

Step 1 Log on to the Cisco Unified Personal Communicator client or the third-party XMPP client connected to the Cisco Unified Presence Release 8.x server.

Step 2 Log on to two federated WebEx Connect clients.

Step 3 Perform the following steps on the first WebEx Connect client:

a. Add the Cisco Unified Presence user as a contact.

b. A pop-up message displays on the client of the Cisco Unified Presence user requesting that you accept, block, or ignore the presence subscription from the WebEx Connect user. Accept the subscription.

c. Check that the Cisco Unified Presence user and the WebEx Connect user are able to see each other's availability.


Step 4 Perform the following steps on the client of the Cisco Unified Presence user:

a. Add the second WebEx Connect user as a contact.

b. A pop-up should appear on the WebEx Connect client. Accept the subscription.

c. Check that you can see the availability of the WebEx Connect user.

Step 5 Toggle between the availability states on both the client of the Cisco Unified Presence user and the WebEx Connect client. Check that the availability state changes for the contacts on each client.

Step 6 Initiate an IM from the client of the Cisco Unified Presence user to a WebEx Connect contact.

Step 7 Check that the IM window displays on WebEx Connect client with the IM from the Cisco Unified Presence user.

Step 8 Close the IM window on both clients.

Step 9 Initiate an IM from the WebEx Connect user to the Cisco Unified Presence user.

Step 10 Check that an IM window displays on the client of the Cisco Unified Presence user with the IM from the WebEx Connect user.

Step 11 On the client of the Cisco Unified Presence user, perform the following steps:

a. Block one of WebEx Connect users.

Note If you block from a third-party XMPP client, you only block IM; users can still exchange availability status. To block both IM and availability on the server side, the user configures their privacy settings from the Cisco Unified Presence User Options interface, or from the Privacy configuration on Cisco Unified Personal Communicator.

b. Check that this WebEx Connect user now sees the availability of the Cisco Unified Presence user as offline. The second WebEx Connect user should still be able to see availability status for the Cisco Unified Presence user.

c. On the client of the Cisco Unified Presence user, the blocked WebEx Connect user should still appear as online, however you will not be able to send an IM to the blocked WebEx Connect user.

Step 12 Block the Cisco Unified Presence user from the WebEx Connect client.

Step 13 Verify that the availability of the WebEx Connect user is no longer available on the client of the Cisco Unified Presence user.


Chapter 15 Troubleshooting a SIP Federation Integration

April 4, 2011

• Common Cisco Adaptive Security Appliance Problems and Recommended Actions, page 15-1

• Common Integration Problems and Recommended Actions, page 15-4

Common Cisco Adaptive Security Appliance Problems and Recommended Actions

• Certificate Configuration Problems, page 15-1

• Errors When Creating the TLS Proxy Class Maps, page 15-3

• Subscriptions Don’t Reach Access Edge, page 15-3

• Problems With Cisco Adaptive Security Appliance After Upgrade, page 15-4

Certificate Configuration Problems

• Certificate Failure Between Cisco Unified Presence and Cisco Adaptive Security Appliance, page 15-1

• Certificate Failure Between Cisco Adaptive Security Appliance and Microsoft Access Edge, page 15-2

• Certificate Error in SSL Handshake, page 15-2

• Error When Submitting Certificate Signing Request to VeriSign, page 15-2

Certificate Failure Between Cisco Unified Presence and Cisco Adaptive Security Appliance

Problem The certificate configuration between Cisco Unified Presence and Cisco Adaptive Security Appliance is failing.

Solution The time and time zones on Cisco Adaptive Security Appliance may not be configured correctly.

• Set the time and time zones on Cisco Adaptive Security Appliance.

• Check that the time and time zones are configured correctly on Cisco Unified Presence and Cisco Unified Communications Manager.


Related Topics

About Prerequisite Configuration Tasks for this Integration, page 2-7

Certificate Failure Between Cisco Adaptive Security Appliance and Microsoft Access Edge

Problem The certificate configuration between Cisco Adaptive Security Appliance and Microsoft Access Edge is failing at certificate enrollment on Cisco Adaptive Security Appliance.

Solution If you are using SCEP enrollment on Cisco Adaptive Security Appliance, the SCEP add-on may not be installed and configured correctly. Install and configure the SCEP add-on.

Related Topics

CA Trustpoints, page 5-6

Certificate Error in SSL Handshake

Problem A certificate error displays in the SSL handshake.

Solution There is no FQDN in the certificate. Configure the domain on the Cisco Unified Presence CLI, and regenerate the certificate on Cisco Unified Presence so that it contains the FQDN. You must restart the SIP proxy on Cisco Unified Presence after you regenerate a certificate.

Related Topics

Configuring the Cisco Unified Presence Domain from the CLI, page 4-4

Error When Submitting Certificate Signing Request to VeriSign

Problem I am using VeriSign for certificate enrollment. When I paste the Certificate Signing Request into the VeriSign website, I get an error (usually a 9406 or 9442 error).

Solution The subject-name in the Certificate Signing Request is missing information. If you are submitting a renewal certificate signing request (CSR) file to VeriSign, the subject-name in the Certificate Signing Request must contain the following information:

• Country (two letter country code only)

• State (no abbreviations)

• Locality (no abbreviations)

• Organization Name

• Organizational Unit

• Common Name (FQDN)

The format of the subject-name line entry should be:

(config-ca-trustpoint)# subject-name cn=<fqdn>, OU=<organisational_unit>,O=<organisation_name>,C=<country>,St=<state>,L=<locality>
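As an added check, not part of the Cisco guide, the following Python validates a subject-name line of the format shown above against the six required fields; the function names and the FQDN regular expression are my own, and the "no abbreviations" test for St and L is only a heuristic.

```python
"""Check an ASA trustpoint subject-name line for the fields VeriSign requires
(C, St, L, O, OU, CN) as listed above. Added example, not from the Cisco guide;
standard library only."""
import re

REQUIRED = {"C", "ST", "L", "O", "OU", "CN"}
# Hostname labels separated by dots, ending in an alphabetic TLD: a plain FQDN test.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.IGNORECASE)


def parse_subject_name(line):
    """Parse 'cn=x, OU=y,O=z,...' into a dict keyed by upper-cased attribute type.
    Tolerates the 'subject-name ' command prefix and any mix of case and spacing."""
    line = line.strip()
    if line.lower().startswith("subject-name "):
        line = line[len("subject-name "):]
    attrs = {}
    for part in line.split(","):
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part.strip()!r}")
        key, value = part.split("=", 1)
        key = key.strip().upper()
        if key in attrs:
            raise ValueError(f"duplicate attribute: {key}")
        attrs[key] = value.strip()
    return attrs


def check_subject_name(line):
    """Return a list of problems; an empty list means every listed rule is met."""
    try:
        attrs = parse_subject_name(line)
    except ValueError as exc:
        return [str(exc)]
    problems = [f"missing {key}" for key in sorted(REQUIRED - set(attrs))]
    problems += [f"empty {key}" for key in sorted(REQUIRED & set(attrs)) if not attrs[key]]
    country = attrs.get("C", "")
    if country and not re.fullmatch(r"[A-Za-z]{2}", country):
        problems.append("C must be a two-letter country code")
    for key in ("ST", "L"):                       # heuristic for 'no abbreviations'
        value = attrs.get(key, "")
        if value and (value.isupper() or value.endswith(".")):
            problems.append(f"{key} looks abbreviated: {value!r}")
    common_name = attrs.get("CN", "")
    if common_name and not FQDN_RE.match(common_name):
        problems.append(f"CN is not an FQDN: {common_name!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a line in the format the guide shows, with placeholder values.
    sample = ("subject-name cn=cup1.example.com, OU=Collaboration,O=Example Corp,"
              "C=US,St=California,L=San Jose")
    print(check_subject_name(sample) or "subject-name OK")
```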

Related Topics

Generating a New Trustpoint for VeriSign, page B-2


SSL Errors When Cisco Unified Presence Domain or Hostname is Changed

Problem I changed the Cisco Unified Presence domain from the CLI, and I am getting SSL certificate errors between Cisco Unified Presence and Cisco Adaptive Security Appliance.

Solution If you change the Cisco Unified Presence domain name from the CLI, the Cisco Unified Presence self-signed cert, sipproxy.pem, regenerates. As a result you must reimport the sipproxy.pem certificate into Cisco Adaptive Security Appliance. Specifically you must delete the current sipproxy.pem certificate on Cisco Adaptive Security Appliance, and reimport the (regenerated) sipproxy.pem certificate.

Related Topics

How to Configure Security Certificate Exchange Between Cisco Unified Presence and Cisco Adaptive Security Appliance, page 5-1

Errors When Creating the TLS Proxy Class Maps

Problem The following errors are displayed when configuring the TLS Proxy class maps:

ciscoasa(config)# class-map ent_cup_to_foreign
ciscoasa(config-cmap)# match access-list ent_cup_to_foreign
ERROR: Specified ACL (ent_cup_to_foreign) either does not exist or its type is not supported by the match command.
ciscoasa(config-cmap)# exit

ciscoasa(config)# class-map ent_foreign_to_cup
ciscoasa(config-cmap)# match access-list ent_foreign_to_cup
ERROR: Specified ACL (ent_foreign_to_cup) either does not exist or its type is not supported by the match command.
ciscoasa(config-cmap)#

Solution The access list for the foreign domain does not exist. In the example above the access list called ent_foreign_to_cup does not exist. Create an extended access list for the foreign domain using the access list command.

Related Topics

• Access List Configuration Requirements, page 7-2.

• TLS Proxy Debugging Commands, page C-3

Subscriptions Don’t Reach Access Edge

Problem Subscriptions from Microsoft Office Communicator do not reach the Access Edge. OCS reports network function error with Access Edge as the peer. The Access Edge service will not start.

Solution On Access Edge, the Cisco Unified Presence domain may be configured in both the Allow tab and the IM provider tab. The Cisco Unified Presence domain should only be configured in the IM Provider tab. On Access Edge, remove the Cisco Unified Presence domain entry from the Allow tab. Make sure there is an entry for the Cisco Unified Presence domain on the IM Provider tab.


Problems With Cisco Adaptive Security Appliance After Upgrade

Problem The Cisco Adaptive Security Appliance does not boot after a software upgrade.

Solution You can download a new software image to the Cisco Adaptive Security Appliance using a TFTP server and the ROM Monitor (ROMMON) on the Cisco Adaptive Security Appliance. ROMMON is a command-line interface used for image loading and retrieval over TFTP, and for related diagnostic utilities.

Step 1 Attach a console cable (the blue cable that is distributed with the Cisco Adaptive Security Appliance) from the console port to a port on a nearby TFTP server.

Step 2 Open hyperterminal or equivalent.

Step 3 Accept all default values as you are prompted.

Step 4 Reboot the Cisco Adaptive Security Appliance.

Step 5 Hit ESC during bootup to access ROMMON.

Step 6 Enter this sequence of commands to enable the Cisco Adaptive Security Appliance to download the image from your TFTP server:

ip <Cisco Adaptive Security Appliance inside interface>
server <TFTP server>
interface Ethernet 0/1
file <name of new image>

Note The Ethernet interface you specify must equate to the Cisco Adaptive Security Appliance inside interface.

Step 7 Place the software image on the TFTP server in a recommended location (depending on your TFTP software).

Step 8 Enter this command to start the download:

tftpdnld

Note You need to define a gateway if the TFTP server is in a different subnet.

Common Integration Problems and Recommended Actions

• Unable to get Availability Exchange, page 15-5

• Problems Sending and Receiving IMs, page 15-6

• Losing Availability and IM Exchange After a Short Period, page 15-7

• Delay in Availability State Changes and IM Delivery Time, page 15-7

• 403 FORBIDDEN Returned Following a Presence Subscription Attempt, page 15-8

• Time Out on NOTIFY Message, page 15-8

• Cisco Unified Presence Certificate Not Accepted, page 15-8


• Problems Starting the Front-End Server on OCS, page 15-9

• Cisco Unified Personal Communicator Not Online after Login, page 15-10

• Unable to Remote Desktop to Access Edge, page 15-10

Unable to get Availability Exchange

Problem Unable to exchange availability information between Cisco Unified Personal Communicator and Microsoft Office Communicator.

Solution

OCS/Access Edge:

1. The certificate may have been configured incorrectly on the public interface of Access Edge. If you are using a Microsoft CA, ensure that you are using an OID value of 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2. The incorrect value displays on the general tab of the certificate (if it is correct it will not be visible). You can also see the incorrect value on an ethereal trace of the TLS handshake between Cisco Unified Presence and Access Edge.

Regenerate the certificate for the public interface of the Access Edge with a certificate type of "Other" and an OID value of 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2.

2. The front end server may not be running on OCS.

Ensure that the "Office Communications Server Front-End" service is running. You can check this service by selecting Start > Programs > Administrative Tools > Computer Management. In Services and Applications, select Services and locate the "Office Communications Server Front-End" service. If running, this service should have a status of "Started".
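To confirm the OID values on the Access Edge certificate without a full X.509 library, here is an added Python example (not Cisco's code, standard library only): a minimal DER walker that locates the Extended Key Usage extension (OID 2.5.29.37) and checks that both OIDs named in the solution above are present. The sample inputs are hand-encoded extension fragments, not real certificates, and the helper names are my own.

```python
"""Minimal DER walker that finds the Extended Key Usage extension (2.5.29.37)
in a DER certificate and reports its OIDs. Standard library only; an added
example, not part of the Cisco guide."""
import base64

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # first OID the guide requires on Access Edge
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # second OID the guide requires
EKU_EXTENSION = "2.5.29.37"         # id-ce-extKeyUsage


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past the end of the buffer")
    return tag, pos, end


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element inside [start, end)."""
    pos = start
    while pos < end:
        tag, vstart, vend = _read_tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def _decode_oid(body):
    """Decode OBJECT IDENTIFIER contents into dotted-decimal form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:             # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def extended_key_usage(der):
    """Return the set of OIDs in the EKU extension, or an empty set if absent."""
    found = set()

    def walk(start, end):
        for tag, vstart, vend in _children(der, start, end):
            # Recurse into SEQUENCE, SET and context tags [0]..[3]; an X.509 Extension
            # is SEQUENCE { extnID OID, [critical BOOLEAN], extnValue OCTET STRING }.
            if tag in (0x30, 0x31) or 0xA0 <= tag <= 0xA3:
                kids = list(_children(der, vstart, vend))
                if (kids and kids[0][0] == 0x06 and kids[-1][0] == 0x04
                        and _decode_oid(der[kids[0][1]:kids[0][2]]) == EKU_EXTENSION):
                    # extnValue wraps SEQUENCE OF KeyPurposeId
                    _, seq_start, seq_end = _read_tlv(der, kids[-1][1])
                    for t, a, b in _children(der, seq_start, seq_end):
                        if t == 0x06:
                            found.add(_decode_oid(der[a:b]))
                walk(vstart, vend)

    walk(0, len(der))
    return found


def has_required_eku(der):
    """True when both serverAuth and clientAuth are listed, as the guide requires."""
    return {SERVER_AUTH, CLIENT_AUTH} <= extended_key_usage(der)


def pem_to_der(pem_text):
    """Strip the -----BEGIN/END----- lines of a Base 64 encoded download and decode."""
    body = []
    for line in pem_text.splitlines():
        line = line.strip()
        if line and not line.startswith("-----"):
            body.append(line)
    return base64.b64decode("".join(body))


def der_to_pem(der, label="CERTIFICATE"):
    """Inverse of pem_to_der, used here for a round-trip check."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed samples (hand-encoded EKU extension fragments, not real certificates):
# SEQUENCE { OID 2.5.29.37, OCTET STRING { SEQUENCE { OID serverAuth, OID clientAuth } } }
SAMPLE_GOOD = bytes.fromhex(
    "301d" "0603551d25" "0416" "3014" "06082b06010505070301" "06082b06010505070302")
# Same shape with only serverAuth: the misconfiguration the solution above describes.
SAMPLE_BAD = bytes.fromhex("3013" "0603551d25" "040c" "300a" "06082b06010505070301")

if __name__ == "__main__":
    for name, der in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, sorted(extended_key_usage(der)), has_required_eku(der))
```

On a real export, feed the Base 64 encoded certificate file through pem_to_der before calling has_required_eku.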

Cisco Unified Presence:

1. The certificate may have been configured incorrectly on Cisco Unified Presence.

Generate the correct sipproxy-trust certificate for Cisco Unified Presence.

2. If you are using static routes, a static route may have been configured incorrectly. Also, the SIP Proxy domain may not have been set to the domain in which the Cisco Unified Presence server resides. Note that the SIP Proxy defaults to the domain that was set up during a fresh install.

If you are using static routes, configure a static route that points to the public interface of the Access Edge. The static route should have a route type set to "domain" and have a reversed destination pattern set e.g. if the federated domain is abc.com then the destination address pattern should be set to “.com.abc.*”. Static routes are configured in Cisco Unified Presence Administration by selecting Presence > Routing > Static Routes.

Cisco Unified Personal Communicator client:

The DNS settings on the Cisco Unified Personal Communicator client may be configured incorrectly. Ensure that the client machine is pointing to the correct DNS. Logout and login of the Cisco Unified Personal Communicator client.

Related Topics

• How to Configure the Certificate for External Access Edge Interface, page 5-9

• Generating a New Certificate on Cisco Unified Presence, page 5-4

• DNS Configuration for SIP Federation, page 4-3


Problems Sending and Receiving IMs

Problem Problems sending and receiving IMs between a Microsoft Office Communicator user and a Cisco Unified Personal Communicator 7.0 user.

Solution

DNS Settings:

DNS SRV records may not have been created, or configured incorrectly. To check if the DNS SRV records have been configured correctly, perform an nslookup for type=srv from both Cisco Unified Presence and Access Edge.

On Access Edge:

a. From a command prompt on Access Edge, enter nslookup.

b. Enter set type=srv.

c. Enter the SRV record for the Cisco Unified Presence domain e.g. _sipfederationtls._tcp.abc.com where abc.com is the domain name. If the SRV record exists, the FQDN for Cisco Unified Presence/Cisco Adaptive Security Appliance is returned.

On Cisco Unified Presence:

a. Using a remote access account, ssh into the Cisco Unified Presence server.

b. Perform the same steps as per the Access Edge above, except in this case use the OCS domain name.

Microsoft Office Communicator client:

The Microsoft Office Communicator 2007 user may have their presence set to "Do Not Disturb" (DND). If Microsoft Office Communicator 2007 is set to DND, it does not receive IMs from other users. Set the presence of the Microsoft Office Communicator user to another state.

Cisco Unified Presence:

1. If you are using static routes instead of DNS SRV, a static route may have been configured incorrectly. Configure a static route that points to the public interface of the Access Edge. The static route should have a route type set to "domain" and have a reversed destination pattern set e.g. if the federated domain is “abc.com” then the destination address pattern should be set to “.com.abc.*”. Static routes are configured in Cisco Unified Presence Administration by selecting Presence > Routing > Static Routes.

2. The Federation IM Controller Module Status may be disabled. In Cisco Unified Presence Administration, select System > Service Parameters, and select the SIP Proxy service. At the end of the screen, check that the Federation IM Control Module Status parameter is set to On.

3. The Federated Domain may not have been added, or may be configured incorrectly. In Cisco Unified Presence Administration, select Presence > Inter-Domain Federation and check that the correct federated domain has been added.

Related Topics

• DNS Configuration for SIP Federation, page 4-3

• Adding a SIP Federated Domain, page 4-2


Losing Availability and IM Exchange After a Short Period

Problem Cisco Unified Personal Communicator and Microsoft Office Communicator can share availability and IMs, but after a short period they start to lose each other's availability, and then can no longer exchange IMs.

Solution

OCS/Access Edge:

1. On Access Edge, both the internal and external edges may have the same FQDN. Also in DNS there may be two "A" record entries for that FQDN, one resolving to the IP address of the external edge and the other to the IP address of the internal edge.

On Access Edge, change the FQDN of the internal edge, and add an updated record entry in DNS. Remove the DNS entry that was originally resolving to the internal IP of the Access Edge. Also reconfigure the certificate for the internal edge on Access Edge.

2. On OCS, under global settings and front end properties, the FQDN for the access edge may have been entered incorrectly. On OCS, reconfigure the server to reflect the new FQDN of the internal edge.

DNS Settings:

DNS SRV records may not have been created, or may have been configured incorrectly. Add the necessary "A" records and SRV records.

Related Topics

Configuring the Foreign Server Components for SIP Federation, page 9-1

Delay in Availability State Changes and IM Delivery Time

Problem There is a delay in the delivery time of IMs and presence state changes between Cisco Unified Personal Communicator and Microsoft Office Communicator.

Solution On the Cisco Unified Presence server, the Disable Empty TLS Fragments option may not be selected for the Default_Cisco_UPS_SIP_Proxy_Peer_Auth_TLS_Context.

Step 1 Select Cisco Unified Presence Administration > System > Security > TLS Context Configuration.

Step 2 Click Default_Cisco_UPS_SIP_Proxy_Peer_Auth_TLS_Context.

Step 3 Check Disable Empty TLS Fragments.

Step 4 Click Save.


403 FORBIDDEN Returned Following a Presence Subscription Attempt

Problem Cisco Unified Presence attempts to subscribe to the presence of a Microsoft Office Communicator user and receives a 403 FORBIDDEN message from the OCS server.

Solution On the Access Edge server, the Cisco Unified Presence server may not have been added to the IM service provider list. On the Access Edge server, add an entry for the Cisco Unified Presence server to the IM service provider list. On the DNS server for Access Edge, ensure that there is a _sipfederationtls record for the Cisco Unified Presence domain that points to the public address of the Cisco Unified Presence server.

or

On the Access Edge server, the Cisco Unified Presence server may have been added to the Allow list. On the Access Edge server, remove any entry from the Allow list that points to the Cisco Unified Presence server.

Related Topics

Configuring the Foreign Server Components for SIP Federation, page 9-1

Time Out on NOTIFY Message

Problem Cisco Unified Presence times out when sending a NOTIFY message (when federating directly between Cisco Unified Presence and Microsoft OCS using TCP).

Solution On the Cisco Unified Presence server, the Use Transport in Record-Route Header parameter may need to be enabled.

Step 1 Select Cisco Unified Presence Administration > System > Service Parameters.

Step 2 Select the Cisco UP SIP Proxy service.

Step 3 In the SIP Parameters (Clusterwide) section, select On for the Use Transport in Record-Route Header parameter.

Step 4 Click Save.

Cisco Unified Presence Certificate Not Accepted

Problem Access Edge is not accepting the certificate from Cisco Unified Presence.

Solution The TLS handshake between Cisco Unified Presence/Cisco Adaptive Security Appliance and the Access Edge may be failing.

OCS/Access Edge:

1. Ensure that the IM Provider list on the Access Edge contains the public FQDN of the Cisco Unified Presence server, and it matches the subject CN of the Cisco Unified Presence certificate. If you have opted not to populate the Allow List with the FQDN of Cisco Unified Presence, then you must ensure that the subject CN of the Cisco Unified Presence certificate resolves to the FQDN of the SRV record for the Cisco Unified Presence domain.


2. Ensure that FIPS is enabled on Access Edge (use TLSv1).

3. Ensure that Federation is enabled globally on OCS, and enabled on the front end server.

4. If failing to resolve DNS SRV, ensure that DNS is set up correctly and perform an nslookup for type=srv from Access Edge:

a. From a command prompt on Access Edge, enter nslookup.

b. Enter set type=srv.

c. Enter the SRV record for the Cisco Unified Presence domain, for example _sipfederationtls._tcp.abc.com, where abc.com is the domain name. If the SRV record exists, the FQDN for Cisco Unified Presence/Cisco Adaptive Security Appliance is returned.

Cisco Unified Presence/Cisco Adaptive Security Appliance:

Check the ciphers on Cisco Unified Presence and Cisco Adaptive Security Appliance. In Cisco Unified Presence Administration, select System > Security > TLS Context Configuration > Default Cisco UP SIP Proxy Peer Auth TLS Context, and ensure that the "TLS_RSA_WITH_3DES_EDE_CBC_SHA" cipher is selected.

Related Topics

• Configuring the Foreign Server Components for SIP Federation, page 9-1

• Adding the TLS Peer to the Selected TLS Peer Subjects List, page 4-6

Problems Starting the Front-End Server on OCS

Problem The front-end server on OCS will not start.

Solution On OCS, the FQDN of the private interface of the Access Edge may have been defined in the list of Authorized Hosts. Remove the private interface of the Access Edge from the list of Authorized Hosts on OCS.

During OCS install, two Active Directory user accounts are created, called RTCService and RTCComponentService. These accounts are given an administrator-defined password; however, the "Password never expires" option is not selected by default on either account, so the password will expire periodically. To reset the password of the RTCService or RTCComponentService account on the OCS server, follow the procedure below.

Step 1 Right-click on the user account.

Step 2 Select Reset Password.

Step 3 Right-click on the user account.

Step 4 Select Properties.

Step 5 Select the Account tab.

Step 6 Check Password never expires.

Step 7 Click OK.


Cisco Unified Personal Communicator Not Online after Login

Problem Cisco Unified Personal Communicator client does not have available online status after login.

Solution The client computer may be pointing to the incorrect DNS server. Configure the correct DNS server on the client PC and then log in to Cisco Unified Personal Communicator again.

Unable to Remote Desktop to Access Edge

Problem Unable to successfully remote desktop to the Access Edge Server with FIPS enabled on Windows XP.

Solution This is a known Microsoft issue. The workaround to resolve the issue involves installing a Remote Desktop Connection application on the Windows XP computer. To install Remote Desktop Connection 6.0, follow the instructions at the following Microsoft URL:

http://support.microsoft.com/kb/811770

Chapter 16 Troubleshooting an XMPP Federation Integration

• Checking the System Troubleshooter, page 16-1

Checking the System Troubleshooter

If you deploy multiple Cisco Unified Presence clusters and you configure XMPP federation, you must turn on XMPP federation on at least one node per cluster. You must configure the same XMPP federation settings and policy on each cluster; Cisco Unified Presence does not replicate the XMPP federation configuration across clusters. The System Troubleshooter reports if the XMPP federation settings across clusters are not synchronized. The System Troubleshooter performs the following checks:

• XMPP federation is enabled consistently across intercluster peers.

• The SSL Mode is configured consistently across intercluster peers.

• The "Required Valid client-side certificates" setting is configured consistently across intercluster peers.

• The SASL settings are configured consistently across intercluster peers.

• The dialback secret is configured consistently across intercluster peers.

• The default Admin Policy for XMPP Federation is configured consistently across inter-cluster peers.

• The Policy hosts are configured consistently across inter-cluster peers.

Procedure

Step 1 Select Cisco Unified Presence Administration > Diagnostics > System Troubleshooter.

Step 2 Ensure there are green checks beside the following checks:

• Verify the XMPP Federation settings match on all interclustered peers.

• Verify that SASL settings have been correctly configured for all intercluster peers.

• Verify that XMPP federation has been uniformly disabled, or enabled on at least one node in each cluster.

• Verify that the default Admin Policy is consistent across all intercluster peers.

• Verify that the Host Policy is consistent across all intercluster peers.

The System Troubleshooter provides recommended actions if it reports a problem with any of these checks.
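The same consistency checks can be run offline against exported per-cluster settings. The following is an added example, not code from the Cisco guide: the field names, the SSL Mode and policy values, and the cluster data are constructed assumptions, not the Cisco Unified Presence data model.

```python
# Added example (not from the Cisco guide): a cross-cluster consistency check
# that mirrors the System Troubleshooter checks listed above, run offline over
# constructed per-cluster XMPP federation settings. Field names and values
# are assumptions, not the Cisco Unified Presence data model.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ClusterXmppFederation:
    name: str
    nodes_enabled: Dict[str, bool]   # node FQDN -> XMPP federation on/off
    ssl_mode: str                    # constructed values, e.g. "Required"
    require_client_certs: bool       # "Required Valid client-side certificates"
    sasl_enabled: bool
    dialback_secret: str
    default_admin_policy: str        # constructed values "Allow" / "Deny"
    policy_hosts: Dict[str, str]     # federated domain -> "Allow" / "Deny"


def _disagreements(peers, label, getter) -> List[str]:
    """Return one finding per cluster whose value differs from the first peer."""
    baseline = getter(peers[0])
    return [f"{label}: {p.name} differs from {peers[0].name}"
            for p in peers[1:] if getter(p) != baseline]


def check_xmpp_federation(peers: List[ClusterXmppFederation]) -> Dict[str, List[str]]:
    """Run the Troubleshooter-style checks; an empty list means a green check."""
    findings: Dict[str, List[str]] = {}

    # 1. XMPP Federation settings match on all intercluster peers. The dialback
    #    secret is compared, but its value is never written into a finding.
    findings["XMPP Federation settings match"] = (
        _disagreements(peers, "SSL Mode", lambda p: p.ssl_mode)
        + _disagreements(peers, "Required Valid client-side certificates",
                         lambda p: p.require_client_certs)
        + _disagreements(peers, "Dialback secret", lambda p: p.dialback_secret))

    # 2. SASL settings configured consistently.
    findings["SASL settings consistent"] = _disagreements(
        peers, "SASL", lambda p: p.sasl_enabled)

    # 3. XMPP federation uniformly disabled, or enabled on at least one node in
    #    each cluster: every cluster must land on the same side of that line.
    enabled_somewhere = {p.name: any(p.nodes_enabled.values()) for p in peers}
    if len(set(enabled_somewhere.values())) > 1:
        off = sorted(n for n, on in enabled_somewhere.items() if not on)
        findings["XMPP federation uniformly enabled"] = [
            f"no node has XMPP federation enabled in: {', '.join(off)}"]
    else:
        findings["XMPP federation uniformly enabled"] = []

    # 4. Default Admin Policy consistent.
    findings["Default Admin Policy consistent"] = _disagreements(
        peers, "Default Admin Policy", lambda p: p.default_admin_policy)

    # 5. Host Policy consistent: report the specific domains that differ.
    host_findings: List[str] = []
    base = peers[0].policy_hosts
    for p in peers[1:]:
        for domain in sorted(set(base) | set(p.policy_hosts)):
            if base.get(domain) != p.policy_hosts.get(domain):
                host_findings.append(
                    f"Host Policy for {domain}: {peers[0].name}={base.get(domain)} "
                    f"vs {p.name}={p.policy_hosts.get(domain)}")
    findings["Host Policy consistent"] = host_findings
    return findings


# Constructed sample: two clusters, the second drifted on three settings.
CLUSTER_A = ClusterXmppFederation(
    "cluster-a", {"cup-a1.example.com": True, "cup-a2.example.com": False},
    "Required", True, True, "s3cret-dialback", "Allow", {"partner.example": "Allow"})
CLUSTER_B = ClusterXmppFederation(
    "cluster-b", {"cup-b1.example.com": False},
    "Required", True, True, "other-secret", "Allow", {"partner.example": "Deny"})

if __name__ == "__main__":
    for check, problems in check_xmpp_federation([CLUSTER_A, CLUSTER_B]).items():
        print(("OK  " if not problems else "FAIL") + " " + check)
        for problem in problems:
            print("      " + problem)
```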


Related Topics

Location of Log Files for XMPP Federation, page 13-1

Appendix A Sample Cisco Adaptive Security Appliance Configuration

• Sample PAT Commands and Access List Configuration for SIP Federation, page A-1

• Sample Access List Configuration for XMPP Federation, page A-3

• Sample NAT Configuration for XMPP Federation, page A-4

Sample PAT Commands and Access List Configuration for SIP Federation

This section provides a sample configuration for a Cisco Unified Presence server that is federating with a foreign OCS enterprise deployment. There are two additional intercluster Cisco Unified Presence servers in the local enterprise deployment.

The following values are used in this sample configuration:

• Public Cisco Unified Presence IP Address = 10.10.10.10

• Private Routing Cisco Unified Presence IP Address = 1.1.1.1

• Private Second Cisco Unified Presence IP Address = 2.2.2.2

• Private Third Cisco Unified Presence IP Address = 3.3.3.3

• Peer Auth Listener Port on Cisco Unified Presence = 5062

• Netmask = 255.255.255.255

• Foreign Domain = abc.com

• Microsoft OCS External Interface = 20.20.20.20

These PAT commands are defined for the (routing) Cisco Unified Presence server:

(Cisco Adaptive Security Appliance Release 8.2:)

static (inside,outside) tcp 10.10.10.10 5061 1.1.1.1 5062 netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.10 5080 1.1.1.1 5080 netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.10 5060 1.1.1.1 5060 netmask 255.255.255.255

(Cisco Adaptive Security Appliance Release 8.3:)


nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.10 service obj_tcp_source_eq_5061 obj_tcp_source_eq_5062
nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.10 service obj_tcp_source_eq_5080 obj_tcp_source_eq_5080
nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.10 service obj_tcp_source_eq_5060 obj_tcp_source_eq_5060

These PAT commands are defined for the two additional intercluster Cisco Unified Presence servers in the enterprise deployment:

(Cisco Adaptive Security Appliance Release 8.2:)

static (inside,outside) tcp 10.10.10.10 45080 2.2.2.2 5080 netmask 255.255.255.255
static (inside,outside) udp 10.10.10.10 55070 3.3.3.3 5070 netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.10 55070 3.3.3.3 5070 netmask 255.255.255.255
static (inside,outside) udp 10.10.10.10 45062 2.2.2.2 5062 netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.10 55062 3.3.3.3 5062 netmask 255.255.255.255

(Cisco Adaptive Security Appliance Release 8.3:)

nat (inside,outside) source static obj_host_2.2.2.2 obj_host_10.10.10.10 service obj_tcp_source_eq_5080 obj_tcp_source_eq_45080
nat (inside,outside) source static obj_host_3.3.3.3 obj_host_10.10.10.10 service obj_tcp_source_eq_5070 obj_tcp_source_eq_55070
nat (inside,outside) source static obj_host_3.3.3.3 obj_host_10.10.10.10 service obj_udp_source_eq_5070 obj_udp_source_eq_55070
nat (inside,outside) source static obj_host_2.2.2.2 obj_host_10.10.10.10 service obj_tcp_source_eq_5062 obj_tcp_source_eq_45062
nat (inside,outside) source static obj_host_3.3.3.3 obj_host_10.10.10.10 service obj_tcp_source_eq_5062 obj_tcp_source_eq_55062

The corresponding access lists for this configuration are provided below. Note that for each foreign domain that you federate with, you must add access lists similar to these access lists for the domain abc.com.

(Cisco Adaptive Security Appliance Release 8.2:)

access-list ent_cup_to_abc extended permit tcp host 1.1.1.1 host 20.20.20.20 eq 5061
access-list ent_abc_to_cup extended permit tcp host 20.20.20.20 host 10.10.10.10 eq 5061
access-list ent_secondcup_to_abc extended permit tcp host 2.2.2.2 host 20.20.20.20 eq 5061
access-list ent_thirdcup_to_abc extended permit tcp host 3.3.3.3 host 20.20.20.20 eq 5061
access-list ent_abc_to_secondcup extended permit tcp host 20.20.20.20 host 10.10.10.10 eq 45061
access-list ent_abc_to_thirdcup extended permit tcp host 20.20.20.20 host 10.10.10.10 eq 55061

(Cisco Adaptive Security Appliance Release 8.3:)

access-list ent_cup_to_abc extended permit tcp host 1.1.1.1 host 20.20.20.20 eq 5061
access-list ent_abc_to_cup extended permit tcp host 20.20.20.20 host 1.1.1.1 eq 5062
access-list ent_secondcup_to_abc extended permit tcp host 2.2.2.2 host 20.20.20.20 eq 5061
access-list ent_thirdcup_to_abc extended permit tcp host 3.3.3.3 host 20.20.20.20 eq 5061
access-list ent_abc_to_secondcup extended permit tcp host 20.20.20.20 host 2.2.2.2 eq 5062
access-list ent_abc_to_thirdcup extended permit tcp host 20.20.20.20 host 3.3.3.3 eq 5062

Associate each of your access lists with a class map:

class-map ent_cup_to_abc
 match access-list ent_cup_to_abc

class-map ent_abc_to_cup
 match access-list ent_abc_to_cup


class-map ent_secondcup_to_abc
 match access-list ent_secondcup_to_abc

class-map ent_thirdcup_to_abc
 match access-list ent_thirdcup_to_abc

class-map ent_abc_to_secondcup
 match access-list ent_abc_to_secondcup

class-map ent_abc_to_thirdcup
 match access-list ent_abc_to_thirdcup

Update the global policy map for each class map you created. In this example, the TLS proxy instance for TLS connections initiated by Cisco Unified Presence is called “cup_to_foreign”, and the TLS proxy instance for TLS connections initiated by a foreign domain is called “foreign_to_cup”.

policy-map global_policy
 class ent_cup_to_abc
  inspect sip sip_inspect tls-proxy ent_cup_to_foreign

policy-map global_policy
 class ent_abc_to_cup
  inspect sip sip_inspect tls-proxy ent_foreign_to_cup

policy-map global_policy
 class ent_secondcup_to_abc
  inspect sip sip_inspect tls-proxy ent_cup_to_foreign

policy-map global_policy
 class ent_thirdcup_to_abc
  inspect sip sip_inspect tls-proxy ent_cup_to_foreign

policy-map global_policy
 class ent_abc_to_secondcup
  inspect sip sip_inspect tls-proxy ent_foreign_to_cup

policy-map global_policy
 class ent_abc_to_thirdcup
  inspect sip sip_inspect tls-proxy ent_foreign_to_cup
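The Release 8.2 and Release 8.3 forms of the PAT statements and access lists above follow a mechanical mapping: 8.3 twice NAT names the real (private) object before the mapped (public) object, with the service pair in the same order, and 8.3 access lists match the real address and port rather than the mapped ones. The following added example (not Cisco's code) performs that conversion for the 8.2 lines of this appendix; the obj_host_<ip> and obj_<proto>_source_eq_<port> object definitions it emits are an assumption, since the appendix shows only the statements that reference them.

```python
# Added example (not Cisco's code): convert the ASA 8.2 'static' PAT lines
# and 8.2 access lists from this appendix into their 8.3 form. Object names
# follow the obj_host_<ip> / obj_<proto>_source_eq_<port> pattern the 8.3
# sample uses; the object definitions themselves are assumed, since the
# appendix shows only the nat and access-list statements that reference them.
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

STATIC_RE = re.compile(
    r"^static \((\w+),(\w+)\) (tcp|udp) ([\d.]+) (\d+) ([\d.]+) (\d+)"
    r"(?: netmask [\d.]+)?$")
ACL_RE = re.compile(
    r"^(access-list \S+ extended permit )(tcp|udp)( host [\d.]+ host )([\d.]+) eq (\d+)$")


@dataclass(frozen=True)
class PatRule:
    real_ifc: str
    mapped_ifc: str
    proto: str
    mapped_ip: str     # public address in the 8.2 'static' line
    mapped_port: int
    real_ip: str       # private Cisco Unified Presence address
    real_port: int


def parse_static(line: str) -> PatRule:
    """Parse one 8.2 'static (real,mapped) proto mapped_ip mapped_port real_ip real_port'."""
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an 8.2 static PAT line: {line!r}")
    real_ifc, mapped_ifc, proto, mip, mport, rip, rport = m.groups()
    return PatRule(real_ifc, mapped_ifc, proto, mip, int(mport), rip, int(rport))


def host_obj(ip: str) -> str:
    return f"obj_host_{ip}"


def svc_obj(proto: str, port: int) -> str:
    return f"obj_{proto}_source_eq_{port}"


def to_nat_83(rule: PatRule) -> str:
    """8.3 twice NAT names the real object before the mapped one, and the
    service pair in the same order (real port, then mapped port)."""
    return (f"nat ({rule.real_ifc},{rule.mapped_ifc}) source static "
            f"{host_obj(rule.real_ip)} {host_obj(rule.mapped_ip)} "
            f"service {svc_obj(rule.proto, rule.real_port)} "
            f"{svc_obj(rule.proto, rule.mapped_port)}")


def object_definitions(rules: List[PatRule]) -> List[str]:
    """Emit the network and service objects the 8.3 nat lines reference."""
    def ip_key(ip: str) -> Tuple[int, ...]:
        return tuple(int(o) for o in ip.split("."))
    hosts = sorted({ip for r in rules for ip in (r.real_ip, r.mapped_ip)}, key=ip_key)
    services = sorted({(r.proto, p) for r in rules for p in (r.real_port, r.mapped_port)})
    out: List[str] = []
    for ip in hosts:
        out += [f"object network {host_obj(ip)}", f" host {ip}"]
    for proto, port in services:
        out += [f"object service {svc_obj(proto, port)}", f" service {proto} source eq {port}"]
    return out


def translate_acl(acl_line: str, rules: List[PatRule]) -> str:
    """8.2 ACLs match the mapped (public) address and port; 8.3 ACLs match the
    real address and port. Rewrite the destination when a PAT rule covers it,
    otherwise leave the line unchanged (e.g. outbound rules to the foreign edge)."""
    m = ACL_RE.match(acl_line.strip())
    if not m:
        return acl_line
    prefix, proto, middle, dst_ip, dst_port = m.groups()
    by_mapped: Dict[Tuple[str, str, int], PatRule] = {
        (r.proto, r.mapped_ip, r.mapped_port): r for r in rules}
    rule = by_mapped.get((proto, dst_ip, int(dst_port)))
    if rule is None:
        return acl_line
    return f"{prefix}{proto}{middle}{rule.real_ip} eq {rule.real_port}"


# Constructed input: the 8.2 lines from this appendix for the routing node
# (1.1.1.1) and the second intercluster node (2.2.2.2).
SAMPLE_82_STATICS = [
    "static (inside,outside) tcp 10.10.10.10 5061 1.1.1.1 5062 netmask 255.255.255.255",
    "static (inside,outside) tcp 10.10.10.10 5080 1.1.1.1 5080 netmask 255.255.255.255",
    "static (inside,outside) tcp 10.10.10.10 45080 2.2.2.2 5080 netmask 255.255.255.255",
]
SAMPLE_82_ACLS = [
    "access-list ent_cup_to_abc extended permit tcp host 1.1.1.1 host 20.20.20.20 eq 5061",
    "access-list ent_abc_to_cup extended permit tcp host 20.20.20.20 host 10.10.10.10 eq 5061",
]

if __name__ == "__main__":
    rules = [parse_static(s) for s in SAMPLE_82_STATICS]
    for line in object_definitions(rules) + [to_nat_83(r) for r in rules]:
        print(line)
    for acl in SAMPLE_82_ACLS:
        print(translate_acl(acl, rules))
```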

Sample Access List Configuration for XMPP Federation

Note The examples in this section are applicable to Cisco Adaptive Security Appliance Release 8.3.

Example 1: This example access list configuration allows traffic from any address to any address on port 5269:

access-list ALLOW-ALL extended permit tcp any any eq 5269

Example 2: This example access list configuration allows traffic from any address to a single XMPP federation node on port 5269. The following values are used in this example:

• Private XMPP federation Cisco Unified Presence Release 8.x IP address = 1.1.1.1

• XMPP federation listening port = 5269

access-list ALLOW-ALL extended permit tcp any host 1.1.1.1 eq 5269


Example 3: This example access list configuration allows traffic from any address to specific XMPP federation nodes published in DNS.

Note The public addresses are published in DNS, but the private addresses are configured in the access-list command.

The following values are used in this sample configuration:

• Private XMPP federation Cisco Unified Presence Release 8.x IP address = 1.1.1.1

• Private second Cisco Unified Presence Release 8.x IP address= 2.2.2.2

• Private third Cisco Unified Presence Release 7.x IP address = 3.3.3.3

• XMPP federation listening port = 5269

access-list ALLOW-ALL extended permit tcp any host 1.1.1.1 eq 5269
access-list ALLOW-ALL extended permit tcp any host 2.2.2.2 eq 5269
access-list ALLOW-ALL extended permit tcp any host 3.3.3.3 eq 5269

Example 4: This example access list configuration allows traffic only from a specific federated domain interface to specific XMPP federation nodes published in DNS.

Note The public addresses are published in DNS, but the private addresses are configured in the access-list command.

The following values are used in this sample configuration:

• Private XMPP federation Cisco Unified Presence Release 8.x IP address = 1.1.1.1

• Private second Cisco Unified Presence Release 8.x IP address = 2.2.2.2

• Private third Cisco Unified Presence Release 7.x IP address = 3.3.3.3

• XMPP federation listening port = 5269

• External interface of the foreign XMPP enterprise = 100.100.100.100

access-list ALLOW-ALL extended permit tcp host 100.100.100.100 host 1.1.1.1 eq 5269
access-list ALLOW-ALL extended permit tcp host 100.100.100.100 host 2.2.2.2 eq 5269
access-list ALLOW-ALL extended permit tcp host 100.100.100.100 host 3.3.3.3 eq 5269

Sample NAT Configuration for XMPP Federation

Example 1: Single node with XMPP federation enabled

The following values are used in this sample configuration:

• Public Cisco Unified Presence IP address = 10.10.10.10

• Private XMPP federation Cisco Unified Presence Release 8.x IP address = 1.1.1.1

• XMPP federation listening port = 5269

nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.10 service obj_udp_source_eq_5269 obj_udp_source_eq_5269
nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.10 service obj_tcp_source_eq_5269 obj_tcp_source_eq_5269

Example 2: Multiple nodes with XMPP federation, each with a public IP address in DNS

The following values are used in this sample configuration:

• Public Cisco Unified Presence IP addresses = 10.10.10.10, 20.20.20.20, 30.30.30.30

• Private XMPP federation Cisco Unified Presence Release 8.x IP address = 1.1.1.1

• Private second Cisco Unified Presence Release 8.x IP address = 2.2.2.2

• Private third Cisco Unified Presence Release 7.x IP address = 3.3.3.3

• XMPP federation listening port = 5269

nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.10 service obj_udp_source_eq_5269 obj_udp_source_eq_5269
nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.10 service obj_tcp_source_eq_5269 obj_tcp_source_eq_5269

nat (inside,outside) source static obj_host_2.2.2.2 obj_host_20.20.20.20 service obj_udp_source_eq_5269 obj_udp_source_eq_5269
nat (inside,outside) source static obj_host_2.2.2.2 obj_host_20.20.20.20 service obj_tcp_source_eq_5269 obj_tcp_source_eq_5269

nat (inside,outside) source static obj_host_3.3.3.3 obj_host_30.30.30.30 service obj_udp_source_eq_5269 obj_udp_source_eq_5269
nat (inside,outside) source static obj_host_3.3.3.3 obj_host_30.30.30.30 service obj_tcp_source_eq_5269 obj_tcp_source_eq_5269

Example 3: Multiple nodes with XMPP federation, but a single public IP address in DNS with arbitrary ports published in DNS (PAT)

The following values are used in this sample configuration:

• Public Cisco Unified Presence IP Address = 10.10.10.10

• Private XMPP federation Cisco Unified Presence Release 8.x IP address = 1.1.1.1, port 5269

• Private second Cisco Unified Presence Release 8.x IP address = 2.2.2.2, arbitrary port 25269

• Private third Cisco Unified Presence Release 7.x IP address = 3.3.3.3, arbitrary port 35269

nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.10 service obj_udp_source_eq_5269 obj_udp_source_eq_5269
nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.10 service obj_tcp_source_eq_5269 obj_tcp_source_eq_5269

nat (inside,outside) source static obj_host_2.2.2.2 obj_host_10.10.10.10 service obj_udp_source_eq_5269 obj_udp_source_eq_25269
nat (inside,outside) source static obj_host_2.2.2.2 obj_host_10.10.10.10 service obj_tcp_source_eq_5269 obj_tcp_source_eq_25269

nat (inside,outside) source static obj_host_3.3.3.3 obj_host_10.10.10.10 service obj_udp_source_eq_5269 obj_udp_source_eq_35269
nat (inside,outside) source static obj_host_3.3.3.3 obj_host_10.10.10.10 service obj_tcp_source_eq_5269 obj_tcp_source_eq_35269

Appendix B Configuring Security Certificate Exchange Between Cisco Adaptive Security Appliance and Microsoft Access Edge Using VeriSign

• How to Configure the Security Certificates on Cisco Adaptive Security Appliance, page B-1

• Importing the VeriSign Certificates onto Microsoft Access Edge, page B-8

How to Configure the Security Certificates on Cisco Adaptive Security Appliance

• Deleting the Old Certificates and Trustpoints, page B-1

• Generating a New Trustpoint for VeriSign, page B-2

• Importing the Intermediate Certificate, page B-6

• Importing the Root Certificate, page B-3

• Generating the Certificate Signing Request, page B-4

• Submitting the Certificate Signing Request to VeriSign, page B-4

• Deleting the Certificate Used for the Certificate Signing Request, page B-5

• Importing the Intermediate Certificate, page B-6

• Creating a Trustpoint for the Root Certificate, page B-6

• Importing the Root Certificate, page B-7

• Importing the Signed Certificate, page B-7

Deleting the Old Certificates and Trustpoints

This procedure describes how to delete the old intermediate and signed certificate, and the trustpoint for the root certificate, on Cisco Adaptive Security Appliance.

Before You Begin

Ensure that you have carried out the configuration tasks described in the following chapters:


• Configuring Cisco Unified Presence for SIP Federation, page 4-1

• Configuring Cisco Adaptive Security Appliance for SIP Federation, page 6-1

Procedure

Step 1 Enter config mode, type:

> enable
> <password>
> config t

Step 2 Enter this command to display the trustpoints:

show crypto ca trustpoints

Step 3 Enter this command to delete the trustpoint and associated certificates:

no crypto ca trustpoint <name of trustpoint>

The following warning output displays:

WARNING: Removing an enrolled trustpoint will destroy all certificates received from the related Certificate Authority.

Step 4 Enter yes when you are prompted to delete the trustpoint.

What To Do Next

Generating a New Trustpoint for VeriSign, page B-2

Generating a New Trustpoint for VeriSign

Procedure

Step 1 Enter config mode, type:

> enable
> <password>
> config t

Step 2 Enter this command to generate the key pair for this certification:

crypto key generate rsa label keys_for_verisign

Step 3 Enter the following sequence of commands to create a trustpoint for Cisco Unified Presence:

crypto ca trustpoint <name of trustpoint>
(config-ca-trustpoint)# enrollment terminal
(config-ca-trustpoint)# subject-name cn=<fqdn>, OU=<organisational_unit>,O=<organisation_name>,C=<country>,St=<state>,L=<locality>
(config-ca-trustpoint)# keypair keys_for_verisign
(config-ca-trustpoint)# fqdn none
(config-ca-trustpoint)# exit

Note If you are submitting a renewal certificate signing request (CSR) file to VeriSign, the subject-name value must contain the following information:


• Country (two letter country code only)

• State (no abbreviations)

• Locality (no abbreviations)

• Organization Name

• Organizational Unit

• Common Name (FQDN) - This value must be the public FQDN of the Cisco Unified Presence server.
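A pre-flight check of the subject-name string before running crypto ca enroll catches the renewal requirements above before VeriSign rejects the request. The following is an added example, not code from the Cisco guide; it assumes the cn=/OU=/O=/C=/St=/L= keys used in the trustpoint commands of this appendix, approximates "no abbreviations" as "longer than three characters and not ending in a period", and takes the expected public FQDN from the caller.

```python
# Added example (not from the Cisco guide): a pre-flight check on the
# subject-name string before 'crypto ca enroll', covering the renewal
# requirements listed above. Assumptions: the string uses the cn=/OU=/O=/C=/St=/L=
# keys from the trustpoint commands in this appendix; "no abbreviations" is
# approximated as "longer than three characters and not ending in a period";
# the expected public FQDN is supplied by the caller.
import re
from typing import Dict, List

REQUIRED_KEYS = {"cn", "ou", "o", "c", "st", "l"}


def parse_subject_name(subject: str) -> Dict[str, str]:
    """Split 'cn=x, OU=y,O=z,...' into a lowercase-key dict, tolerating the
    mixed spacing that the ASA accepts in the subject-name command."""
    fields: Dict[str, str] = {}
    for part in subject.split(","):
        if "=" not in part:
            raise ValueError(f"malformed component: {part!r}")
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def validate_subject_name(subject: str, expected_fqdn: str) -> List[str]:
    """Return a list of problems; an empty list means the CSR subject is ready."""
    fields = parse_subject_name(subject)
    problems: List[str] = []
    missing = sorted(REQUIRED_KEYS - set(fields))
    if missing:
        problems.append(f"missing components: {', '.join(missing)}")
    # Country: two-letter code only.
    country = fields.get("c", "")
    if not re.fullmatch(r"[A-Za-z]{2}", country):
        problems.append(f"country must be a two-letter code, got {country!r}")
    # State and locality: no abbreviations (heuristic, see header comment).
    for key, label in (("st", "state"), ("l", "locality")):
        value = fields.get(key, "")
        if value and (len(value) <= 3 or value.endswith(".")):
            problems.append(f"{label} looks abbreviated: {value!r}")
    # Common Name: must be the public FQDN of the Cisco Unified Presence server.
    cn = fields.get("cn", "")
    if cn.lower() != expected_fqdn.lower():
        problems.append(f"CN {cn!r} does not match the public FQDN {expected_fqdn!r}")
    elif not re.fullmatch(r"(?=.{1,253}$)([A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}", cn):
        problems.append(f"CN {cn!r} is not a fully qualified domain name")
    return problems


# Constructed values for illustration.
GOOD_SUBJECT = ("cn=cup.example.com, OU=Collaboration,O=Example Corp,"
                "C=US,St=California,L=San Jose")
BAD_SUBJECT = "cn=cup.example.com, OU=Collaboration,O=Example Corp,C=USA,St=CA,L=San Jose"

if __name__ == "__main__":
    for subj in (GOOD_SUBJECT, BAD_SUBJECT):
        problems = validate_subject_name(subj, "cup.example.com")
        print(subj)
        print("  " + ("OK" if not problems else "; ".join(problems)))
```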

Troubleshooting Tips

Enter the command show crypto key mypubkey rsa to check that the key pair is generated.

What To Do Next

Importing the Intermediate Certificate, page B-6

Importing the Root Certificate

Before You Begin

Complete the steps in Generating a New Trustpoint for VeriSign, page B-2.

Procedure

Step 1 Enter config mode, type:

> enable
> <password>
> config t

Step 2 Enter this command to import the certificate onto Cisco Adaptive Security Appliance:

crypto ca authenticate <name of trustpoint>

Step 3 Enter the CA certificate, for example:

-----BEGIN CERTIFICATE-----
MIIDAzCCAmwCEQC5L2DMiJ+hekYJuFtwbIqvMA0GCSqGSIb3DQEBBQUAMIH...
-----END CERTIFICATE-----
quit

Note Finish with the word "quit" on a separate line.

Step 4 Enter yes when you are prompted to accept the certificate.

What To Do Next

Generating the Certificate Signing Request, page B-4


Generating the Certificate Signing Request

Before You Begin

Complete the steps in Importing the Root Certificate, page B-3.

Procedure

Step 1 Enter config mode, type:

> enable
> <password>
> config t

Step 2 Enter this command to send an enrollment request to the CA:

crypto ca enroll <name of trustpoint>

The following warning output displays:

%WARNING: The certificate enrollment is configured with an fqdn that differs from the system fqdn. If this certificate will be used for VPN authentication this may cause connection problems.

Step 3 Enter yes when you are prompted to continue with the enrollment.

% Start certificate enrollment..
% The subject name in the certificate will be: <fqdn>, OU=<organisational_unit>,O=<organisation_name>,C=<country>,St=<state>,L=<locality>

Step 4 Enter no when you are prompted to include the device serial number in the subject name.

Step 5 Enter yes when you are prompted to display the certificate request in the terminal.

The certificate request displays.

What To Do Next

Submitting the Certificate Signing Request to VeriSign, page B-4

Submitting the Certificate Signing Request to VeriSign

When you submit the Certificate Signing Request, VeriSign will provide you with the following certificate files:

• verisign-signed-cert.cer (signed certificate)

• trial-inter-root.cer (subordinate intermediate root certificate)

• verisign-root-ca.cer (root CA certificate)

Save the certificate files in separate notepad files once you have downloaded them.

Before You Begin

• Complete the steps in Generating the Certificate Signing Request, page B-4.

• You will need the challenge password that you defined when generating the Certificate Signing Request.


Procedure

Step 1 Go to the VeriSign website.

Step 2 Follow the procedure to enter a Certificate Signing Request.

Step 3 When prompted, submit the challenge password for the Certificate Signing Request.

Step 4 Paste the Certificate Signing Request into the window provided.

Note You need to paste from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- inclusive.

What To Do Next

Deleting the Certificate Used for the Certificate Signing Request, page B-5

Deleting the Certificate Used for the Certificate Signing Request

You must delete the temporary root certificate used to generate the Certificate Signing Request.

Before You Begin

Complete the steps in Submitting the Certificate Signing Request to VeriSign, page B-4.

Procedure

Step 1 Enter config mode, type:

> Enable
> <password>
> config t

Step 2 Enter this command to display the certificates:

show running-config crypto ca

Look for crypto ca certificate chain <name of trustpoint> in the output.

Step 3 Enter this command to delete the certificate:

(config)# crypto ca certificate chain <name of trustpoint>
(config-cert-chain)# no certificate ca 00b92f60cc889fa17a4609b85b70$

The following warning output displays:

WARNING: The CA certificate will be disassociated from this trustpoint and will be removed if it is not associated with any other trustpoint. Any other certificates issued by this CA and associated with this trustpoint will also be removed.

Step 4 Enter yes when you are prompted to delete the trustpoint.

What To Do Next

Importing the Intermediate Certificate, page B-6


Importing the Intermediate Certificate

Before You Begin

Complete the steps in Deleting the Certificate Used for the Certificate Signing Request, page B-5.

Procedure

Step 1 Enter config mode, type:

> Enable
> <password>
> config t

Step 2 Enter this command to import the certificate onto Cisco Adaptive Security Appliance:

crypto ca authenticate <name of trustpoint>

Step 3 Enter the CA certificate, for example:

-----BEGIN CERTIFICATE-----
MIIEwDCCBCmgAwIBAgIQY7GlzcWfeIAdoGNs+XVGezANBgkqhkiG9w0BAQU....
-----END CERTIFICATE-----
quit

Note Finish with the word "quit" on a separate line.

Step 4 Enter yes when you are prompted to accept the certificate.

What To Do Next

Creating a Trustpoint for the Root Certificate, page B-6

Creating a Trustpoint for the Root Certificate

Before You Begin

Complete the steps in Importing the Intermediate Certificate, page B-6.

Step 1 Enter config mode, type:

> Enable
> <password>
> config t

Step 2 Enter this command to generate the trustpoint:

crypto ca trustpoint verisign_root

Step 3 Enter the following sequence of commands:

(config-ca-trustpoint)# revocation-check none
(config-ca-trustpoint)# keypair keys_for_verisign
(config-ca-trustpoint)# enrollment terminal
(config-ca-trustpoint)# exit


Importing the Root Certificate

Before You Begin

Complete the steps in Creating a Trustpoint for the Root Certificate, page B-6.

Procedure

Step 1 Enter config mode, type:

> Enable
> <password>
> config t

Step 2 Enter this command to import the certificate onto Cisco Adaptive Security Appliance:

crypto ca authenticate verisign_root

Step 3 Enter the CA certificate, for example:

-----BEGIN CERTIFICATE-----
MIICmDCCAgECECCol67bggLewTagTia9h3MwDQYJKoZIhvcNAQECBQAw....
-----END CERTIFICATE-----
quit

Note Finish with the word "quit" on a separate line.

Step 4 Enter yes when you are prompted to accept the certificate.

What To Do Next

Importing the Signed Certificate, page B-7

Importing the Signed Certificate

Before You Begin

Complete the steps in Importing the Root Certificate, page B-7.

Procedure

Step 1 Enter config mode, type:

> Enable
> <password>
> config t

Step 2 Enter this command to import the certificate onto Cisco Adaptive Security Appliance:

crypto ca import verisignca certificate


The following warning output displays:

WARNING: The certificate enrollment is configured with an fqdn that differs from the system fqdn. If this certificate will be used for VPN authentication this may cause connection problems.

Step 3 Enter yes when you are prompted to continue with the certificate enrollment.

Step 4 Enter the CA certificate, for example:

-----BEGIN CERTIFICATE-----
MIIFYTCCBEmgAwIBAgIQXtEPGWzZ0b9gejHejq+HazANBgkqhkiG9w0B....
-----END CERTIFICATE-----
quit

Note Finish with the word "quit" on a separate line.

Step 5 Enter yes when you are prompted to accept the certificate.
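Before pasting the three files VeriSign returns (verisign-root-ca.cer, trial-inter-root.cer and verisign-signed-cert.cer) into the terminal, it is worth checking on a workstation that each file carries the complete BEGIN/END armour the appliance expects, that the signed certificate really chains through the intermediate to the root, and which serial number the appliance will later list for it (the value used in no certificate ca <serial>). The script below is an added example and is not part of the Cisco guide or of the appliance software. It assumes the openssl command line tool is on PATH, and in place of the VeriSign files it builds a locally constructed three-tier demo chain (Demo Root CA, Demo Intermediate CA, asa.example.com), all hypothetical names.

```shell
#!/bin/sh
# Added example, not from the Cisco guide or the ASA: check a CA-issued
# certificate bundle on a workstation before pasting it into the ASA.
# Assumes the openssl CLI is on PATH. The chain built by make_demo_chain is
# constructed locally and stands in for verisign-root-ca.cer,
# trial-inter-root.cer and verisign-signed-cert.cer.

# 1. Armour check: the file must start with the BEGIN line and end with the
#    END line (the guide says paste both, inclusive), and the base64 body
#    must decode to a certificate that openssl can parse.
check_pem_file() {
    head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----$' || return 1
    tail -n 1 "$1" | grep -q '^-----END CERTIFICATE-----$'   || return 1
    openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# 2. Serial number as lower-case hex, the form the ASA prints under
#    "crypto ca certificate chain" and takes in "no certificate ca <serial>".
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//' | tr 'A-F' 'a-f'
}

# 3. Issuer/subject linkage: the child's issuer DN must equal the parent's
#    subject DN (both printed by the same openssl formatter, so the strings
#    compare directly).
issued_by() {
    child_issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    parent_subject=$(openssl x509 -in "$2" -noout -subject | sed 's/^subject=//')
    [ -n "$child_issuer" ] && [ "$child_issuer" = "$parent_subject" ]
}

# 4. Whole-chain check: root -> intermediate -> signed certificate, the order
#    in which the guide imports them into the ASA trustpoints. Returns 0 only
#    if every file is well formed, the DNs link up and the signatures verify.
verify_chain() {
    root=$1; inter=$2; leaf=$3
    check_pem_file "$root" && check_pem_file "$inter" && check_pem_file "$leaf" || return 1
    issued_by "$leaf" "$inter" && issued_by "$inter" "$root" || return 1
    openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" >/dev/null 2>&1
}

# Build a constructed demo chain in directory $1 (hypothetical names).
make_demo_chain() {
    d=$1
    mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\n' > "$d/leaf.ext"
    # self-signed root
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" \
        -subj "/CN=Demo Root CA" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -set_serial 1 -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    # intermediate issued by the root
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/inter.key" \
        -subj "/CN=Demo Intermediate CA" -out "$d/inter.csr" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -days 2 -set_serial 2 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
    # the appliance's own certificate, issued by the intermediate, serial 0x1234
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/asa.key" \
        -subj "/CN=asa.example.com" -out "$d/asa.csr" 2>/dev/null
    openssl x509 -req -in "$d/asa.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -days 2 -set_serial 4660 -extfile "$d/leaf.ext" -out "$d/asa.pem" 2>/dev/null
    # a deliberately truncated copy with no END line, as when a paste is cut short
    sed '$d' "$d/asa.pem" > "$d/truncated.pem"
}

# Usage: build the demo chain and report.
DEMO_DIR=$(mktemp -d)
make_demo_chain "$DEMO_DIR"
if verify_chain "$DEMO_DIR/root.pem" "$DEMO_DIR/inter.pem" "$DEMO_DIR/asa.pem"; then
    echo "chain OK; signed certificate serial: $(cert_serial "$DEMO_DIR/asa.pem")"
else
    echo "chain check FAILED"
fi
check_pem_file "$DEMO_DIR/truncated.pem" || echo "truncated.pem rejected (no END line)"
```

Run the same four functions against the real files from VeriSign in place of the demo ones; verify_chain failing on a bundle that looks complete usually means the intermediate and root files were swapped, or a paste dropped the END line.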

What To Do Next

Importing the VeriSign Certificates onto Microsoft Access Edge, page B-8

Importing the VeriSign Certificates onto Microsoft Access Edge

This procedure describes how to import the VeriSign root and intermediate certificates onto the Microsoft Access Edge server.

Before You Begin

Save the certificates that were provided by VeriSign to the Access Edge server, for example, in C:\.

Procedure

Step 1 On the Access Edge server, enter mmc from the run command.

Step 2 Select File > Add/Remove Snap-in.

Step 3 Click Add.

Step 4 Click Certificates.

Step 5 Click Add.

Step 6 Select Computer account.

Step 7 Click Next.

Step 8 Select Local computer.

Step 9 Click Finish.

Step 10 Click OK to close the Add/Remove Snap-In window.

Step 11 In the main console, expand the Certificates tree.

Step 12 Open the Trusted Root Certificates branch.

Step 13 Right-click on Certificates.


Step 14 Select All Tasks > Import.

Step 15 Click Next on the certificate wizard.

Step 16 Browse for a VeriSign certificate in the C:\ directory.

Step 17 Click Place all certificates in the following store.

Step 18 Select Trusted Root Certification Authorities as the certificate store.

Step 19 Repeat steps 13 to 18 to import the additional VeriSign certificates.


Appendix C Integration Debugging Information

April 4, 2011

• Debugging Information for Cisco Adaptive Security Appliance, page C-1

• Debugging Access Edge and OCS Server, page C-5

Debugging Information for Cisco Adaptive Security Appliance

• Cisco Adaptive Security Appliance Debugging Commands, page C-1

• Capturing the Output on the Internal and External Interfaces, page C-3

• TLS Proxy Debugging Commands, page C-3

Cisco Adaptive Security Appliance Debugging Commands

Table C-1 lists the debugging commands for the Cisco Adaptive Security Appliance.

Table C-1 Cisco Security Appliance Debugging Commands

To: Show ICMP packet information for pings to the Cisco Adaptive Security Appliance interfaces
Use the command: debug icmp trace
Notes: We strongly recommend that you disable debug messages once you have completed your troubleshooting. To disable ICMP debug messages, use the no debug icmp trace command.

To: Show messages relating to the certificate validation between Cisco Unified Presence/Cisco Adaptive Security Appliance or Cisco Adaptive Security Appliance/foreign domain
Use the command: debug crypto ca
Notes: You can increase the log level on the ASA by adding the log level parameter to this command, for example: debug crypto ca 3

Use the command: debug crypto ca messages
Notes: Shows only debug messages for input and output messages

Use the command: debug crypto ca transactions
Notes: Shows only debug messages for transactions

To: Show the SIP messages sent through Cisco Adaptive Security Appliance
Use the command: debug sip


Notes: Related Topics: TLS Proxy Debugging Commands, page C-3

To: Send log messages to a buffer (for later viewing)
Use the command: terminal monitor

To: Enable system log messages
Use the command: logging on
Notes: We strongly recommend that you disable system log messages once you have completed your troubleshooting. To disable system log messages, use the no logging on command.

To: Send system log messages to a buffer
Use the command: logging buffer debug

To: Set system log messages to be sent to Telnet or SSH sessions
Use the command: logging monitor debug

To: Designate a (syslog) server to receive the system log messages
Use the command: logging host <interface_name> <ip_address>
Notes:
• The interface_name argument specifies the Cisco Adaptive Security Appliance interface through which you access the syslog server.
• The ip_address argument specifies the IP address of the syslog server.

To: Ping the interfaces
Use the command: ping
Notes: Refer to the Troubleshooting section of the Cisco Security Appliance Command Line Configuration Guide for details on pinging the Cisco Adaptive Security Appliance interfaces, and also pinging between hosts on different interfaces to ensure that the traffic can pass successfully through the Cisco Adaptive Security Appliance. You can also ping an interface in ASDM by selecting Tools > Ping.
Note You will not be able to ping the public Cisco Unified Presence IP address. However, the MAC address of the ASA outside interface should appear in the ARP table (arp -a).

To: Trace the route of a packet
Use the command: traceroute
Notes: You can also trace the route of a packet in ASDM via Tools > Traceroute.

To: Trace the life span of a packet through the Cisco Adaptive Security Appliance
Use the command: packet-tracer
Notes: You can also trace the life span of a packet in ASDM via Tools > Packet Tracer.


Capturing the Output on the Internal and External Interfaces

Procedure

Step 1 Enter config mode:

> Enable
> <password>
> config t

Step 2 Define an access-list to specify the traffic to be captured, for example:

access-list cap extended permit ip 10.53.0.0 255.255.0.0 10.53.0.0 255.255.0.0

Step 3 It is recommended that you clear the capture content before starting the tests. Use the command “clear capture in” to clear the internal interface capture, and the command “clear capture out” to clear the external interface capture.

Step 4 Enter this command to capture the packets on the internal interface:

cap in interface inside access-list cap

Step 5 Enter this command to capture the packets on the external interface:

cap out interface outside access-list cap

Step 6 Enter this command to capture TLS specific packets:

capture <capture_name> type tls-proxy interface <interface_name>

Step 7 Enter this command to retrieve the packet capture:

copy /pcap capture:in tftp://xx.xx.xx.xx
copy /pcap capture:out tftp://xx.xx.xx.xx

Enter this command to copy the output to disk and retrieve using ASDM (Actions > File Management > File Transfer):

copy /pcap capture:in disk0:in_1

TLS Proxy Debugging Commands

Table C-2 lists the debugging commands for the TLS Proxy.

Table C-2 TLS Proxy Debugging Commands

To: Enable TLS proxy-related debug and syslog output
Use the command(s):
debug inspect tls-proxy events
debug inspect tls-proxy errors
debug inspect tls-proxy all

To: Show a TLS proxy session output
Use the command(s): show log


To: Check the active TLS proxy sessions
Use the command(s): show tls-proxy

To: View the detail of the current TLS proxy sessions (use when Cisco Adaptive Security Appliance successfully establishes connections with Cisco Unified Presence and the foreign domain)
Use the command(s): show tls-proxy session detail


Debugging Access Edge and OCS Server

• Initiating a Debug Session on OCS/Access Edge, page C-5

• Verifying the DNS Configuration on Access Edge, page C-5

Initiating a Debug Session on OCS/Access Edge

Procedure

Step 1 Select Start > Administrative Tools > Computer Management on the external Access Edge server.

Step 2 Right-click Microsoft Office Communications Server 2007 in the left pane.

Step 3 Select Logging Tool > New Debug Session.

Step 4 Select SIP Stack in the Logging Options.

Step 5 Select All for the Level value.

Step 6 Select Start Logging.

Step 7 Select Stop Logging when complete.

Step 8 Select Analyze Log Files.

Verifying the DNS Configuration on Access Edge

Procedure

Step 1 On the external Access Edge server, select Start > Administrative Tools > Computer Management.

Step 2 Right-click on Microsoft Office Communications Server 2007 in the left pane.

Step 3 Select the Block tab.

Step 4 Check that the domain is not blocked.

Step 5 Ensure that the following options are selected in the Access Methods pane:

• Federate with other domains

• Allow discovery of federation partners

Step 6 Check that the Access Edge is publishing DNS SRV records.
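Step 6 can be done from any host with dig: query the federation SRV record, pick the best record by priority and weight, and confirm that its target resolves to an address. The script below is an added example and is not part of the Cisco guide. It assumes dig is on PATH and that the record name is _sipfederationtls._tcp.<domain>, the name Access Edge federation looks up; the guide does not state that name here, so treat it as an assumption. The record-selection logic is exercised on constructed answer lines so it can be checked offline, and the live lookup is generalized beyond the page's single "check the SRV record" step to also verify the SRV target.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): check that a federation domain
# publishes a usable SRV record. Assumes dig is on PATH. The record name
# _sipfederationtls._tcp.<domain> is the one Access Edge federation uses and
# is an assumption here, not something the guide states.

# Pick the best record from 'dig +short SRV' answers on stdin
# ("priority weight port target."): lowest priority, then highest weight.
# Prints "target port"; prints nothing when no record is present.
best_srv_record() {
    sort -k1,1n -k2,2nr | awk 'NR == 1 && NF == 4 { sub(/\.$/, "", $4); print $4, $3 }'
}

# Live check (needs network): resolve the SRV record and then its target,
# so a record that points at a name with no A record is caught too.
check_federation_srv() {
    domain=$1
    rec=$(dig +short SRV "_sipfederationtls._tcp.$domain" | best_srv_record)
    [ -n "$rec" ] || { echo "no federation SRV record for $domain"; return 1; }
    target=${rec% *}
    port=${rec#* }
    [ "$port" = "5061" ] || echo "warning: SRV points at port $port, federation TLS normally uses 5061"
    addr=$(dig +short A "$target" | head -n 1)
    [ -n "$addr" ] || { echo "SRV target $target does not resolve"; return 1; }
    echo "$domain federates via $target:$port ($addr)"
}

# Offline demonstration on constructed answer lines (not real DNS data):
# the lower-priority host must win regardless of the order dig returns.
SAMPLE_ANSWERS='10 0 5061 sip2.example.com.
0 0 5061 sip.example.com.'
printf '%s\n' "$SAMPLE_ANSWERS" | best_srv_record
```

For a real domain, call check_federation_srv <domain> from a host that can reach public DNS; a missing record or an unresolvable target explains a federation partner that never completes the TLS connection to Access Edge.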
