
Integration Guide for Configuring Cisco Unified Presence Release 8.5 for Interdomain Federation


April 4, 2011

Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCBs public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 
CCDE, CCENT, Cisco Eos, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R) Integration Guide for Configuring Cisco Unified Presence Release 8.5 for Interdomain Federation 2011 Cisco Systems, Inc. All rights reserved.

CONTENTS

CHAPTER 1    Overview of this Integration    1-1
    Basic Federated Network    1-1
    About SIP Federation with AOL    1-4
        Intercluster Deployments and SIP Federation with AOL    1-4
        Limitation with AOL Federation    1-5
    About Intercluster and Multi-node Deployments    1-5
        SIP Federation Deployments    1-6
        XMPP Federation Deployments    1-6
    About High Availability and Federation    1-7
        High Availability for SIP Federation    1-7
        High Availability for XMPP Federation    1-8
    Cisco Adaptive Security Appliance Deployment Options    1-10
    Presence Subscriptions and Blocking Levels    1-12
    About Availability State Mappings    1-14
        Availability State Mappings for Microsoft OCS    1-15
        Availability State Mappings for Microsoft Lync    1-16
        Availability State Mappings for AOL Instant Messenger    1-17
        Availability State Mappings for XMPP Federation    1-18
    About Instant Messaging    1-21
        Instant Message Flow for SIP Federation    1-21
        Availability and Instant Message Flow for XMPP Federation    1-22
    Federation and Subdomains    1-24

CHAPTER 2    Planning for this Integration    2-1
    Hardware Requirements    2-1
    Software Requirements    2-2
    Supported Interdomain Federation Integrations    2-2
    About Integration Preparation    2-3
        Routing Configuration    2-3
        Public IP Address    2-4
        Public FQDN    2-5
        AOL SIP Access Gateway    2-5
        Redundancy/High Availability    2-5
        DNS Configuration    2-6
        Certificate Authority (CA) Server    2-6
    About Prerequisite Configuration Tasks for this Integration    2-7
        Prerequisite Configuration for Cisco Unified Presence    2-7
        Prerequisite Configuration for Cisco Adaptive Security Appliance    2-7

CHAPTER 3    Configuration Workflows for Interdomain Federation    3-1
    Configuration Workflow for SIP Federation with Microsoft OCS    3-1
    Configuration Workflow for SIP Federation with Microsoft Lync    3-2
    Configuration Workflow for SIP Federation with AOL    3-2
    Configuration Workflow for XMPP Federation    3-3
    Configuration Workflow for Direct SIP Federation with Microsoft OCS    3-3
    Configuration Workflow for Cisco Adaptive Security Appliance for SIP Federation    3-3

CHAPTER 4    Configuring Cisco Unified Presence for SIP Federation    4-1
    SIP Proxy Domain on Cisco Unified Presence    4-1
    Adding a SIP Federated Domain    4-2
    How to Configure the Routing Configuration on Cisco Unified Presence    4-3
        DNS Configuration for SIP Federation    4-3
        Configuring Static Routes Using TLS    4-3
        Configuring the Cisco Unified Presence Domain from the CLI    4-4
        Configuring the Federation Routing Parameter    4-5
    How to Configure the Security Settings on Cisco Unified Presence    4-5
        Creating a New TLS Peer Subject    4-6
        Adding the TLS Peer to the Selected TLS Peer Subjects List    4-6
    How to Configure the Routing Information for AOL Federation    4-7
        Routing SIP Requests for SIP Federation with AOL    4-7
        Verifying or Changing the Default Federation Routing Domain for SIP Federation with AOL    4-8
    How To Configure Email Address for Federation    4-9
        Email Address for Federation Feature    4-9
        Email Domain for Federation    4-9
        Information to Provide to Administrator of the Foreign Domain    4-10
        Information to Provide to Cisco Unified Presence Users    4-10
        Turning On Email for Federation    4-10
    Turning On the SIP Federation Service    4-11

CHAPTER 5    Configuring Security Certificates for SIP Federation (with Cisco Adaptive Security Appliance)    5-1
    How to Configure Security Certificate Exchange Between Cisco Unified Presence and Cisco Adaptive Security Appliance    5-1
        Generating the Key Pair and Trustpoints on Cisco Adaptive Security Appliance    5-2
        Generating a Self-Signed Certificate on Cisco Adaptive Security Appliance    5-2
        Importing the Self-Signed Certificate onto Cisco Unified Presence    5-3
        Generating a New Certificate on Cisco Unified Presence    5-4
        Importing the Cisco Unified Presence Certificate onto Cisco Adaptive Security Appliance    5-4
    How to Configure Security Certificate Exchange Between Cisco Adaptive Security Appliance and Microsoft Access Edge (External Interface) Using a Microsoft CA    5-5
        CA Trustpoints    5-6
        Configuring the Certificate on Cisco Adaptive Security Appliance Using SCEP Enrollment    5-6
        Configuring the Certificate on Cisco Adaptive Security Appliance Using Manual Enrollment    5-8
        How to Configure the Certificate for External Access Edge Interface    5-9
        Creating a Custom Certificate for Access Edge Using an Enterprise Certificate Authority    5-13
    Security Certificate Exchange Between Cisco Adaptive Security Appliance and AOL SIP Access Gateway    5-14

CHAPTER 6    Configuring Cisco Adaptive Security Appliance for SIP Federation    6-1
    Cisco Adaptive Security Appliance Unified Communication Wizard    6-1
    External and Internal Interface Configuration    6-1
    Configuring the Static IP Routes    6-2
    About Port Address Translation (PAT)    6-3
        Port Address Translation for This Integration    6-3
        PAT for Private to Public Requests    6-6
        Static PAT for New Requests    6-7
        NAT Rules in ASDM    6-7
    About Sample Static PAT Commands    6-8
        PAT Configuration for Routing Cisco Unified Presence Release 8.x Node    6-9
        PAT Configuration for Intercluster or Intracluster Cisco Unified Presence Release 8.x Nodes    6-11
        PAT Configuration for Intercluster Cisco Unified Presence Release 7.x Nodes    6-13
    Failover on Cisco Adaptive Security Appliance    6-14
    Cisco Adaptive Security Appliance Upgrade Options for Existing Deployments    6-15

CHAPTER 7    Configuring the TLS Proxy on Cisco Adaptive Security Appliance    7-1
    TLS Proxy    7-1
    Access List Configuration Requirements    7-2
    Configuring the TLS Proxy Instances    7-4
    Associating an Access List with a TLS Proxy Instance Using Class Maps    7-5
    Enabling the TLS Proxy    7-6
    Configuring Cisco Adaptive Security Appliance for an Intercluster Deployment    7-6

CHAPTER 8    Configuring Interdomain Federation to Microsoft OCS within an Enterprise    8-1
    How to Configure Static Routes Using TCP for Federation with Microsoft OCS Domain    8-1
        Configuring a Static Route on Cisco Unified Presence for the OCS Server    8-2
        Configuring a Static Route on OCS for the Cisco Unified Presence Server    8-2
        Adding a Host Authorization Entry for the Cisco Unified Presence Server    8-3
        Enabling Port 5060 on the OCS Server    8-3
    How to Configure Static Routes Using TLS for Federation with Microsoft OCS Domain    8-4

CHAPTER 9    Configuring the Foreign Server Components for SIP Federation    9-1
    Microsoft Component Configuration for SIP Federation    9-1
    About the Requirements for SIP Federation with AOL    9-4
        License Requirements for AOL Federation    9-4
        AOL Routing Information Requirements    9-5
        AOL Provisioning Information Requirements    9-5

CHAPTER 10    Configuring the Load Balancer for Redundancy for SIP Federation    10-1
    About the Load Balancer    10-1
    Updating the Cisco Unified Presence Servers    10-2
    How to Update the Cisco Adaptive Security Appliance    10-3
        Updating the Static PAT Messages    10-3
        Updating the Access Lists    10-4
        Updating the TLS Proxy Instances    10-6
    How to Update the CA-Signed Security Certificates    10-6
        Configuring the Security Certificate between the Load Balancer and the Cisco Adaptive Security Appliance    10-7
        Configuring the Security Certificate between the Load Balancer and the Cisco Unified Presence Server    10-8
    Updating the Microsoft Components    10-8
    Updating the AOL Components    10-8
    Configuring the Load Balancer    10-9

CHAPTER 11    Configuring Cisco Unified Presence for XMPP Federation    11-1
    How to Configure the General Settings for XMPP Federation    11-1
        XMPP Federation Overview    11-1
        Important Notes About Restarting Services for XMPP Federation    11-2
        Turning on XMPP Federation on a Node    11-2
        Configuring the Security Settings for XMPP Federation    11-3
        Configuring the XMPP Federated Domains for Cisco Unified Personal Communicator Release 7.x Users    11-4
    How to Configure DNS for XMPP Federation    11-4
        DNS SRV Records for XMPP Federation    11-5
        DNS SRV Records for Chat Feature for XMPP Federation    11-7
        Configuring DNS SRV Record for Chat Node for XMPP Federation    11-7
    How To Configure the Policy Settings for XMPP Federation    11-9
        Policy Exception Configuration    11-9
        Configuring the Policy for XMPP Federation    11-10
    Turning On Email for XMPP Federation    11-10
    Turning On the XMPP Federation Service    11-12
    Configuring Cisco Adaptive Security Appliance for XMPP Federation    11-12

CHAPTER 12    Configuring Security Certificates for XMPP Federation    12-1
    Configuring the Domain for XMPP Certificate    12-1
    How to Upload the XMPP Trust Certificates to Cisco Unified Presence    12-2
        Importing the Root CA Certificate for XMPP Federation    12-2
        Generating a Certificate Signing Request for XMPP Federation    12-3
        Uploading the CA-Signed Certificate for XMPP Federation    12-4

CHAPTER 13    Configuring Serviceability for Federation    13-1
    How To Turn on and Capture Logging for Federation    13-1
        Location of Log Files for SIP Federation    13-1
        Location of Log Files for XMPP Federation    13-1
        Turning On Logging for Federation    13-1
    How To Restart the Cisco UP XCP Router    13-2
        About the Cisco UP XCP Router    13-2
        Restarting the Cisco UP XCP Router    13-2

CHAPTER 14    Verifying the Federation Integration    14-1
    Verifying the SIP Federation Configuration    14-1
    Verifying the XMPP Federation Configuration    14-2

CHAPTER 15    Troubleshooting a SIP Federation Integration    15-1
    Common Cisco Adaptive Security Appliance Problems and Recommended Actions    15-1
        Certificate Configuration Problems    15-1
        Errors When Creating the TLS Proxy Class Maps    15-3
        Subscriptions Don't Reach Access Edge    15-3
        Problems With Cisco Adaptive Security Appliance After Upgrade    15-4
    Common Integration Problems and Recommended Actions    15-4
        Unable to Get Availability Exchange    15-5
        Problems Sending and Receiving IMs    15-6
        Losing Availability and IM Exchange After a Short Period    15-7
        Delay in Availability State Changes and IM Delivery Time    15-7
        403 FORBIDDEN Returned Following a Presence Subscription Attempt    15-8
        Time Out on NOTIFY Message    15-8
        Cisco Unified Presence Certificate Not Accepted    15-8
        Problems Starting the Front-End Server on OCS    15-9
        Cisco Unified Personal Communicator Not Online after Login    15-10
        Unable to Remote Desktop to Access Edge    15-10

CHAPTER 16    Troubleshooting an XMPP Federation Integration    16-1
    Checking the System Troubleshooter    16-1

APPENDIX A    Sample Cisco Adaptive Security Appliance Configuration    A-1
    Sample Access List Configuration for XMPP Federation    A-1
    Sample NAT Configuration for XMPP Federation    A-3
    Sample PAT Commands and Access List Configuration for SIP Federation    A-4

APPENDIX B    Configuring Security Certificate Exchange Between Cisco Adaptive Security Appliance and Microsoft Access Edge Using VeriSign    B-1
    How to Configure the Security Certificates on Cisco Adaptive Security Appliance    B-1
        Deleting the Old Certificates and Trustpoints    B-1
        Generating a New Trustpoint for VeriSign    B-2
        Importing the Root Certificate    B-3
        Generating the Certificate Signing Request    B-4
        Submitting the Certificate Signing Request to VeriSign    B-4
        Deleting the Certificate Used for the Certificate Signing Request    B-5
        Importing the Intermediate Certificate    B-6
        Creating a Trustpoint for the Root Certificate    B-6
        Importing the Root Certificate    B-7
        Importing the Signed Certificate    B-7
    Importing the VeriSign Certificates onto Microsoft Access Edge    B-8

APPENDIX C    Integration Debugging Information    C-1
    Debugging Information for Cisco Adaptive Security Appliance    C-1
        Cisco Adaptive Security Appliance Debugging Commands    C-1
        Capturing the Output on the Internal and External Interfaces    C-3
        TLS Proxy Debugging Commands    C-3
    Debugging Access Edge and OCS Server    C-5
        Initiating a Debug Session on OCS/Access Edge    C-5
        Verifying the DNS Configuration on Access Edge    C-5

CHAPTER 1

Overview of this Integration

April 4, 2011

Basic Federated Network, page 1-1
About SIP Federation with AOL, page 1-4
About Intercluster and Multi-node Deployments, page 1-5
High Availability for SIP Federation, page 1-7
Cisco Adaptive Security Appliance Deployment Options, page 1-10
Presence Subscriptions and Blocking Levels, page 1-12
About Availability State Mappings, page 1-14
About Instant Messaging, page 1-21
Federation and Subdomains, page 1-24

Basic Federated Network


This integration enables Cisco Unified Presence users in one enterprise domain to exchange presence information and Instant Messaging (IM) with users in foreign domains. Cisco Unified Presence uses different protocols to federate with different foreign domains. Cisco Unified Presence uses the standard Session Initiation Protocol (SIP RFC 3261) to federate with:

- Microsoft Office Communications Server Release 2 (OCS R2), OCS 2007, Microsoft Lync 2010

Note: Only Cisco Unified Presence Release 8.5(2) or higher supports interdomain federation with Microsoft Lync. For Cisco Unified Presence Release 8.5(2) or higher, any reference to interdomain federation with OCS also includes Microsoft Lync, unless explicitly stated otherwise.

- AOL SIP Access Gateway (SAG)

Note: Only Cisco Unified Presence Release 8.5.x or higher supports interdomain federation with AOL.

SIP federation with AOL enables Cisco Unified Presence users to federate with the following users:


- Users of AOL public communities, for example, aim.com, aol.com.
- Users of an enterprise whose domain is hosted by AOL.
- Users of a foreign enterprise that federates with AOL. Cisco Unified Presence could use AOL as a clearing house to federate with these foreign enterprises.

Cisco Unified Presence uses the Extensible Messaging and Presence Protocol (XMPP) to federate with:

- IBM Sametime Server 8.2 and 8.5
- Cisco Webex Connect Release 6
- GoogleTalk
- Cisco Unified Presence Release 8.x

Note: Cisco Unified Presence does not support federation between a Cisco Unified Presence Release 8.x enterprise and a Cisco Unified Presence Release 7.0(x) enterprise.

Note: Cisco Unified Presence supports XMPP federation with GoogleTalk over TCP. XMPP federation with GoogleTalk over TLS is not supported.

Figure 1-1 provides an example of a SIP federated network between a Cisco Unified Presence enterprise deployment and a Microsoft OCS enterprise deployment.


Figure 1-1    Basic SIP Federated Network between Cisco Unified Presence and Microsoft OCS

[Figure: Enterprise X private network with CUCM and CUP nodes (UK and US) linked by inter-cluster communication; the ASA (Cisco Adaptive Security Appliance, functioning as TLS proxy, PAT and firewall) in the DMZ terminates the TLS connection; SIP over the Internet to Enterprise Y, whose DMZ holds the Access Edge server and whose private network holds OCS and AD. Clients shown: CUPC (Ann), MOC (Yao), MOC (Zak).]

In Figure 1-1, each internal enterprise domain interconnects over the public internet through its DMZ edge server over a secure TLS connection. Within the internal Cisco Unified Presence enterprise deployment, the Cisco Adaptive Security Appliance provides firewall, Port Address Translation (PAT) and TLS proxy functionality. The Cisco Adaptive Security Appliance routes all incoming traffic initiated from the foreign domain to a designated Cisco Unified Presence server.

Figure 1-2 provides an example of an XMPP federated network between a Cisco Unified Presence enterprise deployment and an IBM Sametime enterprise deployment. TLS is optional for XMPP federation. Cisco Adaptive Security Appliance acts only as a firewall for XMPP federation; it does not provide TLS proxy functionality or PAT for XMPP federation.


Figure 1-2    Basic XMPP Federated Network between Cisco Unified Presence and IBM Sametime

[Figure: Enterprise X private network with CUCM and CUP nodes (UK and US) linked by inter-cluster communication; the ASA (Cisco Adaptive Security Appliance, functioning as a firewall with port 5269 open) in the DMZ passes XMPP requests through without terminating connections; XMPP over the Internet to Enterprise Z, whose DMZ holds the IBM Sametime Gateway and whose private network holds the Sametime Gateway Server, IBM Sametime and a directory. Clients shown: XMPP Client (Ann), XMPP Client (Tom), Sametime (Bob), Sametime (Bill).]

There are two DNS servers within the internal Cisco Unified Presence enterprise deployment. One DNS server hosts the Cisco Unified Presence private address. The other DNS server hosts the Cisco Unified Presence public address and the DNS SRV records for SIP federation (_sipfederationtls) and XMPP federation (_xmpp-server) with Cisco Unified Presence. The DNS server that hosts the Cisco Unified Presence public address is located in the local DMZ.

About SIP Federation with AOL


Intercluster Deployments and SIP Federation with AOL, page 1-4
Limitation with AOL Federation, page 1-5

Intercluster Deployments and SIP Federation with AOL


If you have an intercluster deployment that contains Cisco Unified Presence Release 7.x nodes and Cisco Unified Presence Release 8.5 nodes, you can only configure the Cisco Unified Presence Release 8.5 nodes to federate with AOL. Note the following points:

- An AOL user may see the availability status of a Cisco Unified Presence Release 7.x intercluster contact. The Available state displays correctly, but all other states display as offline.


- A Cisco Unified Presence Release 7.x intercluster user cannot see the availability status of AOL contacts.
- AOL users and Cisco Unified Presence Release 7.x intercluster contacts cannot exchange instant messages.

We recommend that you do not configure AOL as a federated domain on Cisco Unified Presence Release 7.x. This configuration is not supported. Consequently, on Cisco Unified Presence Release 7.x, Cisco Unified Personal Communicator users cannot add federated AOL contacts.

Limitation with AOL Federation


Users in the AOL community (aol.com, aim.com) can use an existing email address as their screen name in AOL. This is an existing email address that the user holds with any other public email provider, for example gmail.com, yahoo.com, msn.com and so on. In this scenario AOL expects a mapped JID when it addresses these users, for example user(gmail.com)@aol.com, and similarly AOL sends out a modified JID. For example, AOL addresses the user with the screen name user@gmail.com as follows:

SUBSCRIBE sip:user(gmail.com)@aol.com SIP/2.0
From: sip:user@cisco.com;tag=
To: sip:user(gmail.com)@aol.com

AOL sends out this modified JID for this user:

SUBSCRIBE sip:user@cisco.com SIP/2.0
From: sip:user(gmail.com)@aol.com;tag=
To: sip:user@cisco.com

If you deploy SIP federation with AOL, Cisco Unified Presence does not support these AOL users whose screen names are an email address rather than a userID. Note that AOL routing differs from OCS routing in that AOL does not obey the SIP Record-Route; all requests from AOL are sent to the routing Cisco Unified Presence server, even if the original request was initiated from one of the other Cisco Unified Presence nodes. As a result, when you configure AOL federation, the federation routing Cisco Unified Presence server may experience more load than it would when it federates with OCS.
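The mapped-JID form shown above can be recognised mechanically. The following Python is an added example, not code from this guide or from Cisco: it parses SUBSCRIBE request lines and From/To headers of the shape the guide shows and reports any AOL contact whose screen name is an email address, which is the case the guide says Cisco Unified Presence does not support. The two sample messages are constructed, the helper names (strip_uri, unmap_aol_jid, parse_request, unsupported_aol_contacts) are my own, and treating aim.com the same way as aol.com is an assumption, since the guide only shows the aol.com form of the mapping.

```python
import re

# Constructed sample messages following the shape of the SUBSCRIBE fragments
# in the guide; the empty ";tag=" values are reproduced from the text.
AOL_SENDS = (
    "SUBSCRIBE sip:user@cisco.com SIP/2.0\r\n"
    "From: sip:user(gmail.com)@aol.com;tag=\r\n"
    "To: sip:user@cisco.com\r\n"
    "\r\n"
)
CUP_SENDS = (
    "SUBSCRIBE sip:user(gmail.com)@aol.com SIP/2.0\r\n"
    "From: sip:user@cisco.com;tag=\r\n"
    "To: sip:user(gmail.com)@aol.com\r\n"
    "\r\n"
)

# Public AOL community domains named in the guide. The mapped form is only
# shown for aol.com; applying it to aim.com as well is an assumption.
AOL_DOMAINS = {"aol.com", "aim.com"}

# user(provider.tld)@aol.com  ->  local part, bracketed provider, AOL host
MAPPED_JID = re.compile(
    r"^(?P<local>[^()@\s]+)\((?P<provider>[^()@\s]+)\)@(?P<host>[^@\s;>]+)$"
)


def strip_uri(value):
    """Reduce a Request-URI or a From/To header value to the bare address:
    drop an optional display name and <...>, the sip: scheme, and parameters
    such as ;tag=."""
    value = value.strip()
    if "<" in value and ">" in value:
        value = value[value.index("<") + 1:value.index(">")]
    value = value.split(";", 1)[0]
    if value.lower().startswith("sip:"):
        value = value[4:]
    return value


def unmap_aol_jid(uri):
    """If `uri` is an AOL mapped JID (a screen name that is really an email
    address), return the underlying email address; otherwise return None."""
    m = MAPPED_JID.match(strip_uri(uri))
    if not m or m.group("host").lower() not in AOL_DOMAINS:
        return None
    return f"{m.group('local')}@{m.group('provider')}"


def parse_request(msg):
    """Split a SIP request into (method, request URI, headers); header names
    are lower-cased, header values are kept verbatim."""
    lines = msg.split("\r\n")
    method, request_uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, request_uri, headers


def unsupported_aol_contacts(msg):
    """List the email-style AOL screen names a request refers to in its
    Request-URI, From or To. The guide states Cisco Unified Presence does not
    federate with such users, so these are the contacts to explain to users
    rather than a routing fault to chase."""
    _, request_uri, headers = parse_request(msg)
    found = []
    for uri in (request_uri, headers.get("from", ""), headers.get("to", "")):
        email = unmap_aol_jid(uri)
        if email and email not in found:
            found.append(email)
    return found


if __name__ == "__main__":
    for label, msg in (("AOL -> CUP", AOL_SENDS), ("CUP -> AOL", CUP_SENDS)):
        print(label, unsupported_aol_contacts(msg))
```

Run over SUBSCRIBE requests captured at the routing Cisco Unified Presence node, this gives the administrator the list of email-style AOL screen names behind failed subscriptions.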

About Intercluster and Multi-node Deployments


SIP Federation Deployments, page 1-6
XMPP Federation Deployments, page 1-6

Note: Any configuration procedure in this document that relates to intercluster Cisco Unified Presence deployments also applies to multi-node Cisco Unified Presence deployments.


SIP Federation Deployments


In an intercluster and a multi-node cluster Cisco Unified Presence deployment, when a foreign domain initiates a new session, Cisco Adaptive Security Appliance routes all messages to a Cisco Unified Presence server that is designated for routing purposes. If the Cisco Unified Presence routing server does not host the recipient user, it routes the message via intercluster communication to the appropriate Cisco Unified Presence server within the cluster. The system routes all responses that are associated with this request through the routing Cisco Unified Presence server.

Any Cisco Unified Presence server can initiate a message to a foreign domain via Cisco Adaptive Security Appliance. On OCS, when the foreign domain replies to these messages, the replies are sent directly back to the Cisco Unified Presence server that initiated the message via Cisco Adaptive Security Appliance. You enable this behavior when you configure Port Address Translation (PAT) on Cisco Adaptive Security Appliance. However, for AOL federation, all responses are routed through the routing Cisco Unified Presence server. We recommend that you configure PAT on Cisco Adaptive Security Appliance because PAT is required for the 200 OK response messages.
Related Topics

About Port Address Translation (PAT), page 6-3
Intercluster Deployments and SIP Federation with AOL, page 1-4

XMPP Federation Deployments


For a single cluster, you only need to enable XMPP federation on one node in the cluster. A single DNS SRV record is published for the enterprise in the public DNS. This DNS SRV record maps to the Cisco Unified Presence node that is enabled for XMPP federation. All incoming requests from foreign domains are routed to the node running XMPP federation, based on the published SRV record. Internally, Cisco Unified Presence reroutes the requests to the correct node for the user. Cisco Unified Presence also routes all outgoing requests via the node running XMPP federation.

You can also publish multiple DNS SRV records, for example for scale purposes, or if you have multiple Cisco Unified Presence clusters, because you must enable XMPP federation at least once per cluster. Unlike SIP federation, XMPP federation does not require a single point of entry for the Cisco Unified Presence enterprise domain. As a result, Cisco Unified Presence can route incoming requests to any one of the published nodes that you enable for XMPP federation.

In an intercluster and a multi-node cluster Cisco Unified Presence deployment, when a foreign XMPP federated domain initiates a new session, it performs a DNS SRV lookup to determine where to route the request. If you publish multiple DNS SRV records, the DNS lookup returns multiple results; Cisco Unified Presence can route the request to any of the servers that DNS publishes. Internally, Cisco Unified Presence reroutes the requests to the correct node for the user. Cisco Unified Presence routes outgoing requests to any of the nodes running XMPP federation within the cluster.

If you have multiple nodes running XMPP federation, you can still choose to publish only one node in the public DNS. With this configuration, Cisco Unified Presence routes all incoming requests via that single node, rather than load-balancing the incoming requests across the nodes running XMPP federation. Cisco Unified Presence still load-balances outgoing requests and sends them via any of the nodes running XMPP federation within the cluster.


About High Availability and Federation


High Availability for SIP Federation, page 1-7
High Availability for XMPP Federation, page 1-8

High Availability for SIP Federation


Note: Only Cisco Unified Presence Release 8.5 or higher supports high availability.

If you are federating with a Microsoft OCS enterprise, the Microsoft Access Edge server only supports the return of a single hostname and server address in the DNS SRV lookup. Also, the Microsoft Access Edge server only supports the manual provisioning of a single IP address. Therefore, in order to achieve high availability when federating with Microsoft OCS, you must incorporate a load balancer between the Cisco Unified Presence server and Cisco Adaptive Security Appliance, as shown in Figure 1-3. The load balancer terminates incoming TLS connections from Cisco Adaptive Security Appliance, and initiates a new TLS connection to route the content to the appropriate backend Cisco Unified Presence server. Currently only the Cisco CSS11506 Content Services Switch supports TLS.

Similarly, in order to achieve high availability when federating with AOL, you must incorporate a load balancer between the Cisco Unified Presence server and Cisco Adaptive Security Appliance, as shown in Figure 1-3.


Figure 1-3    Federated Network between Cisco Unified Presence and Microsoft OCS with High Availability

[Figure: Enterprise X private network with CUCM and CUP nodes (UK and US) behind a load balancer, which sits in front of the ASA (Cisco Adaptive Security Appliance) in the DMZ; SIP over the Internet to Enterprise Y, whose DMZ holds the Access Edge server and whose private network holds OCS and AD. Clients shown: CUPC (Ann), MOC (Yao), MOC (Zak).]

Related Topics

Configuring the Load Balancer for Redundancy for SIP Federation, page 10-1

High Availability for XMPP Federation


Note: Only Cisco Unified Presence Release 8.5 or higher supports high availability.

High availability for XMPP federation differs from the high availability model for other Cisco Unified Presence features because it is not tied to the two-node sub-cluster model. To provide high availability for XMPP federation, you must enable two or more Cisco Unified Presence nodes in your cluster for XMPP federation; having multiple nodes enabled for XMPP federation not only adds scale but also provides redundancy in the event that any node fails.
High Availability for Outbound Request Routing

Cisco Unified Presence evenly load balances outbound requests from users within that cluster across all the XMPP federation enabled nodes in the cluster. If any node fails, Cisco Unified Presence dynamically spreads the outbound traffic across the remaining active nodes within the cluster.


High Availability for Inbound Request Routing

An additional step is required to provide high availability for inbound request routing. To allow a foreign domain to discover the local Cisco Unified Presence deployment, a DNS SRV record must be published on a public DNS server. This record resolves to an XMPP federation enabled node. The foreign domain then connects to the resolved address. To provide high availability in this model, multiple DNS SRV records must be published for the local Cisco Unified Presence deployment. Each of these records will resolve to one of the XMPP Federation enabled nodes within the local Cisco Unified Presence deployment. These records provide a choice of DNS SRV records for the local deployment. If an XMPP federation enabled node fails, the foreign system will have other options from which to connect to the local Cisco Unified Presence Deployment.
Note: Each published DNS SRV record must have the same priority and weight. This allows an even spread of load across all published records, and also allows the foreign system to correctly reconnect to one of the other nodes with a DNS SRV record in the event of a failure.

DNS SRV records may be published for all or just a subset of XMPP federation enabled nodes. The greater the number of records published, the greater the redundancy in the system for inbound request handling.

If you configure the Chat feature on a Cisco Unified Presence server in an XMPP federation deployment, you can also publish multiple DNS SRV records for chat node aliases. This allows the foreign system to find another inbound route to that specific chat node through another XMPP federation node, should any XMPP federation enabled node fail. Note that this is not high availability for the Chat feature itself, but an extension of the XMPP federation high availability feature for inbound requests addressed to chat node aliases.
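The SRV behaviour described in XMPP Federation Deployments and in the inbound high-availability note above (equal priority and weight so that load spreads evenly and the foreign system can reconnect to another node) can be checked and simulated offline. The following Python is an added example, not code from this guide or from Cisco: it lints a published _xmpp-server record set against the equal priority and weight rule, and orders the records the way an RFC 2782 resolver does, optionally skipping a failed node to show why equal records give the foreign system somewhere else to connect. The record set, the example.com host names and the function names (check_equal_priority_weight, select_order, first_choice_distribution) are constructed for this example.

```python
"""Lint and simulate the DNS SRV record set published for XMPP federation.

Added example; the records, host names and helper names are constructed and
are not taken from the guide or from any Cisco product.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample: three XMPP-federation-enabled nodes published under
# _xmpp-server._tcp.example.com with equal priority and weight, as the guide
# requires for inbound high availability.
SAMPLE_RECORDS = [
    SrvRecord(0, 10, 5269, "cup-fed1.example.com."),
    SrvRecord(0, 10, 5269, "cup-fed2.example.com."),
    SrvRecord(0, 10, 5269, "cup-fed3.example.com."),
]


def check_equal_priority_weight(records):
    """Return the problems found; an empty list means every published record
    shares the same priority and weight (the guide's note) and no target is
    listed twice."""
    problems = []
    if not records:
        return ["no SRV records published"]
    priorities = sorted({r.priority for r in records})
    weights = sorted({r.weight for r in records})
    if len(priorities) > 1:
        problems.append(f"mixed priorities {priorities}: a foreign system only "
                        "falls back to a higher-numbered priority after every "
                        "lower-numbered record has failed")
    if len(weights) > 1:
        problems.append(f"mixed weights {weights}: inbound load is not spread evenly")
    if len({r.target for r in records}) != len(records):
        problems.append("duplicate targets: a repeated node adds no redundancy")
    return problems


def select_order(records, rng, failed=frozenset()):
    """Order records as an RFC 2782 resolver does: lowest priority value
    first, weighted-random order within a priority. Targets in `failed` are
    skipped, modelling a foreign system that moves on after a connection
    failure (which, per the guide, IBM Sametime does not do)."""
    live = [r for r in records if r.target not in failed]
    order = []
    for prio in sorted({r.priority for r in live}):
        # RFC 2782: zero-weight records are placed first so they are chosen
        # only when the random threshold is 0.
        pool = sorted((r for r in live if r.priority == prio),
                      key=lambda r: r.weight != 0)
        while pool:
            threshold = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for candidate in pool:
                running += candidate.weight
                if running >= threshold:
                    chosen = candidate
                    break
            order.append(chosen)
            pool.remove(chosen)
    return order


def first_choice_distribution(records, trials=3000, seed=1, failed=frozenset()):
    """Count how often each target is the first connection attempt across
    `trials` simulated lookups. With equal priority and weight the counts are
    roughly even; a failed target never appears; None is counted when nothing
    is left to try."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        order = select_order(records, rng, failed)
        key = order[0].target if order else None
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    print("problems:", check_equal_priority_weight(SAMPLE_RECORDS))
    print("first choice:", first_choice_distribution(SAMPLE_RECORDS))
    print("after cup-fed1 fails:",
          first_choice_distribution(SAMPLE_RECORDS,
                                    failed=frozenset({"cup-fed1.example.com."})))
```

Feeding the output of a real SRV lookup for your own domain into check_equal_priority_weight is a quick way to confirm, before a foreign domain reports a problem, that a record added for a new XMPP federation node did not come with a different priority or weight.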

IBM Sametime Federation

Cisco Unified Presence Release 8.5 does not support high availability for interdomain federation between a Cisco Unified Presence Release 8.5 enterprise and an IBM Sametime enterprise. This is because IBM Sametime does not retry other records that are returned in a DNS SRV lookup. It only tries the first DNS SRV record found, and if the connection attempt fails, it does not retry to lower weighted nodes.
Note

There is one situation where XMPP Federation high availability may appear to occur on Cisco Unified Presence in an IBM Sametime federation deployment: users have failed over to the backup node because critical services failed, but the Cisco UP XCP XMPP Federation Connection Manager remains running on the primary node. In this case, incoming traffic is still directed to the primary node, and is then redirected to the backup node over the router-to-router connection. In this scenario XMPP Federation has not failed and can continue to operate as normal.
GoogleTalk Federation

Cisco Unified Presence Release 8.5 does not support high availability for interdomain federation between a Cisco Unified Presence Release 8.5 enterprise and GoogleTalk.
Related Topics

How to Configure DNS for XMPP Federation, page 11-4
Turning on XMPP Federation on a Node, page 11-2

Integration Guide for Configuring Cisco Unified Presence Release 8.5 for Interdomain Federation

1-9

Cisco Adaptive Security Appliance Deployment Options


Within the internal Cisco Unified Presence enterprise deployment, the Cisco Adaptive Security Appliance provides firewall, Port Address Translation (PAT) and TLS proxy functionality in the DMZ to terminate the incoming connections from the public internet, and permit traffic from specific federated domains.
Note

In an XMPP federation deployment, Cisco Adaptive Security Appliance provides firewall functionality only. If you have already deployed a firewall, you do not require an additional Cisco Adaptive Security Appliance for XMPP federation.

You can deploy the Cisco Adaptive Security Appliance in a number of different ways, depending on your existing network and the type of firewall functionality you want to deploy. This section contains only an overview of the deployment models we recommend. For further details, refer to the deployment guidelines in the Cisco Adaptive Security Appliance documentation. The Cisco Adaptive Security Appliance deployment options we describe here apply to SIP federation only.

You can deploy the Cisco Adaptive Security Appliance as the enterprise firewall that protects Instant Messaging (IM) traffic, Presence traffic and other traffic, as illustrated in Figure 1-1 and Figure 1-4. This is the most cost-effective deployment, and the one we recommend for new and existing networks.

You can also deploy the Cisco Adaptive Security Appliance in parallel to the existing firewall, as illustrated in Figure 1-4. In this deployment Cisco Adaptive Security Appliance handles the IM and Presence traffic between Cisco Unified Presence and the public internet, and the pre-existing traffic continues to use the existing firewall. In Figure 1-4 Cisco Adaptive Security Appliance is also deployed as a gateway for the Cisco Unified Presence server, which means that you do not require a separate router to direct traffic to Cisco Adaptive Security Appliance.


Figure 1-4 Cisco ASA 5500 Deployed in Parallel to Existing NAT/Firewall

[Figure: Enterprise X (CUCM with CUP (UK), CUCM with CUP (US), CUPC (Ann); private network and DMZ) and Enterprise Y (AD, OCS, Access Edge, MOC (Yao), MOC (Zak); private network and DMZ) connected over the Internet by SIP. Cisco Unified Presence IM/P traffic is routed to the *ASA in the DMZ, while pre-existing non-Cisco Unified Presence traffic continues through the existing NAT/FW. *ASA = Cisco Adaptive Security Appliance]

You can also deploy the Cisco Adaptive Security Appliance behind an existing firewall. In this case, you configure the existing firewall to allow traffic destined for Cisco Unified Presence to reach the Cisco Adaptive Security Appliance, as illustrated in Figure 1-5. In this type of deployment the Cisco Adaptive Security Appliance is functioning as a gateway for the Cisco Unified Presence server.


Figure 1-5 Cisco ASA 5500 Deployed Behind Existing NAT/Firewall

[Figure: Enterprise X (CUCM with CUP (UK), CUCM with CUP (US), CUPC (Ann); private network and DMZ) and Enterprise Y (AD, OCS, Access Edge, MOC (Yao), MOC (Zak); private network and DMZ) connected over the Internet by SIP. The *ASA sits behind the existing NAT/FW; IM/P traffic for ASA/CUP passes through a hole opened in the existing FW, while pre-existing non-CUP traffic is handled by the existing firewall. *ASA = Cisco Adaptive Security Appliance]

Presence Subscriptions and Blocking Levels


All new presence subscriptions from x@foreigndomain.com to user@local.com are sent via the Cisco Adaptive Security Appliance, as illustrated in Figure 1-6. Cisco Adaptive Security Appliance checks the inbound SIP subscriptions against the list of permitted foreign domains. If the domain is not permitted, Cisco Adaptive Security Appliance denies the presence subscription.
Note

In an XMPP federation deployment, Cisco Adaptive Security Appliance does not perform any domain checks.

On receipt of the inbound subscription, Cisco Unified Presence verifies that the foreign domain is one of the permitted federated domains that you define at the administration level on the Cisco Unified Presence server. For SIP federation, you configure a federated domain. For XMPP federation, you define the administrator policy for XMPP federation. If the subscription is not from a permitted domain, Cisco Unified Presence denies the subscription (without contacting the local user). If the subscription is from a permitted domain, Cisco Unified Presence checks the authorization policies of the local user to verify that the local user has not previously blocked or allowed either the federated domain or the user sending the presence subscription. Cisco Unified Presence then accepts the incoming subscription and places it in a pending state.


Cisco Unified Presence notifies the local user that x@foreigndomain.com wants to watch their presence by sending the client application a notification message for the subscription. This triggers a dialog box on the client application that enables the local user to allow or deny the subscription. Once the user has made an authorization decision, the client application communicates that decision back to Cisco Unified Presence. The authorization decision is added to the policy list of the user stored on Cisco Unified Presence.
Note

Third-party XMPP clients do not update the policy list of the user; they just accept the subscription. The user can manually update their privacy list in the Cisco Unified Presence User Options interface.

A deny decision is handled using polite blocking, which means that the presence state of the user appears offline on the foreign client. If the local user allows the subscription, Cisco Unified Presence sends presence updates to the foreign watcher. The user can also block subscriptions on a per-user and a per-domain basis. This can be configured via the Cisco Unified Presence User Options interface and the Cisco Unified Personal Communicator client.
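As an added example, not code from this guide or from Cisco Unified Presence, the Python below applies the checks described above in the order the guide gives them: the admin-level check against the permitted federated domains, then the local user's own allow/block list, with polite blocking (the watcher sees Offline) for a denied subscription and a pending state when no decision exists yet. The domain comparison is an exact, case-insensitive match, so a subdomain such as sub.foreigndomain.com is not treated as foreigndomain.com. The policy entry formats (a bare domain or a full URI), the rule that a block entry wins over an allow entry when both match, and all URIs are my assumptions and constructed sample data.

```python
from dataclasses import dataclass, field
from enum import Enum


class Outcome(Enum):
    DENIED_BY_ADMIN = "domain is not a permitted federated domain"
    DENIED_BY_USER = "user previously blocked the watcher (polite block)"
    ALLOWED = "user previously allowed the watcher"
    PENDING = "accepted in pending state; user is prompted to allow or deny"


@dataclass
class UserPolicy:
    """Per-user authorization policy list (assumed format): each entry is a
    bare domain ("foreigndomain.com") or a full URI ("x@foreigndomain.com")."""
    allowed: set = field(default_factory=set)
    blocked: set = field(default_factory=set)


def split_uri(uri):
    """Return (user, domain), both lower-cased, from user@domain."""
    user, domain = uri.rsplit("@", 1)
    return user.lower(), domain.lower()


def _policy_matches(entries, user, domain):
    # A domain entry covers every user in that domain; a URI entry covers one user.
    return domain in entries or f"{user}@{domain}" in entries


def authorize_subscription(watcher_uri, local_uri, federated_domains, policies):
    """Admin-level check first, then the local user's allow/block list."""
    w_user, w_domain = split_uri(watcher_uri)
    # Admin level: exact domain match only. With subdomain federation
    # (cup.cisco.com versus cisco.com) a suffix match would be wrong.
    if w_domain not in {d.lower() for d in federated_domains}:
        return Outcome.DENIED_BY_ADMIN
    policy = policies.get(local_uri.lower(), UserPolicy())
    # Assumption: a block entry takes precedence over an allow entry.
    if _policy_matches(policy.blocked, w_user, w_domain):
        return Outcome.DENIED_BY_USER
    if _policy_matches(policy.allowed, w_user, w_domain):
        return Outcome.ALLOWED
    return Outcome.PENDING


def presence_shown_to_watcher(outcome, real_state):
    """Polite blocking: only an allowed watcher sees the real state; a denied
    or pending watcher sees Offline rather than an error."""
    return real_state if outcome is Outcome.ALLOWED else "Offline"


def record_user_decision(policies, local_uri, watcher_uri, allow, whole_domain=False):
    """Store the decision the client reports back, as a user or domain entry."""
    w_user, w_domain = split_uri(watcher_uri)
    entry = w_domain if whole_domain else f"{w_user}@{w_domain}"
    policy = policies.setdefault(local_uri.lower(), UserPolicy())
    (policy.allowed if allow else policy.blocked).add(entry)
    return policy


if __name__ == "__main__":
    federated = {"foreigndomain.com"}          # constructed admin-level list
    policies = {}                              # constructed per-user policies
    local = "user@local.com"
    for watcher in ("x@foreigndomain.com", "x@other.com", "x@sub.foreigndomain.com"):
        outcome = authorize_subscription(watcher, local, federated, policies)
        print(f"{watcher:28} -> {outcome.name}: {outcome.value}")
    record_user_decision(policies, local, "x@foreigndomain.com", allow=False)
    outcome = authorize_subscription("x@foreigndomain.com", local, federated, policies)
    print("after block, watcher sees:", presence_shown_to_watcher(outcome, "Available"))
```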
Figure 1-6 Inbound SIP Presence Message Flow

[Figure: Enterprise X (Client (Ann), CUP, *ASA in the DMZ; private network) and Enterprise Y (Foreign Gateway, Foreign Server, Client (Yao); DMZ and private network) connected over the Internet. Callouts: Domain level authorization check (at the *ASA); Admin level authorization check and Allow/Deny Policy (at CUP); User level authorization check; Watcher Info NOTIFY to Ann; Authorization Policy Updates via SOAP; NOTIFY Yao with Ann's presence status. *ASA = Cisco Adaptive Security Appliance]

Cisco Unified Presence sends all outgoing subscriptions through Cisco Adaptive Security Appliance, and Cisco Adaptive Security Appliance forwards these subscriptions to the foreign domain. Cisco Unified Presence sends an outgoing subscription even if an active subscription already exists between a different local user and the same foreign user in the same foreign domain. Figure 1-7 illustrates an outgoing presence subscription flow. The foreign user is added to the contact list on the client application and in the Cisco Unified Presence User Options interface as user@foreigndomain.com.
Note

The domain level authentication check is not applied on Cisco Adaptive Security Appliance for XMPP federation.



Figure 1-7 Outbound Presence Request Flow

[Figure: Enterprise X (Client (Ann), CUP, *ASA in the DMZ; private network) and Enterprise Y (Foreign Gateway, Foreign Server, Client (Matt); DMZ and private network) connected over the Internet. Callouts: 1 Ann sends a request to subscribe to the presence of foreign user Matt; Admin level authorization check (at CUP); Contact Updates via SOAP; Domain level authorization check (at the Foreign Gateway). *ASA = Cisco Adaptive Security Appliance]

Note

Microsoft OCS performs a refresh subscribe every one hour and 45 minutes. Therefore, if a Cisco Unified Presence server restarts, the maximum duration a Microsoft Office Communicator client will be without the presence status of Cisco Unified Presence contacts is approximately two hours. If Microsoft OCS restarts, the maximum duration a Cisco Unified Presence client will be without presence status of Microsoft Office Communicator contacts is approximately two hours.

Related Topics

About Availability State Mappings, page 1-14
About Instant Messaging, page 1-21

About Availability State Mappings

• Availability State Mappings for Microsoft OCS, page 1-15
• Availability State Mappings for Microsoft Lync, page 1-16
• Availability State Mappings for AOL Instant Messenger, page 1-17
• Availability State Mappings for XMPP Federation, page 1-18


Availability State Mappings for Microsoft OCS


Table 1-1 shows the availability mapping states from Microsoft Office Communicator to Cisco Unified Presence, third-party XMPP clients and Cisco Unified Personal Communicator.
Table 1-1 Availability Mapping States from Microsoft Office Communicator

Microsoft Office Communicator Setting | Third-party XMPP Client Setting (connected to Cisco Unified Presence) | Cisco Unified Personal Communicator Release 7.x Setting | Cisco Unified Personal Communicator Release 8.x Setting
Available | Available | Available | Available
Busy | Away | Away | Busy
Do Not Disturb | Away | Away | Busy
Be Right Back | Away | Away | Away
Away | Away | Away | Away
Offline | Offline | Offline | Offline

In Table 1-1, Microsoft Office Communicator Busy and Do Not Disturb states map to Away with a status text of "Busy" on a third-party XMPP client. XMPP clients differ in how they render this Away status; for example, certain XMPP clients will show the "Away" icon with no text, while other XMPP clients will render the "Away" icon with a "Busy" text annotation alongside.

Table 1-2 shows the availability mapping states from Cisco Unified Personal Communicator Release 7.x to Microsoft Office Communicator.
Table 1-2 Availability Mapping States from Cisco Unified Personal Communicator Release 7.x

Cisco Unified Personal Communicator Release 7.x Setting | Microsoft Office Communicator Setting
Available | Available
Away | Away
Do Not Disturb | Busy
Offline | Offline
Invisible | Away

Table 1-3 shows the availability mapping states from Cisco Unified Personal Communicator Release 8.x to Microsoft Office Communicator.
Table 1-3 Availability Mapping States from Cisco Unified Personal Communicator Release 8.x

Cisco Unified Personal Communicator Release 8.x Setting | Microsoft Office Communicator Setting
Available | Available
Busy | Busy
Do Not Disturb | Busy
Offline | Offline


Table 1-4 shows the availability mapping states from third-party XMPP clients that are connected to Cisco Unified Presence to Microsoft Office Communicator.

Table 1-4 Availability Mapping States from Third-party XMPP Client

Third-party XMPP Client Setting (connected to Cisco Unified Presence) | Microsoft Office Communicator Setting
Available | Available
Away | Away
Extended Away | Away
Do Not Disturb | Busy
Offline | Offline

Related Topics

Presence Subscriptions and Blocking Levels, page 1-12

Availability State Mappings for Microsoft Lync


Table 1-5 shows the availability mapping states from Microsoft Lync to Cisco Unified Presence, third-party XMPP clients and Cisco Unified Personal Communicator.
Table 1-5 Availability Mapping States from Microsoft Lync

Microsoft Lync Setting | Third-party XMPP Client Setting (connected to Cisco Unified Presence) | Cisco Unified Personal Communicator Release 7.x Setting | Cisco Unified Personal Communicator Release 8.x Setting
Available | Available | Available | Available
Busy | Away | Away | Busy
Do Not Disturb | Away | Away | Busy
Be Right Back | Away | Away | Away
Away | Away | Away | Away
Offline | Offline | Offline | Offline

In Table 1-5, Lync Client Busy and Do Not Disturb states map to Away with a status text of "Busy" on a third-party XMPP client. XMPP clients differ in how they render this Away status; for example, certain XMPP clients will show the "Away" icon with no text, while other XMPP clients will render the "Away" icon with a "Busy" text annotation alongside.

Table 1-6 shows the availability mapping states from Cisco Unified Personal Communicator Release 7.x to a Lync client.


Table 1-6 Availability Mapping States from Cisco Unified Personal Communicator Release 7.x

Cisco Unified Personal Communicator Release 7.x Setting | Microsoft Lync Setting
Available | Available
Away | Away
Do Not Disturb | Busy
Offline | Offline
Invisible | Away

Table 1-7 shows the availability mapping states from Cisco Unified Personal Communicator Release 8.x to a Lync client.
Table 1-7 Availability Mapping States from Cisco Unified Personal Communicator Release 8.x

Cisco Unified Personal Communicator Release 8.x Setting | Microsoft Lync Setting
Available | Available
Busy | Busy
Do Not Disturb | Busy
Offline | Offline

Table 1-8 shows the availability mapping states from third-party XMPP clients that are connected to Cisco Unified Presence to a Lync client.
Table 1-8 Availability Mapping States from Third-party XMPP Client

Third-party XMPP Client Setting (connected to Cisco Unified Presence) | Microsoft Lync Setting
Available | Available
Away | Away
Extended Away | Away
Do Not Disturb | Busy
Offline | Offline

Related Topics

Presence Subscriptions and Blocking Levels, page 1-12

Availability State Mappings for AOL Instant Messenger


Table 1-9 shows the availability mapping states from AOL Instant Messenger to Cisco Unified Personal Communicator.


Table 1-9 Availability Mapping States from AOL Instant Messenger to Cisco Unified Personal Communicator

AOL Instant Messenger Setting | Cisco Unified Personal Communicator Release 7.x Setting | Cisco Unified Personal Communicator Release 8.x Setting
Available | Available | Available
Away | Away | Away
Invisible | Offline | Offline
Offline | Offline | Offline

Table 1-10 shows the availability mapping states from Cisco Unified Personal Communicator to AOL Instant Messenger.
Table 1-10 Availability Mapping States from Cisco Unified Personal Communicator to AOL Instant Messenger

Cisco Unified Personal Communicator Release 7.x Setting | Cisco Unified Personal Communicator Release 8.x Setting | AOL Instant Messenger
Available | Available | Available
Do Not Disturb | Do Not Disturb | Away
Away | Busy | Away
Idle | Idle | Away
Offline | Offline | Offline

Related Topics

Presence Subscriptions and Blocking Levels, page 1-12

Availability State Mappings for XMPP Federation


Table 1-11 shows the availability mapping states from IBM Sametime 8.2 to a third-party XMPP client on Cisco Unified Presence, and to Cisco Unified Personal Communicator.
Table 1-11 Availability Mapping States from IBM Sametime 8.2 client

IBM Sametime Client Setting | Third-party XMPP Client Setting (connected to Cisco Unified Presence) | Cisco Unified Personal Communicator Release 7.x Setting | Cisco Unified Personal Communicator Release 8.x Setting
Available | Available | Available | Available with status message
Do Not Disturb | Do Not Disturb | Do Not Disturb | Do Not Disturb with status message
Available with status In a meeting | Available with status In a meeting | Available with status In a meeting | Available with status message
Away | Away | Away | Away with status message
Offline | Offline | Offline | Offline

Table 1-12 shows the availability mapping states from Webex Connect to a third-party XMPP client on Cisco Unified Presence, and to Cisco Unified Personal Communicator.
Table 1-12 Availability Mapping States from Webex Connect

Webex Connect Setting | Third-party XMPP Client Setting (connected to Cisco Unified Presence) | Cisco Unified Personal Communicator Release 7.x Setting | Cisco Unified Personal Communicator Release 8.x Setting
Available | Available | Available | Available
Do Not Disturb | Do Not Disturb | Do Not Disturb | Do Not Disturb
Away with status In a meeting | Available with status In a meeting | Away with status In a meeting | Away with status In a meeting
Away | Away | Away | Away
Offline | Offline | Offline | Offline

Table 1-13 shows the availability mapping states from Cisco Unified Personal Communicator Release 7.x to other federated clients.

Table 1-13 Availability Mapping States from Cisco Unified Personal Communicator Release 7.x

Cisco Unified Personal Communicator Release 7.x Setting | Federated Cisco Unified Personal Communicator Release 7.x Setting | Federated Cisco Unified Personal Communicator Release 8.x Setting | Federated Third-party XMPP Client Setting (connected to Cisco Unified Presence) | Webex Connect Client Setting | IBM Sametime Client Server
Available | Available | Available | Available | Available | Available
Do Not Disturb | Do Not Disturb | Do Not Disturb | Do Not Disturb | Do Not Disturb | Do Not Disturb
Away | Away | Away | Away | Away | Away
Idle | Idle | Idle | Away with status Idle | Away with status Idle | Extended Away
Offline | Offline | Offline | Offline | Offline | Offline


Table 1-14 shows the availability mapping states from Cisco Unified Personal Communicator Release 8.x to other federated clients.

Table 1-14 Availability Mapping States from Cisco Unified Personal Communicator Release 8.x

Cisco Unified Personal Communicator Release 8.x Setting | Federated Cisco Unified Personal Communicator Release 7.x Setting | Federated Cisco Unified Personal Communicator Release 8.x Setting | Federated Third-party XMPP Client Setting (connected to Cisco Unified Presence) | Webex Connect Client Setting | IBM Sametime Client Server
Available | Available | Available | Available | Available | Available
Do Not Disturb | Do Not Disturb | Do Not Disturb | Do Not Disturb | Do Not Disturb | Do Not Disturb
Busy | Away | Busy | Away | Idle | Away
Idle | Idle | Idle | Idle | Idle | Idle
Offline | Offline | Offline | Offline | Offline | Offline

Table 1-15 shows the availability mapping states from a third-party XMPP client on Cisco Unified Presence to other federated clients.
Table 1-15 Availability Mapping States from XMPP Client Connected to Cisco Unified Presence

Third-party XMPP Client Setting (connected to Cisco Unified Presence) | Federated Cisco Unified Personal Communicator Release 7.x Setting | Federated Cisco Unified Personal Communicator Release 8.x Setting | Federated XMPP Client Setting (connected to Cisco Unified Presence) | Webex Connect Client Setting | IBM Sametime Client Server
Available | Available | Available | Available | Available | Available
Do Not Disturb | Do Not Disturb | Do Not Disturb | Do Not Disturb | Do Not Disturb | Do Not Disturb
Away | Away | Away | Away | Away | Away
Extended Away | Away | Away | Extended Away | Extended Away | Away
Away with status Idle | Idle | Idle | Away with status Idle | Away with status Idle | Away with status Idle
Offline | Offline | Offline | Offline | Offline | Offline


About Instant Messaging

• Instant Message Flow for SIP Federation, page 1-21
• Availability and Instant Message Flow for XMPP Federation, page 1-22

Instant Message Flow for SIP Federation


Instant Messages (IMs) that are sent between two enterprise deployments use Session Mode. When a user in a foreign domain sends an IM to a local user in the Cisco Unified Presence domain, the foreign server sends an INVITE message, as illustrated in Figure 1-8. Cisco Adaptive Security Appliance forwards the INVITE message to Cisco Unified Presence. Cisco Unified Presence replies with a 200 OK message to the foreign server, and the foreign server sends a SIP MESSAGE containing the text data. Cisco Unified Presence forwards the text data to the client application of the local user, using the appropriate protocol.
Figure 1-8 Inbound Instant Messaging Flow

[Figure: Enterprise Y (OCS, Access Edge, MOC (Yao); private network and DMZ) sends an IM over the Internet by SIP to Enterprise X (*ASA in the DMZ, CUP, CUPC (Ann); private network). Callouts: Yao initiates an IM session with local user Ann (INVITE); Domain level authorization check (at the *ASA); Admin level authorization check and Allow/Deny Policy (at CUP); IM sent to client (SIP message). *ASA = Cisco Adaptive Security Appliance]

When a local user in the Cisco Unified Presence domain sends an IM to a user in a foreign domain, the IM is sent to the Cisco Unified Presence server. If no existing IM session is established between these two users, Cisco Unified Presence sends an INVITE message to the foreign domain to establish a new session. Figure 1-9 illustrates this flow. Cisco Unified Presence uses this session for any subsequent MESSAGE traffic from either of these two users. Note that users of Cisco Unified Personal Communicator Release 8.x and third-party XMPP clients can initiate an IM even if they do not have availability.


Figure 1-9 Outbound Instant Message Flow

[Figure: Enterprise X (CUPC (Ann), CUP, ASA in the DMZ; private network) sends an IM over the Internet by SIP to Enterprise Y (Access Edge, OCS, MOC (Matt); DMZ and private network). Callouts: if Ann has presence for Matt, she can initiate an IM to Matt; Ann initiates an IM session with foreign user Matt; Domain level authorization check. ASA = Cisco Adaptive Security Appliance]

Note

Cisco Unified Presence does not support a three-way IM session (group chat) with a Microsoft OCS contact.
Related Topics

Presence Subscriptions and Blocking Levels, page 1-12

Availability and Instant Message Flow for XMPP Federation


The flow of incoming and outgoing availability and IM requests for XMPP federation can vary in a multi-node Cisco Unified Presence deployment. In a multi-node deployment, you can enable XMPP federation on each node in the cluster, or just on a single node in a cluster. In addition, you can decide to publish only a single DNS SRV record, or publish multiple DNS SRV records (one record for each node on which you enable XMPP Federation). If you only publish a single DNS SRV record, the system routes all inbound requests to that single node, and internally Cisco Unified Presence routes the traffic to the correct node using intercluster routing, as illustrated in Figure 1-10. If you publish multiple DNS SRV records, depending on how you configure the SRV records, the system could load-balance inbound requests across each node.


Figure 1-10 XMPP Inbound Request Flow

[Figure: Enterprise X with two clusters, CUP (UK) and CUP (US), each with a CUCM and three CUP nodes joined by inter-cluster communication, and an *ASA in the DMZ; clients CUPC (Ann) and Third-party XMPP Client (Tom). XMPP over the Internet to Enterprise Z (IBM Sametime Gateway, IBM Sametime Server, Directory; Sametime users Bob and Bill). Callout: all incoming requests are directed to the node where XMPP Federation is enabled and published in public DNS. *ASA = Cisco Adaptive Security Appliance]

Cisco Unified Presence routes outbound requests to any node in the cluster on which you enable XMPP Federation, even if that node is not the home node for the user that initiates the request, as illustrated in Figure 1-11.


Figure 1-11 XMPP Outbound Request Flow

[Figure: Enterprise X with two clusters, CUP (UK) and CUP (US), each with a CUCM and three CUP nodes joined by inter-cluster communication, and an *ASA in the DMZ; clients CUPC (Ann) and Third-party XMPP Client (Tom). Over the Internet to Enterprise Z (IBM Sametime Gateway, IBM Sametime Server, Directory; Sametime users Bob and Bill). Callout: outbound requests can be directed outwards via any node within the cluster which has XMPP federation enabled. *ASA = Cisco Adaptive Security Appliance]

Related Topics

High Availability for XMPP Federation, page 1-8

Federation and Subdomains


Cisco Unified Presence supports the following subdomain scenarios:

• Cisco Unified Presence belongs to a subdomain of the foreign domain. For example, Cisco Unified Presence belongs to the subdomain "cup.cisco.com". Cisco Unified Presence federates with a foreign enterprise that belongs to the domain "cisco.com". In this case, the Cisco Unified Presence user is assigned the URI cupuser@cup.cisco.com, and the foreign user has the URI foreignuser@cisco.com.

• Cisco Unified Presence belongs to a parent domain, and the foreign enterprise belongs to a subdomain of that parent domain. For example, Cisco Unified Presence belongs to the domain "cisco.com". Cisco Unified Presence federates with a foreign enterprise that belongs to the subdomain "foreign.cisco.com". In this case, the Cisco Unified Presence user is assigned the URI cupuser@cisco.com, and the foreign user is assigned the URI foreignuser@foreign.cisco.com.


• Cisco Unified Presence and the foreign enterprise each belong to different subdomains, but both of these subdomains belong to the same parent domain. For example, Cisco Unified Presence belongs to the subdomain "cup.cisco.com" and the foreign enterprise belongs to the subdomain "foreign.cisco.com". Both of these subdomains belong to the parent domain "cisco.com". In this case, the Cisco Unified Presence user is assigned the URI cupuser@cup.cisco.com and the foreign user is assigned the URI foreignuser@foreign.cisco.com.

If you federate with subdomains, you only need to configure separate DNS domains; there is no requirement to split your Active Directory. If you configure federation within the enterprise, Cisco Unified Presence users and foreign users can belong to the same Active Directory domain. For example, in the third scenario above, the Active Directory can belong to the parent domain cisco.com. You can configure all users under the cisco.com domain in Active Directory, even though a user may belong to the subdomain "cup.cisco.com" or "foreign.cisco.com", and may have the URI cupuser@cup.cisco.com or foreignuser@foreign.cisco.com. Note that even though an LDAP search from Cisco Unified Personal Communicator may return users in the other domain or subdomain, a Cisco Unified Personal Communicator user cannot add these federated users from the LDAP lookup on Cisco Unified Personal Communicator. The Cisco Unified Personal Communicator user must add these users as external (federated) contacts so that Cisco Unified Presence applies the correct domain and not the local domain.
Note

Cisco Unified Presence also supports the scenarios above if you configure federation between two Cisco Unified Presence enterprise deployments.


Chapter 2

Planning for this Integration

April 4, 2011

• Supported Interdomain Federation Integrations, page 2-1
• Hardware Requirements, page 2-2
• Software Requirements, page 2-2
• About Integration Preparation, page 2-3
• About Prerequisite Configuration Tasks for this Integration, page 2-7

Supported Interdomain Federation Integrations


This document describes the configuration steps for setting up a federated network between a Cisco Unified Presence server and a foreign domain. The supported foreign domains that a Cisco Unified Presence server can federate with are:

• Microsoft Office Communications Server Releases 2007, R2, Microsoft Lync 2010 over SIP
• AOL over SIP
• Cisco Webex Connect Release 6.x over XMPP
• IBM Sametime Server Release 8.2, 8.5 over XMPP
• GoogleTalk over XMPP
• Cisco Unified Presence Release 8.x over XMPP

Note

Only Cisco Unified Presence Release 8.5(2) or higher supports interdomain federation with Microsoft Lync. For Cisco Unified Presence Release 8.5(2) or higher, any reference to interdomain federation with OCS also includes Microsoft Lync, unless explicitly stated otherwise.

Note

If you federate between one Cisco Unified Presence enterprise and another, follow the procedures that describe how to configure XMPP Federation.
Related Topics

Hardware Requirements, page 2-2
Software Requirements, page 2-2

Hardware Requirements

Cisco Hardware

• Cisco Unified Presence server. For Cisco Unified Presence hardware support, refer to the Cisco Unified Presence compatibility matrix.
• Cisco Unified Communications Manager server. For Cisco Unified Communications Manager hardware support, refer to the Cisco Unified Communications Manager compatibility matrix.
• Two DNS servers within the Cisco Unified Presence enterprise.
• Cisco Adaptive Security Appliance 5500 Series.
• (Optional) Cisco CSS11506 Content Services Switch.

Note

We only recommend the Cisco Adaptive Security Appliance for SIP federation, as it provides the TLS proxy functionality. For XMPP federation, any firewall is sufficient.

When selecting a Cisco Adaptive Security Appliance model, go to: http://www.cisco.com/en/US/products/ps6120/prod_models_home.html. The TLS proxy component is available on all 5500 models. Make sure you use the correct version of Cisco Adaptive Security Appliance software for your deployment. If you are configuring a new interdomain federation deployment, refer to the Cisco Unified Presence compatibility matrix for the correct version of Cisco Adaptive Security Appliance software.

Related Topics

Hardware and Software Compatibility Information for Cisco Unified Presence: http://www.cisco.com/en/US/products/ps6837/products_device_support_tables_list.html
Cisco Unified Communications Manager Hardware Compatibility Matrix: http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_device_support_tables_list.html
Software Requirements, page 2-2

Software Requirements

Note

You require Cisco Unified Presence Release 8.5 or higher to configure SIP federation with AOL.

Cisco Software

• Cisco Unified Presence Server Release 8.5
• Cisco Unified Communications Manager Server Release 6.x+
• Cisco Unified Personal Communicator Release 7.x (7.03.13742 or later) - SIP client
• Cisco Unified Personal Communicator Release 8.0 - XMPP client
• Cisco Adaptive Security Appliance v8.3(1)
• Cisco Adaptive Security Device Manager (ASDM) v6.3

Microsoft Software for SIP Federation

• Microsoft Lync 2010
• Microsoft OCS 2007 Release 2 Server Standard or Enterprise
• Microsoft Office Communicator 2007 Release 2
• Microsoft Active Directory

AOL Software for SIP Federation

• AOL SIP Access Gateway (SAG)
• AOL Instant Messenger Release 7.2.6.1 or later

Software for XMPP Federation

• Cisco Webex Connect Release 6.x
• IBM Sametime Server Release 8.2
• GoogleTalk

Related Topics

• Hardware Requirements, page 2-2

About Integration Preparation

It is essential that you plan carefully for this integration. Read the items in this section before you commence any configuration for this integration.

• Routing Configuration, page 2-3
• Public IP Address, page 2-4
• Public FQDN, page 2-5
• AOL SIP Access Gateway, page 2-5
• Redundancy/High Availability, page 2-5
• DNS Configuration, page 2-6
• Certificate Authority (CA) Server, page 2-6

Routing Configuration
Consider how you are going to set up routing in your federated network. Consider how you route messages that are destined for a foreign domain address from Cisco Unified Presence through the Cisco Adaptive Security Appliance to the foreign domain. You could consider deploying a routing entity (router, switch or gateway) between the Cisco Unified Presence enterprise deployment and Cisco Adaptive Security Appliance. The routing entity routes messages to the Cisco Adaptive Security Appliance, and Cisco Adaptive Security Appliance routes these messages to the foreign domain.


You can also deploy Cisco Adaptive Security Appliance as a gateway between Cisco Unified Presence and the foreign domain. If you use Cisco Adaptive Security Appliance as a gateway for Cisco Unified Presence, within your local enterprise deployment you must consider how Cisco Unified Communications Manager, and the Cisco Unified Presence client will access the Cisco Unified Presence server. If Cisco Unified Communications Manager and the Cisco Unified Presence clients are in a different subnet from Cisco Unified Presence, they will need to access the Cisco Unified Presence using Cisco Adaptive Security Appliance. If you deploy Cisco Adaptive Security Appliance behind an existing firewall in your network, consider how you route traffic to Cisco Adaptive Security Appliance and to Cisco Unified Presence. On the existing firewall, configure routes and access lists to route traffic to the public Cisco Unified Presence address. You must also configure routes to the foreign domain using the existing firewall.
Related Topics

• Cisco Adaptive Security Appliance Deployment Options, page 1-10
• Configuring Cisco Adaptive Security Appliance for SIP Federation, page 6-1

Public IP Address

For SIP federation, you require a publicly accessible IP address for the public Cisco Unified Presence address. If you do not have an IP address that you can assign, use the outside interface of the Cisco Adaptive Security Appliance as the public Cisco Unified Presence address (provided that you only use the Cisco Adaptive Security Appliance for availability and IM traffic). For SIP federation with Microsoft OCS R2, you require a single public IP address, even if you deploy multiple Cisco Unified Presence servers. Cisco Adaptive Security Appliance routes the requests from OCS to the correct Cisco Unified Presence server using Port Address Translation (PAT).

For XMPP federation, you can choose to either expose a public IP address for each Cisco Unified Presence server on which you enable XMPP federation, or expose a single public IP address:

• If you expose multiple IP addresses, you use NAT on Cisco Adaptive Security Appliance to convert the public addresses to private addresses. For example, you can use NAT to convert the public addresses x.x.x.x:5269 and y.y.y.y:5269 to the private addresses a.a.a.a:5269 and b.b.b.b:5269 respectively.
• If you expose a single IP address, you use PAT on Cisco Adaptive Security Appliance to map to the correct Cisco Unified Presence server. For example, the public IP address in your deployment is x.x.x.x, and there are multiple DNS SRV records for _xmpp-server. Each record has a different port, but all records resolve to x.x.x.x. The foreign servers send requests to x.x.x.x:5269, x.x.x.x:15269 and x.x.x.x:25269 through Cisco Adaptive Security Appliance. Cisco Adaptive Security Appliance performs PAT on the IP addresses, whereby it maps each address to the corresponding internal IP address for each Cisco Unified Presence server. For example, the public IP address x.x.x.x:5269 maps to the private IP address a.a.a.a:5269, the public IP address x.x.x.x:15269 maps to the private IP address b.b.b.b:5269, and the public IP address x.x.x.x:25269 maps to the private IP address c.c.c.c:5269, and so on. All IP addresses map internally to the same port (5269) on Cisco Unified Presence.
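As an added example (not from the Cisco guide), the following Python checks that the published _xmpp-server SRV records and the static PAT table on the Cisco Adaptive Security Appliance agree for the single-public-IP case above: every advertised port must have a PAT entry, every entry must land on port 5269 internally, and no PAT entry may be left without an SRV record. The addresses, record set and PAT table are constructed placeholders standing in for x.x.x.x, a.a.a.a and so on, and the dict representation is an assumption, not the ASA's own configuration format.

```python
"""Consistency check between published _xmpp-server SRV records and the
static PAT table on the Cisco Adaptive Security Appliance (single public
IP, one public port per Cisco Unified Presence node). Added example, not
Cisco code; all addresses and records below are constructed."""
from dataclasses import dataclass
from typing import Dict, Tuple

XMPP_S2S_PORT = 5269  # every CUP node listens internally on this port


@dataclass(frozen=True)
class SrvRecord:
    name: str      # e.g. "_xmpp-server._tcp.example.com"
    priority: int
    weight: int
    port: int      # public port the foreign server will connect to
    target: str    # FQDN the record points at


# Constructed sample data (documentation addresses stand in for the
# guide's x.x.x.x / a.a.a.a placeholders).
PUBLIC_IP = "203.0.113.10"
SRV_RECORDS = [
    SrvRecord("_xmpp-server._tcp.example.com", 0, 0, 5269, "xmpp1.example.com"),
    SrvRecord("_xmpp-server._tcp.example.com", 0, 0, 15269, "xmpp2.example.com"),
    SrvRecord("_xmpp-server._tcp.example.com", 0, 0, 25269, "xmpp3.example.com"),
]
# Public A records: every SRV target resolves to the one exposed address.
A_RECORDS = {
    "xmpp1.example.com": PUBLIC_IP,
    "xmpp2.example.com": PUBLIC_IP,
    "xmpp3.example.com": PUBLIC_IP,
}
# Static PAT: (public ip, public port) -> (private CUP ip, private port).
PAT_TABLE: Dict[Tuple[str, int], Tuple[str, int]] = {
    (PUBLIC_IP, 5269): ("10.0.0.1", 5269),
    (PUBLIC_IP, 15269): ("10.0.0.2", 5269),
    (PUBLIC_IP, 25269): ("10.0.0.3", 5269),
}


def resolve_inbound(record, a_records, pat_table):
    """Follow one SRV record the way a foreign XMPP server would: SRV
    target -> public A record -> ASA static PAT -> internal CUP node.
    Returns (private_ip, private_port), or None when no PAT entry exists."""
    public_ip = a_records[record.target]
    return pat_table.get((public_ip, record.port))


def check_xmpp_exposure(srv_records, a_records, pat_table):
    """Return a list of problems; an empty list means DNS and PAT agree.

    Checked: every SRV target has an A record, every advertised
    (ip, port) has a static PAT entry, each entry maps to port 5269
    internally, and no PAT entry is left unadvertised (a CUP node that
    no foreign server could ever reach)."""
    problems = []
    advertised = set()
    for rec in srv_records:
        public_ip = a_records.get(rec.target)
        if public_ip is None:
            problems.append(f"{rec.target}: no public A record")
            continue
        advertised.add((public_ip, rec.port))
        hop = resolve_inbound(rec, a_records, pat_table)
        if hop is None:
            problems.append(f"{public_ip}:{rec.port}: no static PAT entry")
            continue
        private_ip, private_port = hop
        if private_port != XMPP_S2S_PORT:
            problems.append(
                f"{private_ip}: PAT must map to port {XMPP_S2S_PORT}, "
                f"not {private_port}")
    for key, (private_ip, _) in pat_table.items():
        if key not in advertised:
            problems.append(
                f"{private_ip}: PAT entry {key[0]}:{key[1]} has no SRV record")
    return problems


if __name__ == "__main__":
    for rec in SRV_RECORDS:
        print(rec.port, "->", resolve_inbound(rec, A_RECORDS, PAT_TABLE))
    print("problems:", check_xmpp_exposure(SRV_RECORDS, A_RECORDS, PAT_TABLE))
```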

Related Topics

• External and Internal Interface Configuration, page 6-1
• DNS Configuration, page 2-6


Public FQDN
For SIP federation, request messages are routed based on the FQDN. Therefore, the FQDN of the routing Cisco Unified Presence server (publisher) must be publicly resolvable.

AOL SIP Access Gateway

The AOL SIP Access Gateway provides federated services, which permit a company's SIP/SIMPLE-based instant messaging servers to communicate with other instant messaging users on the network. Using the AOL SIP Access Gateway, it is possible for users of a company's SIP/SIMPLE-based messaging server to obtain availability information for, and hold conversations with, public users of the AIM or AOL services. The AOL SIP Access Gateway also enables users of the AIM or AOL systems to send instant messages and to display availability information for users of the company's internal SIP/SIMPLE-based system.

The AOL SIP Access Gateway acts as the front end to a translator for internal AOL protocols. All communications between the company server and AOL use SIP. The AOL SIP Access Gateway handles the translation into the protocols needed by internal AOL systems. It is not necessary to add any translation capabilities to external servers; from that perspective the AOL protocols are hidden. If the company server communicates using SIP/SIMPLE, it should still be possible to connect to AOL via the AOL SIP Access Gateway. The AOL SIP Access Gateway supports connections via TLS over TCP only.

The AOL SIP Access Gateway server should be defined within your instant messaging servers or proxies with this address:

• Server Name: sip.oscar.aol.com
• Server Port: 5061

The server name sip.oscar.aol.com resolves to 205.188.153.55 and 64.12.162.248.

Note

If you configure these IP addresses statically anywhere in your network, we recommend that you periodically check with AOL for potential changes to these addresses. We recommend that you ping the FQDN of the AOL SIP Access Gateway (sip.oscar.aol.com) to confirm the IP address, as it may be subject to change, for example: ping sip.oscar.aol.com

Redundancy/High Availability
You need to consider how you are going to configure redundancy in your federated network. Cisco Adaptive Security Appliance supports redundancy by providing the Active/Standby (A/S) deployment model. If you wish to make your Cisco Unified Presence federation capability highly available, you can deploy a load balancer in front of your designated (federation) Cisco Unified Presence cluster. Cisco recommends you use the Cisco CSS 11500 Content Services Switch. The Cisco CSS 11500 Content Services Switch documentation is available at the following URL: http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_installation_and_configuration_guides_list.html


DNS Configuration
In the local Cisco Unified Presence enterprise deployment, Cisco Unified Presence must publish a DNS SRV record for the Cisco Unified Presence domain to make it possible for other domains to discover the Cisco Unified Presence server through DNS SRV. The DNS SRV records reside on the DNS server in the enterprise DMZ.

For SIP federation with Microsoft OCS R2, you must publish the DNS SRV record _sipfederationtls. The Microsoft enterprise deployment requires this record because you configure Cisco Unified Presence as a Public IM Provider on the Access Edge server. In the external enterprise deployment, in order for Cisco Unified Presence to discover the Microsoft domain, a DNS SRV record must exist that points to this external domain. If the Cisco Unified Presence server cannot discover the Microsoft domain using DNS SRV, you must configure a static route on Cisco Unified Presence that points to the public interface of this external domain.

For AOL federation, AOL publishes the DNS SRV record _sipfederationtls._tcp.aol.com in their public DNS server for the domain aol.com. This resolves to sip.oscar.aol.com, which is the AOL SIP Access Gateway.

Because DNS SRV records are publicly resolvable, if you turn on DNS forwarding in the local enterprise, DNS queries retrieve information about public domains outside of the local enterprise. If the DNS queries rely completely on DNS information within the local enterprise (you do not turn on DNS forwarding in the local enterprise), you will need to publish a DNS SRV record/FQDN/IP address that points to the external domain. Alternatively, you can configure static routes.

For XMPP federation, you must publish the DNS SRV record _xmpp-server. This record enables federated XMPP domains to discover the Cisco Unified Presence domain so users in both domains can exchange IM and availability information over XMPP. Similarly, foreign domains must publish the _xmpp-server record in their public DNS server to enable Cisco Unified Presence to discover the foreign domain.
Related Topics

• Routing SIP Requests for SIP Federation with AOL, page 4-7
• Verifying or Changing the Default Federation Routing Domain for SIP Federation with AOL, page 4-8

Certificate Authority (CA) Server

For SIP federation, the Cisco Adaptive Security Appliance in the Cisco Unified Presence enterprise deployment and the foreign enterprise deployment share IM and availability over a secure SSL/TLS connection. Each enterprise deployment must present a certificate that is signed by an external CA; however, each enterprise deployment may use a different CA. Therefore each enterprise deployment must download the root certificate from the external CA of the other enterprise deployment to achieve mutual trust between the two enterprise deployments.

For XMPP federation, you can choose whether or not to configure a secure TLS connection. If you configure TLS, on Cisco Unified Presence you need to upload the root certificate of the Certificate Authority (CA) that signs the certificate of the foreign enterprise. This certificate must exist in the certificate trust store on Cisco Unified Presence because the Cisco Adaptive Security Appliance does not terminate the TLS connections for XMPP federation; Cisco Adaptive Security Appliance acts as a firewall for XMPP federation.


About Prerequisite Configuration Tasks for this Integration

• Prerequisite Configuration for Cisco Unified Presence, page 2-7
• Prerequisite Configuration for Cisco Adaptive Security Appliance, page 2-7

Prerequisite Configuration for Cisco Unified Presence

Note

These prerequisite tasks apply to both SIP and XMPP federation.

1. Install and configure Cisco Unified Presence as described in the Deployment Guide for Cisco Unified Presence. At this point, perform the following checks to ensure that your Cisco Unified Presence is operating properly:
   • Run the Cisco Unified Presence Troubleshooter.
   • Check that you can add local contacts to Cisco Unified Presence.
   • Check that your clients are receiving availability states from the Cisco Unified Presence server.
2. Configure the Cisco Unified Presence server with a Cisco Unified Communications Manager (CUCM) server as described in the Deployment Guide for Cisco Unified Presence. Ensure that the Cisco Unified Presence server is working without any issues.

Related Topics

• Deployment Guide for Cisco Unified Presence: http://www.cisco.com/en/US/products/ps6837/tsd_products_support_series_home.html
• Prerequisite Configuration for Cisco Adaptive Security Appliance, page 2-7

Prerequisite Configuration for Cisco Adaptive Security Appliance

Note

For SIP federation, you require Cisco Adaptive Security Appliance. For XMPP federation, you require a firewall. You can use any firewall, including Cisco Adaptive Security Appliance, for basic firewall/NAT/PAT functionality. For XMPP federation you do not use Cisco Adaptive Security Appliance for TLS proxy functionality.

Install and configure Cisco Adaptive Security Appliance. Perform the following basic configuration checks on the Cisco Adaptive Security Appliance:

1. Access Cisco Adaptive Security Appliance either via the console through a HyperTerminal session, or via the web-based Adaptive Security Device Manager (ASDM).
2. Obtain the appropriate licenses for Cisco Adaptive Security Appliance. Note that you will require a license for the TLS proxy on Cisco Adaptive Security Appliance. Contact your Cisco representative for license information.
3. Upgrade the software (if necessary).
4. Configure the hostname using the command:

   (config)# hostname name

5. Set the timezone, date and time in ASDM by selecting Device Setup > System Time > Clock, or via the CLI using the clock set command. Note the following:
   • Set the clock on the Cisco ASA 5500 before configuring the TLS proxy.
   • We recommend that Cisco Adaptive Security Appliance use the same NTP server as the Cisco Unified Presence cluster. The TLS connections may fail due to certificate validation failure if the clock is out of sync between Cisco Adaptive Security Appliance and the Cisco Unified Presence server.
   • Use the command ntp server <server_address> to view the NTP server address, and the command show ntp associations or show ntp status to view the status of the NTP server.
6. Check the Cisco ASA 5500 modes. The Cisco ASA 5500 is configured to use single mode and routed mode by default.
   • Check the current mode. This value is single mode by default.

     (config)# show mode

   • Check the current firewall mode. This is routed mode by default.

     (config)# show firewall

7. Set up the external and internal interfaces.
8. Set up the basic IP routes.

Related Topics

• Cisco Adaptive Security Appliance documentation: http://www.cisco.com/en/US/products/ps6120/tsd_products_support_series_home.html
• Cisco Adaptive Security Appliance Command Line Reference Guides: http://www.cisco.com/en/US/products/ps6120/tsd_products_support_reference_guides.html
• Cisco Adaptive Security Appliance Configuration Guide: http://www.cisco.com/en/US/products/ps6120/tsd_products_support_configure.html
• ASDM 6.0 User Guide: http://www.cisco.com/en/US/products/ps6120/tsd_products_support_maintain_and_operate.html
• External and Internal Interface Configuration, page 6-1
• Configuring the Static IP Routes, page 6-2
• Prerequisite Configuration for Cisco Unified Presence, page 2-7

Chapter 3

Configuration Workflows for Interdomain Federation

April 4, 2011

• Configuration Workflow for SIP Federation with Microsoft OCS, page 3-1
• Configuration Workflow for SIP Federation with Microsoft Lync, page 3-2
• Configuration Workflow for SIP Federation with AOL, page 3-2
• Configuration Workflow for XMPP Federation, page 3-3
• Configuration Workflow for Direct SIP Federation with Microsoft OCS, page 3-3
• Configuration Workflow for Cisco Adaptive Security Appliance for SIP Federation, page 3-3

Note

Only Cisco Unified Presence Release 8.5(2) or higher supports interdomain federation with Microsoft Lync. For Cisco Unified Presence Release 8.5(2) or higher, any reference to interdomain federation with OCS also includes Microsoft Lync, unless explicitly stated otherwise.

Configuration Workflow for SIP Federation with Microsoft OCS

• Configure a federated domain on Cisco Unified Presence for Microsoft OCS federation, see Adding a SIP Federated Domain, page 4-2.
• Configure the DNS SRV records, see DNS Configuration for SIP Federation, page 4-3.
• Configure the routing on Cisco Unified Presence for Microsoft OCS federation, see How to Configure the Routing Configuration on Cisco Unified Presence, page 4-3.
• (Optional) Configure the email address for federation feature, see How To Configure Email Address for Federation, page 4-9.
• Configure the TLS security settings on Cisco Unified Presence, see How to Configure the Security Settings on Cisco Unified Presence, page 4-5.
• Configure the Cisco Adaptive Security Appliance for Microsoft OCS federation, see Configuring Cisco Adaptive Security Appliance for SIP Federation, page 6-1 and Configuring the TLS Proxy on Cisco Adaptive Security Appliance, page 7-1.
• Configure certificate exchange for Microsoft OCS federation, see Configuring Security Certificates for SIP Federation (with Cisco Adaptive Security Appliance), page 5-1.
• Configure the Microsoft OCS server, see Configuring a Static Route on OCS for the Cisco Unified Presence server, page 8-2 and Adding a Host Authorization entry for the Cisco Unified Presence server, page 8-3.
• (Optional) Configure a load balancer for redundancy, see Configuring the Load Balancer for Redundancy for SIP Federation, page 10-1.
• For troubleshooting information on Microsoft OCS federation, see Troubleshooting a SIP Federation Integration, page 15-1.

Configuration Workflow for SIP Federation with Microsoft Lync

• Configure a federated domain on Cisco Unified Presence for Microsoft Lync federation, see Adding a SIP Federated Domain, page 4-2.
• Configure the DNS SRV records, see DNS Configuration for SIP Federation, page 4-3.
• Configure the routing on Cisco Unified Presence for Microsoft Lync federation, see How to Configure the Routing Configuration on Cisco Unified Presence, page 4-3.
• (Optional) Configure the email address for federation feature, see How To Configure Email Address for Federation, page 4-9.
• Configure the TLS security settings on Cisco Unified Presence, see How to Configure the Security Settings on Cisco Unified Presence, page 4-5.
• Configure the Cisco Adaptive Security Appliance for Microsoft Lync federation, see Configuring Cisco Adaptive Security Appliance for SIP Federation, page 6-1 and Configuring the TLS Proxy on Cisco Adaptive Security Appliance, page 7-1.
• Configure certificate exchange for Microsoft Lync federation, see Configuring Security Certificates for SIP Federation (with Cisco Adaptive Security Appliance), page 5-1.

Configuration of Lync Server 2010 and Edge Servers for interdomain federation differs from that outlined within this guide for OCS. For information on configuring the Lync enterprise for interdomain federation with Cisco Unified Presence, see the Microsoft documentation: http://technet.microsoft.com/en-us/library/gg399048.aspx

Configuration Workflow for SIP Federation with AOL

• Establish an AOL license to enable AOL Federation, see License Requirements for AOL Federation, page 9-4, AOL Routing Information Requirements, page 9-5 and AOL Provisioning Information Requirements, page 9-5.
• Configure federated domains on Cisco Unified Presence for AOL federation, see Adding a SIP Federated Domain, page 4-2.
• Configure DNS SRV records, see DNS Configuration for SIP Federation, page 4-3. (If you are not using DNS, see the next step.)
• Configure the routing for AOL federation, see Configuring Static Routes Using TLS, page 4-3.
• (Optional) Verify and configure the Default Federation Routing Domain for AOL hosted domains, see How to Configure the Routing Information for AOL Federation, page 4-7.
• (Optional) Configure the email address for federation feature, see How To Configure Email Address for Federation, page 4-9.
• Configure the TLS security settings and certificates on Cisco Unified Presence, see How to Configure the Security Settings on Cisco Unified Presence, page 4-5 and Security Certificate Exchange Between Cisco Adaptive Security Appliance and AOL SIP Access Gateway, page 5-14.
• Configure Cisco Adaptive Security Appliance for AOL, see AOL SIP Access Gateway, page 2-5 for information on the AOL FQDN, server port, and the public IP address.
• (Optional) Configure a load balancer for redundancy, see Configuring the Load Balancer for Redundancy for SIP Federation, page 10-1.

Configuration Workflow for XMPP Federation

Note

Follow this workflow for Webex, Cisco Unified Presence, IBM Sametime and GoogleTalk federation.

• Configure Cisco Unified Presence for XMPP federation, see Configuring Cisco Unified Presence for XMPP Federation, page 11-1.
• Configure security for XMPP federation (not applicable for GoogleTalk), see Configuring Security Certificates for XMPP Federation, page 12-1.
• (Optional) Configure the email address for federation feature, see Turning On Email for XMPP Federation, page 11-12 and How To Configure Email Address for Federation, page 4-9.
• Turn on the XMPP Federation service, see Turning On the XMPP Federation Service, page 11-12.
• Configure Cisco Adaptive Security Appliance for XMPP federation, see Configuring Cisco Adaptive Security Appliance for XMPP Federation, page 11-10.
• For troubleshooting information on XMPP federation, see Troubleshooting an XMPP Federation Integration, page 16-1.

Configuration Workflow for Direct SIP Federation with Microsoft OCS

• Configure a federated domain on Cisco Unified Presence for Microsoft OCS federation, see Adding a SIP Federated Domain, page 4-2.
• Configure static routes for direct Microsoft OCS federation, see Configuring Interdomain Federation to Microsoft OCS within an Enterprise, page 8-1.
• (Optional) Configure the TLS security settings and certificates on Cisco Unified Presence, see How to Configure Static Routes Using TLS for Federation with Microsoft OCS Domain, page 8-4.

Configuration Workflow for Cisco Adaptive Security Appliance for SIP Federation

• Configure certificates between Cisco Adaptive Security Appliance and Cisco Unified Presence (inside interface), see How to Configure Security Certificate Exchange Between Cisco Unified Presence and Cisco Adaptive Security Appliance, page 5-1.
• Configure certificates between Cisco Adaptive Security Appliance and the federated domain (outside interface), see How to Configure Security Certificate Exchange Between Cisco Adaptive Security Appliance and Microsoft Access Edge (External Interface) Using a Microsoft CA, page 5-5 and Security Certificate Exchange Between Cisco Adaptive Security Appliance and AOL SIP Access Gateway, page 5-14.
• Configure PAT rules for private to public messaging, see About Port Address Translation (PAT), page 6-3.
• Configure static PAT for public to private messaging, see About Sample Static PAT Commands, page 6-8.
• Configure the required access lists, see Access List Configuration Requirements, page 7-2.
• Configure the TLS proxy instances, see Configuring the TLS Proxy Instances, page 7-4.
• Associate the access lists with the TLS proxy, see Associating an Access List with a TLS Proxy Instance Using Class Maps, page 7-5.

Chapter 4

Configuring Cisco Unified Presence for SIP Federation

April 4, 2011

• SIP Proxy Domain on Cisco Unified Presence, page 4-1
• Adding a SIP Federated Domain, page 4-2
• How to Configure the Routing Configuration on Cisco Unified Presence, page 4-3
• Configuring the Federation Routing Parameter, page 4-5
• How to Configure the Security Settings on Cisco Unified Presence, page 4-5
• How to Configure the Routing Information for AOL Federation, page 4-7
• How To Configure Email Address for Federation, page 4-9
• Turning On the SIP Federation Service, page 4-11

Note

Only Cisco Unified Presence Release 8.5(2) or higher supports interdomain federation with Microsoft Lync. For Cisco Unified Presence Release 8.5(2) or higher, any reference to interdomain federation with OCS also includes Microsoft Lync, unless explicitly stated otherwise.

SIP Proxy Domain on Cisco Unified Presence

If you change the SIP proxy domain on Cisco Unified Presence before you configure federation, as part of the SIP proxy domain change procedure you must also change the Federation Routing CUP FQDN parameter. Refer to the Deployment Guide for Cisco Unified Presence for the correct sequence of steps for changing the SIP proxy domain on Cisco Unified Presence.

Related Topics

• Deployment Guide for Cisco Unified Presence: http://www.cisco.com/en/US/products/ps6837/products_installation_and_configuration_guides_list.html


Adding a SIP Federated Domain

Note

Only Cisco Unified Presence Release 8.5.x or later releases support SIP federation with AOL.

When you configure a federated domain entry, Cisco Unified Presence automatically adds the incoming ACL for the federated domain entry. You can see the incoming ACL associated with a federated domain on Cisco Unified Presence Administration, but you cannot modify or delete it. You can only delete the incoming ACL when you delete the (associated) federated domain entry. If you are configuring SIP federation with AOL, note the following:

• The AOL network can comprise both public communities and hosted networks. You must configure each of these domains as a SIP federated domain of type AOL on Cisco Unified Presence.
• To handle users in a hosted domain such as user@acompany.com, you must configure a SIP federated domain of type AOL on Cisco Unified Presence for acompany.com.
• To handle users in the domains aol.com and aim.com, you only need to add one SIP federated domain for aol.com on Cisco Unified Presence. The AOL network allows you to address user@aim.com as user@aol.com.

Procedure

Step 1 Select Cisco Unified Presence Administration > Presence > Inter Domain Federation > SIP Federation.

Step 2 Select Add New.

Step 3 Enter the federated domain name in the Domain Name field.

Step 4 Enter a description that identifies the federated domain in the Description field.

Step 5 Select one of these integrations:
• Inter-domain to OCS
• Inter-domain to AOL

Note

For Cisco Unified Presence Release 8.5(2) or higher, you must select Inter-domain to OCS if you are federating with a Microsoft Lync enterprise.

Step 6 Select Save.

Step 7 After you add, edit or delete a SIP federated domain, restart the Cisco UP XCP Router by selecting Tools > Control Center - Network Services in Cisco Unified Serviceability. When you restart Cisco UP XCP Router, this causes a restart of all XCP services on Cisco Unified Presence.

Troubleshooting Tips

The text string you enter in the Description field is displayed to the user in the Cisco Unified Personal Communicator Release 7.x privacy preferences available from the Manage Domains tab. Therefore make sure you enter a domain name that is easily-recognizable to the user.


How to Configure the Routing Configuration on Cisco Unified Presence

• DNS Configuration for SIP Federation, page 4-3
• Configuring Static Routes Using TLS, page 4-3
• Configuring the Cisco Unified Presence Domain from the CLI, page 4-4

DNS Configuration for SIP Federation

In the local Cisco Unified Presence enterprise, Cisco Unified Presence must publish a DNS SRV record for the Cisco Unified Presence domain to make it possible for other domains to discover the Cisco Unified Presence server through DNS SRV. The Microsoft enterprise deployment requires Cisco Unified Presence to publish a DNS SRV record for the Cisco Unified Presence domain because you configure Cisco Unified Presence as a Public IM Provider on the Access Edge server.

In the Cisco Unified Presence enterprise deployment, you need to configure a DNS SRV record that points to _sipfederationtls._tcp.<CUP_domain> over port 5061, where <CUP_domain> is the name of the Cisco Unified Presence domain. This DNS SRV should point to the public FQDN of the routing Cisco Unified Presence server. This FQDN must be publicly resolvable.

In order for Cisco Unified Presence to discover the foreign domain, a DNS SRV record must exist in the DNS server of the foreign domain that points to the FQDN of the external interface of the foreign domain.

If you configure SIP federation with AOL, AOL routes based on FQDN, so you just require the FQDN of the routing Cisco Unified Presence server to be publicly resolvable. AOL does not perform a DNS SRV lookup; instead it statically configures the FQDN of Cisco Unified Presence, so it requires this FQDN to be publicly resolvable.

Tip

Use this sequence of commands for performing a DNS SRV lookup:

nslookup
set type=srv
_sipfederationtls._tcp.<domain>

If Cisco Unified Presence cannot resolve the foreign enterprise via public DNS lookup, you must configure static routes in your deployment.

Related Topics

• Configuring Static Routes Using TLS, page 4-3

Configuring Static Routes Using TLS


Note

Static route configuration is only applicable to SIP federation.


If the Cisco Unified Presence server cannot discover the external domain using DNS SRV, you must configure a static route on Cisco Unified Presence that points to the external interface of the foreign domain.
Procedure
Step 1 Select Cisco Unified Presence Administration > Presence > Routing > Static Routes.
Step 2 Configure the static route parameters as follows:

The Destination Pattern value must be configured such that the foreign enterprise domain is reversed. For example, if the domain is "domaina.com", then the Destination Pattern value must be ".com.domaina.*".
The Next Hop value is the FQDN or IP address of the external Access Edge for federation with Microsoft OCS, or the FQDN or IP address of the AOL SIP Access Gateway for federation with AOL.
The Next Hop Port number is 5061.
The Route Type value is domain.
The Protocol Type is TLS.

Step 3 Click Save.

Related Topics

Configuring the Cisco Unified Presence Domain from the CLI, page 4-4

Configuring the Cisco Unified Presence Domain from the CLI


If you do not enable DHCP, use this procedure to configure the Cisco Unified Presence domain from the CLI.
Procedure
Step 1

Log in to the administrator CLI on Cisco Unified Presence. Enter this command to display the current network settings:
show network eth0

Step 2

If no domain exists and you do not enable DHCP, configure the domain to be the same as the Cisco Unified Presence proxy domain. Enter this command:
set network domain <domain name>

Step 3

Enter y at the prompt to confirm the changes. The server automatically restarts. This can take up to 5 minutes. When the server restarts, enter this command to confirm that you have configured the domain:
show network eth0

Step 4


Configuring the Federation Routing Parameter


Before You Begin

When you first install Cisco Unified Presence, the federation routing parameter is automatically set to the FQDN of the publisher node, and Cisco Unified Presence passes this value to each subscriber node.
Procedure
Step 1 Select Cisco Unified Presence Administration > System > Service Parameters.
Step 2 Select the Cisco Unified Presence server from the Server menu.
Step 3 Select Cisco UP SIP Proxy from the Service menu.
Step 4 Enter the public FQDN value for the Federation Routing CUP FQDN parameter in the Federation Routing Parameters (Clusterwide) section.

Note

This FQDN value must correspond to the _sipfederationtls entry in the public DNS for that Cisco Unified Presence domain. If you assign users to the routing Cisco Unified Presence server, this FQDN value cannot be the same as the actual FQDN of the routing Cisco Unified Presence server.

Step 5 Select Save.
Step 6 After you add, edit or delete a SIP federated domain, restart the Cisco UP XCP Router by selecting Tools > Control Center - Network Services in Cisco Unified Serviceability. When you restart Cisco UP XCP Router, this causes a restart of all XCP services on Cisco Unified Presence.

Related Topics

Turning On Email for Federation, page 4-10

How to Configure the Security Settings on Cisco Unified Presence


Note

This procedure is only applicable if you do not have Cisco Adaptive Security Appliance in your federation deployment, for example, if you deploy federation within your enterprise and you want a secure TLS connection.

Creating a new TLS Peer Subject, page 4-6
Adding the TLS Peer to the Selected TLS Peer Subjects List, page 4-6


Creating a new TLS Peer Subject


When you import the Cisco Adaptive Security Appliance security certificate to Cisco Unified Presence, Cisco Unified Presence automatically adds Cisco Adaptive Security Appliance as a TLS peer subject. Therefore you do not need to manually add Cisco Adaptive Security Appliance as a TLS peer subject on Cisco Unified Presence.
Procedure
Step 1 Select Cisco Unified Presence Administration > System > Security > TLS Peer Subjects.
Step 2 Click Add New.
Step 3 Enter one of the following values:
a. If you configure SIP federation with Microsoft OCS, enter the external FQDN of the Access Edge Server in the Peer Subject Name field. This value must match the subject CN of the certificate that the Microsoft Access Edge server presents.
b. If you configure SIP federation with AOL, enter the external FQDN of the AOL SIP Access Gateway. This value must match the subject CN of the certificate that the AOL SIP Access Gateway presents.
Step 4 Enter the name of the foreign server in the Description field.
Step 5 Click Save.
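The procedure above requires the Peer Subject Name to match the subject CN of the certificate the federation peer presents, and a later chapter notes that all servers must share an NTP source. The following is an added example (not Cisco code) that checks a presented certificate against the configured TLS peer subject and its validity window. It assumes the certificate dictionary has the shape returned by Python's ssl.SSLSocket.getpeercert() after a verified handshake; the sample certificate, host names and dates are constructed for illustration.

```python
"""Check a presented peer certificate against the configured TLS peer subject.
Added example, not Cisco code. Assumes the certificate dict has the shape returned
by ssl.SSLSocket.getpeercert() after a handshake verified against a trusted CA file."""
import calendar
import socket
import ssl
import time
from typing import List, Optional


def subject_common_name(cert: dict) -> Optional[str]:
    """Return the subject commonName from a getpeercert() dict, or None."""
    for rdn in cert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return None


def seconds_utc(year: int, month: int, day: int) -> float:
    """Helper so checks can be run against a fixed clock (midnight UTC of that day)."""
    return float(calendar.timegm((year, month, day, 0, 0, 0, 0, 0, 0)))


def validate_tls_peer(cert: dict, expected_peer_subject: str,
                      now: Optional[float] = None, max_skew_seconds: int = 300) -> List[str]:
    """Return a list of findings; an empty list means the certificate is acceptable.

    Checks: subject CN equals the configured TLS peer subject (case-insensitive, as
    host names are), and the validity period covers 'now' allowing a small clock skew."""
    findings: List[str] = []
    cn = subject_common_name(cert)
    if cn is None:
        findings.append("certificate has no subject commonName")
    elif cn.lower() != expected_peer_subject.lower():
        findings.append(f"subject CN {cn!r} does not match TLS peer subject {expected_peer_subject!r}")

    now = time.time() if now is None else now
    try:
        not_before = ssl.cert_time_to_seconds(cert["notBefore"])
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    except (KeyError, ValueError):
        findings.append("certificate validity period missing or unparsable")
        return findings
    if not_before - now > max_skew_seconds:
        findings.append("certificate not yet valid: check that both peers use the same NTP source")
    if now - not_after > max_skew_seconds:
        findings.append("certificate expired")
    return findings


def fetch_peer_cert(host: str, port: int, ca_file: str) -> dict:
    """Connect over TLS trusting only ca_file (for example the peer's exported .pem) and
    return its certificate. Hostname checking is off because the CN is compared by
    validate_tls_peer against the configured peer subject instead."""
    context = ssl.create_default_context(cafile=ca_file)
    context.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificate data (placeholder host name and dates, not a real peer).
SAMPLE_CERT = {
    "subject": ((("commonName", "ocs-edge.example.invalid"),),),
    "notBefore": "Jan 10 00:00:00 2011 GMT",
    "notAfter": "Jan 10 00:00:00 2013 GMT",
}

if __name__ == "__main__":
    print(validate_tls_peer(SAMPLE_CERT, "ocs-edge.example.invalid", now=seconds_utc(2011, 4, 4)))
```

Run fetch_peer_cert against the peer's port 5061 with the peer's own exported certificate as ca_file, then pass the result to validate_tls_peer with the value you entered in Peer Subject Name; any finding explains a TLS handshake failure before you look at proxy logs.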

What To Do Next

Adding the TLS Peer to the Selected TLS Peer Subjects List, page 4-6
Related Topics

Importing the Self Signed Certificate onto Cisco Unified Presence, page 5-3

Adding the TLS Peer to the Selected TLS Peer Subjects List
Before You Begin

Create a new TLS peer subject.


Procedure
Step 1 Select Cisco Unified Presence Administration > System > Security > TLS Context Configuration.
Step 2 Click Find.
Step 3 Click Default_Cisco_UP_SIP_Proxy_Peer_Auth_TLS_Context.
Step 4 Select all ciphers from the list of available TLS ciphers.
Step 5 Click the down arrow to move these cipher selections to Selected TLS Ciphers.
Step 6 From the list of available TLS peer subjects, click the TLS peer subject that you configured in the previous section.
Step 7 Click the down arrow to move the selected TLS peer subject to Selected TLS Peer Subjects.


Step 8 Check Disable Empty TLS Fragments when you federate with Microsoft OCS.
Step 9 Click Save.
Step 10 Restart the Cisco UP SIP Proxy service.

Note

If you deploy AOL and Microsoft OCS federation on the same Cisco Unified Presence node, checking the Disable Empty TLS Fragments setting will not impact AOL federation.
Related Topics

Creating a new TLS Peer Subject, page 4-6

How to Configure the Routing Information for AOL Federation


Routing SIP Requests for SIP Federation with AOL, page 4-7
Verifying or Changing the Default Federation Routing Domain for SIP Federation with AOL, page 4-8

Routing SIP Requests for SIP Federation with AOL


Note

Only Cisco Unified Presence Release 8.5.x or later releases support SIP federation with AOL.

SIP federation with AOL enables Cisco Unified Presence users to federate with the following users:

Users of AOL public communities, for example, aim.com, aol.com.
Users of an enterprise whose domain is hosted by AOL.
Users of a foreign enterprise that federates with AOL. Cisco Unified Presence could use AOL as a clearing house to federate with these foreign enterprises.

For example, AOL hosts an enterprise with a domain called hosteddomain.com, and there is an enterprise federating with AOL with a domain called acompany.com. You can add a SIP federation domain entry for each of these domains on Cisco Unified Presence to allow Cisco Unified Presence users to federate with users@hosteddomain.com and users@acompany.com. The routing logic on Cisco Unified Presence is enhanced to support routing to domains that federate through AOL. When you configure SIP federation with AOL, Cisco Unified Presence routes messages based on the default federation routing domain. The default value for this domain is aol.com.
Note

The routing described here is only applicable when you configure a federated domain of type Inter-domain to AOL.

If the federated user belongs to one of the hosted domains in AOL (a domain other than aol.com), Cisco Unified Presence performs the following steps:
1. Performs a lookup for a static route for the hosted domain. If no static route exists, Cisco Unified Presence will,
2. Perform a DNS SRV lookup for the hosted domain. If the lookup returns nothing, Cisco Unified Presence will,
3. Perform a lookup for a static route for the default federation routing domain (aol.com by default). If no static route exists, Cisco Unified Presence will,
4. Perform a DNS SRV lookup for the default federation routing domain (aol.com by default).

If the federated user is in the default AOL domain (user@aol.com), Cisco Unified Presence performs the following steps:
1. Performs a lookup for a static route for the default AOL domain (aol.com by default). If no static route exists, Cisco Unified Presence will,
2. Perform a DNS SRV lookup for the default federation routing domain (aol.com by default).
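The lookup order above, together with the reversed Destination Pattern form required by Configuring Static Routes Using TLS (".com.domaina.*" for domaina.com), is shown below as an added example written for this guide; it is not Cisco Unified Presence code. It assumes that the trailing ".*" in a destination pattern also matches subdomains of the reversed domain, that the DNS SRV name is _sipfederationtls._tcp.<domain> as stated in this chapter, and it uses constructed static routes and SRV records with placeholder host names instead of live DNS.

```python
"""Route selection for SIP federation through AOL: static route first, then DNS SRV,
then the same two lookups for the default federation routing domain.
Added example, not Cisco code; sample routes and SRV data are constructed."""
from typing import Callable, List, NamedTuple, Optional, Tuple

DEFAULT_FEDERATION_ROUTING_DOMAIN = "aol.com"   # default value of the service parameter


class StaticRoute(NamedTuple):
    destination_pattern: str    # reversed domain, e.g. ".com.domaina.*"
    next_hop: str               # FQDN or IP of the Access Edge / AOL SIP Access Gateway
    port: int = 5061
    protocol: str = "TLS"


class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


def _reversed_labels(domain: str) -> str:
    labels = [label for label in domain.lower().strip(".").split(".") if label]
    return "." + ".".join(reversed(labels))


def destination_pattern(domain: str) -> str:
    """'domaina.com' -> '.com.domaina.*', the Destination Pattern form the guide requires."""
    return _reversed_labels(domain) + ".*"


def pattern_matches(pattern: str, domain: str) -> bool:
    """Assumption: the trailing '.*' covers the domain itself and its subdomains."""
    reversed_domain = _reversed_labels(domain)
    if pattern.endswith(".*"):
        prefix = pattern[:-2]
        return reversed_domain == prefix or reversed_domain.startswith(prefix + ".")
    return reversed_domain == pattern


def find_static_route(routes: List[StaticRoute], domain: str) -> Optional[StaticRoute]:
    for route in routes:
        if pattern_matches(route.destination_pattern, domain):
            return route
    return None


def srv_name(domain: str) -> str:
    return f"_sipfederationtls._tcp.{domain}"


def select_srv(records: List[SrvRecord]) -> SrvRecord:
    """Lowest priority wins; among equal priorities prefer the highest weight."""
    return sorted(records, key=lambda r: (r.priority, -r.weight))[0]


def resolve_federated_domain(
    domain: str,
    routes: List[StaticRoute],
    srv_lookup: Callable[[str], List[SrvRecord]],
    default_domain: str = DEFAULT_FEDERATION_ROUTING_DOMAIN,
) -> Tuple[str, Optional[str], Optional[int], List[str]]:
    """Return (method, host, port, trail). The trail records each lookup attempted,
    in the order the guide describes, which is useful when explaining a routing failure."""
    domain = domain.lower()
    candidates = [domain] if domain == default_domain else [domain, default_domain]
    trail: List[str] = []
    for candidate in candidates:
        trail.append(f"static-route:{candidate}")
        route = find_static_route(routes, candidate)
        if route is not None:
            return ("static", route.next_hop, route.port, trail)
        trail.append(f"dns-srv:{srv_name(candidate)}")
        records = srv_lookup(srv_name(candidate))
        if records:
            chosen = select_srv(records)
            return ("srv", chosen.target, chosen.port, trail)
    return ("unresolved", None, None, trail)


# Constructed sample data; host names are placeholders, not real federation endpoints.
SAMPLE_ROUTES = [StaticRoute(destination_pattern("hosteddomain.com"), "aol-gateway.example.invalid")]
SAMPLE_SRV = {srv_name("aol.com"): [SrvRecord(10, 0, 5061, "srv-target.example.invalid")]}


def sample_srv_lookup(name: str) -> List[SrvRecord]:
    """Stand-in for a real DNS SRV query, answering only from SAMPLE_SRV."""
    return SAMPLE_SRV.get(name, [])


if __name__ == "__main__":
    for d in ("hosteddomain.com", "acompany.com", "aol.com"):
        print(d, resolve_federated_domain(d, SAMPLE_ROUTES, sample_srv_lookup))
```

With the sample data, hosteddomain.com is reached through its static route, acompany.com (no route, no SRV of its own) falls through all four lookups to the aol.com SRV record, and aol.com itself needs only the two lookups for the default domain.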

Related Topics

Verifying or Changing the Default Federation Routing Domain for SIP Federation with AOL, page 4-8

Verifying or Changing the Default Federation Routing Domain for SIP Federation with AOL
Note

Only Cisco Unified Presence Release 8.5.x or later releases support SIP federation with AOL. Generally you should not need to change the value of the default federation routing domain, unless the AOL enterprise changes the domain that the AOL server resolves to.
Before You Begin

Read the topic on routing SIP requests for SIP federation with AOL.
Procedure
Step 1 Select Cisco Unified Presence Administration > System > Service Parameters.
Step 2 Select the Cisco Unified Presence server from the Server menu.
Step 3 Select Cisco UP SIP Proxy from the Service menu.
Step 4 Verify or edit the value of the Default Federation Routing Domain parameter in the Federation Routing Parameters (Clusterwide) section.
Step 5 Select Save if you change the value of the Default Federation Routing Domain parameter.
Step 6 You need to restart the Cisco UP XCP Router if you change the value of the Default Federation Routing Domain parameter. In Cisco Unified Serviceability, select Tools > Control Center - Network Services to restart the Cisco UP XCP Router.

Related Topics

Routing SIP Requests for SIP Federation with AOL, page 4-7


How To Configure Email Address for Federation


Note

This section is only applicable to Cisco Unified Presence Release 8.5 or later releases. This section applies to both SIP and XMPP federation.

Email Address for Federation Feature, page 4-9
Email Domain for Federation, page 4-9
Information to Provide to Administrator of the Foreign Domain, page 4-10
Information to Provide to Cisco Unified Presence Users, page 4-10
Turning On Email for Federation, page 4-10

Email Address for Federation Feature


When you turn on Cisco Unified Presence to use the email address for SIP federation, Cisco Unified Presence changes the SIP URI of each federated contact from userid@domain to the email address of the contact. Before you turn on email address for interdomain federation, note the following:

If you have not yet attempted to federate with the foreign domain, and you wish to turn on email for federation, we recommend that you turn on this setting before users begin to add any federated contacts.
If you turn on email address for federation, and a user does not have an email address configured in Active Directory, Cisco Unified Presence uses the JID of the user for federation.
If you turn on email address for federation, and a federated contact uses the JID of a Cisco Unified Presence user rather than using the email address, Cisco Unified Presence drops these requests (even if a valid email address is configured for the user).
Cisco Unified Presence does not support email aliases for the email address for federation feature.
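The rules above decide which address a federated contact must use for each local user, and which inbound requests are dropped. The following added example (not Cisco code) models those rules so an administrator can predict the effect of turning the feature on before users are affected; the user records and addresses are constructed, and the lookup of a local user by the address in an inbound request is an assumption about how such a check would be written, not a description of the product's internals.

```python
"""Model of 'email address for federation': which address each user is reachable at,
and which inbound federated requests are dropped. Added example, not Cisco code."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class PresenceUser:
    user_id: str
    domain: str
    email: Optional[str] = None       # mail attribute synchronised from Active Directory
    aliases: Tuple[str, ...] = ()     # other directory addresses; never consulted by the feature

    @property
    def jid(self) -> str:
        return f"{self.user_id}@{self.domain}".lower()


def federation_address(user: PresenceUser, email_for_federation: bool) -> str:
    """The one address a federated contact must use for this user."""
    if email_for_federation and user.email:
        return user.email.lower()
    return user.jid                   # feature off, or no email configured in Active Directory


def route_inbound(request_uri: str, users: Iterable[PresenceUser],
                  email_for_federation: bool) -> Optional[PresenceUser]:
    """Return the local user an inbound federated request reaches, or None if it is dropped.
    A request to the JID is dropped while the feature is on, unless the JID happens to
    equal the configured email address; aliases are never matched."""
    target = request_uri.lower()
    if target.startswith("sip:"):
        target = target[4:]
    for user in users:
        if target == federation_address(user, email_for_federation):
            return user
    return None


def triage(requests: Iterable[str], users: Iterable[PresenceUser],
           email_for_federation: bool) -> Tuple[List[str], List[str]]:
    """Split a batch of inbound request URIs into (accepted, dropped) for a quick audit."""
    users = tuple(users)
    accepted: List[str] = []
    dropped: List[str] = []
    for uri in requests:
        (accepted if route_inbound(uri, users, email_for_federation) else dropped).append(uri)
    return accepted, dropped


# Constructed sample directory (placeholder domains).
SAMPLE_USERS = (
    PresenceUser("bob", "cup.example.invalid", "Bob.Smith@mail.example.invalid",
                 aliases=("bsmith@mail.example.invalid",)),
    PresenceUser("alice", "cup.example.invalid"),                      # no email in AD: JID is used
    PresenceUser("carol", "cup.example.invalid", "carol@cup.example.invalid"),  # email equals JID
)

if __name__ == "__main__":
    sample_requests = ["sip:bob@cup.example.invalid", "sip:bob.smith@mail.example.invalid",
                       "sip:bsmith@mail.example.invalid", "sip:alice@cup.example.invalid"]
    print(triage(sample_requests, SAMPLE_USERS, email_for_federation=True))
```

Running triage over the addresses that federated watchers currently have on their contact lists shows exactly which contacts they will need to remove and re-add, which is the information the next sections ask you to give the foreign administrator and your own users.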

Email Domain for Federation


If the email domain for federation is different from the SIP Proxy domain value that you configure on the Cluster Topology Settings page on the Cisco Unified Presence Administration interface, follow these steps:

Configure the Federation Routing CUP FQDN parameter value under Proxy Service Parameters to contain the email domain for federation rather than the SIP Proxy domain. Note that this step applies to both XMPP and SIP federation.
Make sure that you publish the email domain for the federation DNS SRV records in the public DNS server:
_xmpp-server._tcp.<email-domain>
_sipfederationtls._tcp.<email-domain>


Information to Provide to Administrator of the Foreign Domain


Before you turn on email address for federation, you must alert the system administrator of the foreign domain to the following:

You are using email address for federation, and the users in the foreign domain must specify an email address when adding a federated contact to their contact list.
If you are already federating with the foreign domain, and you wish to turn on email for federation, users in the foreign domain must remove the existing federated contacts in their contact list, and add these federated contacts again specifying an email address.

Information to Provide to Cisco Unified Presence Users


When you turn on email address for federation, you must notify all Cisco Unified Presence users of the following:

Federated contacts will now use the email address rather than the user_id@domain address.
When adding new contacts to their contact list, federated contacts must now use the email address for Cisco Unified Presence users, rather than the user_id@domain.
Existing Cisco Unified Presence contacts (on the federated watcher's contact list) that were added with user_id@domain must be removed, and added again using the email address for the Cisco Unified Presence user.
Any messages that Cisco Unified Presence receives from federated contacts to the user_id@domain address will be dropped (unless it happens to be the same as the email address configured in Active Directory, and the address configured in the users table on Cisco Unified Presence).
If Cisco Unified Presence users already have federated contacts on their contact list, when these users sign in to the client again, the federated contact may get a pop-up containing the email address.

Note

When you turn on email address for federation, the Cisco Unified Presence user does NOT need to change anything on the client when they connect to Cisco Unified Presence, nor do they interact any differently with the Cisco Unified Presence server.

Turning On Email for Federation


Note

If you have an intercluster deployment, you must turn on the email address for federation on any intercluster nodes in your deployment.
Procedure

Step 1 Select Cisco Unified Presence Administration > Presence > Settings.
Step 2 Check Enable use of Email Address when Federating.
Step 3 Read the warning message, and click OK.
Step 4 Click Save.


Step 5

After you turn on email for federation, restart the Cisco UP XCP Router in Cisco Unified Serviceability. Select Tools > Control Center - Network Services.

Related Topics

Configuring the Federation Routing Parameter, page 4-5

Turning On the SIP Federation Service


You need to turn on the Cisco UP XCP SIP Federation Connection Manager service on each Cisco Unified Presence node. This turns on the SIP Federation feature for each user that you provision on the node. You must perform this procedure on each node in the cluster.
Procedure
Step 1 Select Cisco Unified Serviceability > Tools > Service Activation.
Step 2 Select the server from the Server list box.
Step 3 Select Go.
Step 4 Select the radio button next to the Cisco UP XCP SIP Federation Connection Manager service in the CUP Services section.
Step 5 Select Save.
Step 6 The Cisco UP SIP Proxy service must be running for SIP federation to work. Select Cisco Unified Serviceability > Tools > Feature Services and verify that the Cisco UP SIP Proxy service is running.

Related Topics

How To Turn on and Capture Logging for Federation, page 13-1

Chapter 5

Configuring Security Certificates for SIP Federation (with Cisco Adaptive Security Appliance)
April 4, 2011

How to Configure Security Certificate Exchange Between Cisco Unified Presence and Cisco Adaptive Security Appliance, page 5-1
How to Configure Security Certificate Exchange Between Cisco Adaptive Security Appliance and Microsoft Access Edge (External Interface) Using a Microsoft CA, page 5-5
Security Certificate Exchange Between Cisco Adaptive Security Appliance and AOL SIP Access Gateway, page 5-14

Note

Only Cisco Unified Presence Release 8.5(2) or higher supports interdomain federation with Microsoft Lync. For Cisco Unified Presence Release 8.5(2) or higher, any reference to interdomain federation with OCS also includes Microsoft Lync, unless explicitly stated otherwise.

How to Configure Security Certificate Exchange Between Cisco Unified Presence and Cisco Adaptive Security Appliance

Generating the Key Pair and Trustpoints on Cisco Adaptive Security Appliance, page 5-2
Generating a Self-Signed Certificate on Cisco Adaptive Security Appliance, page 5-2
Importing the Self Signed Certificate onto Cisco Unified Presence, page 5-3
Generating a New Certificate on Cisco Unified Presence, page 5-4
Importing the Cisco Unified Presence Certificate onto Cisco Adaptive Security Appliance, page 5-4

Generating the Key Pair and Trustpoints on Cisco Adaptive Security Appliance
You need to generate the key pair for this certification (for example cup_proxy_key), and configure a trustpoint to identify the self-signed certificate from Cisco Adaptive Security Appliance to Cisco Unified Presence (for example cup_proxy). You need to specify the enrollment type as self to indicate you are generating a self-signed certificate on Cisco Adaptive Security Appliance, and specify the certificate subject name as the IP address of the inside interface.
Before You Begin

Ensure you carried out the configuration tasks described in the following chapters:

Configuring Cisco Unified Presence for SIP Federation, page 4-1
Configuring Cisco Adaptive Security Appliance for SIP Federation, page 6-1

Procedure
Step 1

Enter config mode by typing:

>Enable
>password
>config t

Step 2

Enter this command to generate the key pair for this certification:
crypto key generate rsa label cup_proxy_key modulus 1024

Step 3

Enter the following sequence of commands to create a trustpoint for Cisco Unified Presence:
crypto ca trustpoint <name of trustpoint, e.g. cup_proxy>
(config-ca-trustpoint)# enrollment self
(config-ca-trustpoint)# fqdn none
(config-ca-trustpoint)# subject-name cn=<ASA inside interface ip address>
(config-ca-trustpoint)# keypair cup_proxy_key

Troubleshooting Tip

Enter the command show crypto key mypubkey rsa to check that the key pair is generated.
What To Do Next

Generating a Self-Signed Certificate on Cisco Adaptive Security Appliance, page 5-2

Generating a Self-Signed Certificate on Cisco Adaptive Security Appliance


Before You Begin

Complete the steps in Generating the Key Pair and Trustpoints on Cisco Adaptive Security Appliance, page 5-2. You need a text editor that has UNIX support to complete this procedure. We recommend Microsoft Wordpad version 5.1, or Microsoft Notepad version 5.1 service pack 2.


Procedure
Step 1

Enter this command to generate the self-signed certificate:


(config-ca-trustpoint)# crypto ca enroll <name of trustpoint, e.g. cup_proxy>

Step 2 Enter no when you are prompted to include the device serial number in the subject name.
Step 3 Enter yes when you are prompted to generate the self-signed certificate.
Step 4 Enter this command to prepare the certificate to export to Cisco Unified Presence:
crypto ca export cup_proxy identity-certificate

The PEM encoded identity certificate displays on screen, for example:


-----BEGIN CERTIFICATE-----
MIIBnDCCAQWgAwIBAgIBMTANBgkqhkiG9w0BAQQFADAUMRIwEAYDVQQDEwlDVVAt..
-----END CERTIFICATE-----

Step 5 Copy and paste the entire contents of the Cisco Adaptive Security Appliance certificate into Wordpad or Notepad and save it with a .pem extension.
Step 6 Save the .pem file to your local machine.
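Steps 5 and 6 depend on the pasted text surviving the round trip through a Windows text editor, which is why the Before You Begin section asks for an editor with UNIX support. The following added example (not Cisco code) cleans up such a pasted export before you upload it: it strips a byte-order mark and CRLF line endings, checks the BEGIN/END framing and base64 body, and verifies that the decoded data is a complete DER SEQUENCE rather than a truncated paste. The sample input is a constructed 5-byte DER SEQUENCE, not a real certificate, so that the block runs offline.

```python
"""Normalise and sanity-check an exported PEM certificate before uploading it.
Added example, not Cisco code. The sample input is constructed, not a real certificate."""
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
_BASE64_BODY = re.compile(r"[A-Za-z0-9+/]*={0,2}")


def _der_total_length(der: bytes) -> int:
    """Total length of the outer DER SEQUENCE, including its tag and length bytes."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("data does not start with a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long-form: n following bytes hold the length
    if n == 0 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def normalize_pem(text: str) -> str:
    """Return the certificate re-wrapped at 64 columns with LF line endings.
    Raises ValueError when the framing is wrong, the body is not base64, or the
    decoded data is truncated or followed by stray bytes."""
    text = text.lstrip("\ufeff").replace("\r\n", "\n").replace("\r", "\n")
    lines = [line.strip() for line in text.split("\n") if line.strip()]
    if BEGIN not in lines or END not in lines:
        raise ValueError("missing BEGIN/END CERTIFICATE markers")
    start, end = lines.index(BEGIN), lines.index(END)
    if end <= start:
        raise ValueError("END marker precedes BEGIN marker")
    body = "".join(lines[start + 1:end])
    if not body or not _BASE64_BODY.fullmatch(body):
        raise ValueError("certificate body is not base64")
    der = base64.b64decode(body, validate=True)   # raises binascii.Error (a ValueError) on bad padding
    if _der_total_length(der) != len(der):
        raise ValueError("certificate is truncated or has trailing data")
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"{BEGIN}\n{wrapped}\n{END}\n"


def is_valid_pem(text: str) -> bool:
    try:
        normalize_pem(text)
        return True
    except ValueError:
        return False


# Constructed sample: BOM plus CRLF line endings around a 5-byte DER SEQUENCE (not a certificate).
SAMPLE_EXPORT = "\ufeff-----BEGIN CERTIFICATE-----\r\nMAMCAQU=\r\n-----END CERTIFICATE-----\r\n"

if __name__ == "__main__":
    print(normalize_pem(SAMPLE_EXPORT), end="")
```

Write the returned string to the .pem file with newline="\n" so the editor's line-ending choice no longer matters; the same check applies to the cup.pem file you paste into the Cisco Adaptive Security Appliance terminal later in this chapter.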

What To Do Next

Importing the Self Signed Certificate onto Cisco Unified Presence, page 5-3

Importing the Self Signed Certificate onto Cisco Unified Presence


Before You Begin

Complete the steps in Generating a Self-Signed Certificate on Cisco Adaptive Security Appliance, page 5-2
Procedure
Step 1 Select Cisco Unified Operating System Administration > Security > Certificate Management on Cisco Unified Presence.
Step 2 Click Upload Certificate.
Step 3 Select cup-trust for Certificate Name.
Note

Leave the Root Name field blank.

Step 4 Click Browse, and locate the Cisco Adaptive Security Appliance .pem certificate file (that you created in the previous procedure) on your local computer.
Step 5 Click Upload File to upload the certificate to the Cisco Unified Presence server.

Troubleshooting Tips

Perform a find on the certificate list; you will see an <asa ip address>.pem entry and an <asa ip address>.der entry in the certificate list.
What To Do Next

Generating a New Certificate on Cisco Unified Presence, page 5-4

Generating a New Certificate on Cisco Unified Presence


Before You Begin

Complete the steps in Importing the Self Signed Certificate onto Cisco Unified Presence, page 5-3
Procedure
Step 1 Select Cisco Unified Operating System Administration > Security > Certificate Management on Cisco Unified Presence.
Step 2 Click Generate New.
Step 3 Select cup for the certificate name.

What To Do Next

Importing the Cisco Unified Presence Certificate onto Cisco Adaptive Security Appliance, page 5-4

Importing the Cisco Unified Presence Certificate onto Cisco Adaptive Security Appliance
In order to import the Cisco Unified Presence certificate onto Cisco Adaptive Security Appliance, you need to create a trustpoint to identify the imported certificate from Cisco Unified Presence (e.g. cert_from_cup), and specify the enrollment type as terminal to indicate that you will paste the certificate received from Cisco Unified Presence into the terminal.
Note

It is essential that the Cisco Unified Presence, Cisco Unified Communications Manager and Cisco Adaptive Security Appliance servers are all synchronized to the same NTP source.
Before You Begin

Complete the steps in Generating a New Certificate on Cisco Unified Presence, page 5-4. You need a text editor that has UNIX support to complete this procedure. We recommend Microsoft Wordpad version 5.1, or Microsoft Notepad version 5.1 service pack 2.

Procedure
Step 1

Enter config mode by typing:

>Enable
>password
>config t

Step 2

Enter this sequence of commands to create a trustpoint for the imported Cisco Unified Presence certificate:
crypto ca trustpoint cert_from_cup
enrollment terminal

Step 3

Enter this command to import the certificate from Cisco Unified Presence:
crypto ca authenticate cert_from_cup

Step 4 Select Cisco Unified Operating System Administration > Security > Certificate Management on Cisco Unified Presence.
Step 5 Click Find.
Step 6 Locate the cup certificate that you created in the previous procedure.
Step 7 Click Download.
Step 8 Open the cup.pem file using one of the recommended text editors.
Step 9 Cut and paste the contents of the cup.pem into the Cisco Adaptive Security Appliance prompt window.
Step 10 Enter quit.
Step 11 Enter y when you are prompted to accept the certificate.

Troubleshooting Tips

Run the command show crypto ca certificate to view the certificate.


What To Do Next

How to Configure Security Certificate Exchange Between Cisco Adaptive Security Appliance and Microsoft Access Edge (External Interface) Using a Microsoft CA, page 5-5

How to Configure Security Certificate Exchange Between Cisco Adaptive Security Appliance and Microsoft Access Edge (External Interface) Using a Microsoft CA
These procedures are an example, and demonstrate how to configure certificates using the Microsoft CA.
Note

An example of this procedure using the VeriSign CA is provided in the appendix of this guide.

CA Trustpoints, page 5-6
Configuring the Certificate on Cisco Adaptive Security Appliance using SCEP Enrollment, page 5-6
Configuring the Certificate on Cisco Adaptive Security Appliance using Manual Enrollment, page 5-8
How to Configure the Certificate for External Access Edge Interface, page 5-9
Creating a Custom Certificate for Access Edge Using an Enterprise Certificate Authority, page 5-13

CA Trustpoints
When generating a trustpoint, you must specify an enrollment method to be used with the trustpoint. You can use Simple Certificate Enrollment Process (SCEP) as the enrollment method (assuming you are using a Microsoft CA), where you use the enrollment url command to define the URL to be used for SCEP enrollment with the trustpoint you declared. The URL defined should be the URL of your CA. You can also use manual enrollment as the enrollment method, where you use the enrollment terminal command to indicate that you will paste the certificate received from the CA into the terminal. Both enrollment method procedures are described in this section. Refer to the Cisco Security Appliance Command Line Configuration Guide for further details about the enrollment method.

In order to use SCEP, you need to download the Microsoft SCEP add-on from the following URL. The SCEP add-on must be installed on the Microsoft CA that you are configuring the certificates on.

http://www.microsoft.com/Downloads/details.aspx?familyid=9F306763-D036-41D8-8860-1636411B2D01&displaylang=en

Download the SCEP add-on as follows:

Download and run scepsetup.exe.
Select local system account.
Deselect SCEP challenge phrase to enroll.
Enter the details of the CA.

When you click Finish, retrieve the SCEP URL. You will use this URL during trustpoint enrollment on Cisco Adaptive Security Appliance.

Configuring the Certificate on Cisco Adaptive Security Appliance using SCEP Enrollment
Procedure
Step 1

Enter this command to generate a key pair for the CA:


crypto key generate rsa label public_key_for_ca modulus 1024

Step 2

Enter this command to generate a trustpoint to identify the CA.


crypto ca trustpoint <trustpoint_name>

Step 3

Use the "client-types" sub-command to specify the client connection types for the trustpoint that can be used to validate the certificates associated with a user connection. Enter this command to specify a "client-types ssl" configuration which indicates that SSL client connections can be validated using this trustpoint:
(config-ca-trustpoint)# client-types ssl

Step 4

Enter this command to configure the FQDN of the public Cisco Unified Presence address:
fqdn <fqdn_public_cup_address>

Note

You may be issued a warning regarding VPN authentication here.

Step 5

Enter this command to configure a keypair for the trustpoint:
keypair public_key_for_ca

Step 6

Enter this command to configure the enrollment method for the trustpoint:
enrollment url http://<ip address of CA>/certsrv/mscep/mscep.dll

Step 7

Enter this command to obtain the CA certificate for the trustpoint you configured:
crypto ca authenticate <trustpoint_name>
INFO: Certificate has the following attributes:
Fingerprint: cc966ba6 90dfe235 6fe632fc 2e521e48

Step 8

Enter yes when you are prompted to accept the certificate from the CA.
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.

Step 9

Run the crypto ca enroll command.


crypto ca enroll <trustpoint_name>

The following warning output displays:


%WARNING: The certificate enrollment is configured with an fqdn that differs from the system fqdn. If this certificate will be used for VPN authentication this may cause connection problems.

Step 10

Enter yes when you are prompted to continue with the enrollment.
Would you like to continue with this enrollment? [yes/no]: yes
% Start certificate enrollment..

Step 11

Enter a password when you are prompted to create a challenge password.


% Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it.
Password: **********
Re-enter password: **********

Step 12 Enter no when you are prompted to include the device serial number in the subject name.
Step 13 Enter yes when you are prompted to request the certificate from the CA.
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority

Step 14

Go to the CA and issue the pending certificate (if the certificate was not issued automatically).

What To Do Next

How to Configure the Certificate for External Access Edge Interface, page 5-9

Configuring the Certificate on Cisco Adaptive Security Appliance using Manual Enrollment
Enrolling a trustpoint by uploading a CA certificate:
Step 1

Enter this command to generate the RSA key pair that the trustpoint, and the certificate you later request from the CA, will use:

crypto key generate rsa label public_key_for_ca modulus 1024

The 1024-bit modulus is shown as in the original procedure. Public CAs no longer issue certificates for RSA keys shorter than 2048 bits, and Cisco Adaptive Security Appliance 8.x accepts modulus 2048, so use 2048 for new deployments.

Step 2

Enter this sequence of commands to create a trustpoint that identifies the CA:

crypto ca trustpoint <name of trustpoint>
 fqdn <fqdn_public_cup_address>
 client-types ssl
 keypair public_key_for_ca

Note

The fqdn value must be the FQDN of the public Cisco Unified Presence address (the name that the foreign domain connects to), not the hostname of the Cisco Adaptive Security Appliance. The keypair value must be the key pair that you generated in Step 1.

Step 3

Enter this command to configure the enrollment method for the trustpoint:
enrollment terminal

Step 4

Enter this command to authenticate the trustpoint. Because the enrollment method is terminal, the Cisco Adaptive Security Appliance prompts you to paste the base-64 CA certificate, which you obtain in Steps 5 through 7:

crypto ca authenticate <trustpoint_name>

Step 5

Acquire the root certificate of the CA:

a. Go to your CA webpage, for example, http(s)://<CA_IP_Addr>/certsrv.
b. Select Download a CA certificate, certificate chain, or CRL.
c. Select Base 64.
d. Download the CA certificate.
e. Save the certificate as a .cer file, for example CARoot.cer.

Step 6

Open the root certificate (.cer file) in a text editor.

Step 7

Copy and paste this certificate into the Cisco Adaptive Security Appliance terminal, and end with the word quit on a line by itself.

Step 8

Enter yes when you are prompted to accept the certificate, after you have compared the displayed fingerprint with the fingerprint of the CA certificate you downloaded.
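Both enrollment procedures end with the appliance printing a fingerprint and asking whether to accept the CA certificate. The following added example (not code from the Cisco guide) computes that fingerprint from the CA certificate you downloaded yourself, so the value on the console can be checked against an independent copy before you answer yes. The 32-hex-digit "Fingerprint:" line shown in the automatic-enrollment procedure is the length of an MD5 digest of the DER-encoded certificate, grouped in eights; SHA-1 is computed as well for a second check. The PEM sample in the script is a constructed placeholder around the bytes "hello world", not a real certificate, so that the script runs offline.

```python
"""Verify the CA fingerprint that Cisco Adaptive Security Appliance displays.

Added example; this is not code from the Cisco guide.  Before you answer
"yes" to "Do you accept this certificate?", compute the fingerprint of the
CA certificate you obtained out of band (the CARoot.cer downloaded from
the CA) and compare it with the value the appliance printed.
"""
import base64
import hashlib
import re

# Constructed placeholder, NOT a real certificate: a PEM wrapper around the
# bytes b"hello world" so that the example runs offline.  A real CARoot.cer
# (saved as Base 64) has the same layout with a much longer body.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
aGVsbG8gd29ybGQ=
-----END CERTIFICATE-----
"""

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in PEM text."""
    match = _PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block; download the CA cert as Base 64")
    return base64.b64decode("".join(match.group(1).split()))


def group_hex(hexdigest: str, width: int = 8) -> str:
    """Format a hex digest the way the appliance prints it: 8-char groups."""
    return " ".join(hexdigest[i:i + width] for i in range(0, len(hexdigest), width))


def asa_fingerprint(der: bytes) -> str:
    """MD5 fingerprint in 'crypto ca authenticate' display format."""
    return group_hex(hashlib.md5(der).hexdigest())


def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 fingerprint in the same grouped format."""
    return group_hex(hashlib.sha1(der).hexdigest())


def normalise(fingerprint: str) -> str:
    """Drop spaces, colons and case so a value pasted from the console compares."""
    return re.sub(r"[^0-9a-f]", "", fingerprint.lower())


def fingerprint_matches(der: bytes, shown_by_asa: str) -> bool:
    """True only if the displayed fingerprint equals the one computed locally."""
    return normalise(shown_by_asa) == normalise(asa_fingerprint(der))


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)          # replace with open("CARoot.cer").read()
    print("MD5  :", asa_fingerprint(der))
    print("SHA-1:", sha1_fingerprint(der))
    # Paste the value from the appliance prompt as the second argument.
    print("accept?", fingerprint_matches(der, "cc966ba6 90dfe235 6fe632fc 2e521e48"))
```

Run it against the real CARoot.cer and paste the console fingerprint into fingerprint_matches; only answer yes at the prompt when it returns True.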

Generating a CSR for Cisco Adaptive Security Appliance Public Certificate


Step 1

Enter this command to send an enrollment request to the CA:


crypto ca enroll <trustpoint_name>

Step 2

Enter no when you are asked whether to include the device serial number in the subject name.

Step 3

Enter yes when you are asked to display the certificate request to the terminal.

Step 4

Copy and paste the base-64 certificate request (CSR) into a text editor, to use in a later step.

Step 5

Enter no when you are asked to redisplay the enrollment request.


Step 6

Paste the base-64 certificate request (that you copied in Step 4) into the certificate request page of your CA:

a. Go to your CA webpage, for example, http(s)://<CA_IP_Addr>/certsrv.
b. Select Request a certificate.
c. Select Advanced Certificate request.
d. Select Submit a certificate request by using a base-64-encoded CMC or PKCS#10 file...
e. Paste the base-64 certificate request (that you copied in Step 4).
f. Submit the request and issue the certificate from the CA.
g. Download the certificate (Base 64 encoded) and save it as a .cer file.
h. Open the certificate in a text editor so that you can paste its contents into the Cisco Adaptive Security Appliance terminal in Step 7.

Step 7

Enter this command to import the certificate that you received from the CA, then paste the base-64 certificate at the prompt and end with the word quit on a line by itself:

crypto ca import <trustpoint_name> certificate

Step 8

Enter yes when you are asked if you want to continue with the enrollment.

What To Do Next

How to Configure the Certificate for External Access Edge Interface, page 5-9

How to Configure the Certificate for External Access Edge Interface


This procedure describes how to configure the certificate on the Access Edge server with a standalone CA.

Downloading the CA Certification Chain, page 5-9
Installing the CA Certification Chain, page 5-10
Requesting a Certificate from the CA Server, page 5-11
Downloading the Certificate from the CA Server, page 5-11
Uploading the Certificate onto Access Edge, page 5-12

Downloading the CA Certification Chain


Procedure
Step 1

Click Start > Run.

Step 2

Enter http://<name of your Issuing CA Server>/certsrv, and click OK.

Step 3

Click Download a CA certificate, certificate chain, or CRL from the Select a task menu.

Step 4

Click Download CA certificate chain from the Download a CA Certificate, Certificate Chain, or CRL menu.

Step 5

Click Save in the File Download dialog box.

Step 6

Save the file on a hard disk drive on your server. This file has an extension of .p7b. If you open this .p7b file, the chain displays the following two certificates:

name of Standalone root CA certificate
name of Standalone subordinate CA certificate (if any)

What To Do Next

Installing the CA Certification Chain, page 5-10

Installing the CA Certification Chain


Before You Begin

Complete the steps in Downloading the CA Certification Chain, page 5-9


Procedure
Step 1

Click Start > Run.

Step 2

Enter mmc, and click OK.

Step 3

Select Add/Remove Snap-in from the File menu.

Step 4

Click Add in the Add/Remove Snap-in dialog box.

Step 5

Select Certificates in the list of Available Standalone Snap-ins.

Step 6

Click Add.

Step 7

Select Computer account.

Step 8

Click Next.

Step 9

In the Select Computer dialog box, perform the following tasks:

a. Ensure that <Local Computer> (the computer this console is running on) is selected.
b. Click Finish.

Step 10

Click Close.

Step 11

Click OK.

Step 12

In the left pane of the Certificates console, expand Certificates: Local Computer.

Step 13

Expand Trusted Root Certification Authorities.

Step 14

Right-click Certificates, and point to All Tasks.

Step 15

Click Import.

Step 16

In the Import Wizard, click Next.

Step 17

Click Browse and go to where you saved the certificate chain.

Step 18

Select the file, and click Open.

Step 19

Click Next.

Step 20

Leave the default value Place all certificates in the following store and ensure that Trusted Root Certification Authorities appears under Certificate store.

Step 21

Click Next.

Step 22

Click Finish.


What To Do Next

Requesting a Certificate from the CA Server, page 5-11

Requesting a Certificate from the CA Server


Before You Begin

Complete the steps in Installing the CA Certification Chain, page 5-10


Procedure
Step 1

Log in to the Access Edge server and open a web browser.

Step 2

Open the following URL: http://<ca_server_IP_address>/certsrv

Step 3

Click Request a Certificate.

Step 4

Click Advanced Certificate Request.

Step 5

Click Create and submit a request to this CA.

Step 6

Click Other in the Type of Certificate Needed list.

Step 7

Enter the FQDN of the Access Edge external interface as the Subject Common Name.

Step 8

Enter the following OID in the OID field: 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2

Note

A comma, with no spaces, separates the two OIDs: 1.3.6.1.5.5.7.3.1 (Server Authentication) and 1.3.6.1.5.5.7.3.2 (Client Authentication). The certificate needs both because the Access Edge external interface acts as both TLS server and TLS client toward Cisco Adaptive Security Appliance.

Step 9

Perform one of the following procedures:

a. If you are using Windows Certificate Authority 2003, check Store certificate in the local computer certificate store in Key Options.
b. If you are using Windows Certificate Authority 2008, refer to the workaround described in the Troubleshooting Tips of this section.

Step 10

Enter a friendly name.

Step 11

Click Submit.

What To Do Next

Downloading the Certificate from the CA Server, page 5-11

Downloading the Certificate from the CA Server


Before You Begin

Complete the steps in Requesting a Certificate from the CA Server, page 5-11
Procedure
Step 1

Launch the CA console by selecting Start -> Administrative Tools -> Certificate Authority.


Step 2

Click Pending Requests in the left pane.

Step 3

In the right pane, right-click the certificate request that you submitted.

Step 4

Click All Tasks > Issue.

Step 5

On the Access Edge server, which must be the same machine from which you submitted the request (the private key was generated in its local certificate store), open http://<ca_server>/certsrv.

Step 6

Click your certificate request under View the Status of a Pending Certificate Request.

Step 7

Click Install this certificate.

What To Do Next

Uploading the Certificate onto Access Edge, page 5-12

Uploading the Certificate onto Access Edge


This procedure describes how to upload the certificate on the Access Edge server using the Certificate Wizard. You can also import the certificates manually on the Access Edge server by selecting Microsoft Office Communications Server 2007 > Properties > Edge Interfaces.
Before You Begin

Complete the steps in Downloading the Certificate from the CA Server, page 5-11
Procedure
Step 1

Select Start > Administrative Tools > Computer Management on the Access Edge server.

Step 2

Right-click Microsoft Office Communications Server 2007 in the left pane.

Step 3

Click Certificates.

Step 4

Click Next.

Step 5

Click the Assign an existing certificate task option.

Step 6

Click Next.

Step 7

Select the certificate that you wish to use for the External Access Edge Interface, and click Next.

Step 8

Click Next.

Step 9

Check the Edge Server Public Interface checkbox, and click Next.

Step 10

Click Next.

Step 11

Click Finish.

What To Do Next

Configuring the TLS Proxy on Cisco Adaptive Security Appliance, page 7-1


Creating a Custom Certificate for Access Edge Using an Enterprise Certificate Authority
Refer to these instructions if you are using a Microsoft Enterprise Certificate Authority to issue a client/server role certificate to the external interface of Access Edge or to the public interface of the Cisco Adaptive Security Appliance.
Before You Begin

These steps require that the Certificate Authority is an Enterprise CA and is installed on the Enterprise Edition of either Windows Server 2003 or 2008. For additional details about these steps, refer to the Microsoft instructions: http://technet.microsoft.com/en-us/library/bb694035.aspx

Creating and Issuing a Custom Certificate Template


Procedure
Step 1

Follow Steps 1- 6 from the Microsoft site: Creating and Issuing the Site Server Signing Certificate Template on the Certification Authority. http://technet.microsoft.com/en-us/library/bb694035.aspx#BKMK_siteserver1
Tip

For Step 5, use a more appropriate name for this specific template, such as Mutual Authentication Certificate.

Step 2

Follow these steps in place of Steps 7-12 from the Microsoft site:

a. Select the Extensions tab. Under Application Policies, make sure that both Client Authentication and Server Authentication are present and that no other policies are present. If these policies are not available, you must add them before proceeding: in the Edit Application Policies Extension dialog box, select Add; in the Add Application Policy dialog box, select Client Authentication, press Shift and select Server Authentication, and then click Add. In the Edit Application Policies Extension dialog box, select any other policy that may be present and then select Remove. In the Properties of New Template dialog box, the description of Application Policies should now read: Client Authentication, Server Authentication.
b. Select the Issuance Requirements tab. If you do not want the certificate to be issued automatically, select CA certificate manager approval. Otherwise, leave this option unselected.
c. Select the Security tab and ensure that all required users and groups have both Read and Enroll permission.
d. Select the Request Handling tab and select the CSPs button.
e. In the CSP Selection dialog box, select Requests must use one of the following CSPs.
f. From the list of CSPs, select Microsoft Basic Cryptographic Provider v1.0 and Microsoft Enhanced Cryptographic Provider v1.0, and select OK.


Step 3

Continue with Steps 13-15 from the Microsoft site: Creating and Issuing the Site Server Signing Certificate Template on the Certification Authority. http://technet.microsoft.com/en-us/library/bb694035.aspx#BKMK_siteserver1
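The OID field of the standalone-CA request (1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2) and the Client Authentication plus Server Authentication application policies of the enterprise template above both end up as one X.509 Extended Key Usage extension in the issued certificate. The following added example (not code from the Cisco guide or from Microsoft) DER-encodes those two key purposes exactly as they appear in the certificate and checks a certificate's DER bytes for their presence, so that a certificate issued with the wrong template or a mistyped OID field is caught before it is assigned to the Access Edge interface. The presence check is a plain byte search for the tagged OID encodings, which this example assumes is sufficient because those encodings do not legitimately occur elsewhere in a certificate; the sample certificate bytes are a constructed stand-in, not a real certificate.

```python
"""Extended Key Usage for the Access Edge / appliance mutual-authentication cert.

Added example; not code from the Cisco guide or from Microsoft.  The OID
field of the standalone-CA request and the Client Authentication + Server
Authentication application policies of the enterprise-CA template both
become an X.509 Extended Key Usage extension holding these two OIDs.
"""
import re
from typing import List, Sequence

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"    # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"    # id-kp-clientAuth
REQUIRED_EKU = (SERVER_AUTH, CLIENT_AUTH)


def _base128(value: int) -> bytes:
    """DER base-128 encoding of one OID arc, high bit set on all but the last byte."""
    out = [value & 0x7F]
    value >>= 7
    while value:
        out.append(0x80 | (value & 0x7F))
        value >>= 7
    return bytes(reversed(out))


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID with its OBJECT IDENTIFIER tag (0x06) and length."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID " + dotted)
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    if len(body) > 127:
        raise ValueError("long-form lengths are not needed for EKU OIDs")
    return b"\x06" + bytes([len(body)]) + body


def encode_eku(oids: Sequence[str]) -> bytes:
    """ExtKeyUsageSyntax: DER SEQUENCE OF KeyPurposeId."""
    body = b"".join(encode_oid(o) for o in oids)
    if len(body) > 127:
        raise ValueError("long-form lengths are not needed for this example")
    return b"\x30" + bytes([len(body)]) + body


def parse_oid_field(text: str) -> List[str]:
    """Split the comma-separated OID field exactly as typed into certsrv."""
    oids = [o.strip() for o in text.split(",") if o.strip()]
    for o in oids:
        if not re.fullmatch(r"\d+(\.\d+)+", o):
            raise ValueError("malformed OID " + repr(o))
    return oids


def missing_eku(cert_der: bytes, required: Sequence[str] = REQUIRED_EKU) -> List[str]:
    """Return the required EKU OIDs whose DER encoding does not occur in the cert.

    Assumption of this example: the tagged DER encoding of a key-purpose OID
    does not legitimately appear anywhere else in a certificate, so a byte
    search is a dependable quick check without a full ASN.1 parser.
    """
    return [o for o in required if encode_oid(o) not in cert_der]


if __name__ == "__main__":
    eku = encode_eku(parse_oid_field("1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2"))
    print("EKU extension value:", eku.hex())
    # Constructed stand-in for a certificate that carries only Server Authentication.
    only_server = b"\x30\x82\x02\x00" + encode_eku([SERVER_AUTH]) + bytes(16)
    print("missing:", missing_eku(only_server))
```

To check a real certificate, decode the Base-64 .cer to DER (the PEM body between the BEGIN and END lines, base64-decoded) and pass the bytes to missing_eku; an empty list means both key purposes are present.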

What To Do Next

Requesting the Site Server Signing Certificate, page 5-14

Requesting the Site Server Signing Certificate


Procedure
Step 1

Follow Steps 1-6 from the Microsoft site: Site Server Signing Certificate for the Server That Will Run the Configuration Manager 2007 Site Server. http://technet.microsoft.com/en-us/library/bb694035.aspx#BKMK_siteserver2
Tip

For Step 5, select the name of the certificate template you created previously, such as Mutual Authentication Certificate and enter the external FQDN of the access edge in the Name field.

Step 2

Follow these steps in place of Steps 7-8 from the Microsoft site:

a. If the certificate request is issued automatically, you are presented with an option to install the signed certificate. Select Install this Certificate.
b. If the certificate request is not issued automatically, wait for the administrator to issue the certificate. Once it is issued, on the member server load Internet Explorer and connect to the web enrollment service at http://<server>/certsrv, where <server> is the name or IP address of the Enterprise CA. On the Welcome page, select View the status of a pending certificate request.
c. Select the issued certificate and select Install this Certificate.

Security Certificate Exchange Between Cisco Adaptive Security Appliance and AOL SIP Access Gateway
AOL requires that the Cisco Adaptive Security Appliance certificate be signed by a trusted Certificate Authority. AOL maintains a trust list of Certificate Authorities (CAs), such as those commonly trusted in Windows or shipped in the trust stores of the major browsers. If you wish to use a CA that is not on the AOL trust list, work with your Cisco representative to provide this information to AOL.


A sample configuration workflow that describes in detail how to configure certificate exchange between Cisco Adaptive Security Appliance and a foreign domain (Microsoft Access Edge) using the VeriSign CA is provided in the appendix of this guide. Use that procedure as a reference to configure certificate exchange between Cisco Adaptive Security Appliance and the AOL SIP Access Gateway using the VeriSign CA. A high-level overview of the configuration steps follows.

To configure certificate exchange between Cisco Adaptive Security Appliance and the AOL SIP Access Gateway using the VeriSign CA, complete these steps:

1. Download the AOL root certificate from https://pki-info.aol.com/AOL/.
2. Download the AOL member certificate from https://pki-info.aol.com/AOLMSPKI/index.html.
3. Delete any old intermediate and signed certificate, and the trustpoint for the root certificate, on Cisco Adaptive Security Appliance.
4. Create a new trustpoint on Cisco Adaptive Security Appliance for the AOL root certificate; see Importing the Cisco Unified Presence Certificate onto Cisco Adaptive Security Appliance, page 5-4 (steps 1-3).
5. Create a new trustpoint on Cisco Adaptive Security Appliance for the AOL member certificate.
6. Create a new trustpoint for the VeriSign CA on Cisco Adaptive Security Appliance.
7. On Cisco Adaptive Security Appliance, import the root certificate, and then generate a Certificate Signing Request (CSR). See Configuring the Certificate on Cisco Adaptive Security Appliance using Manual Enrollment, page 5-8 for a similar procedure.

Note

The subject CN of the Cisco Unified Presence server certificate must match the FQDN of the Cisco Unified Presence server. The subject CN of the public certificate on Cisco Adaptive Security Appliance that represents Cisco Unified Presence to the foreign domain must be the same as the Federation Routing CUP FQDN service parameter value.

8. Submit the CSR to the VeriSign CA. VeriSign provides you with the following certificates:
   VeriSign signed certificate
   VeriSign subordinate intermediate root certificate
   VeriSign root CA certificate
9. On Cisco Adaptive Security Appliance, delete the temporary root certificate used to generate the CSR.
10. Import the VeriSign subordinate intermediate root certificate to Cisco Adaptive Security Appliance.
11. Create a trustpoint for the VeriSign root CA certificate on Cisco Adaptive Security Appliance.
12. Import the VeriSign root CA certificate to Cisco Adaptive Security Appliance, and then import the VeriSign signed certificate.
13. Provide the VeriSign root and intermediate certificates to AOL.

Note

You must provide AOL with the root CA if the CA is not already in the AOL trust list.
Related Topics

Importing the Cisco Unified Presence Certificate onto Cisco Adaptive Security Appliance, page 5-4


Configuring the Certificate on Cisco Adaptive Security Appliance using Manual Enrollment, page 5-8
Configuring Security Certificate Exchange Between Cisco Adaptive Security Appliance and Microsoft Access Edge Using VeriSign, page B-1
AOL Routing Information Requirements, page 9-5


Chapter 6

Configuring Cisco Adaptive Security Appliance for SIP Federation

April 4, 2011

Cisco Adaptive Security Appliance Unified Communication Wizard, page 6-1
External and Internal Interface Configuration, page 6-1
Configuring the Static IP Routes, page 6-2
About Port Address Translation (PAT), page 6-3
About Sample Static PAT Commands, page 6-8
Failover on Cisco Adaptive Security Appliance, page 6-14
Cisco Adaptive Security Appliance Upgrade Options for Existing Deployments, page 6-15

Note

Only Cisco Unified Presence Release 8.5(2) or higher supports interdomain federation with Microsoft Lync. For Cisco Unified Presence Release 8.5(2) or higher, any reference to interdomain federation with OCS also includes Microsoft Lync, unless explicitly stated otherwise.

Cisco Adaptive Security Appliance Unified Communication Wizard


If you deploy a single Cisco Unified Presence server in your interdomain federation deployment, you can use the Unified Communication wizard on Cisco Adaptive Security Appliance to configure the presence federation proxy between Cisco Adaptive Security Appliance and Cisco Unified Presence. A configuration example showing the Unified Communication wizard is provided on the Cisco Unified Presence documentation wiki, see the URL below.
Related Topics

http://docwiki.cisco.com/wiki/Cisco_Unified_Presence%2C_Release_8.x

External and Internal Interface Configuration


On the Cisco Adaptive Security Appliance you must configure two interfaces as follows:

Use one interface as the outside or external interface. This is the interface to the Internet and to the foreign domain servers (for example, Microsoft Access Edge/Access Proxy).

Use the second interface as the inside or internal interface. This is the interface to Cisco Unified Presence or to the load balancer, depending on your deployment.

When you configure an interface, you refer to it by an interface type, for example Ethernet or Gigabit Ethernet, and an interface slot. The Cisco Adaptive Security Appliance has four embedded Ethernet or Gigabit Ethernet ports on slot 0. You can optionally add an SSM-4GE module in slot 1 to obtain four additional Gigabit Ethernet ports on slot 1.

For each interface to route traffic, you must configure an interface name and an IP address. The internal and external interface IP addresses must be on different subnets.

Each interface must have a security level from 0 (least secure) to 100 (most secure). Give the inside interface the highest level, 100, and the outside interface the lowest, 0. If you do not set a security level explicitly, Cisco Adaptive Security Appliance assigns 100 to an interface named inside and 0 to any other interface. Refer to the Cisco Security Appliance Command Line Configuration Guide for details on configuring the external and internal interfaces via the CLI.

Note

You can configure the internal and external interfaces using the ASDM startup wizard. You can also view or edit an interface in ASDM by selecting Configuration > Device Setup > Interfaces.

Configuring the Static IP Routes


Cisco Adaptive Security Appliance supports both static routes and dynamic routing protocols such as OSPF, RIP and EIGRP. For this integration you need to configure static routes that define the next hop address for IP traffic routed to the inside interface and for traffic routed to the outside interface of Cisco Adaptive Security Appliance. In the procedure below, the dest_ip mask is the IP address for the destination network and the gateway_ip value is the address of the next-hop router or gateway. For a detailed description on setting up default and static routes on Cisco Adaptive Security Appliance, refer to the Cisco Security Appliance Command Line Configuration Guide.
Before You Begin

Complete the steps in External and Internal Interface Configuration, page 6-1
Procedure
Step 1

Enter configuration mode:

enable
<enable password>
config t

Step 2

Enter this command to add a static route for the inside interface:
hostname(config)# route inside dest_ip mask gateway_ip

Step 3

Enter this command to add a static route for the outside interface:


hostname(config)# route outside dest_ip mask gateway_ip

Note

You can also view and configure the static routes from ASDM by selecting Configuration > Device Setup > Routing > Static routes.
Figure 6-1 Viewing static routes via ASDM

What To Do Next

About Port Address Translation (PAT), page 6-3

About Port Address Translation (PAT)


Port Address Translation for This Integration, page 6-3
PAT for Private to Public Requests, page 6-6
Static PAT for New Requests, page 6-7
NAT Rules in ASDM, page 6-7

Port Address Translation for This Integration


Note

You also use Port Address Translation if you federate with another Cisco Unified Presence enterprise deployment in a foreign domain.

For this integration, Cisco Adaptive Security Appliance uses Port Address Translation (PAT) and static PAT for message address translation; it does not use one-to-one Network Address Translation (NAT). This integration uses PAT to translate messages sent from Cisco Unified Presence to a foreign domain (private to public messages). PAT means that the real source address and source port in a packet are replaced with a mapped address and a unique port that is routable on the destination network. The translation is applied in two steps: the real IP address and port are translated to the mapped IP address and port on the way out, and the translation is undone for returning traffic.


Cisco Adaptive Security Appliance translates messages sent from Cisco Unified Presence to a foreign domain (private to public messages) by changing the private IP address and port of Cisco Unified Presence to the public IP address and one or more public ports. As a result, a local Cisco Unified Presence domain uses only one public IP address. The NAT rule is bound to the inside interface and the public (global) address to the outside interface, so the appliance translates the source IP address and port of any message that it receives on the inside interface and sends out through the outside interface, as illustrated in Figure 6-2.
Figure 6-2 Example PAT for Messages Originating from Cisco Unified Presence to a Foreign Domain

(Diagram not reproduced. It shows CUP (US) at 10.X.X.1/1 and CUP (UK) at 10.X.X.2/2, each with its Cisco Unified Communications Manager, behind the Cisco Adaptive Security Appliance. On the outside interface the appliance translates outgoing traffic to use the Cisco Unified Presence public address 65.130.1.3/X and undoes the translation for returning traffic, then forwards the traffic across the Internet to Access Edge.)

For new messages sent from a foreign domain to Cisco Unified Presence, Cisco Adaptive Security Appliance uses static PAT to map any message sent to the public IP address and port for Cisco Unified Presence to a designated Cisco Unified Presence server. Using static PAT allows you to translate the real IP address to a mapped IP address, and the real port number to a mapped port number. You can translate the real port number to the same port number or to a different port number. In this case, the port number identifies the correct Cisco Unified Presence server to handle the message request, as shown in Figure 6-3.
Note

If a user does not exist on the Cisco Unified Presence server, the Cisco Unified Presence routing server uses intercluster routing to redirect the message. All responses are sent to Cisco Adaptive Security Appliance from the Cisco Unified Presence routing server.
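The two translation directions described above, modelled as an added example (this is not code from the guide and not appliance configuration): a minimal connection-table model that shows why one public address is enough for outbound traffic (dynamic PAT, undone for the reply) and how the destination port of a new inbound request selects the Cisco Unified Presence server (static PAT). The public address 147.168.22.18 and the ports 5061 and 5062 are taken from Figure 6-3 (Figure 6-2 shows 65.130.1.3 in the same role); the private hosts 10.1.1.1 for CUP (US) and 10.1.1.2 for CUP (UK) are constructed stand-ins for the figures' 10.X.X.1 and 10.X.X.2, and 64.10.0.5 is a constructed Access Edge address.

```python
"""Model of the two translations the appliance performs for this integration.

Added example; not code from the Cisco guide and not appliance configuration.
Dynamic PAT: the real source address/port is replaced by public_ip and a
mapped port, and the mapping is undone for the reply.  Static PAT: a new
request to public_ip:port is delivered to the Cisco Unified Presence node
configured for that port.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]          # (ip, port)


@dataclass
class PatTable:
    public_ip: str
    # static PAT: public (ip, port) -> real Cisco Unified Presence node (ip, port)
    static: Dict[Endpoint, Endpoint] = field(default_factory=dict)
    # dynamic PAT state: (mapped endpoint, foreign peer) -> real endpoint
    _xlate: Dict[Tuple[Endpoint, Endpoint], Endpoint] = field(default_factory=dict)
    _next_port: int = 1024

    def add_static(self, public_port: int, real: Endpoint) -> None:
        """Static PAT: traffic to public_ip:public_port always goes to one node."""
        self.static[(self.public_ip, public_port)] = real

    def outbound(self, real_src: Endpoint, foreign_dst: Endpoint) -> Endpoint:
        """CUP -> foreign domain: source becomes public_ip:mapped_port."""
        for (mapped, peer), real in self._xlate.items():
            if real == real_src and peer == foreign_dst:
                return mapped                          # existing xlate reused
        mapped = (self.public_ip, self._next_port)
        self._next_port += 1
        self._xlate[(mapped, foreign_dst)] = real_src
        return mapped

    def inbound(self, foreign_src: Endpoint, public_dst: Endpoint) -> Optional[Endpoint]:
        """Foreign domain -> CUP.  A reply to an outbound flow is un-translated;
        a new request is matched by static PAT on the port; anything else drops."""
        if (public_dst, foreign_src) in self._xlate:
            return self._xlate[(public_dst, foreign_src)]   # undo the translation
        return self.static.get(public_dst)                  # new request, or None


def build_figure_63() -> PatTable:
    """Static PAT entries from Figure 6-3: the port picks the CUP node."""
    table = PatTable(public_ip="147.168.22.18")
    table.add_static(5061, ("10.1.1.1", 5061))   # CUP (US), constructed private IP
    table.add_static(5062, ("10.1.1.2", 5062))   # CUP (UK), constructed private IP
    return table


def demo() -> dict:
    """Run both directions once and return every decision for inspection."""
    table = build_figure_63()
    edge = ("64.10.0.5", 5061)                       # constructed Access Edge address
    us_mapped = table.outbound(("10.1.1.1", 5061), edge)   # CUP (US) -> Access Edge
    uk_mapped = table.outbound(("10.1.1.2", 5062), edge)   # CUP (UK) -> Access Edge
    return {
        "us_mapped": us_mapped,                      # same public IP, distinct port
        "uk_mapped": uk_mapped,
        "reply_to_us": table.inbound(edge, us_mapped),            # returning traffic
        "new_to_5061": table.inbound(edge, ("147.168.22.18", 5061)),
        "new_to_5062": table.inbound(edge, ("147.168.22.18", 5062)),
        "new_to_5080": table.inbound(edge, ("147.168.22.18", 5080)),  # no static rule
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12} {value}")
```

The last entry shows why every port that Cisco Unified Presence advertises in its VIA and CONTACT headers needs its own static PAT entry: a new inbound request to a port with no static rule has nowhere to go and is dropped.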


Figure 6-3 Static PAT for Messages Originating from a Foreign Domain

(Diagram not reproduced. It shows Access Edge sending new traffic across the Internet to the public address 147.168.22.18/5061. On the outside interface the Cisco Adaptive Security Appliance applies static PAT to all new traffic from the foreign server and uses the port number to identify the Cisco Unified Presence server: 10.X.X.1/5061 for CUP (US) and 10.X.X.2/5062 for CUP (UK), each with its Cisco Unified Communications Manager.)


PAT for Private to Public Requests


For this integration, the address translation for private to public messages involves the following configuration:

Define a NAT rule that identifies the real IP address and port number that you wish to translate. In this case, configure a NAT rule that states that Cisco Adaptive Security Appliance must apply a NAT action to any message received on the internal interface.

Configure a global NAT action to specify the mapped address to use for messages exiting via the external (outside) interface. For this integration, specify only one address (because it uses PAT). The NAT action maps the IP address of messages received on the internal interface to the Cisco Unified Presence public address.

Table 6-1 provides sample global address translation commands for Cisco Adaptive Security Appliance Releases 8.2 and 8.3. The first row is mandatory for both a single Cisco Unified Presence deployment and a multiple Cisco Unified Presence deployment. The second row is for a single Cisco Unified Presence deployment only. The third row is for a multiple Cisco Unified Presence deployment.

Table 6-1 Sample global address translation commands

Row 1. Sample configuration for a deployment where there are one or more Cisco Unified Presence servers on the inside interface, with no other firewall traffic.

Cisco Adaptive Security Appliance Release 8.2 Global Command:
global (outside) 1 <public_cup_address>
nat (inside) 1 0 0

Cisco Adaptive Security Appliance Release 8.3 Global Command:
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic <public_cup_address>

Row 2. Sample configuration for a deployment where there is one Cisco Unified Presence server on the inside interface, with other firewall traffic.

Cisco Adaptive Security Appliance Release 8.2 Global Command:
global (outside) 1 <public_cup_address>
nat (inside) 1 <private_cup_address> 255.255.255.255
global (outside) 2 interface
nat (inside) 2 0 0

Cisco Adaptive Security Appliance Release 8.3 Global Command:
object network obj_host_<private_cup_address>
 host <private_cup_address>
 nat (inside,outside) dynamic <public_cup_address>
object network my_inside
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

Row 3. Sample configuration for a deployment where there are multiple Cisco Unified Presence servers on the inside interface, with other firewall traffic.

Cisco Adaptive Security Appliance Release 8.2 Global Command:
global (outside) 1 <public_cup_address>
nat (inside) 1 <private_cup_net> <private_cup_netmask>
global (outside) 2 interface
nat (inside) 2 0 0

Cisco Adaptive Security Appliance Release 8.3 Global Command:
object network obj_<private_subnet>.0_255.255.255.0
 subnet <private_subnet> 255.255.255.0
 nat (inside,outside) dynamic <public_cup_address>
object network my_inside
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) d dynamic interface


Note

The sample configuration shown in the last row of Table 6-1 assumes that, when there are multiple Cisco Unified Presence servers located behind Cisco Adaptive Security Appliance, these servers are all on the same subnet. For example, if all the inside Cisco Unified Presence servers are on the 2.2.2.x/24 network, the Release 8.2 NAT command is:

nat (inside) 1 2.2.2.0 255.255.255.0

Related Topics

Port Address Translation for This Integration, page 6-3

Static PAT for New Requests

For this integration, the address translation for public to private messages (new requests that a foreign domain sends to Cisco Unified Presence) involves the following configuration:

Configure a static PAT command on TCP for the following ports: 5060, 5061, 5062 and 5080. Additionally, if you have configured an intercluster connection with a Cisco Unified Presence Release 7.x node in your deployment, configure a TCP static PAT for port 5070.

Configure a separate static PAT command on UDP for port 5080. Additionally, if you have configured an intercluster connection with a Cisco Unified Presence Release 7.x node in your deployment, configure a UDP static PAT for port 5070.

This integration uses the following ports:

5060 - Cisco Adaptive Security Appliance uses this port for generic SIP inspection.
5061 - SIP requests are sent to this port, and this triggers the TLS handshake.
5062, 5070, 5080 - Cisco Unified Presence uses these ports in the SIP VIA/CONTACT headers.

You only require PAT for port 5070 if you have an intercluster Cisco Unified Presence Release 7.x node in your Cisco Unified Presence Release 8.x cluster within the same domain. Cisco Unified Presence Release 8.x replaces port 5070 with port 5080.

Note

You can check the peer auth listener port on Cisco Unified Presence by selecting Cisco Unified Presence Administration > System > Application Listeners.
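The dynamic PAT rows of Table 6-1 and the static PAT port list above, generated for either appliance release from one deployment description, as an added example (not code from the Cisco guide). The dynamic PAT lines follow Table 6-1. The static PAT lines use the static (inside,outside) form for Release 8.2 and the object NAT nat (inside,outside) static ... service form for Release 8.3 from the appliance command reference, which this example assumes; the object names are this example's own choice, and the addresses 203.0.113.10 and 10.1.1.1 are constructed. In Release 8.3 a network object carries at most one nat statement, which is why one object is emitted per translated port.

```python
"""Emit the appliance NAT/PAT commands for this integration in 8.2 and 8.3 syntax.

Added example; not code from the Cisco guide.  The dynamic PAT lines follow
Table 6-1.  The static PAT lines use the 'static (inside,outside) ...' (8.2)
and object NAT 'nat (inside,outside) static ... service ...' (8.3) forms from
the appliance command reference, which this example assumes; object names are
this example's own choice.
"""
from typing import List, Optional

TCP_PORTS = (5060, 5061, 5062, 5080)
UDP_PORTS = (5080,)
LEGACY_7X_PORT = 5070     # only if an intercluster Release 7.x node exists
HOST_MASK = "255.255.255.255"


def _check_release(release: str) -> None:
    if release not in ("8.2", "8.3"):
        raise ValueError("release must be '8.2' or '8.3'")


def dynamic_pat(release: str, public_ip: str, private_net: Optional[str] = None,
                private_mask: str = HOST_MASK, other_traffic: bool = False) -> List[str]:
    """Private-to-public PAT.  private_net=None means every inside host (Table 6-1
    row 1); a host or subnet with other_traffic=True reproduces rows 2 and 3."""
    _check_release(release)
    if release == "8.2":
        if private_net is None:
            return [f"global (outside) 1 {public_ip}", "nat (inside) 1 0 0"]
        cmds = [f"global (outside) 1 {public_ip}",
                f"nat (inside) 1 {private_net} {private_mask}"]
        if other_traffic:
            cmds += ["global (outside) 2 interface", "nat (inside) 2 0 0"]
        return cmds
    if private_net is None:
        cmds = ["object network obj_any", " subnet 0.0.0.0 0.0.0.0"]
    elif private_mask == HOST_MASK:
        cmds = [f"object network obj_cup_{private_net}", f" host {private_net}"]
    else:
        cmds = [f"object network obj_cup_{private_net}", f" subnet {private_net} {private_mask}"]
    cmds.append(f" nat (inside,outside) dynamic {public_ip}")
    if other_traffic:
        cmds += ["object network my_inside", " subnet 0.0.0.0 0.0.0.0",
                 " nat (inside,outside) dynamic interface"]
    return cmds


def static_pat(release: str, public_ip: str, private_ip: str,
               has_7x_node: bool = False) -> List[str]:
    """Public-to-private static PAT for one Cisco Unified Presence node: TCP
    5060/5061/5062/5080 and UDP 5080, plus 5070 on both when a 7.x node exists.
    8.3 needs one network object per port because an object holds one nat line."""
    _check_release(release)
    extra = [LEGACY_7X_PORT] if has_7x_node else []
    cmds: List[str] = []
    for proto, ports in (("tcp", list(TCP_PORTS) + extra), ("udp", list(UDP_PORTS) + extra)):
        for port in ports:
            if release == "8.2":
                cmds.append(f"static (inside,outside) {proto} {public_ip} {port} "
                            f"{private_ip} {port} netmask {HOST_MASK}")
            else:
                cmds += [f"object network obj_cup_{private_ip}_{proto}_{port}",
                         f" host {private_ip}",
                         f" nat (inside,outside) static {public_ip} service {proto} {port} {port}"]
    return cmds


def federation_nat(release: str, public_ip: str, private_ip: str,
                   has_7x_node: bool = False, other_traffic: bool = True) -> str:
    """Complete NAT section for a single-node deployment, ready to paste."""
    lines = dynamic_pat(release, public_ip, private_ip, HOST_MASK, other_traffic)
    lines += static_pat(release, public_ip, private_ip, has_7x_node)
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed addresses (documentation ranges), not taken from the guide.
    for rel in ("8.2", "8.3"):
        print(f"! ---- Release {rel} ----")
        print(federation_nat(rel, "203.0.113.10", "10.1.1.1", has_7x_node=False))
```

Diff the output for 8.2 against 8.3 to see how each global/nat and static pair maps onto a network object, which is the same mapping the upgrade to Release 8.3 performs on an existing configuration.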
Related Topics

About Sample Static PAT Commands, page 6-8
Sample Cisco Adaptive Security Appliance Configuration, page A-1

NAT Rules in ASDM


You can view the NAT rules in ASDM by selecting Configuration > Firewall > NAT Rules. The first five NAT rules shown in Figure 6-4 are the static PAT entries. The final, dynamic entry is the outgoing PAT configuration that maps any other outgoing traffic from the inside network to the public Cisco Unified Presence IP address, with a dynamically assigned source port.


Figure 6-4 Viewing PAT rules via ASDM

Related Topics

About Sample Static PAT Commands, page 6-8
Sample Cisco Adaptive Security Appliance Configuration, page A-1

About Sample Static PAT Commands


Note

This section shows sample commands for Cisco Adaptive Security Appliance Release 8.3 and Release 8.2. Execute these commands when you configure Cisco Adaptive Security Appliance for federation from a fresh configuration.

PAT Configuration for Routing Cisco Unified Presence Release 8.x Node, page 6-9
PAT Configuration for Intercluster or Intracluster Cisco Unified Presence Release 8.x Nodes, page 6-11
PAT Configuration for Intercluster Cisco Unified Presence Release 7.x Nodes, page 6-13


PAT Configuration for Routing Cisco Unified Presence Release 8.x Node

Table 6-2 shows the PAT commands for the routing Cisco Unified Presence Release 8.x node, where the peer auth listener port is 5062. In the Release 8.2 static command, the translated (public) address and port come first and the real (private) address and port second. In the Release 8.3 nat command, the real objects come first and the mapped objects second, for both the host objects and the service objects.

Note

For Cisco Adaptive Security Appliance 8.3 configuration, you only need to define an object once and you can reference that object in multiple commands; you do not need to repeatedly define the same object.

Table 6-2 PAT commands for routing Cisco Unified Presence Release 8.x node

Peer auth listener port (public 5061 to private 5062)

Cisco Adaptive Security Appliance Release 8.2 Static Command:

static (inside,outside) tcp <public cup ip address> 5061 <routing cup private address> 5062 netmask 255.255.255.255

If the routing CUP peer auth listening port is 5061, use the command:

static (inside,outside) tcp <public cup ip address> 5061 <routing cup private address> 5061 netmask 255.255.255.255

Cisco Adaptive Security Appliance Release 8.3 NAT Command:

object network obj_host_<public cup ip address>
 host <public cup ip address>
object network obj_host_<routing cup private address>
 host <routing cup private address>
object service obj_tcp_source_eq_5061
 service tcp source eq 5061
object service obj_tcp_source_eq_5062
 service tcp source eq 5062
nat (inside,outside) source static obj_host_<routing cup private address> obj_host_<public cup ip address> service obj_tcp_source_eq_5062 obj_tcp_source_eq_5061

(For example, if the public address is 10.10.10.10, the network object is object network obj_host_10.10.10.10.)

If the routing CUP peer auth listening port is 5061, use the command:

nat (inside,outside) source static obj_host_<routing cup private address> obj_host_<public cup ip address> service obj_tcp_source_eq_5061 obj_tcp_source_eq_5061

Port 5080

Cisco Adaptive Security Appliance Release 8.2 Static Command:

static (inside,outside) tcp <public cup ip address> 5080 <routing cup private address> 5080 netmask 255.255.255.255

Cisco Adaptive Security Appliance Release 8.3 NAT Command:

object service obj_tcp_source_eq_5080
 service tcp source eq 5080
nat (inside,outside) source static obj_host_<routing cup private address> obj_host_<public cup ip address> service obj_tcp_source_eq_5080 obj_tcp_source_eq_5080

Port 5060

Cisco Adaptive Security Appliance Release 8.2 Static Command:

static (inside,outside) tcp <public cup ip address> 5060 <routing cup private address> 5060 netmask 255.255.255.255

Cisco Adaptive Security Appliance Release 8.3 NAT Command:

object service obj_tcp_source_eq_5060
 service tcp source eq 5060
nat (inside,outside) source static obj_host_<routing cup private address> obj_host_<public cup ip address> service obj_tcp_source_eq_5060 obj_tcp_source_eq_5060

Note

5060 displays as sip in the service object.

Port 5062

Cisco Adaptive Security Appliance Release 8.2 Static Command:

static (inside,outside) tcp <public cup ip address> 5062 <routing cup private address> 5062 netmask 255.255.255.255

Cisco Adaptive Security Appliance Release 8.3 NAT Command:

nat (inside,outside) source static obj_host_<routing cup private address> obj_host_<public cup ip address> service obj_tcp_source_eq_5062 obj_tcp_source_eq_5062


Related Topics

Static PAT for New Requests, page 6-7
PAT Configuration for Intercluster or Intracluster Cisco Unified Presence Release 8.x Nodes, page 6-11
PAT Configuration for Intercluster Cisco Unified Presence Release 7.x Nodes, page 6-13


PAT Configuration for Intercluster or Intracluster Cisco Unified Presence Release 8.x Nodes

In a multi-node or an intercluster Cisco Unified Presence deployment, if the non-routing nodes in your Cisco Unified Presence Release 8.x clusters communicate directly with Cisco Adaptive Security Appliance, you must configure a set of static PAT commands for each of these nodes. The commands below are an example of the set of static PAT commands you must configure for a single node. Because every node shares the one public Cisco Unified Presence address, each node needs an unused, arbitrary public port for each of its private ports. We recommend that you select a corresponding number: for example, private port 5080 uses the arbitrary public port X5080, where X is a digit that uniquely identifies one Cisco Unified Presence intercluster or intracluster server, so 45080 maps to one node and 55080 maps to another. Because TCP and UDP port numbers end at 65535, X cannot be greater than 6. Table 6-3 shows the NAT commands for the non-routing Cisco Unified Presence Release 8.x nodes. Repeat the commands for each non-routing Cisco Unified Presence Release 8.x node.

Note

For Cisco Adaptive Security Appliance 8.3 configuration, you only need to define an object once and you can reference that object in multiple commands; you do not need to repeatedly define the same object. The service objects for the real ports (obj_tcp_source_eq_5062, obj_tcp_source_eq_5061, obj_tcp_source_eq_5080 and obj_tcp_source_eq_5060) are defined in Table 6-2 and are reused here.

Table 6-3 NAT commands for non-routing Cisco Unified Presence Release 8.x nodes

Peer auth listener port (public X5062 to private 5062)

Cisco Adaptive Security Appliance Release 8.2 Static Command:

static (inside,outside) tcp <public cup ip address> 45062 <intercluster cup8 private address> 5062 netmask 255.255.255.255

If the intercluster Cisco Unified Presence peer auth listening port is 5061, use the command:

static (inside,outside) tcp <public cup ip address> 45061 <intercluster cup8 private address> 5061 netmask 255.255.255.255

Cisco Adaptive Security Appliance Release 8.3 NAT Command:

object network obj_host_<intercluster cup8 private address>
 host <intercluster cup8 private address>
object service obj_tcp_source_eq_45062
 service tcp source eq 45062
nat (inside,outside) source static obj_host_<intercluster cup8 private address> obj_host_<public cup ip address> service obj_tcp_source_eq_5062 obj_tcp_source_eq_45062

If the intercluster Cisco Unified Presence peer auth listening port is 5061, use the command:

object service obj_tcp_source_eq_45061
 service tcp source eq 45061
nat (inside,outside) source static obj_host_<intercluster cup8 private address> obj_host_<public cup ip address> service obj_tcp_source_eq_5061 obj_tcp_source_eq_45061

Port 5080 (public X5080 to private 5080)

Cisco Adaptive Security Appliance Release 8.2 Static Command:

static (inside,outside) tcp <public cup ip address> 45080 <intercluster cup8 private address> 5080 netmask 255.255.255.255

Cisco Adaptive Security Appliance Release 8.3 NAT Command:

object service obj_tcp_source_eq_45080
 service tcp source eq 45080
nat (inside,outside) source static obj_host_<intercluster cup8 private address> obj_host_<public cup ip address> service obj_tcp_source_eq_5080 obj_tcp_source_eq_45080

Port 5060 (public X5060 to private 5060)

Cisco Adaptive Security Appliance Release 8.2 Static Command:

static (inside,outside) tcp <public cup ip address> 45060 <intercluster cup8 private address> 5060 netmask 255.255.255.255

Cisco Adaptive Security Appliance Release 8.3 NAT Command:

object service obj_tcp_source_eq_45060
 service tcp source eq 45060
nat (inside,outside) source static obj_host_<intercluster cup8 private address> obj_host_<public cup ip address> service obj_tcp_source_eq_5060 obj_tcp_source_eq_45060

Related Topics

Static PAT for New Requests, page 6-7
PAT Configuration for Routing Cisco Unified Presence Release 8.x Node, page 6-9
PAT Configuration for Intercluster Cisco Unified Presence Release 7.x Nodes, page 6-13


PAT Configuration for Intercluster Cisco Unified Presence Release 7.x Nodes

In a multi-node or an intercluster Cisco Unified Presence deployment, if nodes in your Cisco Unified Presence Release 7.x clusters communicate directly with Cisco Adaptive Security Appliance, you must configure a set of static PAT commands for each of these nodes. The commands below are an example of the set of static PAT commands you must configure for a single node. Each node needs an unused, arbitrary public port for each of its private ports. We recommend that you select a corresponding number: for example, private port 5070 uses the arbitrary public port X5070, where X is a digit that uniquely identifies one Cisco Unified Presence intercluster or intracluster server, so 55070 maps to one node and 65070 maps to another. Because TCP and UDP port numbers end at 65535, X cannot be greater than 6. Table 6-4 shows the NAT commands for intercluster Cisco Unified Presence Release 7.x nodes. Repeat the commands for each node.

Note

For Cisco Adaptive Security Appliance 8.3 configuration, you only need to define an object once and you can reference that object in multiple commands; you do not need to repeatedly define the same object. The real-port service objects for 5070 (obj_tcp_source_eq_5070 and obj_udp_source_eq_5070) are not defined in the earlier tables, so define them once here.

Table 6-4 NAT commands for intercluster Cisco Unified Presence Release 7.x nodes

Peer auth listener port (public X5062 to private 5062)

Cisco Adaptive Security Appliance Release 8.2 Static Command:

static (inside,outside) tcp <public cup ip address> 55062 <intercluster cup7 private address> 5062 netmask 255.255.255.255

If the intercluster CUP peer auth listening port is 5061, use the command:

static (inside,outside) tcp <public cup ip address> 55061 <intercluster cup7 private address> 5061 netmask 255.255.255.255

Cisco Adaptive Security Appliance Release 8.3 NAT Command:

object network obj_host_<intercluster cup7 private address>
 host <intercluster cup7 private address>
object service obj_tcp_source_eq_55062
 service tcp source eq 55062
nat (inside,outside) source static obj_host_<intercluster cup7 private address> obj_host_<public cup ip address> service obj_tcp_source_eq_5062 obj_tcp_source_eq_55062

If the intercluster Cisco Unified Presence peer auth listening port is 5061, use the command:

object service obj_tcp_source_eq_55061
 service tcp source eq 55061
nat (inside,outside) source static obj_host_<intercluster cup7 private address> obj_host_<public cup ip address> service obj_tcp_source_eq_5061 obj_tcp_source_eq_55061

Port 5070, TCP (public X5070 to private 5070)

Cisco Adaptive Security Appliance Release 8.2 Static Command:

static (inside,outside) tcp <public cup ip address> 55070 <intercluster cup7 private address> 5070 netmask 255.255.255.255

Cisco Adaptive Security Appliance Release 8.3 NAT Command:

object service obj_tcp_source_eq_5070
 service tcp source eq 5070
object service obj_tcp_source_eq_55070
 service tcp source eq 55070
nat (inside,outside) source static obj_host_<intercluster cup7 private address> obj_host_<public cup ip address> service obj_tcp_source_eq_5070 obj_tcp_source_eq_55070

Port 5070, UDP (public X5070 to private 5070)

Cisco Adaptive Security Appliance Release 8.2 Static Command:

static (inside,outside) udp <public cup ip address> 55070 <intercluster cup7 private address> 5070 netmask 255.255.255.255

Cisco Adaptive Security Appliance Release 8.3 NAT Command:

object service obj_udp_source_eq_5070
 service udp source eq 5070
object service obj_udp_source_eq_55070
 service udp source eq 55070
nat (inside,outside) source static obj_host_<intercluster cup7 private address> obj_host_<public cup ip address> service obj_udp_source_eq_5070 obj_udp_source_eq_55070

There is a limitation with intercluster deployments and SIP federation with AOL, refer to Intercluster Deployments and SIP Federation with AOL, page 1-4 for details.
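The per-node port scheme in Tables 6-2, 6-3 and 6-4 is easy to get wrong by hand once a deployment has several nodes: every node shares one public address, so each (protocol, public port) pair may be used only once, and a prefix X above 6 produces a port beyond 65535. The script below is an added example, not code from the Cisco guide or from Cisco: it generates both the Release 8.2 static and the Release 8.3 object/nat forms for a list of nodes, defines each 8.3 object only once, and rejects colliding or out-of-range ports before anything is pasted into the appliance. The public address, node names and private addresses are constructed for illustration.

```python
"""Generate the static PAT commands for a federated Cisco Unified Presence
deployment, following the scheme of Tables 6-2, 6-3 and 6-4.

Added example, not code from the Cisco guide. The public address, node
names, private addresses and node list are constructed for illustration;
the port scheme (routing node on the real ports, every other node on
X5062/X5080/X5060, or X5062/X5070 for a 7.x node) is the guide's.
"""
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"   # constructed: the public CUP address on the ASA
NETMASK = "255.255.255.255"
MAX_PORT = 65535


@dataclass
class Node:
    name: str
    private_ip: str
    release: int                # 7 or 8
    routing: bool = False       # exactly one routing node, on the real ports
    peer_auth_port: int = 5062  # System > Application Listeners, peer auth
    prefix: int = 0             # the X in X5080; unique per non-routing node


def mappings(node):
    """(protocol, mapped public port, real private port) for one node."""
    if node.routing:
        # Public 5061 reaches the peer auth listener; 5060/5062/5080 map 1:1.
        return [("tcp", 5061, node.peer_auth_port), ("tcp", 5060, 5060),
                ("tcp", 5062, 5062), ("tcp", 5080, 5080)]
    if not 1 <= node.prefix <= 6:
        raise ValueError(f"{node.name}: prefix must be 1..6, ports stop at {MAX_PORT}")
    off = node.prefix * 10000
    out = [("tcp", off + node.peer_auth_port, node.peer_auth_port)]
    if node.release >= 8:
        out += [("tcp", off + 5080, 5080), ("tcp", off + 5060, 5060)]
    else:  # a CUP 7.x node still uses 5070, on both TCP and UDP
        out += [("tcp", off + 5070, 5070), ("udp", off + 5070, 5070)]
    return out


def check_unique(nodes):
    """Every (protocol, public port) pair on the shared public IP must belong
    to exactly one node; otherwise the overlapping translation is rejected."""
    owner = {}
    for n in nodes:
        for proto, mapped, _ in mappings(n):
            if (proto, mapped) in owner:
                raise ValueError(f"{proto}/{mapped}: {owner[proto, mapped]} and {n.name}")
            owner[proto, mapped] = n.name
    return owner


def asa82(nodes):
    """Release 8.2 syntax: mapped (public) address and port first, then real."""
    check_unique(nodes)
    return [f"static (inside,outside) {proto} {PUBLIC_IP} {mapped} "
            f"{n.private_ip} {real} netmask {NETMASK}"
            for n in nodes for proto, mapped, real in mappings(n)]


def asa83(nodes):
    """Release 8.3 twice NAT: real object first, then mapped; each object is
    emitted once, as the guide's note on object reuse allows."""
    check_unique(nodes)
    lines, defined = [], set()

    def obj(kind, name, body):
        if name not in defined:
            defined.add(name)
            lines.extend([f"object {kind} {name}", f" {body}"])
        return name

    pub = obj("network", f"obj_host_{PUBLIC_IP}", f"host {PUBLIC_IP}")
    for n in nodes:
        priv = obj("network", f"obj_host_{n.private_ip}", f"host {n.private_ip}")
        for proto, mapped, real in mappings(n):
            r = obj("service", f"obj_{proto}_source_eq_{real}", f"service {proto} source eq {real}")
            m = obj("service", f"obj_{proto}_source_eq_{mapped}", f"service {proto} source eq {mapped}")
            lines.append(f"nat (inside,outside) source static {priv} {pub} service {r} {m}")
    return lines


# Constructed deployment: routing node, one non-routing 8.x node, one 7.x node.
NODES = [
    Node("cup-routing", "10.0.0.10", 8, routing=True),
    Node("cup7-node", "10.0.0.20", 7, prefix=5),
    Node("cup-node2", "10.0.0.11", 8, prefix=4),
]

if __name__ == "__main__":
    print("\n".join(asa82(NODES) + ["!"] + asa83(NODES)))
```

Run it, diff the output against the running configuration (show running-config static on Release 8.2, show running-config nat and show running-config object on Release 8.3), and give a second 7.x node a different prefix; the collision check will stop you if two nodes end up on the same public port.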
Related Topics

Static PAT for New Requests, page 6-7
PAT Configuration for Routing Cisco Unified Presence Release 8.x Node, page 6-9
PAT Configuration for Intercluster or Intracluster Cisco Unified Presence Release 8.x Nodes, page 6-11
Intercluster Deployments and SIP Federation with AOL, page 1-4

Failover on Cisco Adaptive Security Appliance


For a detailed description of configuring failover for Cisco Adaptive Security Appliance, refer to the Cisco Security Appliance Command Line Configuration Guide. If you are considering deploying failover for Cisco Adaptive Security Appliance in your federated network, note the following:

• Failover is supported using the active/standby mode. With active/standby failover, only one Cisco Adaptive Security Appliance passes traffic while the other waits in a standby state.
• In terms of hardware requirements, the two Cisco Adaptive Security Appliances in a failover deployment must have the exact same hardware configuration.
• In terms of software requirements, the two Cisco Adaptive Security Appliances in a failover configuration must be in the same operating mode and must have the same software version.
• In terms of licensing, active/standby mode requires a Security Plus or Unrestricted (UR) license.

Note

Cisco Adaptive Security Appliance does not support a TLS stateful or graceful failover. Existing TLS connections must be reestablished following a failover to the standby Cisco Adaptive Security Appliance.


Cisco Adaptive Security Appliance Upgrade Options for Existing Deployments


If you upgrade from Cisco Adaptive Security Appliance Release 8.2 to Release 8.3, Cisco Adaptive Security Appliance migrates the existing commands seamlessly during the upgrade.

Note

Once you upgrade to Cisco Unified Presence Release 8.x, you must open port 5080 on Cisco Adaptive Security Appliance for each Cisco Unified Presence 8.x node located behind Cisco Adaptive Security Appliance. This is independent of whether you have also upgraded Cisco Adaptive Security Appliance. Use one of the following upgrade procedures when you upgrade both Cisco Unified Presence and Cisco Adaptive Security Appliance in your existing federation deployment:

Upgrade Procedure Option 1:

1. Upgrade Cisco Unified Presence to Release 8.x.
2. Configure NAT rules for port 5080 on Cisco Adaptive Security Appliance.
3. Confirm that federation is working in your deployment after the Cisco Unified Presence upgrade.
4. Upgrade Cisco Adaptive Security Appliance to Release 8.3.
5. Confirm that federation is working in your deployment after the Cisco Adaptive Security Appliance upgrade.

Upgrade Procedure Option 2:

1. Upgrade both the Cisco Unified Presence nodes to Release 8.x and Cisco Adaptive Security Appliance to Release 8.3.
2. After both upgrades, configure NAT rules for port 5080 on Cisco Adaptive Security Appliance.
3. Confirm that federation is working in your deployment.


These are the commands you require to open port 5080 for each Cisco Unified Presence Release 8.x node that sits behind Cisco Adaptive Security Appliance:

Cisco Adaptive Security Appliance Release 8.2 Static Command

static (inside,outside) tcp <public cup ip address> 5080 <routing cup private address> 5080 netmask 255.255.255.255
static (inside,outside) tcp <public cup ip address> 45080 <intercluster cup8 private address> 5080 netmask 255.255.255.255

Cisco Adaptive Security Appliance Release 8.3 NAT Command

object service obj_tcp_source_eq_5080
 service tcp source eq 5080
nat (inside,outside) source static obj_host_<routing cup private address> obj_host_<public cup ip address> service obj_tcp_source_eq_5080 obj_tcp_source_eq_5080
object service obj_tcp_source_eq_45080
 service tcp source eq 45080
nat (inside,outside) source static obj_host_<intercluster cup8 private address> obj_host_<public cup ip address> service obj_tcp_source_eq_5080 obj_tcp_source_eq_45080

Note

Configure these commands for each intercluster Cisco Unified Presence 8.x server, and use a different arbitrary port for each.



Chapter 7

Configuring the TLS Proxy on Cisco Adaptive Security Appliance

April 4, 2011

Note

For up-to-date release information on configuring the TLS proxy, refer to the Cisco Adaptive Security Appliance Configuration Guide at the following URL: http://www.cisco.com/en/US/products/ps6120/tsd_products_support_configure.html

TLS Proxy, page 7-1
Access List Configuration Requirements, page 7-2
Configuring the TLS Proxy Instances, page 7-4
Associating an Access List with a TLS Proxy Instance Using Class Maps, page 7-5
Enabling the TLS Proxy, page 7-6
Configuring Cisco Adaptive Security Appliance for an Intercluster Deployment, page 7-6

Note

Only Cisco Unified Presence Release 8.5(2) or higher supports interdomain federation with Microsoft Lync. For Cisco Unified Presence Release 8.5(2) or higher, any reference to interdomain federation with OCS also includes Microsoft Lync, unless explicitly stated otherwise.

TLS Proxy

Cisco Adaptive Security Appliance acts as a TLS proxy between Cisco Unified Presence and the foreign server. Cisco Adaptive Security Appliance terminates the TLS connection from whichever side initiates it (the TLS client) and opens a separate TLS connection to the other side (the TLS server), so neither end-point negotiates TLS directly with the other. On the incoming leg the TLS proxy decrypts the traffic, inspects and modifies the SIP messages as required (for example, the addresses and ports that PAT rewrites), and then re-encrypts the traffic on the outgoing leg.

Note

Before configuring the TLS proxy, you must configure the Cisco Adaptive Security Appliance security certificates between Cisco Adaptive Security Appliance and Cisco Unified Presence, and between Cisco Adaptive Security Appliance and the foreign server. Complete the procedures in the following sections to accomplish this:


How to Configure Security Certificate Exchange Between Cisco Unified Presence and Cisco Adaptive Security Appliance, page 5-1
How to Configure Security Certificate Exchange Between Cisco Adaptive Security Appliance and Microsoft Access Edge (External Interface) Using a Microsoft CA, page 5-5

Related Topics

Common Cisco Adaptive Security Appliance Problems and Recommended Actions, page 15-1.

Access List Configuration Requirements

This section lists the access list configuration requirements for a single Cisco Unified Presence deployment.

Note

For each access list, you must configure a corresponding class-map, and configure an entry in the policy-map global policy. You can check the peer auth listener port on Cisco Unified Presence by selecting Cisco Unified Presence Administration > System > Application Listeners.

Deployment Scenario: A Cisco Unified Presence server federating with one or more foreign domains

Configuration Requirement: Configure the following two access lists for each foreign domain that Cisco Unified Presence federates with:

• Configure an access list to allow Cisco Unified Presence to send messages to the foreign domain on port 5061.
• Configure an access list to allow Cisco Unified Presence to receive messages from the foreign domain. On Cisco Adaptive Security Appliance Release 8.2, the access list matches the translated (public) Cisco Unified Presence address and port 5061. On Release 8.3, access lists are evaluated against the real (untranslated) address and port, so specify the private Cisco Unified Presence address and the actual port that Cisco Unified Presence listens on for SIP federation (check the peer auth listener port on Cisco Unified Presence).


Configuration Example:

access-list ent_cup_to_foreign_server extended permit tcp host <routing cup private address> host <foreign public address> eq 5061

Cisco Adaptive Security Appliance Release 8.2:

access-list ent_foreign_server_to_cup extended permit tcp host <foreign public address> host <CUP public address> eq 5061

Cisco Adaptive Security Appliance Release 8.3:

access-list ent_foreign_server_to_cup extended permit tcp host <foreign public address> host <CUP private address> eq 5061

Note

In the Release 8.3 access list above, 5061 is the port that Cisco Unified Presence listens on for SIP messaging. If Cisco Unified Presence listens on port 5062, specify 5062 in the access list.

Deployment Scenario: Intercluster deployment (this also applies to a multi-node deployment)

Configuration Requirement: Configure the following two access lists for each intercluster Cisco Unified Presence server:

• Configure an access list to allow the Cisco Unified Presence server to send messages to the foreign domain on port 5061.
• Configure an access list to allow the Cisco Unified Presence server to receive messages from the foreign domain. On Cisco Adaptive Security Appliance Release 8.2, specify the public Cisco Unified Presence address and the arbitrary public port you assigned to this server in its static PAT command (for example 45062, or 45061 if its peer auth listener port is 5061). On Release 8.3, specify the private address of the server and the actual port that it listens on for SIP federation (check the peer auth listener port on Cisco Unified Presence).

Configuration Example:

access-list ent_intercluster_cup_to_foreign_server extended permit tcp host <intercluster cup private address> host <foreign public address> eq 5061

Cisco Adaptive Security Appliance Release 8.2:

access-list ent_foreign_server_to_intercluster_cup extended permit tcp host <foreign public address> host <cup public address> eq <arbitrary port>

Cisco Adaptive Security Appliance Release 8.3:

access-list ent_foreign_server_to_intercluster_cup extended permit tcp host <foreign public address> host <cup private address> eq 5061

In the Release 8.3 access list above, 5061 is the port that Cisco Unified Presence listens on for SIP messaging. If Cisco Unified Presence listens on port 5062, specify 5062 in the access list.


Related Topics

Sample Cisco Adaptive Security Appliance Configuration, page A-1
Configuring the TLS Proxy Instances, page 7-4
Associating an Access List with a TLS Proxy Instance Using Class Maps, page 7-5
Enabling the TLS Proxy, page 7-6

Configuring the TLS Proxy Instances

For this integration, you need to create two TLS proxy instances. The first TLS proxy handles the TLS connections initiated by Cisco Unified Presence, where Cisco Unified Presence is the client and the foreign domain is the server. In this case, Cisco Adaptive Security Appliance acts as the TLS server facing the "client", which is Cisco Unified Presence, and as a TLS client towards the foreign domain. The second TLS proxy handles the TLS connections initiated by the foreign domain, where the foreign domain is the client and Cisco Unified Presence is the server.

The TLS proxy instance defines trustpoints for both the server role and the client role. The server command names the trustpoint whose certificate Cisco Adaptive Security Appliance presents to the side that initiated the handshake; the client command names the trustpoint whose certificate it presents to the side it connects on to. The direction from which the TLS handshake is initiated therefore determines which trustpoint goes in each command:

• If the TLS handshake initiates from Cisco Unified Presence to the foreign domain, the server command specifies the trustpoint that contains the Cisco Adaptive Security Appliance self-signed certificate (the certificate that Cisco Unified Presence trusts). The client command specifies the trustpoint that contains the Cisco Adaptive Security Appliance certificate that is used in the TLS handshake between Cisco Adaptive Security Appliance and the foreign domain.
• If the handshake initiates from the foreign domain to Cisco Unified Presence, the server command specifies the trustpoint that contains the Cisco Adaptive Security Appliance certificate that the TLS handshake uses between Cisco Adaptive Security Appliance and the foreign domain. The client command specifies the trustpoint that contains the Cisco Adaptive Security Appliance self-signed certificate.

Before You Begin

Complete the steps in Access List Configuration Requirements, page 7-2.

Procedure

Step 1  Enter config mode:

enable
<password>
config t

Step 2  Create a TLS proxy instance for TLS connections initiated by Cisco Unified Presence. This example creates a TLS proxy instance called ent_cup_to_foreign:

tls-proxy ent_cup_to_foreign
 server trust-point cup_proxy
 client trust-point <trustpoint_name>
 client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1

Step 3  Create a TLS proxy instance for TLS connections initiated by a foreign domain. This example creates a TLS proxy instance called ent_foreign_to_cup:

tls-proxy ent_foreign_to_cup
 server trust-point <trustpoint_name>
 client trust-point cup_proxy
 client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1

Note

The null-sha1 suite provides integrity only; if it is negotiated, the SIP signaling on that leg is authenticated but not encrypted. Offer it only if the foreign side requires it; otherwise omit it from the client cipher-suite command.

What To Do Next

Associating an Access List with a TLS Proxy Instance Using Class Maps, page 7-5

Associating an Access List with a TLS Proxy Instance Using Class Maps

Using the class-map command, you need to associate a TLS proxy instance with each of the foreign domain access lists you defined previously.

Before You Begin

Complete the steps in Configuring the TLS Proxy Instances, page 7-4

Procedure

Step 1  Enter config mode:

enable
<password>
config t

Step 2  Associate each of your access lists with the TLS proxy instance that the class map uses. The TLS proxy you select depends on whether the class-map is for messages from Cisco Unified Presence to a foreign domain, or from a foreign domain to Cisco Unified Presence. In the example below, the access list for messages sent from Cisco Unified Presence to a foreign domain is associated with the TLS proxy instance for TLS connections initiated by Cisco Unified Presence, called ent_cup_to_foreign:

class-map ent_cup_to_foreign
 match access-list ent_cup_to_foreign

In the example below, the access list for messages sent from a foreign domain to Cisco Unified Presence is associated with the TLS proxy instance for TLS connections initiated by the foreign server, called ent_foreign_to_cup:

class-map ent_foreign_to_cup
 match access-list ent_foreign_to_cup

Step 3  If you have an intercluster Cisco Unified Presence deployment, configure a class map for each Cisco Unified Presence server, and associate it with the appropriate access list for that server that you defined previously, for example:

class-map ent_second_cup_to_foreign
 match access-list ent_second_cup_to_foreign
class-map ent_foreign_to_second_cup
 match access-list ent_foreign_to_second_cup


What To Do Next

Enabling the TLS Proxy, page 7-6

Enabling the TLS Proxy

Using the policy-map command, you need to enable the TLS proxy for each class map you created in the previous section.

Note

You cannot use a High security sip-inspect policy map on Cisco Adaptive Security Appliance for a federated deployment because the configuration will fail. You must use a Low/Medium security policy map.

Before You Begin

Complete the steps in Associating an Access List with a TLS Proxy Instance Using Class Maps, page 7-5

Procedure

Step 1  Enter config mode:

enable
<password>
config t

Step 2  Define the sip-inspect policy map, for example:

policy-map type inspect sip sip_inspect
 parameters
  ! SIP inspection parameters

Step 3  Define the global policy map, for example:

policy-map global_policy
 class ent_cup_to_foreign
  inspect sip sip_inspect tls-proxy ent_cup_to_foreign

Add a class entry of this form for every class map, naming the TLS proxy instance for that direction (ent_foreign_to_cup for the class map that matches messages from the foreign domain, and the per-server instances for an intercluster deployment). A class map that has no entry in the global policy, or whose inspect sip statement carries no tls-proxy keyword, is not handled by the TLS proxy.
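The Note at the start of Access List Configuration Requirements and the three procedures above form a chain (access list, class map, global_policy entry, TLS proxy instance) in which one missing link silently breaks federation for one direction or one server. The script below is an added example, not code from the Cisco guide or from Cisco: it reads a running-configuration excerpt and reports every broken link in that chain, and it also flags a NULL cipher in any client cipher-suite. SAMPLE_CONFIG is a constructed excerpt that reuses this chapter's object names and deliberately contains three mistakes; the private and foreign addresses in it are illustrative.

```python
"""Audit the TLS proxy wiring on a Cisco ASA: every federation access list
needs a class-map, every class-map needs a global_policy entry that names
a tls-proxy, and that proxy must exist. Also flags NULL cipher suites.

Added example, not from the Cisco guide or from Cisco. SAMPLE_CONFIG is a
constructed running-config excerpt using this chapter's object names; it
deliberately contains three mistakes for the audit to find.
"""

SAMPLE_CONFIG = """\
access-list ent_cup_to_foreign extended permit tcp host 10.0.0.10 host 198.51.100.5 eq 5061
access-list ent_foreign_to_cup extended permit tcp host 198.51.100.5 host 10.0.0.10 eq 5062
access-list ent_second_cup_to_foreign extended permit tcp host 10.0.0.11 host 198.51.100.5 eq 5061
tls-proxy ent_cup_to_foreign
 server trust-point cup_proxy
 client trust-point asa_foreign
 client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1
tls-proxy ent_foreign_to_cup
 server trust-point asa_foreign
 client trust-point cup_proxy
 client cipher-suite aes128-sha1 aes256-sha1
class-map ent_cup_to_foreign
 match access-list ent_cup_to_foreign
class-map ent_foreign_to_cup
 match access-list ent_foreign_to_cup
policy-map type inspect sip sip_inspect
 parameters
policy-map global_policy
 class ent_cup_to_foreign
  inspect sip sip_inspect tls-proxy ent_cup_to_foreign
 class ent_foreign_to_cup
  inspect sip sip_inspect
"""


def parse(config):
    """Minimal indentation-aware reader for the four block types we audit."""
    acls, class_maps, proxies, policy = set(), {}, {}, {}
    block = None                          # (kind, name) of the open block
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        words = line.split()
        if not line.startswith(" "):      # top-level command
            block = None
            if words[0] == "access-list":
                acls.add(words[1])
            elif words[0] == "tls-proxy":
                block, proxies[words[1]] = ("tls-proxy", words[1]), []
            elif words[0] == "class-map":
                block, class_maps[words[1]] = ("class-map", words[1]), None
            elif words[:2] == ["policy-map", "global_policy"]:
                block = ("policy", None)
            continue
        if block is None:
            continue
        kind, name = block
        if kind == "tls-proxy" and words[:2] == ["client", "cipher-suite"]:
            proxies[name] = words[2:]
        elif kind == "class-map" and words[:2] == ["match", "access-list"]:
            class_maps[name] = words[2]
        elif kind == "policy" and words[0] == "class":
            block, policy[words[1]] = ("policy", words[1]), None
        elif kind == "policy" and name and words[:2] == ["inspect", "sip"]:
            # "" means inspect sip is present but carries no tls-proxy keyword
            tail = words[words.index("tls-proxy") + 1:] if "tls-proxy" in words else []
            policy[name] = tail[0] if tail else ""
    return acls, class_maps, proxies, policy


def audit(config):
    """Return human-readable findings; an empty list means the chain is complete."""
    acls, class_maps, proxies, policy = parse(config)
    findings = []
    for acl in sorted(acls - {a for a in class_maps.values() if a}):
        findings.append(f"access-list {acl} has no class-map matching it")
    for cm, acl in class_maps.items():
        if acl and acl not in acls:
            findings.append(f"class-map {cm} matches undefined access-list {acl}")
        if cm not in policy:
            findings.append(f"class-map {cm} is not referenced in policy-map global_policy")
        elif policy[cm] is None:
            findings.append(f"class {cm} in global_policy has no inspect sip statement")
        elif policy[cm] == "":
            findings.append(f"class {cm} in global_policy inspects SIP without a tls-proxy")
        elif policy[cm] not in proxies:
            findings.append(f"class {cm} references undefined tls-proxy {policy[cm]}")
    for name, ciphers in proxies.items():
        weak = [c for c in ciphers if c.startswith("null-")]
        if weak:
            findings.append(f"tls-proxy {name} offers NULL cipher {' '.join(weak)}: "
                            "signaling on that leg is authenticated but not encrypted")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Feed it the output of show running-config; on the sample it reports the orphaned ent_second_cup_to_foreign access list, the ent_foreign_to_cup class whose inspect statement has no tls-proxy, and the null-sha1 suite offered by ent_cup_to_foreign.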

Configuring Cisco Adaptive Security Appliance for an Intercluster Deployment

For an intercluster Cisco Unified Presence deployment, you must perform the following configuration on the Cisco Adaptive Security Appliance for each additional Cisco Unified Presence server.

Procedure

Step 1  Create an additional access list for the Cisco Unified Presence server.
Step 2  Generate and import the Cisco Adaptive Security Appliance security certificate onto the Cisco Unified Presence server.
Step 3  Generate and import the Cisco Unified Presence security certificate onto Cisco Adaptive Security Appliance.
Step 4  Configure a class map for each foreign domain.
Step 5  Include the class maps in the global policy map.

Related Topics

How to Configure Security Certificate Exchange Between Cisco Unified Presence and Cisco Adaptive Security Appliance, page 5-1
Associating an Access List with a TLS Proxy Instance Using Class Maps, page 7-5
Enabling the TLS Proxy, page 7-6
About Intercluster and Multi-node Deployments, page 1-5


Chapter 8

Configuring Interdomain Federation to Microsoft OCS within an Enterprise

April 4, 2011

How to Configure Static Routes Using TCP for Federation with Microsoft OCS Domain, page 8-1
How to Configure Static Routes Using TLS for Federation with Microsoft OCS Domain, page 8-4

If you configure federation within the enterprise, in addition to the static routes you must configure a SIP federation domain on Cisco Unified Presence. See Adding a SIP Federated Domain, page 4-2.

Note

Refer to Federation and Subdomains, page 1-24 for information on federation and subdomains. The OCS domain and the Cisco Unified Presence domain must be different; once they are, you can configure federation within the enterprise. You do not have to use subdomains; separate domains are equally applicable.

How to Configure Static Routes Using TCP for Federation with Microsoft OCS Domain

This section describes how to configure static routes using TCP for direct federation between Cisco Unified Presence and Microsoft OCS. Neither Cisco Adaptive Security Appliance nor Microsoft Access Edge is required. SIP signaling over TCP is not encrypted, so use this procedure only where the path between Cisco Unified Presence and OCS stays inside the enterprise network; where the signaling crosses a segment you do not trust, use the TLS procedure instead (page 8-4).

Caution

The domain portion of the Routing Proxy FQDN parameter value cannot be the same as the Microsoft OCS domain. To view or edit the Routing Proxy FQDN parameter, select Cisco Unified Presence Administration > System > Service Parameters, and select the Cisco UP SIP Proxy service.

Configuring a Static Route on Cisco Unified Presence for the OCS Server, page 8-2
Configuring a Static Route on OCS for the Cisco Unified Presence server, page 8-2
Adding a Host Authorization entry for the Cisco Unified Presence server, page 8-3
Enabling Port 5060 on the OCS Server, page 8-3


Configuring a Static Route on Cisco Unified Presence for the OCS Server

To configure Cisco Unified Presence to use TCP when exchanging IM and presence with a federated Microsoft OCS domain, you must configure a static route on Cisco Unified Presence that points to the OCS server (and not the external edge of Microsoft Access Edge).

Procedure

Step 1 Select Cisco Unified Presence Administration > Presence > Routing > Static Routes.

Step 2 Configure the static route parameters as follows:

The destination pattern value must be configured such that the foreign enterprise domain is reversed. For example, if the domain is "domaina.com" then the Destination Pattern value must be .com.domaina.*
The Next Hop value is the OCS FQDN or IP address.
The Next Hop Port number is 5060.
The Route Type value is domain.
The Protocol Type is TCP.

Step 3 Click Save.
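As an added example that is not part of the Cisco guide, the following Python builds the reversed destination pattern from a federated domain and shows which request hosts such a pattern covers and which look-alike hosts it does not. The matching and route-selection rules (reversed-prefix match, most specific pattern wins), the eu.domaina.com subdomain and the next-hop names are assumptions for illustration, not documented Cisco Unified Presence behaviour.

```python
"""Cisco Unified Presence static-route destination patterns, reversed-domain
form. Added example, not part of the Cisco guide. Assumed for illustration
(not documented here): a host matches a pattern when its reversed form
equals the pattern's prefix or extends it by further labels, and the most
specific matching pattern wins."""
from __future__ import annotations

from typing import Iterable, List, NamedTuple, Optional


def destination_pattern(domain: str) -> str:
    """'domaina.com' -> '.com.domaina.*', as the procedure above prescribes."""
    labels = domain.strip().lower().strip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a usable federated domain: {domain!r}")
    return "." + ".".join(reversed(labels)) + ".*"


def reverse_host(host: str) -> str:
    """'ocs.domaina.com' -> '.com.domaina.ocs' (same orientation as the pattern)."""
    labels = host.strip().lower().strip(".").split(".")
    return "." + ".".join(reversed(labels))


def pattern_matches(pattern: str, host: str) -> bool:
    """Assumed wildcard semantics: '.com.domaina.*' covers domaina.com and any
    host below it. Because the pattern is anchored at the TLD, a look-alike
    such as domainaa.com or domaina.com.example does not match."""
    if not pattern.endswith(".*"):
        raise ValueError("this example only handles patterns ending in '.*'")
    prefix = pattern[:-2]                      # '.com.domaina'
    rev = reverse_host(host)
    return rev == prefix or rev.startswith(prefix + ".")


class StaticRoute(NamedTuple):
    destination_pattern: str
    next_hop: str       # OCS FQDN or IP address
    next_hop_port: int  # 5060 for TCP, 5061 for the TLS variant later in this chapter
    protocol: str       # "TCP" or "TLS"


def select_route(routes: Iterable[StaticRoute], host: str) -> Optional[StaticRoute]:
    """Assumed selection rule: among matching routes, the longest (most specific)
    destination pattern wins; None when no static route covers the host."""
    matching: List[StaticRoute] = [r for r in routes
                                   if pattern_matches(r.destination_pattern, host)]
    if not matching:
        return None
    return max(matching, key=lambda r: len(r.destination_pattern))


# Constructed sample routes: the guide's domaina.com plus an assumed regional
# subdomain that is routed to a different OCS front end over TLS.
ROUTES = [
    StaticRoute(destination_pattern("domaina.com"), "ocs.domaina.com", 5060, "TCP"),
    StaticRoute(destination_pattern("eu.domaina.com"), "ocs-eu.domaina.com", 5061, "TLS"),
]

if __name__ == "__main__":
    for host in ("domaina.com", "bob.domaina.com", "alice.eu.domaina.com",
                 "domainaa.com", "domaina.com.example"):
        print(f"{host:24} -> {select_route(ROUTES, host)}")
```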

What To Do Next

Configuring a Static Route on OCS for the Cisco Unified Presence server, page 8-2.

Configuring a Static Route on OCS for the Cisco Unified Presence server

If you are using direct federation from Cisco Unified Presence to OCS without the Access Edge server or Cisco Adaptive Security Appliance, then you need to configure a static route from OCS to Cisco Unified Presence.

Procedure

Step 1 Click Start > Programs > Administrative Tools > Microsoft Office Communications Server 2007 on OCS.
Step 2 Right-click on the Front End server.
Step 3 Select Properties > Front End Properties.
Step 4 Click the Routing tab.
Step 5 Click Add.
Step 6 Enter the domain for the Cisco Unified Presence server, for example 'cisco.com'.
Step 7 Enter the IP of the Cisco Unified Presence server for the Next Hop IP address.
Step 8 Select TCP for the Transport value.
Step 9 Enter 5060 for the Port value.
Step 10 Click OK.

What To Do Next

Adding a Host Authorization entry for the Cisco Unified Presence server, page 8-3

Adding a Host Authorization entry for the Cisco Unified Presence server

Procedure

Step 1 Click on the Host Authorization tab on OCS.
Step 2 Perform one of the following steps:
Enter the IP address of the authorized host if you configured a static route on OCS that specifies the next hop computer by its IP address.
Enter the FQDN of the authorized host if you configured a static route on OCS that specifies the next hop computer by its FQDN.
Step 3 Click Add.
Step 4 Select IP.
Step 5 Enter the IP address of the Cisco Unified Presence server.
Step 6 Check Throttle as Server.
Step 7 Check Treat as Authenticated.
Note: Do not check Outbound Only.
Step 8 Click OK.

Enabling Port 5060 on the OCS Server

Procedure

Step 1 Select Start > Programs > Administrative Tools > Microsoft Office Communications Server 2007 on OCS.
Step 2 Right-click on the FQDN of the Front End server.
Step 3 Select Properties > Front End Properties.
Step 4 Click the General tab.
Step 5 If port 5060 is not listed under Connections, select Add.
Step 6 Configure port 5060 as follows:
Select All as the IP Address value.
Select 5060 as the Port value.
Select TCP as the Transport value.
Step 7 Select OK.

How to Configure Static Routes Using TLS for Federation with Microsoft OCS Domain

Step: Configure a static route on Cisco Unified Presence for OCS
Notes: Use the procedure Configuring a Static Route on Cisco Unified Presence for the OCS Server, page 8-2 as a guide. When you configure the static route on Cisco Unified Presence, select the protocol type TLS, and make sure that the static route points to port 5061.

Step: Configure a static route on OCS for Cisco Unified Presence
Notes: Use the procedure Configuring a Static Route on OCS for the Cisco Unified Presence server, page 8-2 as a guide. When you configure the static route on OCS, select the protocol type TLS, and make sure that the static route points to port 5061 (the default is 5062).
Note: When using TLS with static routes on OCS, you must specify the FQDN of the Cisco Unified Presence server, rather than an IP address.
On Cisco Unified Presence, you must also set the Peer Auth Listener port, the port to which the OCS static route points, to 5061. You configure this by selecting Cisco Unified Presence Administration > System > Application Listeners. Verify that the Peer Auth Listener port is 5061. You can configure the Server Auth Listener port to be 5062.

Step: Configure a host authorization entry for the Cisco Unified Presence FQDN
Notes: Use the procedure Adding a Host Authorization entry for the Cisco Unified Presence server, page 8-3 as a guide.

Step: Configure the certificates on OCS
Notes: To retrieve the CA root certificate and the OCS signed certificate, follow these procedures, applying them to the OCS server (rather than the Access Edge server):
Downloading the CA Certification Chain, page 5-9
Installing the CA Certification Chain, page 5-10
Requesting a Certificate from the CA Server, page 5-11
Downloading the Certificate from the CA Server, page 5-11
In the OCS Front End Server Properties, ensure that the TLS listener for port 5061 on OCS is configured (the transport can be MTLS or TLS). From the OCS Front End Server Properties, select the Certificates tab, and click Select Certificate to select the OCS signed certificate.

Step: Configure OCS to use FIPS (TLSv1 rather than SSLv3), and import the CA root certificate
Notes:
1. Open the Local Security Settings on OCS.
2. In the console tree, select Local Policies.
3. Select Security Options.
4. Double-click System Cryptography: Use FIPS Compliant algorithms for encryption, hashing and signing.
5. Enable the security setting.
6. Select OK.
Note: You may need to restart OCS for this to take effect.
7. Import the CA root certificate for the CA that signs the Cisco Unified Presence certificate. Import the CA root certificate into the trust store on OCS using the certificate snap-in.

Step: Configure the certificates on Cisco Unified Presence
Notes: On Cisco Unified Presence, upload the root certificate for the CA that signs the OCS certificate. Note the following:
Upload the certificate as a cup-trust certificate.
Leave the Root Certificate field blank.
Use the procedure Importing the Self Signed Certificate onto Cisco Unified Presence, page 5-3 as a guide for uploading a certificate to Cisco Unified Presence.
Generate a CSR for Cisco Unified Presence so that the Cisco Unified Presence certificate can be signed by a CA. Upload the CSR to the CA that will sign your certificate. When you have retrieved the CA-signed certificate and the CA root certificate, upload the CA-signed certificate and the root certificate to Cisco Unified Presence. Note the following:
Upload the root certificate as a cup-trust certificate.
Upload the CA-signed Cisco Unified Presence certificate as a cup certificate.
Specify the root certificate .pem file as the root certificate.
Add a TLS Peer subject on Cisco Unified Presence for the OCS server. Follow the steps in Creating a new TLS Peer Subject, page 4-6 to create the peer subject for the OCS server. Use the FQDN of the OCS server.
Add the TLS Peer to the Selected TLS Peer Subjects list. Follow the steps in Adding the TLS Peer to the Selected TLS Peer Subjects List, page 4-6 to add the TLS Peer to the Selected TLS Peer Subjects list. Note the following:
Make sure that the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher is selected for the TLS Context Configuration.
Make sure that you disable empty TLS fragments.

Chapter 9

Configuring the Foreign Server Components for SIP Federation

April 4, 2011

Microsoft Component Configuration for SIP Federation, page 9-1
About the Requirements for SIP Federation with AOL, page 9-4

Microsoft Component Configuration for SIP Federation


Table 9-1 provides a brief checklist relative to configuring federation on the Microsoft servers. For detailed instructions on setting up and deploying the OCS server and the Access Edge server, refer to the Microsoft documentation.


Table 9-1 Configuration tasks for Microsoft Components

Server: OCS Server

Task: Enable Global Federation Setting
Procedure:
1. Select Properties > Global Properties > Federation in the global forest branch in the left pane.
2. Check Enable Federation and Public IM Connectivity.
3. Enter the FQDN and the port number for the internal interface of the Access Edge server.

Task: Configure the Access Edge server address
Procedure:
1. Select Properties > Global Properties > Edge Servers in the global forest branch in the left pane.
2. Click Add in the Access Edge and Web Conferencing Edge Servers window.
3. Enter the FQDN for the internal interface of the Access Edge server.

Task: Enable Each Front End Federation Setting
Procedure: You need to enable the federation setting for each front-end server that is federating:
1. Select Properties > Front End Properties > Federation in the front-end server branch in the left pane.
2. Check Enable Federation and Public IM Connectivity.

Task: Check your users are enabled for MOC and for Federation
Procedure: From the Users tab, check that your users are enabled for MOC. If your user is not present in this list, you need to enable the user for MOC in Microsoft Active Directory. You also need to enable the user for Public IM Connectivity in Microsoft Active Directory. Refer to the Microsoft Active Directory documentation at the following URL: http://technet2.microsoft.com/windowsserver/en/technologies/featured/ad/default.mspx

Server: Access Edge

Task: Configure DNS
Procedure: In the Microsoft enterprise deployment, you need to configure an external SRV record for all Access Edge Servers that points to _sipfederationtls._tcp.<domain>, over port 5061, where <domain> is the name of the SIP domain of your organization. This SRV should point to the external FQDN of the Access Edge server.
In the Cisco Unified Presence enterprise deployment, you need to configure a DNS SRV record that points to _sipfederationtls._tcp.<CUP_domain> over port 5061, where <CUP_domain> is the name of the Cisco Unified Presence domain. This DNS SRV should point to the public FQDN of the Cisco Unified Presence server.

Task: Configure Cisco Unified Presence as an IM Provider
Procedure:
1. Select Start > Administrative Tools > Computer Management on the external Access Edge server.
2. Right-click Microsoft Office Communications Server 2007 in the left pane.
3. Click the IM Provider tab.
4. Click Add.
5. Check Allow the IM service provider.
6. Define the IM service provider name, for example, the Cisco Unified Presence server.
7. Define the network address of the IM service provider, in this case the public FQDN of the Cisco Unified Presence server.
8. Ensure that the IM service provider is not marked as public.
9. Click the filtering option Allow all communications from this provider.
10. Click OK.

Task: Check the Access Method Settings
Procedure:
1. Right-click on Microsoft Office Communications Server 2007 in the console tree.
2. Click Properties > Access Methods.
3. Check Federation.
4. Check Allow discovery if you are using DNS SRV.

Task: Configure Access Edge to use TLSv1
Procedure:
1. Select Start > Administrative Tools > Local Security Policy to open the Local Security Policy.
Note: If you are configuring this on a domain controller, the path is Start > Administrative Tools > Domain Controller Security Policy.
2. Click Security Settings > Local Policies > Security Options in the console tree.
3. Double-click the FIPS security setting in the details pane.
4. Enable the FIPS security setting.
5. Click OK.
Note: There is a known issue with remote desktop to the Access Edge Server with FIPS enabled on Windows XP. Refer to Unable to Remote Desktop to Access Edge, page 15-10 for a resolution to this issue.

Server: OCS/Access Edge

Task: Configure the security certificates
Procedure: You need to configure security certificates between the OCS server and the Access Edge server. You will require a CA server to perform this procedure. Please refer to the Microsoft documentation for details on configuring security certificates between these servers.

Related Topics

Configuring Interdomain Federation to Microsoft OCS within an Enterprise, page 8-1

About the Requirements for SIP Federation with AOL


License Requirements for AOL Federation, page 9-4
AOL Routing Information Requirements, page 9-5
AOL Provisioning Information Requirements, page 9-5

License Requirements for AOL Federation


You must order the AOL-FEDERATION SKU license from Cisco to allow you to turn on interdomain federation between Cisco Unified Presence and AOL. When you submit this license request, Cisco will request from you the AOL customer routing and contact information described in the later sections of this topic. After Cisco receives your AOL customer routing and contact information, AOL federation between Cisco Unified Presence and AOL will be turned on.
Related Topics

AOL Routing Information Requirements, page 9-5
AOL Provisioning Information Requirements, page 9-5


AOL Routing Information Requirements


When you configure interdomain federation between Cisco Unified Presence and AOL SIP Access Gateway, you must provide AOL with the following information.

Deployment Type: No load balancer
Provide (for each domain):
The public FQDN of the federation routing Cisco Unified Presence server: <sip.domain.com>
The domain name of the Cisco Unified Presence server: @<domain.com>
Notes: The Cisco Unified Presence server certificate subject CN must match the FQDN of the Cisco Unified Presence server. The CA that signs the Cisco Unified Presence server certificate must be trusted by the AOL server.

Deployment Type: Load balancer
Provide (for each domain):
The FQDN of the load balancer: <lb.domain.com>
The domain name of the load balancer: @<domain.com>
Notes: The Cisco Unified Presence server certificate subject CN must match the FQDN of the load balancer. The CA that signs the Cisco Unified Presence server certificate must be trusted by the AOL server.

Provide (for each domain): The secure SIP federation port of the Cisco Unified Presence server that will be used for the domain
Notes: The AOL SIP Access Gateway connects (via SSL) to the IP address that is returned by an nslookup on this port. The default port is 5061.

We recommend that you work with your Cisco support representative to provide this information to AOL.

AOL Provisioning Information Requirements


The name of the enterprise, company or other.
The domain name used for the federation (e.g. companyabc.com).
The FQDN of the Cisco Unified Presence server that is being used for federation.
The customer contact details: name, email address, phone number.
Copy of certificate(s): if the certificate is signed by a Certificate Authority, the root certificate including the whole chain of certificates of the Certificate Authority must be provided.


The base64 encoding of the certificate(s) is required (PEM format, from the BEGIN CERTIFICATE line to the END CERTIFICATE line).

We recommend that you work with your Cisco support representative to provide this information to AOL.

Integration Guide for Configuring Cisco Unified Presence Release 8.5 for Interdomain Federation

9-6

Chapter 10

Configuring the Load Balancer for Redundancy for SIP Federation

April 4, 2011

About the Load Balancer, page 10-1
Updating the Cisco Unified Presence Servers, page 10-2
How to Update the Cisco Adaptive Security Appliance, page 10-3
How to Update the CA-Signed Security Certificates, page 10-6
Updating the Microsoft Components, page 10-8
Configuring the Load Balancer, page 10-9

About the Load Balancer


For redundancy and high-availability purposes, you can incorporate a load balancer into the federated network. Cisco recommends the Cisco CSS 11500 Content Services Switch, which is placed between the Cisco Unified Presence server and the Cisco Adaptive Security Appliance (see Figure 1-3 on page 1-8). The load balancer terminates incoming TLS connections from Cisco Adaptive Security Appliance, and initiates a new TLS connection to route the content to the appropriate backend Cisco Unified Presence server.


Updating the Cisco Unified Presence Servers

When using a load balancer for redundancy, you must update settings on the Cisco Unified Presence publisher and subscriber nodes.

Procedure

Task: Update the federation routing parameter
Procedure: Select Cisco Unified Presence Administration > System > Service Parameters > Cisco UP SIP Proxy from the Service menu and enter these values:
Virtual IP Address: enter the virtual IP address set on the load balancer
Server Name: set to the FQDN of the load balancer
Federation Routing CUP FQDN: set to the FQDN of the load balancer

Task: Create a new TLS peer subject
Procedure:
1. Select Cisco Unified Presence Administration > System > Security > TLS Peer Subjects.
2. Click Add New and enter these values:
Peer Subject Name: enter the external FQDN of the load balancer
Description: enter the name of the load balancer

Task: Add the TLS peer to the TLS peer subjects list
Procedure:
1. Select Cisco Unified Presence Administration > System > Security > TLS Context Configuration.
2. Click Find.
3. Click Default_Cisco_UPS_SIP_Proxy_Peer_Auth_TLS_Context.
4. Move the federation TLS peer subject for the load balancer to the selected TLS peer subjects list.

Related Topics

Configuring the Federation Routing Parameter, page 4-5
Creating a new TLS Peer Subject, page 4-6
Adding the TLS Peer to the Selected TLS Peer Subjects List, page 4-6


How to Update the Cisco Adaptive Security Appliance


When using a load balancer, the foreign domain still sends messages to the public CUP address, but the Cisco Adaptive Security Appliance maps that address to a virtual IP address on the load balancer. Thus, when the Cisco Adaptive Security Appliance receives messages from the foreign domain, it forwards them to the load balancer, which then passes them on to the appropriate Cisco Unified Presence server. To support this configuration, you must make some changes to the Cisco Adaptive Security Appliance:

Updating the Static PAT Messages, page 10-3
Updating the Access Lists, page 10-4
Updating the TLS Proxy Instances, page 10-6

Updating the Static PAT Messages

You must update the static PAT messages to include the load balancer details.

Procedure

Changes Required for Cisco Unified Presence Publisher

Task: Change the static PAT to use an arbitrary, unused port for the public CUP address.

Cisco Adaptive Security Appliance Release 8.2 Command: Change

    static (inside,outside) tcp <Public CUP IP address> 5061 <Routing CUP private IP address> 5062 netmask 255.255.255.255

to:

    static (inside,outside) tcp <Public CUP IP address> 55061 <Routing CUP/Publisher private IP address> 5062 netmask 255.255.255.255

Cisco Adaptive Security Appliance Release 8.3 Command: Change

    object service obj_tcp_source_eq_5061
     service tcp source eq 5061
    nat (inside,outside) source static obj_host_<Routing CUP private IP address> obj_host_<Public CUP IP address> service obj_tcp_source_eq_5062 obj_tcp_source_eq_5061

to:

    object service obj_tcp_source_eq_55061
     service tcp source eq 55061
    nat (inside,outside) source static obj_host_<Routing CUP private IP address> obj_host_<Public CUP IP address> service obj_tcp_source_eq_5062 obj_tcp_source_eq_55061

Task: Add a new static PAT to allow messages sent to the public Cisco Unified Presence address to be forwarded to the virtual port address (on whichever port the load balancer is listening for TLS messages).

Cisco Adaptive Security Appliance Release 8.2 Command:

    static (inside,outside) tcp <Public CUP IP address> 5061 <Load Balancer VIP> 5062 netmask 255.255.255.255

Cisco Adaptive Security Appliance Release 8.3 Command:

    object network obj_host_<Load Balancer VIP>
     host <Load Balancer VIP>
    object service obj_tcp_source_eq_5061
     service tcp source eq 5061
    nat (inside,outside) source static obj_host_<Load Balancer VIP> obj_host_<Public CUP IP address> service obj_tcp_source_eq_5062 obj_tcp_source_eq_5061

Changes Required for Cisco Unified Presence Subscriber

Task: Add a new access list for the load balancer virtual IP address. You must add an access list for each foreign domain that Cisco Unified Presence needs to access.

    access-list ent_lber_to_foreign_ocs extended permit tcp host <subscriber private IP address> host <foreign domain public IP address> eq 5061

Task: Add a new access list for a foreign domain to initiate messages to a Cisco Unified Presence server when the load balancer virtual IP address is in place. You must add an access list for each foreign domain that needs to access Cisco Unified Presence.

    access-list ent_lcs_to_lber_routgcup extended permit tcp host <foreign domain public IP address> host <CUP public IP address> eq 65061

Related Topics

Configuring the Static IP Routes, page 6-2
About Port Address Translation (PAT), page 6-3
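As an added example that is not Cisco's code, the following Python translates an 8.2 tcp static PAT line into the 8.3 object/NAT form used in the table above and checks that no two statics claim the same public address and port, which is the reason the publisher is moved to 55061 before the load balancer VIP is published on 5061. The IP addresses, the subscriber static on 65061 (implied by the 65061 access lists) and the obj_host_/obj_tcp_source_eq_ naming are constructed placeholders, not values from a real deployment.

```python
"""ASA 8.2 static PAT -> 8.3 object NAT translation with a public-port
collision check. Added example, not Cisco's own code; all addresses are
constructed placeholders (RFC 5737 / RFC 1918 ranges)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# 8.2 form used in this chapter:
# static (inside,outside) tcp <public ip> <public port> <private ip> <private port> netmask 255.255.255.255
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) tcp "
    r"(?P<mapped_ip>[\d.]+) (?P<mapped_port>\d+) "
    r"(?P<real_ip>[\d.]+) (?P<real_port>\d+) netmask 255\.255\.255\.255$"
)


@dataclass(frozen=True)
class StaticPat:
    real_if: str        # interface of the inside (real) host
    mapped_if: str      # interface on which the public (mapped) address lives
    mapped_ip: str      # public CUP address the foreign domain connects to
    mapped_port: int    # public port (5061 for SIP/TLS federation)
    real_ip: str        # private host: routing CUP, subscriber or load balancer VIP
    real_port: int      # port that host actually listens on


def parse_static(line: str) -> StaticPat:
    """Parse one 8.2 tcp static PAT line; raise on anything else."""
    m = STATIC_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not an 8.2 tcp static PAT line: {line!r}")
    return StaticPat(m["real_if"], m["mapped_if"], m["mapped_ip"],
                     int(m["mapped_port"]), m["real_ip"], int(m["real_port"]))


def obj_host(ip: str) -> str:
    """Object naming assumed here: obj_host_<ip>, mirroring the guide's placeholders."""
    return f"obj_host_{ip}"


def to_83(s: StaticPat) -> List[str]:
    """Emit the 8.3 equivalent: network objects for both hosts, a service
    object per port, and a twice-NAT rule mapping real -> mapped with the
    port translation expressed as 'service <real> <mapped>'."""
    real_svc = f"obj_tcp_source_eq_{s.real_port}"
    mapped_svc = f"obj_tcp_source_eq_{s.mapped_port}"
    return [
        f"object network {obj_host(s.real_ip)}",
        f" host {s.real_ip}",
        f"object network {obj_host(s.mapped_ip)}",
        f" host {s.mapped_ip}",
        f"object service {real_svc}",
        f" service tcp source eq {s.real_port}",
        f"object service {mapped_svc}",
        f" service tcp source eq {s.mapped_port}",
        f"nat ({s.real_if},{s.mapped_if}) source static {obj_host(s.real_ip)} "
        f"{obj_host(s.mapped_ip)} service {real_svc} {mapped_svc}",
    ]


def mapped_collisions(pats: Iterable[StaticPat]) -> Set[Tuple[str, int]]:
    """Return every (public ip, public port) pair claimed by more than one
    static. Two statics cannot share a mapped address:port, so the old
    publisher entry on 5061 must move (to 55061 in the guide) before the
    load balancer VIP can be published on 5061."""
    seen: Set[Tuple[str, int]] = set()
    dup: Set[Tuple[str, int]] = set()
    for p in pats:
        key = (p.mapped_ip, p.mapped_port)
        if key in seen:
            dup.add(key)
        seen.add(key)
    return dup


# Constructed sample: adding the load balancer without first moving the publisher.
NAIVE = [
    "static (inside,outside) tcp 203.0.113.10 5061 10.0.0.11 5062 netmask 255.255.255.255",   # publisher
    "static (inside,outside) tcp 203.0.113.10 5061 10.0.0.100 5062 netmask 255.255.255.255",  # LB VIP
]
# Constructed sample: the guide's end state (publisher 55061, subscriber 65061, VIP 5061).
LOAD_BALANCED = [
    "static (inside,outside) tcp 203.0.113.10 55061 10.0.0.11 5062 netmask 255.255.255.255",
    "static (inside,outside) tcp 203.0.113.10 65061 10.0.0.12 5062 netmask 255.255.255.255",
    "static (inside,outside) tcp 203.0.113.10 5061 10.0.0.100 5062 netmask 255.255.255.255",
]

if __name__ == "__main__":
    print("collisions before fix:", mapped_collisions(map(parse_static, NAIVE)))
    print("collisions after fix: ", mapped_collisions(map(parse_static, LOAD_BALANCED)))
    for line in LOAD_BALANCED:
        print("\n".join(to_83(parse_static(line))), "\n!")
```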

Updating the Access Lists


To support the load balancer, you also need to update the access lists on the Cisco Adaptive Security Appliance specific to your deployment scenario.
Note

The Cisco Unified Presence public IP address refers to the public IP address of the Cisco Unified Presence domain as configured on Cisco Adaptive Security Appliance, and as it appears in the DNS record. This record shows the FQDN of the load balancer containing the public IP of Cisco Adaptive Security Appliance.


Procedure

Deployment Scenario: A Cisco Unified Presence server federating with one or more foreign domains

Task: Add a new access list for the new load balancer virtual IP address. You must add an access list for each foreign domain that Cisco Unified Presence needs to access.
Configuration Example: Publisher, Cisco Adaptive Security Appliance Release 8.2 and 8.3 Command:

    access-list ent_lber_to_foreign_ocs extended permit tcp host <Virtual IP address> host <foreign domain public IP address> eq 5061

Task: Add a new access list for a foreign domain to initiate messages to a Cisco Unified Presence server when the load balancer virtual IP address is in place. You must add an access list for each foreign domain that needs to access Cisco Unified Presence.
Configuration Example: Publisher, Cisco Adaptive Security Appliance Release 8.2 Command:

    access-list ent_lcs_to_lber_routgcup extended permit tcp host <foreign domain public IP address> host <CUP public IP address> eq 5062

Cisco Adaptive Security Appliance Release 8.3 Command:

    access-list ent_foreign_server_to_lb extended permit tcp host <foreign public address> host <Load Balancer Virtual IP address> eq 5062

Task: For each access list, add a new class to incorporate the new access list.
Configuration Example:

    class-map ent_lber_to_foreign_ocs
     match access-list ent_lber_to_foreign_ocs

Task: For each class, make an entry in the policy-map global_policy for messages initiated by Cisco Unified Presence.
Configuration Example:

    policy-map global_policy
     class ent_lber_to_foreign_ocs
      inspect sip sip_inspect tls-proxy ent_cup_to_foreign

Task: For each class, make an entry in the policy-map global_policy for messages initiated on a foreign domain.
Configuration Example:

    policy-map global_policy
     class ent_lcs_to_lber_routgcup
      inspect sip sip_inspect tls-proxy ent_foreign_to_cup

Deployment Scenario: Cisco Unified Presence to Cisco Unified Presence federation, where the foreign domain has added one or more intercluster Cisco Unified Presence servers

Task: The foreign domain ASA must allow access to the arbitrary ports which have been chosen for our local domain publisher and the subscriber.
Configuration Example:

    access-list ent_cup_to_foreignPubcupwlber extended permit tcp host <foreign domain private CUP address> host <public CUP address of our local domain> eq 55061
    access-list ent_cup_to_foreignSubcupwlber extended permit tcp host <foreign domain private CUP address> host <public CUP address of our local domain> eq 65061

Task: For each access list, add a new class to incorporate the new access list. For each class, make an entry in the policy-map global_policy.


Related Topics

Access List Configuration Requirements, page 7-2

Updating the TLS Proxy Instances


Update the TLS proxy instances on the Cisco Adaptive Security Appliance.
Procedure

Task: Update TLS-PROXY

Configuration Example: Change

    tls-proxy ent_foreign_to_cup
     server trust-point msoft_publicfqdn
     client trust-point cup_proxy
     client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1
    !
    tls-proxy ent_cup_to_foreign
     server trust-point cup_proxy
     client trust-point msoft_publicfqdn
     client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1

to:

    tls-proxy ent_foreign_to_cup
     server trust-point msoft_publicfqdn
     client trust-point msoft_publicfqdn
     client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1
    !
    tls-proxy ent_cup_to_foreign
     server trust-point msoft_publicfqdn
     client trust-point msoft_publicfqdn
     client cipher-suite aes128-sha1 aes256-sha1 3des-sha1 null-sha1

Related Topics

Configuring the TLS Proxy Instances, page 7-4

How to Update the CA-Signed Security Certificates


When adding the load balancer to the configuration, you must also generate CA-signed security certificates between the load balancer and the Cisco Adaptive Security Appliance and Cisco Unified Presence server as described in these sections:

Configuring the Security Certificate between the Load Balancer and the Cisco Adaptive Security Appliance, page 10-7
Configuring the Security Certificate between the Load Balancer and the Cisco Unified Presence Server, page 10-8


Configuring the Security Certificate between the Load Balancer and the Cisco Adaptive Security Appliance

This topic provides an overview of the required steps for configuring the security certificate between the load balancer and the Cisco Adaptive Security Appliance. For details, refer to the Cisco CSS 11500 Content Services Switch documentation: http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_installation_and_configuration_guides_list.html

Procedure

Task: Generate a CA-signed certificate for the load balancer on the Cisco Adaptive Security Appliance.
Procedure: Use the crypto ca enroll command and specify the FQDN of the load balancer.

Task: Import the CA-signed certificate from the Cisco Adaptive Security Appliance to the load balancer.
Procedure: Use the copy ssl command.

Task: Generate a CA-signed certificate for the Cisco Adaptive Security Appliance on the load balancer.
Procedure: These steps provide an overview but refer to the CSS SSL Configuration Guide for details:
1. Enter global configuration mode (config).
2. Generate the RSA key pair used in the exchange (ssl genrsa).
3. Associate the generated RSA key pair with a file (ssl associate).
4. Generate the Certificate Signing Request (ssl gencsr).
5. Obtain a root CA certificate from the CA.
6. Transfer the CSR to the CA.
7. Re-import the signed certificate into the load balancer (copy ssl and ssl associate).

Task: Import the CA-signed certificate from the load balancer to the Cisco Adaptive Security Appliance.
Procedure: Use the crypto ca trustpoint command. To verify that the certificate was imported, use the show crypto ca certificate command.

Related Topics

Configuring the Certificate on Cisco Adaptive Security Appliance using SCEP Enrollment, page 5-6
Importing the Cisco Unified Presence Certificate onto Cisco Adaptive Security Appliance, page 5-4
How to Configure Security Certificate Exchange Between Cisco Adaptive Security Appliance and Microsoft Access Edge (External Interface) Using a Microsoft CA, page 5-5


Configuring the Security Certificate between the Load Balancer and the Cisco Unified Presence Server
This topic provides an overview of the required steps for configuring the security certificate between the load balancer and the Cisco Unified Presence nodes.
Procedure

Task: Generate a CA-signed certificate on both the publisher and subscriber nodes.
Procedure: Follow the instructions to exchange certificates using CA-signed certificates.

Task: Import the CA-signed certificates (from the publisher and subscriber nodes) to the load balancer.
Procedure: Use the copy ssl and ssl associate commands.

Updating the Microsoft Components


You must update some Microsoft components with the load balancer details.
Procedure

Task: Update all instances of the FQDN to correspond to the load balancer FQDN.

Task: Update the domain name in the IM Provider list with the load balancer.
Procedure:
1. Select Start > Administrative Tools > Computer Management on the external Access Edge server.
2. Right-click Microsoft Office Communications Server 2007 in the left pane.
3. Click the IM Provider tab.
4. Click Add.
5. Check Allow the IM service provider, and define the network address of the IM service provider as the public FQDN of the load balancer.
Related Topics

Configuring the Foreign Server Components for SIP Federation, page 9-1

Updating the AOL Components


If you incorporate a load balancer into your AOL federation deployment, you must provide AOL with some details about the load balancer. Refer to the section listed under Related Topics for details.


Related Topics

About the Requirements for SIP Federation with AOL, page 9-4

Configuring the Load Balancer


This topic gives an overview of the necessary tasks for configuring the Cisco CSS 11500 Content Services Switch for this integration. The Cisco CSS 11500 Content Services Switch must have an SSL Accelerator Module installed and configured in back-end SSL mode. For detailed information on each task, refer to the Cisco CSS 11500 Content Services Switch documentation at the following URL: http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_installation_and_configuration_guides_list.html
Procedure

Task: Configure certificate exchange between Cisco CSS 11500 Content Services Switch and Cisco Unified Presence.
Task: Configure certificate exchange between Cisco CSS 11500 Content Services Switch and Cisco Adaptive Security Appliance.
Additional Notes: CA or self-signed certificates can be used in the SSL module. You need to generate a certificate for the Cisco CSS 11500 Content Services Switch, and import this onto the remote server. You need to import the certificate from the remote server onto the Cisco CSS 11500 Content Services Switch.

Task: Create an SSL service for SSL termination for each Cisco Unified Presence server.
Additional Notes: You must specify the IP address and port number that the Cisco Adaptive Security Appliance points to. You must specify the name of the existing certificate and key pair for the Cisco Adaptive Security Appliance.

Task: Create a Back-End SSL server entry in the SSL Proxy List for each Cisco Unified Presence server. You must define a virtual SSL server in an SSL proxy list for an SSL module to properly process and terminate SSL communications from the client and initiate an HTTP connection to the server.
Additional Notes: You must specify the Cisco Unified Presence server address. Note that the Cisco Unified Presence servers (back-end servers) must be on a different subnet than the VIP address. The back-end server connection can use a different TLS cipher suite than the front-end, or can be TCP. You must specify the port on which the Cisco CSS 11500 Content Services Switch receives the TLS traffic, and the port to which it sends the TLS traffic on the Cisco Unified Presence servers. When specifying the keepalive port, ensure that the port number is the same as the one you configured for the Back-End SSL server entries. The keepalive message type value should be tcp.

Task: Create the SSL module.
Additional Notes: You must specify the physical slot number of the SSL module. Use the CSS command show chassis to retrieve this slot number. In the SSL module you must associate a Cisco Unified Presence server with an SSL service, for example by adding an ssl-proxy-list called ssl_list1.

Task: Create an internal content rule to route the decrypted data from the Cisco Adaptive Security Appliance to the Cisco Unified Presence server.

Task: Create a content rule to route TLS data to the SSL module for decryption and load balancing.

Task: Create a NAT association between the VIP and the back-end Cisco Unified Presence servers.

Additional Notes: When using a Cisco CSS 11500 Content Services Switch directly between Cisco Unified Presence and Microsoft OCS (no Cisco Adaptive Security Appliance), OCS must be able to resolve the certificate Subject Common Name of each Cisco Unified Presence server to that server's IP address. Also, each Cisco Unified Presence server Subject Common Name must be in the OCS host authorization list.


CHAPTER 11

Configuring Cisco Unified Presence for XMPP Federation

April 4, 2011

How to Configure the General Settings for XMPP Federation, page 11-1
Configuring the Security Settings for XMPP Federation, page 11-3
Configuring the XMPP Federated Domains for Cisco Unified Personal Communicator Release 7.x Users, page 11-4
How to Configure DNS for XMPP Federation, page 11-4
How to Configure the Policy Settings for XMPP Federation, page 11-9
Turning On Email for XMPP Federation, page 11-12
Turning On the XMPP Federation Service, page 11-12

How to Configure the General Settings for XMPP Federation


XMPP Federation Overview, page 11-1
Important Notes About Restarting Services for XMPP Federation, page 11-2
Turning on XMPP Federation on a Node, page 11-2
Configuring the Security Settings for XMPP Federation, page 11-3
Configuring the XMPP Federated Domains for Cisco Unified Personal Communicator Release 7.x Users, page 11-4

XMPP Federation Overview


Cisco Unified Presence Release 8.x supports XMPP federation with the following enterprises:

Cisco WebEx Connect Release 6.0
IBM Sametime Release 8.2 and 8.5
GoogleTalk
(Another) Cisco Unified Presence Release 8.x enterprise


Note Cisco Unified Presence does not support XMPP federation between a Cisco Unified Presence Release 8.x enterprise and a Cisco Unified Presence Release 7.x enterprise.

When Cisco Unified Presence is federating with a WebEx enterprise, it is not possible for WebEx Connect client users to invite Cisco Unified Presence users to temporary or persistent chat rooms. This is due to a design constraint on the WebEx Connect client.

To allow Cisco Unified Presence to federate over XMPP, you must enable and configure XMPP federation on Cisco Unified Presence, following the procedures we describe in this chapter. If you have multiple Cisco Unified Presence clusters, you must enable and configure XMPP federation on at least one node per cluster. The XMPP federation configuration must be identical across clusters. The Diagnostics Troubleshooter compares the XMPP federation configuration across clusters, and reports if the XMPP federation configuration is not identical across clusters.

If you deploy Cisco Adaptive Security Appliance for firewall purposes, note the following:

See section About Integration Preparation, page 2-3 for considerations on routing, scale, public IP addresses and the CA authority.
See section Prerequisite Configuration for Cisco Adaptive Security Appliance, page 2-7 for information on configuring prerequisite settings such as the hostname, timezone, clock and so on.

Important Notes About Restarting Services for XMPP Federation


If you make a change to any of the XMPP Federation settings, you must restart these services in Cisco Unified Serviceability:

Cisco UP XCP Router (select Tools > Control Center - Network Services)
Cisco UP XCP XMPP Federation Connection Manager (select Tools > Control Center - Feature Services)

When you restart the Cisco UP XCP Router service, Cisco Unified Presence restarts all the XCP services. If you enable or disable XMPP federation on a node, you must restart the Cisco UP XCP Router on all nodes within a cluster, not just on the node where XMPP federation has been enabled or disabled. For all other XMPP federation settings, a Cisco UP XCP Router restart is only required on the node on which the setting is being changed.

Turning on XMPP Federation on a Node


This setting is turned off by default.
Procedure

Step 1 Select Cisco Unified Presence Administration > Presence > Inter Domain Federation > XMPP Federation > Settings.

Step 2 Select On in the XMPP Federation Status menu.

Step 3 Select Save.


Troubleshooting Topics

You cannot start the XCP XMPP Federation Connection Manager service on the Cisco Unified Presence node, unless you turn on XMPP Federation on the node.
What To Do Next

Configuring the Security Settings for XMPP Federation, page 11-3

Configuring the Security Settings for XMPP Federation


Before You Begin

Determine whether the foreign domain that you are federating with supports TLS connections. The TLS and SASL specific settings are only configurable if you select the SSL mode TLS Optional or TLS Required. If you are configuring federation between Cisco Unified Presence and IBM using TLS, you must configure the SSL mode TLS Required, and you must enable SASL.

Procedure

Step 1 Select Cisco Unified Presence Administration > Presence > Inter Domain Federation > XMPP Federation > Settings.

Step 2 Select a security mode from the menu:

No TLS - Cisco Unified Presence will not establish a TLS connection with the foreign domain. The system uses a non-encrypted connection to federate with the foreign domain, and uses the server dialback mechanism to verify the identity of the other server.
TLS Optional - Cisco Unified Presence attempts to establish a TLS connection with the foreign domain. If Cisco Unified Presence fails to establish a TLS connection, it reverts to server dialback to verify the identity of the other server.
TLS Required - The system guarantees a secure (encrypted) connection with the foreign domain.

Step 3 Check Require client-side security certificates if you want to enforce strict validation of certificates from foreign domain servers against an installed root CA certificate. This setting turns on by default if you select either the TLS Optional or TLS Required security setting.

Note If you are configuring XMPP federation with WebEx, do not check Require client-side security certificates.

Step 4 Check Enable SASL EXTERNAL on all incoming connections to ensure that Cisco Unified Presence advertises support for SASL EXTERNAL on incoming connection attempts and implements SASL EXTERNAL validation.

Step 5 Check Enabling SASL on outbound connections to ensure that Cisco Unified Presence sends a SASL auth id to the foreign domain if the foreign server requests SASL EXTERNAL.

Step 6 Enter the dialback secret if you want to use DNS to verify the identity of a foreign server that is attempting to connect to Cisco Unified Presence. Cisco Unified Presence will not accept any packets from the foreign server until DNS validates the identity of the foreign server.


Step 7 Select Save.

Troubleshooting Tips

For further information on the security settings, see the Online Help. If the server is part of an intercluster deployment, then you must configure each cluster with the same security settings. Run the System Troubleshooter to ensure that your configuration is consistent on all nodes.

Related Topics

Turning on XMPP Federation on a Node, page 11-2
For further information on Server Dialback, see XEP-0220 in the XMPP Standards: http://xmpp.org/extensions/xep-0220.html

Configuring the XMPP Federated Domains for Cisco Unified Personal Communicator Release 7.x Users
Note

This topic is only applicable if your federation deployment contains Cisco Unified Personal Communicator Release 7.x users, otherwise you do not need to explicitly configure the domains for XMPP federation.
Procedure

Step 1 Select Cisco Unified Presence Administration > Presence > Inter Domain Federation > XMPP Federation > Settings.

Step 2 Select Configure for domain(s).

Step 3 Select Add New.

Step 4 Enter the XMPP domain of the foreign server that you want to add. This must correspond to the domain configuration in DNS for the foreign enterprise. Cisco Unified Presence uses the domain in the XMPP JID/URIs of users from that domain.

Step 5 Enter a description that will help you distinguish between XMPP domain instances when you have more than one configured.

Step 6 Select Save.

Related Topics

How to Configure DNS for XMPP Federation, page 11-4

How to Configure DNS for XMPP Federation

DNS SRV Records for XMPP Federation, page 11-5
DNS SRV Records for Chat Feature for XMPP Federation, page 11-7
Configuring DNS SRV Record for Chat Node for XMPP Federation, page 11-7

DNS SRV Records for XMPP Federation


To allow Cisco Unified Presence to discover a particular XMPP federated domain, the federated enterprise must publish the DNS SRV record _xmpp-server in its public DNS server. Similarly, Cisco Unified Presence must publish the same DNS SRV record in the DNS for its domain. Both enterprises must publish the port 5269. The published FQDN must also be resolvable to an IP address in DNS. The record required is:

_xmpp-server._tcp.<domain>

See Figure 11-1 for a sample DNS configuration for the DNS SRV record _xmpp-server.

Figure 11-1 DNS SRV for _xmpp-server

If you have remote root access to Cisco Unified Presence, you can run nslookup to determine if the federated domain is discoverable.
Tip

Use this sequence of commands for performing a DNS SRV lookup:

nslookup
set type=srv
_xmpp-server._tcp.<domain>

(<domain> is the domain of the federated enterprise.) This command returns an output similar to this (where example.com is the domain of the federated server):

_xmpp-server._tcp.example.com service = 0 0 5269 hostname.example.com.

For a single cluster, you only need to enable XMPP federation on one node in the cluster. You publish one DNS SRV record for the enterprise in the public DNS. Cisco Unified Presence routes all incoming requests from foreign domains to the node running federation. Internally Cisco Unified Presence reroutes the requests to the correct node for the user. Cisco Unified Presence also routes all outgoing requests to the node running XMPP federation. You can also publish multiple DNS SRV records, for example, for scale purposes, or if you have multiple Cisco Unified Presence clusters and you must enable XMPP federation at least once per cluster. Unlike SIP federation, XMPP federation does not require a single point of entry for the Cisco Unified Presence enterprise domain. As a result, Cisco Unified Presence can route incoming requests to any one of the published nodes in the cluster that you enable for XMPP federation. In an intercluster and a multi-node cluster Cisco Unified Presence deployment, when a foreign XMPP federated domain initiates a new session, it performs a DNS SRV lookup to determine where to route the request. If you publish multiple DNS SRV records, the DNS lookup returns multiple results; Cisco Unified Presence can route the request to any of the servers that DNS publishes. Internally Cisco Unified Presence reroutes the requests to the correct node for the user. Cisco Unified Presence routes outgoing requests to any of the nodes running XMPP federation. If you have multiple nodes running XMPP federation, you can still choose to publish only one node in the public DNS. With this configuration, Cisco Unified Presence routes all incoming requests to that single node, rather than load-balancing the incoming requests across the nodes running XMPP federation. Cisco Unified Presence will load-balance outgoing requests and send outgoing request from from any of the nodes running XMPP federation.
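The following Python script is an added example, not part of this guide or of Cisco Unified Presence. It shows how the _xmpp-server SRV record name is formed for an enterprise domain or a chat node alias, parses the "service = ..." lines that the nslookup session above prints (the sample output embedded in the script is constructed), orders the returned targets the way an RFC 2782 client would when several nodes are published, and flags records that would prevent a foreign domain from reaching the federation node (wrong owner name, a port other than 5269, or a "." target). The expected port is a parameter so the same check can be run against a chat node published on an arbitrary port.

```python
"""Build, parse and sanity-check the _xmpp-server DNS SRV records that XMPP
federation depends on.

Example code added to this guide; it is not Cisco tooling and does not touch
Cisco Unified Presence. SAMPLE_NSLOOKUP is a constructed sample in the output
format the guide shows.
"""
import random
import re
from dataclasses import dataclass

XMPP_S2S_PORT = 5269  # the server-to-server port both enterprises must publish


@dataclass(frozen=True)
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str


def srv_name(domain: str) -> str:
    """Return the _xmpp-server SRV owner name for a domain or a chat node alias.

    The same shape serves the enterprise domain (example.com) and a chat node
    alias (conference-2.StandAloneCluster.example.com), because the alias is
    itself a DNS subdomain.
    """
    return "_xmpp-server._tcp." + domain.strip(".").lower()


# nslookup prints each SRV answer as:
#   <name> service = <priority> <weight> <port> <target>
_SRV_LINE = re.compile(
    r"^\s*(?P<name>\S+)\s+service\s*=\s*(?P<prio>\d+)\s+(?P<weight>\d+)"
    r"\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)


def parse_nslookup_srv(output: str) -> list:
    """Extract the 'service = ...' answer lines from nslookup output."""
    records = []
    for line in output.splitlines():
        m = _SRV_LINE.match(line)
        if m:
            records.append(SrvRecord(m["name"].lower(), int(m["prio"]),
                                     int(m["weight"]), int(m["port"]),
                                     m["target"].lower()))
    return records


def order_targets(records, rng=None) -> list:
    """Order targets as an RFC 2782 client does: lowest priority value first,
    weighted random selection among records that share a priority."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            if total == 0:            # all weights zero: take them in order
                pick = group[0]
            else:
                point, running = rng.randint(0, total), 0
                for cand in group:    # first record whose running weight reaches the point
                    running += cand.weight
                    if running >= point:
                        pick = cand
                        break
            ordered.append(pick.target)
            group.remove(pick)
    return ordered


def check_federation_srv(records, domain: str, expected_port: int = XMPP_S2S_PORT) -> list:
    """Return the problems that would stop a foreign domain from discovering
    this enterprise; an empty list means the records look right."""
    want = srv_name(domain)
    if not records:
        return [f"no {want} record published"]
    problems = []
    for r in records:
        if r.name != want:
            problems.append(f"{r.name}: owner name is not {want}")
        if r.port != expected_port:
            problems.append(f"{r.target}: publishes port {r.port}, expected {expected_port}")
        if r.target == ".":
            problems.append(f"{r.name}: target '.' means the service is not offered")
    return problems


# Constructed sample of an nslookup session for a domain that publishes a
# primary federation node and a lower-priority backup node.
SAMPLE_NSLOOKUP = """\
Server:         10.0.0.53
Address:        10.0.0.53#53

Non-authoritative answer:
_xmpp-server._tcp.example.com   service = 0 0 5269 hostname.example.com.
_xmpp-server._tcp.example.com   service = 10 0 5269 backup.example.com.
"""

if __name__ == "__main__":
    recs = parse_nslookup_srv(SAMPLE_NSLOOKUP)
    print(order_targets(recs))
    print(check_federation_srv(recs, "example.com") or "SRV records look correct")
```

Run it against the text of a real nslookup session to confirm that the record name, port and target match what the federated enterprise expects; an empty problem list is the result you want before turning federation on.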
Related Topics

DNS SRV Records for Chat Feature for XMPP Federation, page 11-7


DNS SRV Records for Chat Feature for XMPP Federation


If you configure the Chat feature on a Cisco Unified Presence server in an XMPP federation deployment, you must publish the chat node alias in DNS. The hostname to which the DNS SRV record for the chat node resolves must itself resolve to a public IP address. Depending on your deployment, you may have a single public IP address, or a public IP address for each chat node within your network:

Single public IP address, multiple nodes internally:

To route all chat requests to the XMPP federation node, and then on to the chat node:
1. Configure the DNS SRV for the chat node alias to point to port 5269.
2. Configure a NAT command on Cisco Adaptive Security Appliance or the firewall\NAT server that maps publicIPAddress:5269 to XMPPFederationNodePrivateIPAddress:5269.

Multiple public IP addresses, multiple nodes internally:

If you have multiple public IP addresses, you can choose to route chat requests directly to the appropriate chat node.
1. Configure the DNS SRV for the chat node to use some arbitrary port other than 5269, for example, 25269.
2. Configure a PAT command on Cisco Adaptive Security Appliance or the firewall\NAT server that maps textChatServerPublicIPAddress:25269 to textChatServerPrivateIPAddress:5269.

To allow the chat node to handle incoming federated text requests, you must turn on the Cisco UP XCP XMPP Federation Connection Manager on the chat node.

Note

For information on configuring the Chat feature on Cisco Unified Presence, see Deployment Guide for Cisco Unified Presence Release 8.x.
Related Topics

Configuring DNS SRV Record for Chat Node for XMPP Federation, page 11-7

Configuring DNS SRV Record for Chat Node for XMPP Federation
Procedure

Step 1 To retrieve the chat node alias:
a. Select Cisco Unified Presence Administration > Messaging > Conference Server Alias Mapping.
b. Select Find to display a list of chat node aliases.
c. Select the chat node alias that you want to publish in DNS, for example conference-2.StandAloneCluster.example.com.

Step 2 In the public DNS server for the example.com domain, create the domain StandAloneCluster.

Step 3 In the domain StandAloneCluster, create the domain conference-2.

Step 4 In the domain conference-2, create the domain _tcp.

Step 5 In the domain _tcp, create a new DNS SRV record for _xmpp-server. See Figure 11-2 and Figure 11-3 for a sample DNS configuration.

Note If the text conference server alias is conference-2-StandAloneCluster.example.com, then the domain at step 3 is conference-2-StandAloneCluster, and you skip step 4.

Figure 11-2 DNS SRV for _xmpp-server for Chat Feature

Figure 11-3 DNS configuration for Chat Feature


Related Topics

Deployment Guide for Cisco Unified Presence Release 8.x: http://www.cisco.com/en/US/products/ps6837/products_installation_and_configuration_guides_list.html

DNS SRV Records for XMPP Federation, page 11-5

How to Configure the Policy Settings for XMPP Federation


Policy Exception Configuration, page 11-9
Configuring the Policy for XMPP Federation, page 11-10

Policy Exception Configuration


You can configure exceptions to the default policy for XMPP federation. In the exception, you must specify the foreign domain to which you want to apply the exception, and a direction rule for the exception. When you configure the domain name for a policy exception, note the following:

If the URI or JID of the user is user@example.com, configure the foreign domain name in the exception as example.com.
If the foreign enterprise uses hostname.domain in the URI or JID of the user, for example user@hostname.example.com, configure the foreign domain name in the exception as hostname.example.com.
You can use a wildcard (*) for the foreign domain name in the exception. For example, the value *.example.com applies the policy to example.com and any subdomain of example.com, for example, somewhere.example.com.

You must also specify the direction in which Cisco Unified Presence applies the policy exception. These direction options are available:

all federated packets from/to the above domain/host - Cisco Unified Presence allows or denies all traffic going to and coming from the specified domain.
only incoming federated packets from the above domain/host - Allows Cisco Unified Presence to receive inbound broadcasts from the specified domain, but Cisco Unified Presence does not send responses.
only outgoing federated packets to the above domain/host - Allows Cisco Unified Presence to send outbound broadcasts to the specified domain, but Cisco Unified Presence does not receive responses.
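The Python below is an added example, not Cisco's policy engine, that models the rules described in this topic so an exception list can be reviewed before it is applied: a default policy of Allow or Deny, exceptions keyed by exact domain, hostname.domain or a *.domain wildcard (which, as stated above, covers the domain itself and all its subdomains), and a direction per exception. An exception inverts the default for the traffic it covers, which is how the Allow and Deny policies in the next topic describe their exception lists. The exception list and packets it evaluates are constructed samples.

```python
"""Evaluate the XMPP federation policy and its per-domain exceptions.

Example code added to this guide, not Cisco's implementation. It models the
rules described in the Policy Exception Configuration topic; the exception
list and the sample packets below are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Direction(Enum):
    ALL = "all federated packets from/to the above domain/host"
    INCOMING = "only incoming federated packets from the above domain/host"
    OUTGOING = "only outgoing federated packets to the above domain/host"


@dataclass(frozen=True)
class PolicyException:
    domain: str          # example.com, hostname.example.com or *.example.com
    direction: Direction


def domain_matches(pattern: str, peer: str) -> bool:
    """True if the exception pattern covers the peer domain or host.

    A wildcard *.example.com covers example.com itself and every subdomain
    (somewhere.example.com); any other pattern must match exactly.
    """
    pattern, peer = pattern.lower().rstrip("."), peer.lower().rstrip(".")
    if pattern.startswith("*."):
        base = pattern[2:]
        return peer == base or peer.endswith("." + base)
    return peer == pattern


def exception_applies(exc: PolicyException, peer: str, inbound: bool) -> bool:
    """Does this exception cover a packet travelling in the given direction?"""
    if not domain_matches(exc.domain, peer):
        return False
    if exc.direction is Direction.ALL:
        return True
    return inbound if exc.direction is Direction.INCOMING else not inbound


def is_permitted(default_allow: bool, exceptions, peer: str, inbound: bool) -> bool:
    """Apply the policy: a matching exception inverts the default.

    Default Allow: traffic covered by an exception is denied.
    Default Deny:  traffic covered by an exception is permitted.
    """
    matched = any(exception_applies(e, peer, inbound) for e in exceptions)
    return default_allow != matched


# Constructed example list: open federation to a partner's whole domain tree,
# and let one more host send to us without us replying.
EXCEPTIONS = [
    PolicyException("*.example.com", Direction.ALL),
    PolicyException("hostname.partner.net", Direction.INCOMING),
]


def evaluate_samples(default_allow: bool = False) -> dict:
    """Decide a few constructed packets; returns {description: permitted}."""
    samples = [
        ("inbound from somewhere.example.com", "somewhere.example.com", True),
        ("outbound to example.com", "example.com", False),
        ("inbound from notexample.com", "notexample.com", True),
        ("inbound from hostname.partner.net", "hostname.partner.net", True),
        ("outbound to hostname.partner.net", "hostname.partner.net", False),
    ]
    return {desc: is_permitted(default_allow, EXCEPTIONS, peer, inbound)
            for desc, peer, inbound in samples}


if __name__ == "__main__":
    for desc, permitted in evaluate_samples().items():
        print(f"{'ALLOW' if permitted else 'DENY '}  {desc}")
```

Note that the wildcard test is on label boundaries: *.example.com does not cover notexample.com, which is the mistake a plain suffix comparison would make.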

Related Topics

Configuring the Policy for XMPP Federation, page 11-10


Configuring the Policy for XMPP Federation


Caution If you make a change to any of the XMPP Federation settings, you must restart these services in Cisco Unified Serviceability: Cisco UP XCP Router (select Tools > Control Center - Network Services), Cisco UP XCP XMPP Federation Connection Manager (select Tools > Control Center - Feature Services). When you restart the Cisco UP XCP Router service, Cisco Unified Presence restarts all the XCP services.

Procedure

Step 1 Select Cisco Unified Presence Administration > Presence > Inter Domain Federation > XMPP Federation > Policy.

Step 2 Select the policy settings from the menu:

Allow - Cisco Unified Presence permits all federated traffic from XMPP federated domains, except those domains that you explicitly deny on the policy exception list.
Deny - Cisco Unified Presence denies all federated traffic from XMPP federated domains, except those domains that you explicitly permit on the policy exceptions list.

Step 3 To configure a domain on the policy exception list:
a. Select Add New.
b. Specify the domain name or the hostname of the foreign server.
c. Specify the direction to apply the policy exception.
d. Select Save on the policy exception window.

Step 4 Select Save on the policy window.

Troubleshooting Tips

See the Online Help for federation policy recommendations.


Related Topics

Policy Exception Configuration, page 11-9

Configuring Cisco Adaptive Security Appliance for XMPP Federation


For XMPP Federation, Cisco Adaptive Security Appliance acts as a firewall only. You must open port 5269 for both incoming and outgoing XMPP federated traffic on Cisco Adaptive Security Appliance. These are sample access lists to open port 5269 on Cisco Adaptive Security Appliance Release 8.3.

Allow traffic from any address to any address on port 5269:

access-list ALLOW-ALL extended permit tcp any any eq 5269

Allow traffic from any address to any single node on port 5269:

access-list ALLOW-ALL extended permit tcp any host <private cup IP address> eq 5269

If you do not configure the access list above, and you publish additional XMPP federation nodes in DNS, you must configure access to each of these nodes, for example:

object network obj_host_<private cup ip address>
 host <private cup ip address>
object network obj_host_<private cup2 ip address>
 host <private cup2 ip address>
object network obj_host_<public cup ip address>
 host <public cup ip address>
....

Configure the following NAT commands:

nat (inside,outside) source static obj_host_<private cup1 IP> obj_host_<public cup IP> service obj_udp_source_eq_5269 obj_udp_source_eq_5269
nat (inside,outside) source static obj_host_<private cup1 IP> obj_host_<public cup IP> service obj_tcp_source_eq_5269 obj_tcp_source_eq_5269

If you publish a single public IP address in DNS, and use arbitrary ports, configure the following (this example is for two additional XMPP federation nodes):

nat (inside,outside) source static obj_host_<private cup2 ip> obj_host_<public cup IP> service obj_udp_source_eq_5269 obj_udp_source_eq_25269
nat (inside,outside) source static obj_host_<private cup2 ip> obj_host_<public cup IP> service obj_tcp_source_eq_5269 obj_tcp_source_eq_25269
nat (inside,outside) source static obj_host_<private cup3 ip> obj_host_<public cup IP> service obj_udp_source_eq_5269 obj_udp_source_eq_35269
nat (inside,outside) source static obj_host_<private cup3 ip> obj_host_<public cup IP> service obj_tcp_source_eq_5269 obj_tcp_source_eq_35269

If you publish multiple public IP addresses in DNS all using port 5269, configure the following (this example is for two additional XMPP federation nodes):

nat (inside,outside) source static obj_host_<private cup2 ip> obj_host_<public cup2 IP> service obj_udp_source_eq_5269 obj_udp_source_eq_5269
nat (inside,outside) source static obj_host_<private cup2 ip> obj_host_<public cup2 IP> service obj_tcp_source_eq_5269 obj_tcp_source_eq_5269
nat (inside,outside) source static obj_host_<private cup3 ip> obj_host_<public cup3 IP> service obj_udp_source_eq_5269 obj_udp_source_eq_5269
nat (inside,outside) source static obj_host_<private cup3 ip> obj_host_<public cup3 IP> service obj_tcp_source_eq_5269 obj_tcp_source_eq_5269

Related Topics

Configuring Cisco Adaptive Security Appliance for SIP Federation, page 6-1


Turning On Email for XMPP Federation


When you turn on Cisco Unified Presence to use the email address for XMPP federation, Cisco Unified Presence changes the JID of each federated contact to the email address of the contact. To turn on email for XMPP federation, follow the same procedure as for SIP federation; see the procedure in the Related Topics section below.

The email address for federation feature (in an XMPP federation deployment) does not currently support temporary or persistent chat rooms in a multi-cluster Cisco Unified Presence deployment. In the deployment scenario where there are multiple Cisco Unified Presence clusters in the local domain, the local user's actual JID may be sent to the federated user. The only impact to the chat room is that the name that displays to the federated user is the user ID of the local user, instead of the email address of the local user; all other chat room functionality operates as normal. This only occurs in temporary or persistent chat rooms with federated users.
Related Topics

Turning On Email for Federation, page 4-10

Turning On the XMPP Federation Service


You need to turn on the Cisco UP XCP XMPP Federation Connection Manager service on each Cisco Unified Presence node that runs XMPP federation. Once you turn on the Federation Connection Manager service from the Service Activation window, Cisco Unified Presence automatically starts the service; you do not need to manually start the service from the Control Center - Feature Services window.
Before You Begin

Turn on XMPP Federation for the node from Cisco Unified Presence Administration, see Turning on XMPP Federation on a Node, page 11-2.
Procedure
Step 1 Select Cisco Unified Serviceability > Tools > Service Activation.

Step 2 Select the server from the Server list box.

Step 3 Select Go.

Step 4 Select the radio button next to the Cisco UP XCP XMPP Federation Connection Manager service in the CUP Services section.

Step 5 Select Save.

Related Topics

Configuring Serviceability for Federation, page 13-1


CHAPTER 12

Configuring Security Certificates for XMPP Federation

April 4, 2011

Configuring the Domain for XMPP Certificate, page 12-1
How to Upload the XMPP Trust Certificates to Cisco Unified Presence, page 12-2

Configuring the Domain for XMPP Certificate


For XMPP Federation, the Subject Common Name (CN) for the certificate must contain the domain of the Cisco Unified Presence server.
Procedure

Step 1 Select Cisco Unified Presence Administration > System > Security > Settings.

Step 2 In Domain name for XMPP Server-to-Server certificate Subject Common name, enter the domain name of the Cisco Unified Presence server.

Tip You can configure a wildcard domain here, for example, *.example.net, if you deploy the Chat feature on Cisco Unified Presence and the chat component is a subdomain of the parent domain.

Note You can check Use Domain Name for XMPP Certificate Subject Common Name if you want the general XMPP certificate to use the same Domain Name as the XMPP server-to-server certificate.

Step 3 Select Save.

Troubleshooting Tips

If you make any changes to this configuration, you must restart the Cisco UP XCP Router service. Select Cisco Unified Serviceability > Tools > Control Center - Network Services to restart this service.


If you change the server-to-server domain name value, you must regenerate the affected XMPP S2S certificates before you restart the Cisco UP XCP Router service.

How to Upload the XMPP Trust Certificates to Cisco Unified Presence


Note

Cisco Unified Presence does not support third-party certificates for XMPP federation.

Importing the Root CA Certificate for XMPP Federation, page 12-2
Generating a Certificate Signing Request for XMPP Federation, page 12-3
Uploading the CA-Signed Certificate for XMPP Federation, page 12-4

Importing the Root CA Certificate for XMPP Federation


Note This section describes how to manually upload the XMPP S2S trust certificates to Cisco Unified Presence. You can also use the Certificate Import Tool to automatically upload XMPP S2S trust certificates. To access the Certificate Import Tool, select Cisco Unified Presence Administration > System > Security > Certificate Import Tool, and see the Online Help for instructions on how to use this tool.

If Cisco Unified Presence federates with an enterprise, and a commonly trusted Certificate Authority (CA) signs the certificate of that enterprise, you must upload the root certificate from the CA to the Cisco Unified Presence server. If Cisco Unified Presence federates with an enterprise that uses a self-signed certificate rather than a certificate signed by a commonly trusted CA, you can upload the self-signed certificate using this procedure. Note that if your trust certificate is self-signed, you cannot turn on the Require client side certificates parameter in the XMPP federation security settings window.
Before You Begin

Download the root CA certificate and save it to your local machine.


Procedure

Step 1 Select Cisco Unified Operating System Administration > Security > Certificate Management on Cisco Unified Presence.

Step 2 Select Upload Certificate.

Step 3 Select cup-xmpp-trust for Certificate Name.

Note Leave the Root Name field blank.


Step 4 Select Browse, and browse to the location of the root CA certificate that you previously downloaded and saved to your local machine.

Step 5 Select Upload File to upload the certificate to the Cisco Unified Presence server.

What To Do Next

Generating a Certificate Signing Request for XMPP Federation, page 12-3 Configuring the Security Settings for XMPP Federation, page 11-3

Generating a Certificate Signing Request for XMPP Federation


The procedure below outlines how to generate a Certificate Signing Request for a Microsoft Certificate Services CA.
Before You Begin

Complete the steps in Importing the Root CA Certificate for XMPP Federation, page 12-2
Procedure

Step 1 Select Cisco Unified Operating System Administration > Security > Certificate Management on Cisco Unified Presence.

Step 2 To generate the CSR, perform these steps:
a. Select Generate CSR.
b. Select cup-xmpp-s2s for the certificate name.
c. Select Generate CSR.
d. Select Close, and return to the main certificate window.

Step 3 To download the .csr file to your local machine:
a. Select Download CSR.
b. Select the cup-xmpp-s2s.csr file in the menu on the Download Certificate Signing Request window.
c. Select Download CSR to download this file to your local machine.

Step 4 Using a text editor, open the cup-xmpp-s2s.csr file.

Step 5 Copy the contents of the CSR file. You must copy all information from and including -----BEGIN CERTIFICATE REQUEST----- to and including -----END CERTIFICATE REQUEST-----.

Step 6 On your internet browser, browse to your CA server, for example: http://<name of your Issuing CA Server>/certsrv

Step 7 Select Request a certificate.

Step 8 Select Advanced certificate request.


Step 9 Select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

Step 10 Paste the contents of the CSR file (that you copied in step 5) into the Saved Request field.

Step 11 Select Submit.

Step 12 On your internet browser, return to the URL: http://<name of your Issuing CA Server>/certsrv

Step 13 Select View the status of a pending certificate request.

Step 14 Click on the certificate request that you issued in the previous section.

Step 15 Select Base 64 encoded.

Step 16 Select Download certificate.

Step 17 Save the certificate to your local machine:
a. Specify a certificate file name cup-xmpp-s2s.pem.
b. Save the certificate as type Security Certificate.

What To Do Next

Uploading the CA-Signed Certificate for XMPP Federation, page 12-4

Uploading the CA-Signed Certificate for XMPP Federation


Before You Begin

Complete the steps in Generating a Certificate Signing Request for XMPP Federation, page 12-3
Procedure

Step 1 Select Cisco Unified Operating System Administration > Security > Certificate Management on Cisco Unified Presence.

Step 2 Select Upload Certificate.

Step 3 Select cup-xmpp-s2s for Certificate Name.

Step 4 Specify the name of the root certificate in the Root Certificate Field.

Step 5 Select Upload File.

Step 6 Browse to the location of the CA-signed certificate that you saved to your local machine.

Step 7 Select Upload File.

What To Do Next

Restart the Cisco UP XCP Router service. Select Cisco Unified Serviceability > Tools > Control Center - Network Services to restart this service.
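Two of the steps in this chapter are easy to get subtly wrong: the Subject Common Name configured for the XMPP server-to-server certificate (including the wildcard case for a chat subdomain), and the block of text copied out of cup-xmpp-s2s.csr in Step 5 of the CSR procedure. The following is an added pre-flight check, not Cisco's code and not part of the guide: it validates that a pasted CSR runs from the BEGIN line through the END line and decodes to DER, and that the certificate name(s) cover every XMPP domain the server federates for. It applies the usual one-label wildcard rule (RFC 6125), which is an assumption about how a federated peer matches names; the sample paste is constructed and is not a real CSR.

```python
"""Added example (not Cisco's code): pre-flight checks for the XMPP S2S
certificate procedure. Sample data is constructed, not a real CSR."""
import base64
import binascii
import re

PEM_RE = r"-----BEGIN {label}-----\s*(.*?)\s*-----END {label}-----"
HOSTNAME_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def extract_pem_block(pasted_text, label="CERTIFICATE REQUEST"):
    """Return a normalised PEM block for ``label``; raise ValueError if the
    pasted text lacks either armour line, is not base64, or is not DER."""
    m = re.search(PEM_RE.format(label=re.escape(label)), pasted_text, re.S)
    if not m:
        raise ValueError(f"incomplete block: need both BEGIN and END {label} lines")
    body = "".join(m.group(1).split())          # drop line breaks and spaces
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"body is not valid base64: {exc}") from exc
    if not der or der[0] != 0x30:                # CSRs and certificates are DER SEQUENCEs
        raise ValueError("decoded body is not a DER SEQUENCE (tag 0x30)")
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN {label}-----\n{wrapped}\n-----END {label}-----\n"


def pem_paste_problem(pasted_text, label="CERTIFICATE REQUEST"):
    """None if the paste is a usable PEM block, else the reason it is not."""
    try:
        extract_pem_block(pasted_text, label)
    except ValueError as exc:
        return str(exc)
    return None


def name_covers_domain(cert_name, domain):
    """Does a certificate name (CN or SAN dNSName) cover ``domain``?
    A leading '*.' stands for exactly one DNS label (assumed RFC 6125 rule):
    '*.example.net' covers 'conference.example.net' but neither 'example.net'
    nor 'a.b.example.net'."""
    cert_name = cert_name.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                   # ".example.net"
        if not domain.endswith(suffix):
            return False
        return bool(HOSTNAME_LABEL.match(domain[: -len(suffix)]))
    return cert_name == domain


def uncovered_domains(cert_names, domains):
    """XMPP domains that none of ``cert_names`` covers (empty list == OK)."""
    return [d for d in domains
            if not any(name_covers_domain(n, d) for n in cert_names)]


# Constructed sample paste: the base64 decodes to a tiny DER SEQUENCE,
# which is enough to exercise the checks; it is not a real CSR.
SAMPLE_PASTE = (
    "pasted from a text editor, with leading junk\n"
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    "MAMCAQU=\n"
    "-----END CERTIFICATE REQUEST-----\n"
)
TRUNCATED_PASTE = "-----BEGIN CERTIFICATE REQUEST-----\nMAMCAQU=\n"

if __name__ == "__main__":
    print(extract_pem_block(SAMPLE_PASTE), end="")
    print("truncated paste:", pem_paste_problem(TRUNCATED_PASTE))
    # Chat component as a subdomain of the parent domain: a wildcard CN alone
    # does not cover the parent domain, so both names are needed.
    print(uncovered_domains(["*.example.net"],
                            ["example.net", "conference.example.net"]))
    print(uncovered_domains(["example.net", "*.example.net"],
                            ["example.net", "conference.example.net"]))
```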


CHAPTER 13

Configuring Serviceability for Federation


April 4, 2011

How To Turn on and Capture Logging for Federation, page 13-1 How To Restart the Cisco UP XCP Router, page 13-2

How To Turn on and Capture Logging for Federation


Location of Log Files for SIP Federation, page 13-1 Location of Log Files for XMPP Federation, page 13-1 Turning On Logging for Federation, page 13-1

Location of Log Files for SIP Federation


The following log files are applicable for SIP federation:

sip-cm-3_0000000X.log, located in /var/log/active/epas/trace/xcp/log
esp0000000X.log, located in /var/log/active/epas/trace/esp/sdi

You can also capture these logs from RTMT.

Location of Log Files for XMPP Federation


The following log files are applicable for XMPP federation:

xmpp-cm-4_0000000X.log

located in /var/log/active/epas/trace/xcp/log

You can also capture these logs from RTMT.

Turning On Logging for Federation


Procedure

Step 1 Select Cisco Unified Serviceability > Trace > Configuration.

Step 2 Select the Cisco Unified Presence server, and select Go.

Step 3 Select CUP Services from the Service Group list box, and select Go.

Step 4 Perform one of the following steps:
For SIP federation, select the Cisco UP XCP SIP Federation Connection Manager service from the Service list box, and click Go.
For XMPP federation, select the Cisco UP XCP XMPP Federation Connection Manager service from the Service list box, and click Go.

Step 5 Select Trace On. Select the Debug Trace Level in the Trace Filter Settings. If you want to enable Debug level on the traces, select Debug for Debug Trace Level.

How To Restart the Cisco UP XCP Router


About the Cisco UP XCP Router, page 13-2 Restarting the Cisco UP XCP Router, page 13-2

About the Cisco UP XCP Router


If you make any configuration changes for SIP or XMPP federation, you must restart the Cisco UP XCP Router on Cisco Unified Presence. If you restart the Cisco UP XCP Router, Cisco Unified Presence automatically restarts all active XCP services. Note that you must restart the Cisco UP XCP Router, not turn it off and then on again. If you turn off the Cisco UP XCP Router rather than restart this service, Cisco Unified Presence stops all other XCP services. When you subsequently turn on the XCP router, Cisco Unified Presence will not automatically turn on the other XCP services; you must turn them on manually.

Restarting the Cisco UP XCP Router


Procedure

Step 1 Select Cisco Unified Serviceability > Tools > Control Center - Network Services.

Step 2 Select the server from the Server list box.

Step 3 Click Go.

Step 4 Select the radio button next to the Cisco UP XCP Router service in the CUP Services section.

Step 5 Click Restart.

Step 6 Click OK when a message indicates that restarting may take a while.


CHAPTER 14

Verifying the Federation Integration


April 4, 2011

Verifying the SIP Federation Configuration, page 14-1 Verifying the XMPP Federation Configuration, page 14-2

Verifying the SIP Federation Configuration


This procedure describes how to verify the configuration for a federated network between a Cisco Unified Presence enterprise deployment, and a Microsoft OCS enterprise deployment. Use this procedure as a guide for verifying the other types of integrations if necessary.
Procedure

Step 1 Log on to the Cisco Unified Personal Communicator client or the third-party XMPP client.

Step 2 Log on to two federated Microsoft Office Communicator clients.

Step 3 Perform the following steps on the first Microsoft Office Communicator client:
a. Add the Cisco Unified Presence user as a contact.
b. A pop-up message displays on Cisco Unified Presence requesting that you accept or block or ignore the presence subscription of the Microsoft Office Communicator user.
c. Check that the Cisco Unified Presence user and the Microsoft Office Communicator user are able to see each other's availability.

Step 4 Perform the following steps on the client of the Cisco Unified Presence user:
a. Add the second Microsoft Office Communicator user as a contact.
b. Check that you can see the availability of the Microsoft Office Communicator user.
c. A pop-up message should appear on the user client for the Microsoft Office Communicator user informing you that the Cisco Unified Personal Communicator user has been added as a contact.

Step 5 Toggle between the availability states on both the clients of the Cisco Unified Presence user and the Microsoft Office Communicator clients.

Step 6 Check that the availability state changes for the contacts on each client.

Step 7 Initiate an IM from the client of a Cisco Unified Presence user to a Microsoft Office Communicator user. Check that the IM window appears on Microsoft Office Communicator with the message from the Cisco Unified Presence user.


Step 8 Close both the IM window on the client of the Cisco Unified Presence user and the IM window on the Microsoft Office Communicator client.

Step 9 Initiate an IM from the Microsoft Office Communicator user to the Cisco Unified Presence user.

Step 10 Check that an IM window appears on the client of the Cisco Unified Presence user with the message from the Microsoft Office Communicator user.

Step 11 On the Cisco Unified Personal Communicator client, perform the following steps:
a. Block one of the Microsoft Office Communicator users.

Note For third-party clients that do not support XEP-0016 (Privacy Lists): if you block from such a third-party XMPP client, you block only IM; users can still exchange availability status. To block server-side IM and availability, the user configures their privacy settings from the Cisco Unified Presence Users Options interface, or from the Privacy configuration on Cisco Unified Personal Communicator.

b. Check that this Microsoft Office Communicator user now sees the availability of the Cisco Unified Presence user as offline. The second Microsoft Office Communicator user should still be able to see availability status for the Cisco Unified Presence user.
c. On the client of the Cisco Unified Presence user, the blocked Microsoft Office Communicator user should still appear online, and you should be able to initiate an IM to the blocked Microsoft Office Communicator user.

Step 12 Block the Cisco Unified Presence user from the Microsoft Office Communicator client.

Step 13 Verify that the presence of the Microsoft Office Communicator user is no longer available on the client of the Cisco Unified Presence user.

Verifying the XMPP Federation Configuration


This procedure describes how to verify the configuration for a federated network between a Cisco Unified Presence Release 8.x enterprise deployment, and either a WebEx, an IBM Sametime, or another Cisco Unified Presence Release 8.x enterprise deployment. The procedure below covers a Cisco Unified Presence Release 8.x and a WebEx deployment. Use this procedure as a guide to verify the other types of XMPP federations.
Procedure

Step 1 Log on to the Cisco Unified Personal Communicator client or the third-party XMPP client connected to the Cisco Unified Presence Release 8.x server.

Step 2 Log on to two federated WebEx Connect clients.

Step 3 Perform the following steps on the first WebEx Connect client:
a. Add the Cisco Unified Presence user as a contact. A pop-up message displays on the client of the Cisco Unified Presence user requesting that you accept or block or ignore the presence subscription from the WebEx Connect user.
b. Accept the subscription.
c. Check that the Cisco Unified Presence user and the WebEx Connect user are able to see each other's availability.


Step 4 Perform the following steps on the client of the Cisco Unified Presence user:
a. Add the second WebEx Connect user as a contact. A pop-up should appear on the WebEx Connect client.
b. Accept the subscription.
c. Check that you can see the availability of the WebEx Connect user.

Step 5 Toggle between the availability states on both the client of the Cisco Unified Presence user and the WebEx Connect client.

Step 6 Check that the availability state changes for the contacts on each client.

Step 7 Initiate an IM from the client of the Cisco Unified Presence user to a WebEx Connect contact. Check that the IM window displays on the WebEx Connect client with the IM from the Cisco Unified Presence user.

Step 8 Close the IM window on both clients.

Step 9 Initiate an IM from the WebEx Connect user to the Cisco Unified Presence user.

Step 10 Check that an IM window displays on the client of the Cisco Unified Presence user with the IM from the WebEx Connect user.

Step 11 On the client of the Cisco Unified Presence user, perform the following steps:
a. Block one of the WebEx Connect users.

Note If you block from a third-party XMPP client, you only block IM; users can still exchange availability status. To block server-side IM and availability, the user configures their privacy settings from the Cisco Unified Presence Users Options interface, or from the Privacy configuration on Cisco Unified Personal Communicator.

b. Check that this WebEx Connect user now sees the availability of the Cisco Unified Presence user as offline. The second WebEx Connect user should still be able to see availability status for the Cisco Unified Presence user.
c. On the client of the Cisco Unified Presence user, the blocked WebEx Connect user should still appear as online; however, you will not be able to send an IM to the blocked WebEx Connect user.

Step 12 Block the Cisco Unified Presence user from the WebEx Connect client.

Step 13 Verify that the availability of the WebEx Connect user is no longer available on the client of the Cisco Unified Presence user.
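The notes in both verification procedures above draw a distinction between a client-side block that stops only IM and a server-side privacy setting that also hides availability. The following is an added example, not from the Cisco guide, that shows the standard XEP-0016 privacy-list stanza for each case and classifies an arbitrary privacy-list stanza by what its deny rules cover; the JIDs and list name are constructed placeholders, and whether a particular server honours jabber:iq:privacy is outside what it checks.

```python
"""Added example (not from the Cisco guide): build and classify XEP-0016
privacy-list stanzas to tell an IM-only block from an IM-and-availability
block. JIDs and the list name are constructed placeholders."""
import xml.etree.ElementTree as ET

NS = "jabber:iq:privacy"
Q = "{%s}" % NS


def build_privacy_list(list_name, denied_jid, block_availability, iq_id="block1"):
    """Return an <iq type='set'/> whose single item denies ``denied_jid``.
    With block_availability=False only <message/> is denied, the IM-only effect
    the verification note describes; with True the item also denies
    <presence-in/> and <presence-out/>, so the contact sees the user as offline."""
    iq = ET.Element("iq", type="set", id=iq_id)
    query = ET.SubElement(iq, "query", xmlns=NS)
    plist = ET.SubElement(query, "list", name=list_name)
    item = ET.SubElement(plist, "item", type="jid", value=denied_jid,
                         action="deny", order="1")
    ET.SubElement(item, "message")
    if block_availability:
        ET.SubElement(item, "presence-in")
        ET.SubElement(item, "presence-out")
    return ET.tostring(iq, encoding="unicode")


def classify_block(iq_xml):
    """Map each denied JID in a privacy-list stanza to what the deny covers:
    'im-only', 'im-and-availability', 'everything' (an item with no stanza-type
    children blocks all stanza types per XEP-0016) or 'partial:<types>'."""
    root = ET.fromstring(iq_xml)
    result = {}
    for item in root.iter(Q + "item"):
        if item.get("action") != "deny":
            continue
        blocked = {child.tag.replace(Q, "") for child in item}
        if not blocked:
            kind = "everything"
        elif blocked == {"message"}:
            kind = "im-only"
        elif {"message", "presence-in", "presence-out"} <= blocked:
            kind = "im-and-availability"
        else:
            kind = "partial:" + ",".join(sorted(blocked))
        result[item.get("value")] = kind
    return result


if __name__ == "__main__":
    # Constructed JID standing in for a federated contact.
    for hide_availability in (False, True):
        stanza = build_privacy_list("federation-block", "bob@federated.example",
                                    hide_availability)
        print(stanza)
        print(classify_block(stanza))
```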


CHAPTER 15

Troubleshooting a SIP Federation Integration


April 4, 2011

Common Cisco Adaptive Security Appliance Problems and Recommended Actions, page 15-1 Common Integration Problems and Recommended Actions, page 15-4

Common Cisco Adaptive Security Appliance Problems and Recommended Actions


Certificate Configuration Problems, page 15-1 Errors When Creating the TLS Proxy Class Maps, page 15-3 Subscriptions Don't Reach Access Edge, page 15-3 Problems With Cisco Adaptive Security Appliance After Upgrade, page 15-4

Certificate Configuration Problems


Certificate Failure Between Cisco Unified Presence and Cisco Adaptive Security Appliance, page 15-1 Certificate Failure Between Cisco Adaptive Security Appliance and Microsoft Access Edge, page 15-2 Certificate Error in SSL Handshake, page 15-2 Error When Submitting Certificate Signing Request to VeriSign, page 15-2

Certificate Failure Between Cisco Unified Presence and Cisco Adaptive Security Appliance
Problem The certificate configuration between Cisco Unified Presence and Cisco Adaptive Security Appliance is failing.

Solution The time and time zones on Cisco Adaptive Security Appliance may not be configured correctly.

Set the time and time zones on Cisco Adaptive Security Appliance. Check that the time and time zones are configured correctly on Cisco Unified Presence and Cisco Unified Communications Manager.


Related Topics

About Prerequisite Configuration Tasks for this Integration, page 2-7

Certificate Failure Between Cisco Adaptive Security Appliance and Microsoft Access Edge
Problem The certificate configuration between Cisco Adaptive Security Appliance and Microsoft Access Edge is failing at certificate enrollment on Cisco Adaptive Security Appliance.

Solution If you are using SCEP enrollment on Cisco Adaptive Security Appliance, the SCEP add-on may not be installed and configured correctly. Install and configure the SCEP add-on.
Related Topics

CA Trustpoints, page 5-6

Certificate Error in SSL Handshake


Problem A certificate error displays in the SSL handshake.

Solution There is no FQDN in the certificate. You need to configure the domain on the Cisco Unified Presence CLI, and regenerate the certificate on Cisco Unified Presence so that it contains the FQDN. You need to restart the SIP proxy on Cisco Unified Presence when you regenerate a certificate.
Related Topics

Configuring the Cisco Unified Presence Domain from the CLI, page 4-4

Error When Submitting Certificate Signing Request to VeriSign


Problem I am using VeriSign for certificate enrollment. When I paste the Certificate Signing Request into the VeriSign website, I get an error (usually a 9406 or 9442 error).

Solution The subject-name in the Certificate Signing Request is missing information. If you are submitting a renewal certificate signing request (CSR) file to VeriSign, the subject-name in the Certificate Signing Request must contain the following information:

Country (two letter country code only)
State (no abbreviations)
Locality (no abbreviations)
Organization Name
Organizational Unit
Common Name (FQDN)

The format of the subject-name line entry should be:

(config-ca-trustpoint)# subject-name cn=<fqdn>, OU=<organisational_unit>,O=<organisation_name>,C=<country>,St=<state>,L=<locality>

Related Topics

Generating a New Trustpoint for VeriSign, page B-2


SSL Errors When Cisco Unified Presence Domain or Hostname is Changed


Problem I changed the Cisco Unified Presence domain from the CLI, and I am getting SSL certificate errors between Cisco Unified Presence and Cisco Adaptive Security Appliance.

Solution If you change the Cisco Unified Presence domain name from the CLI, the Cisco Unified Presence self-signed cert, sipproxy.pem, regenerates. As a result you must reimport the sipproxy.pem certificate into Cisco Adaptive Security Appliance. Specifically you must delete the current sipproxy.pem certificate on Cisco Adaptive Security Appliance, and reimport the (regenerated) sipproxy.pem certificate.
Related Topics

How to Configure Security Certificate Exchange Between Cisco Unified Presence and Cisco Adaptive Security Appliance, page 5-1

Errors When Creating the TLS Proxy Class Maps


Problem The following errors are displayed when configuring the TLS Proxy class maps:

ciscoasa(config)# class-map ent_cup_to_foreign
ciscoasa(config-cmap)# match access-list ent_cup_to_foreign
ERROR: Specified ACL (ent_cup_to_foreign) either does not exist or its type is not supported by the match command.
ciscoasa(config-cmap)# exit
ciscoasa(config)# class-map ent_foreign_to_cup
ciscoasa(config-cmap)# match access-list ent_foreign_to_cup
ERROR: Specified ACL (ent_foreign_to_cup) either does not exist or its type is not supported by the match command.
ciscoasa(config-cmap)#

Solution The access list for the foreign domain does not exist. In the example above the access list called ent_foreign_to_cup does not exist. Create an extended access list for the foreign domain using the access list command.
Related Topics

Access List Configuration Requirements, page 7-2. TLS Proxy Debugging Commands, page C-3

Subscriptions Don't Reach Access Edge


Problem Subscriptions from Microsoft Office Communicator do not reach the Access Edge. OCS reports a network function error with Access Edge as the peer. The Access Edge service will not start.

Solution On Access Edge, the Cisco Unified Presence domain may be configured in both the Allow tab and the IM provider tab. The Cisco Unified Presence domain should only be configured in the IM Provider tab. On Access Edge, remove the Cisco Unified Presence domain entry from the Allow tab. Make sure there is an entry for the Cisco Unified Presence domain on the IM Provider tab.


Problems With Cisco Adaptive Security Appliance After Upgrade


Problem The Cisco Adaptive Security Appliance does not boot after a software upgrade.

Solution You can download a new software image to the Cisco Adaptive Security Appliance using a TFTP server and the ROM Monitor (ROMMON) on the Cisco Adaptive Security Appliance. ROMMON is a command-line interface used for image loading and retrieval over TFTP and related diagnostic utilities.

Step 1 Attach a console cable (the blue cable that is distributed with the Cisco Adaptive Security Appliance) from the console port to a port on a nearby TFTP server.

Step 2 Open hyperterminal or equivalent.

Step 3 Accept all default values as you are prompted.

Step 4 Reboot the Cisco Adaptive Security Appliance.

Step 5 Hit ESC during bootup to access ROMMON.

Step 6 Enter this sequence of commands to enable Cisco Adaptive Security Appliance to download the image from your TFTP server:

ip <Cisco Adaptive Security Appliance inside interface>
server <TFTP server>
interface Ethernet 0/1
file <name of new image>

Note The Ethernet interface you specify must equate to the Cisco Adaptive Security Appliance inside interface.

Step 7 Place the software image on the TFTP server in a recommended location (depending on your TFTP software).

Step 8 Enter this command to start the download:

tftpdnld

Note You need to define a gateway if the TFTP server is in a different subnet.

Common Integration Problems and Recommended Actions


Unable to get Availability Exchange, page 15-5 Problems Sending and Receiving IMs, page 15-6 Losing Availability and IM Exchange After a Short Period, page 15-7 Delay in Availability State Changes and IM Delivery Time, page 15-7 403 FORBIDDEN Returned Following a Presence Subscription Attempt, page 15-8 Time Out on NOTIFY Message, page 15-8 Cisco Unified Presence Certificate Not Accepted, page 15-8


Problems Starting the Front-End Server on OCS, page 15-9 Cisco Unified Personal Communicator Not Online after Login, page 15-10 Unable to Remote Desktop to Access Edge, page 15-10

Unable to get Availability Exchange


Problem Unable to exchange availability information between Cisco Unified Personal Communicator and Microsoft Office Communicator.

Solution

OCS/Access Edge:

1. The certificate may have been configured incorrectly on the public interface of Access Edge. If you are using a Microsoft CA, ensure that you are using an OID value of 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2. The incorrect value displays on the general tab of the certificate (if it is correct it will not be visible). You can also see the incorrect value on an ethereal trace of the TLS handshake between Cisco Unified Presence and Access Edge. Regenerate the certificate for the public interface of the Access Edge with a certificate type of "Other" and an OID value of 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2.

2. The front end server may not be running on OCS. Ensure that the "Office Communications Server Front-End" service is running. You can check this service by selecting Start > Programs > Administrative Tools > Computer Management. In Services and Applications, select Services and locate the "Office Communications Server Front-End" service. If running, this service should have a status of "Started".

Cisco Unified Presence:

1. The certificate may have been configured incorrectly on Cisco Unified Presence. Generate the correct sipproxy-trust certificate for Cisco Unified Presence.

2. If you are using static routes, a static route may have been configured incorrectly. Also, the SIP Proxy domain may not have been properly set to the domain in which the Cisco Unified Presence server resides. Note that the SIP Proxy defaults to the domain that was set up during a fresh install. If you are using static routes, configure a static route that points to the public interface of the Access Edge. The static route should have a route type set to "domain" and a reversed destination pattern, for example, if the federated domain is abc.com then the destination address pattern should be set to .com.abc.*. Static routes are configured in Cisco Unified Presence Administration by selecting Presence > Routing > Static Routes.

Cisco Unified Personal Communicator client: The DNS settings on the Cisco Unified Personal Communicator client may be configured incorrectly. Ensure that the client machine is pointing to the correct DNS. Log out of and log back in to the Cisco Unified Personal Communicator client.
Related Topics

How to Configure the Certificate for External Access Edge Interface, page 5-9 Generating a New Certificate on Cisco Unified Presence, page 5-4 DNS Configuration for SIP Federation, page 4-3


Problems Sending and Receiving IMs


Problem Problems sending and receiving IMs between a Microsoft Office Communicator user and a Cisco Unified Personal Communicator 7.0 user.

Solution

DNS Settings: DNS SRV records may not have been created, or may be configured incorrectly. To check whether the DNS SRV records have been configured correctly, perform an nslookup for type=srv from both Cisco Unified Presence and Access Edge.

On Access Edge:
a. From a command prompt on Access Edge, enter nslookup.
b. Enter set type=srv.
c. Enter the SRV record for the Cisco Unified Presence domain, for example, _sipfederationtls._tcp.abc.com where abc.com is the domain name. If the SRV record exists, the FQDN for Cisco Unified Presence/Cisco Adaptive Security Appliance is returned.

On Cisco Unified Presence:
a. Using a remote access account, ssh into the Cisco Unified Presence server.
b. Perform the same steps as for Access Edge above, except in this case use the OCS domain name.

Microsoft Office Communicator client: The Microsoft Office Communicator 2007 user may have their presence set to "Do Not Disturb" (DND). If Microsoft Office Communicator 2007 is set to DND, it will not receive IMs from other users. Set the presence of the Microsoft Office Communicator user to another state.

Cisco Unified Presence:

1. If you are using static routes instead of DNS SRV, a static route may have been configured incorrectly. Configure a static route that points to the public interface of the Access Edge. The static route should have a route type set to "domain" and a reversed destination pattern, for example, if the federated domain is abc.com then the destination address pattern should be set to .com.abc.*. Static routes are configured in Cisco Unified Presence Administration by selecting Presence > Routing > Static Routes.

2. The Federation IM Controller Module Status may be disabled. In Cisco Unified Presence Administration, select System > Service Parameters, and select the SIP Proxy service. At the end of the screen, check that the Federation IM Control Module Status parameter is set to On.

3. The Federated Domain may not have been added, or may be configured incorrectly. In Cisco Unified Presence Administration, select Presence > Inter-Domain Federation and check that the correct federated domain has been added.

Related Topics

DNS Configuration for SIP Federation, page 4-3 Adding a SIP Federated Domain, page 4-2
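Several entries in this chapter turn on the same handful of derived values: the _sipfederationtls SRV name for a domain, the reversed destination pattern a Cisco Unified Presence static route needs (abc.com becomes .com.abc.*), the two EKU OIDs the Access Edge public certificate must carry, and the field order of the ASA trustpoint subject-name line. The following is an added pre-flight script, not Cisco's code and not part of the guide, that derives and checks those values so they can be compared against what is actually configured; the domain and organisation values are constructed placeholders.

```python
"""Added example (not Cisco's code): derive and sanity-check the SIP federation
values the troubleshooting entries keep pointing at. Placeholder inputs only."""

# EKU OIDs the guide requires on the Access Edge public certificate:
# 1.3.6.1.5.5.7.3.1 = serverAuth, 1.3.6.1.5.5.7.3.2 = clientAuth.
REQUIRED_EKU = {"1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"}


def sip_federation_srv_name(domain):
    """DNS SRV owner name the federated peer looks up for ``domain``."""
    return "_sipfederationtls._tcp." + domain.strip(".").lower()


def reversed_destination_pattern(domain):
    """Static-route destination pattern for a federated domain: labels
    reversed, leading dot, trailing '.*' (the guide's example: abc.com ->
    .com.abc.*)."""
    labels = [label for label in domain.strip(".").lower().split(".") if label]
    if not labels:
        raise ValueError("empty domain")
    return "." + ".".join(reversed(labels)) + ".*"


def eku_problem(eku_value):
    """None if the comma-separated EKU OID list carries both required OIDs,
    otherwise a message naming what is missing."""
    present = {oid.strip() for oid in eku_value.split(",") if oid.strip()}
    missing = sorted(REQUIRED_EKU - present)
    return None if not missing else "missing EKU OID(s): " + ", ".join(missing)


def asa_subject_name(fqdn, ou, org, country, state, locality):
    """Build the trustpoint subject-name argument in the documented order,
    enforcing the constraints that can be checked mechanically: a two-letter
    country code, no empty fields, and a fully qualified common name.
    (That a state or locality is not abbreviated cannot be checked here.)"""
    if len(country) != 2 or not country.isalpha():
        raise ValueError("country must be a two-letter country code")
    for field, value in (("OU", ou), ("O", org), ("St", state), ("L", locality)):
        if not value.strip():
            raise ValueError(f"{field} must not be empty")
    if "." not in fqdn:
        raise ValueError("common name must be a fully qualified domain name")
    # Same layout as the guide's subject-name line, including its spacing.
    return (f"cn={fqdn}, OU={ou},O={org},C={country.upper()},"
            f"St={state},L={locality}")


if __name__ == "__main__":
    federated = "abc.com"                       # constructed placeholder domain
    print("SRV record to look up:", sip_federation_srv_name(federated))
    print("static-route pattern: ", reversed_destination_pattern(federated))
    print("EKU check (good):     ", eku_problem("1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2"))
    print("EKU check (bad):      ", eku_problem("1.3.6.1.5.5.7.3.1"))
    print("subject-name " + asa_subject_name("cup.example.net", "IT",
                                             "Example Corp", "us",
                                             "California", "San Jose"))
```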


Losing Availability and IM Exchange After a Short Period


Problem Can share availability and IMs between Cisco Unified Personal Communicator and Microsoft

Office Communicator but after a short period, they start to lose each others availability, and then can no longer exchange IM's.
Solution

OCS/Access Edge:
1.

On Access Edge, both the internal and external edges may have the same FQDN. Also in DNS there may be two "A" record entries for that FQDN, one resolving to the IP address of the external edge and the other to the IP address of the internal edge. On Access Edge, change the FQDN of the internal edge, and add an updated record entry in DNS. Remove the DNS entry that was originally resolving to the internal IP of the Access Edge. Also reconfigure the certificate for the internal edge on Access Edge.

2.

On OCS, under global settings and front end properties, the FQDN for the access edge may have been entered incorrectly. On OCS, reconfigure the server to reflect the new FQDN of the internal edge.

DNS Settings: DNS SRV records may not have been created, or may have been configured incorrectly. Add the necessary "A" records and SRV records.
Related Topics

Configuring the Foreign Server Components for SIP Federation, page 9-1

Delay in Availability State Changes and IM Delivery Time


Problem There is a delay in the delivery time of IMs and presence state changes between Cisco Unified Personal Communicator and Microsoft Office Communicator.

Solution On the Cisco Unified Presence server, the Disable Empty TLS Fragments option may not be selected for the Default_Cisco_UPS_SIP_Proxy_Peer_Auth_TLS_Context.

Step 1 Select Cisco Unified Presence Administration > System > Security > TLS Context Configuration.
Step 2 Click Default_Cisco_UPS_SIP_Proxy_Peer_Auth_TLS_Context.
Step 3 Check Disable Empty TLS Fragments.
Step 4 Click Save.


403 FORBIDDEN Returned Following a Presence Subscription Attempt


Problem Cisco Unified Presence attempts to subscribe to the presence of a Microsoft Office Communicator user and receives a 403 FORBIDDEN message from the OCS server.

Solution On the Access Edge server, the Cisco Unified Presence server may not have been added to the IM service provider list. On the Access Edge server, add an entry for the Cisco Unified Presence server to the IM service provider list. On the DNS server for Access Edge, ensure that there is a _sipfederationtls record for the Cisco Unified Presence domain that points to the public address of the Cisco Unified Presence server.

or

On the Access Edge server, the Cisco Unified Presence server may have been added to the Allow list. On the Access Edge server, remove any entry from the Allow list that points to the Cisco Unified Presence server.
Related Topics

Configuring the Foreign Server Components for SIP Federation, page 9-1

Time Out on NOTIFY Message


Problem Cisco Unified Presence times out when sending a NOTIFY message (when federating directly between Cisco Unified Presence and Microsoft OCS using TCP).

Solution On the Cisco Unified Presence server, the Use Transport in Record-Route Header parameter may need to be enabled.

Step 1 Select Cisco Unified Presence Administration > System > Service Parameters.
Step 2 Select the Cisco UP SIP Proxy service.
Step 3 In the SIP Parameters (Clusterwide) section, select On for the Use Transport in Record-Route Header parameter.
Step 4 Click Save.

Cisco Unified Presence Certificate Not Accepted


Problem Access Edge is not accepting the certificate from Cisco Unified Presence.

Solution The TLS handshake between Cisco Unified Presence/Cisco Adaptive Security Appliance and the Access Edge may be failing.

OCS/Access Edge:

1. Ensure that the IM Provider list on the Access Edge contains the public FQDN of the Cisco Unified Presence server, and that it matches the subject CN of the Cisco Unified Presence certificate. If you have opted not to populate the Allow List with the FQDN of Cisco Unified Presence, then you must ensure that the subject CN of the Cisco Unified Presence certificate resolves to the FQDN of the SRV record for the Cisco Unified Presence domain.


2. Ensure that FIPS is enabled on Access Edge (use TLSv1).

3. Ensure that Federation is enabled globally on OCS, and enabled on the front end server.

4. If failing to resolve DNS SRV, ensure that DNS is set up correctly and perform an nslookup for type=srv from Access Edge:

a. From a command prompt on Access Edge, enter nslookup.
b. Enter set type=srv.
c. Enter the SRV record for the Cisco Unified Presence domain, for example _sipfederationtls._tcp.abc.com, where abc.com is the domain name. If the SRV record exists, the FQDN for Cisco Unified Presence/Cisco Adaptive Security Appliance is returned.

Cisco Unified Presence/Cisco Adaptive Security Appliance:

Check the ciphers on Cisco Unified Presence and Cisco Adaptive Security Appliance. In Cisco Unified Presence Administration, select System > Security > TLS Context Configuration > Default Cisco UP SIP Proxy Peer Auth TLS Context, and ensure that the "TLS_RSA_WITH_3DES_EDE_CBC_SHA" cipher is selected.
Related Topics

Configuring the Foreign Server Components for SIP Federation, page 9-1
Adding the TLS Peer to the Selected TLS Peer Subjects List, page 4-6

Problems Starting the Front-End Server on OCS


Problem The front-end server on OCS will not start.

Solution On OCS, the FQDN of the private interface of the Access Edge may have been defined in the list of Authorized Hosts. Remove the private interface of the Access Edge from the list of Authorized Hosts on OCS.

During OCS install, two Active Directory user accounts are created, called RTCService and RTCComponentService. These accounts are given an administrator-defined password; however, on both of these accounts the "Password never expires" option is not selected by default, so the password will expire periodically. To reset the password of the RTCService or RTCComponentService account on the OCS server, follow the procedure below.

Step 1 Right-click on the user account. Select Reset Password.
Step 2 Right-click on the user account. Select Properties. Select the Account tab. Check Password never expires. Click OK.


Cisco Unified Personal Communicator Not Online after Login


Problem The Cisco Unified Personal Communicator client does not have available online status after login.

Solution The client computer may be pointing to the incorrect DNS server. Update the correct DNS server on the client PC and then log in to Cisco Unified Personal Communicator again.

Unable to Remote Desktop to Access Edge


Problem Unable to successfully remote desktop to the Access Edge Server with FIPS enabled on Windows XP.

Solution This is a known Microsoft issue. The workaround to resolve the issue involves installing a Remote Desktop Connection application on the Windows XP computer. To install Remote Desktop Connection 6.0, follow the instructions at the following Microsoft URL: http://support.microsoft.com/kb/811770


Chapter 16

Troubleshooting an XMPP Federation Integration



Checking the System Troubleshooter, page 16-1

Checking the System Troubleshooter


If you deploy multiple Cisco Unified Presence clusters and you configure XMPP federation, you must turn on XMPP federation on at least one node per cluster. You must configure the same XMPP federation settings and policy on each cluster; Cisco Unified Presence does not replicate the XMPP federation configuration across clusters. The System Troubleshooter reports if XMPP federation settings across clusters are not synchronized. The System Troubleshooter performs the following checks:

• XMPP federation is enabled consistently across intercluster peers.
• The SSL Mode is configured consistently across intercluster peers.
• The Required Valid client-side certificates setting is configured consistently across intercluster peers.
• The SASL settings are configured consistently across intercluster peers.
• The dialback secret is configured consistently across intercluster peers.
• The default Admin Policy for XMPP Federation is configured consistently across intercluster peers.
• The Policy hosts are configured consistently across intercluster peers.

Procedure
Step 1 Select Cisco Unified Presence Administration > Diagnostics > System Troubleshooter.
Step 2 Ensure there are green checks beside the following checks:

• Verify the XMPP Federation settings match on all intercluster peers.
• Verify that SASL settings have been correctly configured for all intercluster peers.
• Verify that XMPP has been uniformly disabled or enabled on at least one node in all clusters.
• Verify that the default Admin Policy is consistent across all intercluster peers.
• Verify that the Host Policy is consistent across all intercluster peers.

The System Troubleshooter provides recommended actions if it reports a problem with any of these checks.


Related Topics

Location of Log Files for XMPP Federation, page 13-1


Appendix A

Sample Cisco Adaptive Security Appliance Configuration



Sample PAT Commands and Access List Configuration for SIP Federation, page A-1
Sample Access List Configuration for XMPP Federation, page A-3
Sample NAT Configuration for XMPP Federation, page A-4

Sample PAT Commands and Access List Configuration for SIP Federation
This section provides a sample configuration for a Cisco Unified Presence server that is federating with a foreign OCS enterprise deployment. There are two additional intercluster Cisco Unified Presence servers in the local enterprise deployment. The following values are used in this sample configuration:

• Public Cisco Unified Presence IP Address = 10.10.10.10
• Private Routing Cisco Unified Presence IP Address = 1.1.1.1
• Private Second Cisco Unified Presence IP Address = 2.2.2.2
• Private Third Cisco Unified Presence IP Address = 3.3.3.3
• Peer Auth Listener Port on Cisco Unified Presence = 5062
• Netmask = 255.255.255.255
• Foreign Domain = abc.com
• Microsoft OCS External Interface = 20.20.20.20

These PAT commands are defined for the (routing) Cisco Unified Presence server: (Cisco Adaptive Security Appliance Release 8.2:)
static (inside,outside) tcp 10.10.10.10 5061 1.1.1.1 5062 netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.10 5080 1.1.1.1 5080 netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.10 5060 1.1.1.1 5060 netmask 255.255.255.255

(Cisco Adaptive Security Appliance Release 8.3:)


nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.10 service obj_tcp_source_eq_5061 obj_tcp_source_eq_5062
nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.10 service obj_tcp_source_eq_5080 obj_tcp_source_eq_5080
nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.10 service obj_tcp_source_eq_5060 obj_tcp_source_eq_5060

These PAT commands are defined for the two additional intercluster Cisco Unified Presence servers in the enterprise deployment: (Cisco Adaptive Security Appliance Release 8.2:)
static (inside,outside) tcp 10.10.10.10 45080 2.2.2.2 5080 netmask 255.255.255.255
static (inside,outside) udp 10.10.10.10 55070 3.3.3.3 5070 netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.10 55070 3.3.3.3 5070 netmask 255.255.255.255
static (inside,outside) udp 10.10.10.10 45062 2.2.2.2 5062 netmask 255.255.255.255
static (inside,outside) tcp 10.10.10.10 55062 3.3.3.3 5062 netmask 255.255.255.255

(Cisco Adaptive Security Appliance Release 8.3:)


nat (inside,outside) source static obj_host_2.2.2.2 obj_host_10.10.10.10 service obj_tcp_source_eq_5080 obj_tcp_source_eq_45080
nat (inside,outside) source static obj_host_3.3.3.3 obj_host_10.10.10.10 service obj_tcp_source_eq_5070 obj_tcp_source_eq_55070
nat (inside,outside) source static obj_host_3.3.3.3 obj_host_10.10.10.10 service obj_udp_source_eq_5070 obj_udp_source_eq_55070
nat (inside,outside) source static obj_host_2.2.2.2 obj_host_10.10.10.10 service obj_tcp_source_eq_5062 obj_tcp_source_eq_45062
nat (inside,outside) source static obj_host_3.3.3.3 obj_host_10.10.10.10 service obj_tcp_source_eq_5062 obj_tcp_source_eq_55062

The corresponding access lists for this configuration are provided below. Note that for each foreign domain that you federate with, you must add access lists similar to these access lists for the domain abc.com. (Cisco Adaptive Security Appliance Release 8.2:)
access-list ent_cup_to_abc extended permit tcp host 1.1.1.1 host 20.20.20.20 eq 5061
access-list ent_abc_to_cup extended permit tcp host 20.20.20.20 host 10.10.10.10 eq 5061
access-list ent_secondcup_to_abc extended permit tcp host 2.2.2.2 host 20.20.20.20 eq 5061
access-list ent_thirdcup_to_abc extended permit tcp host 3.3.3.3 host 20.20.20.20 eq 5061
access-list ent_abc_to_secondcup extended permit tcp host 20.20.20.20 host 10.10.10.10 eq 45061
access-list ent_abc_to_thirdcup extended permit tcp host 20.20.20.20 host 10.10.10.10 eq 55061

(Cisco Adaptive Security Appliance Release 8.3:)


access-list ent_cup_to_abc extended permit tcp host 1.1.1.1 host 20.20.20.20 eq 5061
access-list ent_abc_to_cup extended permit tcp host 20.20.20.20 host 1.1.1.1 eq 5062
access-list ent_secondcup_to_abc extended permit tcp host 2.2.2.2 host 20.20.20.20 eq 5061
access-list ent_thirdcup_to_abc extended permit tcp host 3.3.3.3 host 20.20.20.20 eq 5061
access-list ent_abc_to_secondcup extended permit tcp host 20.20.20.20 host 2.2.2.2 eq 5062
access-list ent_abc_to_thirdcup extended permit tcp host 20.20.20.20 host 3.3.3.3 eq 5062

Associate each of your access lists with a class map:


class-map ent_cup_to_abc
 match access-list ent_cup_to_abc
class-map ent_abc_to_cup
 match access-list ent_abc_to_cup


class-map ent_secondcup_to_abc
 match access-list ent_secondcup_to_abc
class-map ent_thirdcup_to_abc
 match access-list ent_thirdcup_to_abc
class-map ent_abc_to_secondcup
 match access-list ent_abc_to_secondcup
class-map ent_abc_to_thirdcup
 match access-list ent_abc_to_thirdcup

Update the global policy map for each class map you created. In this example, the TLS proxy instance for TLS connections initiated by Cisco Unified Presence is called cup_to_foreign, and the TLS proxy instance for TLS connections initiated by a foreign domain is called foreign_to_cup.
policy-map global_policy
 class ent_cup_to_abc
  inspect sip sip_inspect tls-proxy ent_cup_to_foreign
policy-map global_policy
 class ent_abc_to_cup
  inspect sip sip_inspect tls-proxy ent_foreign_to_cup
policy-map global_policy
 class ent_secondcup_to_abc
  inspect sip sip_inspect tls-proxy ent_cup_to_foreign
policy-map global_policy
 class ent_thirdcup_to_abc
  inspect sip sip_inspect tls-proxy ent_cup_to_foreign
policy-map global_policy
 class ent_abc_to_secondcup
  inspect sip sip_inspect tls-proxy ent_foreign_to_cup
policy-map global_policy
 class ent_abc_to_thirdcup
  inspect sip sip_inspect tls-proxy ent_foreign_to_cup

Sample Access List Configuration for XMPP Federation


Note The examples in this section are applicable to Cisco Adaptive Security Appliance Release 8.3.

Example 1: This example access list configuration allows traffic from any address to any address on port 5269:

access-list ALLOW-ALL extended permit tcp any any eq 5269

Example 2: This example access list configuration allows traffic from any address to a single XMPP federation node on port 5269. The following values are used in this example:

• Private XMPP federation Cisco Unified Presence Release 8.x IP address = 1.1.1.1
• XMPP federation listening port = 5269

access-list ALLOW-ALL extended permit tcp any host 1.1.1.1 eq 5269


Example 3: This example access list configuration allows traffic from any address to specific XMPP federation nodes published in DNS.

Note The public addresses are published in DNS, but the private addresses are configured in the access-list command.

The following values are used in this sample configuration:

• Private XMPP federation Cisco Unified Presence Release 8.x IP address = 1.1.1.1
• Private second Cisco Unified Presence Release 8.x IP address = 2.2.2.2
• Private third Cisco Unified Presence Release 7.x IP address = 3.3.3.3
• XMPP federation listening port = 5269

access-list ALLOW-ALL extended permit tcp any host 1.1.1.1 eq 5269
access-list ALLOW-ALL extended permit tcp any host 2.2.2.2 eq 5269
access-list ALLOW-ALL extended permit tcp any host 3.3.3.3 eq 5269

Example 4: This example access list configuration allows traffic only from a specific federated domain interface to specific XMPP federation nodes published in DNS.

Note The public addresses are published in DNS, but the private addresses are configured in the access-list command.

The following values are used in this sample configuration:

• Private XMPP federation Cisco Unified Presence Release 8.x IP address = 1.1.1.1
• Private second Cisco Unified Presence Release 8.x IP address = 2.2.2.2
• Private third Cisco Unified Presence Release 7.x IP address = 3.3.3.3
• XMPP federation listening port = 5269
• External interface of the foreign XMPP enterprise = 100.100.100.100

access-list ALLOW-ALL extended permit tcp host 100.100.100.100 host 1.1.1.1 eq 5269
access-list ALLOW-ALL extended permit tcp host 100.100.100.100 host 2.2.2.2 eq 5269
access-list ALLOW-ALL extended permit tcp host 100.100.100.100 host 3.3.3.3 eq 5269

Sample NAT Configuration for XMPP Federation


Example 1: Single node with XMPP federation enabled

The following values are used in this sample configuration:

• Public Cisco Unified Presence IP address = 10.10.10.10
• Private XMPP federation Cisco Unified Presence Release 8.x IP address = 1.1.1.1
• XMPP federation listening port = 5269

nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.10 service obj_udp_source_eq_5269 obj_udp_source_eq_5269
nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.10 service obj_tcp_source_eq_5269 obj_tcp_source_eq_5269

Example 2: Multiple nodes with XMPP federation, each with a public IP address in DNS

The following values are used in this sample configuration:

• Public Cisco Unified Presence IP addresses = 10.10.10.10, 20.20.20.20, 30.30.30.30
• Private XMPP federation Cisco Unified Presence Release 8.x IP address = 1.1.1.1
• Private second Cisco Unified Presence Release 8.x IP address = 2.2.2.2
• Private third Cisco Unified Presence Release 7.x IP address = 3.3.3.3
• XMPP federation listening port = 5269

nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.10 service obj_udp_source_eq_5269 obj_udp_source_eq_5269
nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.10 service obj_tcp_source_eq_5269 obj_tcp_source_eq_5269
nat (inside,outside) source static obj_host_2.2.2.2 obj_host_20.20.20.20 service obj_udp_source_eq_5269 obj_udp_source_eq_5269
nat (inside,outside) source static obj_host_2.2.2.2 obj_host_20.20.20.20 service obj_tcp_source_eq_5269 obj_tcp_source_eq_5269
nat (inside,outside) source static obj_host_3.3.3.3 obj_host_30.30.30.30 service obj_udp_source_eq_5269 obj_udp_source_eq_5269
nat (inside,outside) source static obj_host_3.3.3.3 obj_host_30.30.30.30 service obj_tcp_source_eq_5269 obj_tcp_source_eq_5269

Example 3: Multiple nodes with XMPP federation, but a single public IP address in DNS with arbitrary ports published in DNS (PAT)

The following values are used in this sample configuration:

• Public Cisco Unified Presence IP Address = 10.10.10.10
• Private XMPP federation Cisco Unified Presence Release 8.x IP address = 1.1.1.1, port 5269
• Private second Cisco Unified Presence Release 8.x IP address = 2.2.2.2, arbitrary port 25269
• Private third Cisco Unified Presence Release 7.x IP address = 3.3.3.3, arbitrary port 35269

nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.10 service obj_udp_source_eq_5269 obj_udp_source_eq_5269
nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.10 service obj_tcp_source_eq_5269 obj_tcp_source_eq_5269
nat (inside,outside) source static obj_host_2.2.2.2 obj_host_10.10.10.10 service obj_udp_source_eq_5269 obj_udp_source_eq_25269
nat (inside,outside) source static obj_host_2.2.2.2 obj_host_10.10.10.10 service obj_tcp_source_eq_5269 obj_tcp_source_eq_25269
nat (inside,outside) source static obj_host_3.3.3.3 obj_host_10.10.10.10 service obj_udp_source_eq_5269 obj_udp_source_eq_35269
nat (inside,outside) source static obj_host_3.3.3.3 obj_host_10.10.10.10 service obj_tcp_source_eq_5269 obj_tcp_source_eq_35269
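The NAT and access-list samples above are shown separately, but in Release 8.3 they must agree: the access list names the private (real) address while DNS advertises the translated public address and port. The following script is an added example, not Cisco's code or part of this guide; it parses nat and access-list lines in the form used in this appendix, derives the public address:port that DNS must advertise for each XMPP node, and flags permitted destinations with no translation. It assumes the object-name convention of these samples (obj_host_<ip>, obj_<proto>_source_eq_<port>) rather than parsing object definitions, and handles only host destinations.

```python
import re
from typing import Dict, List, Tuple

# Assumption: object names follow the convention of this appendix's samples
# (obj_host_<ip> and obj_<proto>_source_eq_<port>), so the "object network"
# and "object service" definitions themselves do not have to be parsed.
NAT_RE = re.compile(
    r"^nat \(inside,outside\) source static "
    r"obj_host_(?P<real_ip>\S+) obj_host_(?P<mapped_ip>\S+) service "
    r"obj_(?P<proto>tcp|udp)_source_eq_(?P<real_port>\d+) "
    r"obj_(?P=proto)_source_eq_(?P<mapped_port>\d+)$"
)
# Only "host" destinations are handled; the "any any" form of Example 1 is skipped.
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended permit (?P<proto>tcp|udp) "
    r"(?P<src>any|host \S+) host (?P<dst_ip>\S+) eq (?P<dst_port>\d+)$"
)

Service = Tuple[str, str, int]   # (proto, private ip, private port)
Endpoint = Tuple[str, int]       # (public ip, public port)
Rule = Tuple[str, str, str, str, int]  # (acl name, proto, source, dst ip, dst port)

# Sample input copied from NAT Example 3 (three nodes behind one public address, PAT).
SAMPLE_NAT = [
    "nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.10 service obj_udp_source_eq_5269 obj_udp_source_eq_5269",
    "nat (inside,outside) source static obj_host_1.1.1.1 obj_host_10.10.10.10 service obj_tcp_source_eq_5269 obj_tcp_source_eq_5269",
    "nat (inside,outside) source static obj_host_2.2.2.2 obj_host_10.10.10.10 service obj_udp_source_eq_5269 obj_udp_source_eq_25269",
    "nat (inside,outside) source static obj_host_2.2.2.2 obj_host_10.10.10.10 service obj_tcp_source_eq_5269 obj_tcp_source_eq_25269",
    "nat (inside,outside) source static obj_host_3.3.3.3 obj_host_10.10.10.10 service obj_udp_source_eq_5269 obj_udp_source_eq_35269",
    "nat (inside,outside) source static obj_host_3.3.3.3 obj_host_10.10.10.10 service obj_tcp_source_eq_5269 obj_tcp_source_eq_35269",
]
# Sample input copied from access-list Example 4 (one foreign enterprise interface).
SAMPLE_ACL = [
    "access-list ALLOW-ALL extended permit tcp host 100.100.100.100 host 1.1.1.1 eq 5269",
    "access-list ALLOW-ALL extended permit tcp host 100.100.100.100 host 2.2.2.2 eq 5269",
    "access-list ALLOW-ALL extended permit tcp host 100.100.100.100 host 3.3.3.3 eq 5269",
]


def parse_nat(lines: List[str]) -> Dict[Service, Endpoint]:
    """Map each translated private service to the public address and port it is reachable on."""
    mapping: Dict[Service, Endpoint] = {}
    for line in lines:
        m = NAT_RE.match(line.strip())
        if m:
            key = (m["proto"], m["real_ip"], int(m["real_port"]))
            mapping[key] = (m["mapped_ip"], int(m["mapped_port"]))
    return mapping


def parse_acl(lines: List[str]) -> List[Rule]:
    """Return one (name, proto, source, destination ip, destination port) tuple per permit line."""
    rules: List[Rule] = []
    for line in lines:
        m = ACL_RE.match(line.strip())
        if m:
            rules.append((m["name"], m["proto"], m["src"], m["dst_ip"], int(m["dst_port"])))
    return rules


def dns_targets(nat: Dict[Service, Endpoint]) -> Dict[str, Endpoint]:
    """Public ip:port that the XMPP server-to-server SRV record must advertise for each private node.

    XMPP federation runs over TCP, so only the tcp translations are reported."""
    return {ip: public for (proto, ip, _port), public in nat.items() if proto == "tcp"}


def check_consistency(nat: Dict[Service, Endpoint], rules: List[Rule]):
    """Cross-check the two halves of the configuration.

    Returns (missing, unused): permits whose private destination has no nat entry
    (traffic would never be translated), and nat entries no access-list permits."""
    permitted = set()
    missing = []
    for name, proto, _src, dst_ip, dst_port in rules:
        key = (proto, dst_ip, dst_port)
        permitted.add(key)
        if key not in nat:
            missing.append((name, proto, dst_ip, dst_port))
    unused = sorted(key for key in nat if key not in permitted)
    return missing, unused


if __name__ == "__main__":
    nat = parse_nat(SAMPLE_NAT)
    for node, (ip, port) in dns_targets(nat).items():
        print(f"{node} -> publish {ip}:{port} in DNS")
    missing, unused = check_consistency(nat, parse_acl(SAMPLE_ACL))
    print("permits without a nat entry:", missing)
    print("nat entries no access-list permits:", unused)
```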


Appendix B

Configuring Security Certificate Exchange Between Cisco Adaptive Security Appliance and Microsoft Access Edge Using VeriSign

How to Configure the Security Certificates on Cisco Adaptive Security Appliance, page B-1
Importing the VeriSign Certificates onto Microsoft Access Edge, page B-8

How to Configure the Security Certificates on Cisco Adaptive Security Appliance


Deleting the Old Certificates and Trustpoints, page B-1
Generating a New Trustpoint for VeriSign, page B-2
Importing the Root Certificate, page B-3
Generating the Certificate Signing Request, page B-4
Submitting the Certificate Signing Request to VeriSign, page B-4
Deleting the Certificate Used for the Certificate Signing Request, page B-5
Importing the Intermediate Certificate, page B-6
Creating a Trustpoint for the Root Certificate, page B-6
Importing the Root Certificate, page B-7
Importing the Signed Certificate, page B-7

Deleting the Old Certificates and Trustpoints


This procedure describes how to delete the old intermediate and signed certificate, and the trustpoint for the root certificate on Cisco Adaptive Security Appliance.
Before You Begin

Ensure you carried out the configuration tasks described in the following chapters:

• Configuring Cisco Unified Presence for SIP Federation, page 4-1
• Configuring Cisco Adaptive Security Appliance for SIP Federation, page 6-1

Procedure
Step 1

Enter config mode, type:


>Enable
>password
>config t

Step 2

Enter this command to display the trustpoints:


show crypto ca trustpoints

Step 3

Enter this command to delete the trustpoint and associated certificates:


no crypto ca trustpoint <name of trustpoint>

The following warning output displays:


WARNING: Removing an enrolled trustpoint will destroy all certificates received from the related Certificate Authority.

Step 4

Enter yes when you are prompted to delete the trustpoint.

What To Do Next

Generating a New Trustpoint for VeriSign, page B-2

Generating a New Trustpoint for VeriSign


Procedure
Step 1

Enter config mode, type:


>Enable
>password
>config t

Step 2

Enter this command to generate the key pair for this certification:
crypto key generate rsa label keys_for_verisign

Step 3

Enter the following sequence of commands to create a trustpoint for Cisco Unified Presence:
crypto ca trustpoint <name of trustpoint>
(config-ca-trustpoint)# enrollment terminal
(config-ca-trustpoint)# subject-name cn=<fqdn>, OU=<organisational_unit>,O=<organisation_name>,C=<country>,St=<state>,L=<locality>
(config-ca-trustpoint)# keypair keys_for_verisign
(config-ca-trustpoint)# fqdn none
(config-ca-trustpoint)# exit

Note

If you are submitting a renewal certificate signing request (CSR) file to VeriSign, the subject-name value must contain the following information:

• Country (two letter country code only)
• State (no abbreviations)
• Locality (no abbreviations)
• Organization Name
• Organizational Unit
• Common Name (FQDN) - This value must be the FQDN of the public Cisco Unified Presence.

Troubleshooting Tips

Enter the command show crypto key mypubkey rsa to check that the key pair is generated.
What To Do Next

Importing the Intermediate Certificate, page B-6

Importing the Root Certificate


Before You Begin

Complete the steps in Generating a New Trustpoint for VeriSign, page B-2.
Procedure
Step 1

Enter config mode, type:


>Enable
>password
>config t

Step 2

Enter this command to import the certificate onto Cisco Adaptive Security Appliance:
crypto ca authenticate <name of trustpoint>

Step 3

Enter the CA certificate, for example:


-----BEGIN CERTIFICATE-----
MIIDAzCCAmwCEQC5L2DMiJ+hekYJuFtwbIqvMA0GCSqGSIb3DQEBBQUAMIH...
-----END CERTIFICATE-----
quit

Note Finish with the word "quit" on a separate line.

Step 4 Enter yes when you are prompted to accept the certificate.

What To Do Next

Generating the Certificate Signing Request, page B-4


Generating the Certificate Signing Request


Before You Begin

Complete the steps in Importing the Root Certificate, page B-3.


Procedure
Step 1

Enter config mode, type:


>Enable
>password
>config t

Step 2

Enter this command to send an enrollment request to the CA:


crypto ca enroll <name of trustpoint>

The following warning output displays:


%WARNING: The certificate enrollment is configured with an fqdn that differs from the system fqdn. If this certificate will be used for VPN authentication this may cause connection problems.

Step 3

Enter yes when you are prompted to continue with the enrollment.
% Start certificate enrollment..
% The subject name in the certificate will be: <fqdn>, OU=<organisational_unit>,O=<organisation_name>,C=<country>,St=<state>,L=<locality>

Step 4 Enter no when you are prompted to include the device serial number in the subject name.
Step 5 Enter yes when you are prompted to display the certificate request in the terminal. The certificate request displays.

What To Do Next

Submitting the Certificate Signing Request to VeriSign, page B-4

Submitting the Certificate Signing Request to VeriSign


When you submit the Certificate Signing Request, VeriSign will provide you with the following certificate files:

• verisign-signed-cert.cer (signed certificate)
• trial-inter-root.cer (subordinate intermediate root certificate)
• verisign-root-ca.cer (root CA certificate)

Save the certificate files in separate notepad files once you have downloaded them.
Before You Begin

Complete the steps in Generating the Certificate Signing Request, page B-4. You will need the challenge password that you defined when generating the Certificate Signing Request.


Procedure
Step 1 Go to the VeriSign website.
Step 2 Follow the procedure to enter a Certificate Signing Request.
Step 3 When prompted, submit the challenge password for the Certificate Signing Request.
Step 4 Paste the Certificate Signing Request into the window provided.

Note You need to paste from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- inclusive.

What To Do Next

Deleting the Certificate Used for the Certificate Signing Request, page B-5
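Before importing the three files VeriSign returns, it is worth confirming that they chain together in the order the following procedures assume (root, then intermediate, then signed certificate) and that the signed certificate's subject CN is the public FQDN given in the trustpoint subject-name; a CN mismatch is also the first thing the "Cisco Unified Presence Certificate Not Accepted" item in Chapter 15 asks you to check. The script below is an added example, not Cisco's code or part of this guide; it assumes the openssl CLI is installed, and the chain that make_test_chain builds is constructed for demonstration only.

```python
import os
import subprocess
import tempfile
from typing import Dict, List, Optional

# Default file names are the ones this appendix says VeriSign provides.
ROOT_FILE = "verisign-root-ca.cer"
INTERMEDIATE_FILE = "trial-inter-root.cer"
SIGNED_FILE = "verisign-signed-cert.cer"


def _openssl(*args: str) -> subprocess.CompletedProcess:
    """Run the openssl CLI (assumed to be installed) and return the completed process."""
    return subprocess.run(["openssl", *args], capture_output=True, text=True, check=False)


def _dn(cert_path: str, field: str) -> str:
    """Subject or issuer DN of a PEM certificate in RFC 2253 form, e.g. 'CN=Root CA'."""
    proc = _openssl("x509", "-in", cert_path, "-noout", f"-{field}", "-nameopt", "RFC2253")
    if proc.returncode != 0:
        raise ValueError(f"{cert_path}: not a readable PEM certificate")
    return proc.stdout.strip().split("=", 1)[1]


def common_name(cert_path: str) -> str:
    """The CN attribute of the certificate subject."""
    for rdn in _dn(cert_path, "subject").split(","):
        if rdn.startswith("CN="):
            return rdn[3:]
    raise ValueError(f"{cert_path}: subject has no CN")


def check_bundle(root: str, intermediate: str, signed: str, public_fqdn: str) -> List[str]:
    """Return the problems found; an empty list means the files are ready to import."""
    problems = []
    if _dn(root, "subject") != _dn(root, "issuer"):
        problems.append("root file is not self-signed")
    if _dn(intermediate, "issuer") != _dn(root, "subject"):
        problems.append("intermediate file was not issued by the root file")
    if _dn(signed, "issuer") != _dn(intermediate, "subject"):
        problems.append("signed certificate was not issued by the intermediate file")
    cn = common_name(signed)
    if cn.lower() != public_fqdn.lower():
        problems.append(f"subject CN {cn!r} is not the public FQDN {public_fqdn!r}")
    # Full path validation, the same check the TLS peer performs during the handshake.
    proc = _openssl("verify", "-CAfile", root, "-untrusted", intermediate, signed)
    if proc.returncode != 0:
        problems.append("openssl verify failed: " + (proc.stderr or proc.stdout).strip())
    return problems


def make_test_chain(public_fqdn: str, workdir: Optional[str] = None) -> Dict[str, str]:
    """Construct a throwaway root -> intermediate -> server chain with openssl (demo data only)."""
    workdir = workdir or tempfile.mkdtemp(prefix="cup-certs-")
    ca_ext = os.path.join(workdir, "ca.ext")
    leaf_ext = os.path.join(workdir, "leaf.ext")
    with open(ca_ext, "w") as fh:
        fh.write("basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n")
    with open(leaf_ext, "w") as fh:
        fh.write("basicConstraints=CA:FALSE\n")

    def run(*args: str) -> None:
        proc = _openssl(*args)
        if proc.returncode != 0:
            raise RuntimeError(proc.stderr)

    def key_and_csr(name: str, subject: str):
        key = os.path.join(workdir, name + ".key")
        csr = os.path.join(workdir, name + ".csr")
        run("req", "-new", "-newkey", "rsa:2048", "-nodes", "-keyout", key, "-out", csr, "-subj", subject)
        return key, csr

    root_key, root_csr = key_and_csr("root", "/CN=Constructed Root CA")
    root = os.path.join(workdir, ROOT_FILE)
    run("x509", "-req", "-in", root_csr, "-signkey", root_key, "-out", root,
        "-days", "1", "-extfile", ca_ext)
    inter_key, inter_csr = key_and_csr("inter", "/CN=Constructed Intermediate CA")
    inter = os.path.join(workdir, INTERMEDIATE_FILE)
    run("x509", "-req", "-in", inter_csr, "-CA", root, "-CAkey", root_key, "-CAcreateserial",
        "-out", inter, "-days", "1", "-extfile", ca_ext)
    _leaf_key, leaf_csr = key_and_csr("leaf", f"/CN={public_fqdn}")
    signed = os.path.join(workdir, SIGNED_FILE)
    run("x509", "-req", "-in", leaf_csr, "-CA", inter, "-CAkey", inter_key, "-CAcreateserial",
        "-out", signed, "-days", "1", "-extfile", leaf_ext)
    return {"root": root, "intermediate": inter, "signed": signed}


if __name__ == "__main__":
    files = make_test_chain("cup.example.com")   # placeholder FQDN
    print(check_bundle(files["root"], files["intermediate"], files["signed"], "cup.example.com") or "bundle OK")
```

With real files, call check_bundle with the three downloaded paths and the FQDN from the trustpoint subject-name.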

Deleting the Certificate Used for the Certificate Signing Request


You must delete the temporary root certificate used to generate the Certificate Signing Request.
Before You Begin

Complete the steps in Submitting the Certificate Signing Request to VeriSign, page B-4.
Procedure
Step 1

Enter config mode, type:


>Enable
>password
>config t

Step 2

Enter this command to display the certificates:


show running-config crypto ca

Look for crypto ca certificate chain <name of trustpoint>.

Step 3

Enter this command to delete the certificate:


(config)# crypto ca certificate chain <name of trustpoint>
(config-cert-chain)# no certificate ca 00b92f60cc889fa17a4609b85b70$

The following warning output displays:


WARNING: The CA certificate will be disassociated from this trustpoint and will be removed if it is not associated with any other trustpoint. Any other certificates issued by this CA and associated with this trustpoint will also be removed.

Step 4

Enter yes when you are prompted to delete the trustpoint.

What To Do Next

Importing the Intermediate Certificate, page B-6


Importing the Intermediate Certificate


Before You Begin

Complete the steps in Deleting the Certificate Used for the Certificate Signing Request, page B-5.
Procedure
Step 1

Enter config mode, type:


>Enable
>password
>config t

Step 2

Enter this command to import the certificate onto Cisco Adaptive Security Appliance:
crypto ca authenticate <name of trustpoint>

Step 3

Enter the CA certificate, for example:


-----BEGIN CERTIFICATE-----
MIIEwDCCBCmgAwIBAgIQY7GlzcWfeIAdoGNs+XVGezANBgkqhkiG9w0BAQU....
-----END CERTIFICATE-----
quit

Note Finish with the word "quit" on a separate line.

Step 4 Enter yes when you are prompted to accept the certificate.

What To Do Next

Creating a Trustpoint for the Root Certificate, page B-6

Creating a Trustpoint for the Root Certificate


Before You Begin

Complete the steps in Importing the Intermediate Certificate, page B-6.


Step 1

Enter config mode, type:


>Enable
>password
>config t

Step 2

Enter this command to generate the trustpoint:


crypto ca trustpoint verisign_root

Step 3

Enter the following sequence of commands:


(config-ca-trustpoint)# revocation-check none
(config-ca-trustpoint)# keypair keys_for_verisign
(config-ca-trustpoint)# enrollment terminal
(config-ca-trustpoint)# exit


Importing the Root Certificate


Before You Begin

Complete the steps in Creating a Trustpoint for the Root Certificate, page B-6.
Procedure
Step 1

Enter config mode, type:


>Enable
>password
>config t

Step 2

Enter this command to import the certificate onto Cisco Adaptive Security Appliance:
crypto ca authenticate verisign_root

Step 3

Enter the CA certificate, for example:


-----BEGIN CERTIFICATE----MIICmDCCAgECECCol67bggLewTagTia9h3MwDQYJKoZIhvcNAQECBQAw.... -----END CERTIFICATE----quit

Note Step 4

Finish with the word "quit" on a separate line. Enter yes when you are prompted to accept the certificate.

What To Do Next

Importing the Signed Certificate, page B-7

Importing the Signed Certificate


Before You Begin

Complete the steps in Importing the Root Certificate, page B-7.


Procedure

Step 1 Enter config mode:

>Enable
>password
>config t

Step 2 Enter this command to import the certificate onto Cisco Adaptive Security Appliance:

crypto ca import verisignca certificate

The following warning output displays:

WARNING: The certificate enrollment is configured with an fqdn that differs from the system fqdn. If this certificate will be used for VPN authentication this may cause connection problems.

Step 3 Enter yes when you are prompted to continue with the certificate enrollment.

Step 4 Enter the CA certificate, for example:

-----BEGIN CERTIFICATE-----
MIIFYTCCBEmgAwIBAgIQXtEPGWzZ0b9gejHejq+HazANBgkqhkiG9w0B....
-----END CERTIFICATE-----
quit

Note Finish with the word "quit" on a separate line.

Step 5 Enter yes when you are prompted to accept the certificate.

What To Do Next

Importing the VeriSign Certificates onto Microsoft Access Edge, page B-8
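The three import procedures above paste the root, the intermediate and the signed certificate into the ASA by hand, and the ASA only warns about a mismatched fqdn after the fact. The following shell script is an added example, not part of the Cisco guide: it builds a constructed root -> intermediate -> server chain with openssl so it runs offline (the CA names and asa.example.com are made up) and shows the checks worth running on the real PEM files before they are pasted in: that the signed certificate chains to the root through the intermediate, that its subject CN is the FQDN the trustpoint was enrolled with, and that none of the three expires soon.

```shell
#!/bin/sh
# Added example (not Cisco's code): pre-import checks for the root, intermediate and
# signed PEM files used by "crypto ca authenticate" and "crypto ca import".
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed test chain standing in for the VeriSign root, intermediate and signed cert.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=Test Root CA" \
    -keyout root.key -out root.pem >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
    -keyout int.key -out int.csr >/dev/null 2>&1
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 365 \
    -sha256 -extfile ca.ext -out int.pem >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=asa.example.com" \
    -keyout leaf.key -out leaf.csr >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 365 \
    -sha256 -out leaf.pem >/dev/null 2>&1

# verify_chain ROOT INTERMEDIATE SIGNED FQDN
# Returns 0 only if SIGNED chains to ROOT through INTERMEDIATE and its subject CN is
# FQDN (the name the trustpoint was enrolled with); returns 1 otherwise.
verify_chain() {
    # ROOT is the only trust anchor; INTERMEDIATE is untrusted input, so a missing or
    # swapped intermediate makes the chain check fail.
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1 || return 1
    # Extract the CN from the subject line in either OpenSSL subject output format.
    cn=$(openssl x509 -in "$3" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p')
    if [ "$cn" = "$4" ]; then return 0; else return 1; fi
}

# check_expiry FILE... : returns 0 if every certificate is still valid in 30 days.
check_expiry() {
    for f in "$@"; do
        openssl x509 -in "$f" -noout -checkend 2592000 >/dev/null 2>&1 || return 1
    done
    return 0
}

if verify_chain root.pem int.pem leaf.pem asa.example.com && check_expiry root.pem int.pem leaf.pem; then
    echo "chain OK: safe to paste into the ASA trustpoints"
else
    echo "chain check FAILED: do not import"
fi
```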

Importing the VeriSign Certificates onto Microsoft Access Edge


This procedure describes how to import the VeriSign root and intermediate certificates onto the Microsoft Access Edge server.
Before You Begin

Save the certificates that were provided by VeriSign to the Access Edge server, for example, in C:\.
Procedure

Step 1 On the Access Edge server, enter mmc from the run command.
Step 2 Select File > Add/Remove Snap-in.
Step 3 Click Add.
Step 4 Click Certificates.
Step 5 Click Add.
Step 6 Select Computer account.
Step 7 Click Next.
Step 8 Select Local computer.
Step 9 Click Finish.
Step 10 Click OK to close the Add/Remove Snap-In window.
Step 11 In the main console, expand the Certificates tree.
Step 12 Open the Trusted Root Certificates branch.
Step 13 Right-click on Certificates.


Step 14 Select All Tasks > Import.
Step 15 Click Next on the certificate wizard.
Step 16 Browse for a VeriSign certificate in the C:\ directory.
Step 17 Click Place all certificates in the following store.
Step 18 Select Trusted Root Certification Authorities as the certificate store.
Step 19 Repeat steps 13 to 18 to import the additional VeriSign certificates.


Appendix C

Integration Debugging Information

April 4, 2011

Debugging Information for Cisco Adaptive Security Appliance, page C-1
Debugging Access Edge and OCS Server, page C-5

Debugging Information for Cisco Adaptive Security Appliance

Cisco Adaptive Security Appliance Debugging Commands, page C-1
Capturing the Output on the Internal and External Interfaces, page C-3
TLS Proxy Debugging Commands, page C-3

Cisco Adaptive Security Appliance Debugging Commands


Table C-1 lists the debugging commands for the Cisco Adaptive Security Appliance.

Table C-1 Cisco Security Appliance Debugging Commands

To: Show ICMP packet information for pings to the Cisco Adaptive Security Appliance interfaces
Use the Command: debug icmp trace
Notes: We strongly recommend that you disable debug messages once you have completed your troubleshooting. To disable ICMP debug messages, use the no debug icmp trace command.

To: Show messages relating to the certificate validation between Cisco Unified Presence/Cisco Adaptive Security Appliance or Cisco Adaptive Security Appliance/foreign domain
Use the Command: debug crypto ca
Notes: You can increase the log level on the ASA by adding the log level parameter to this command, for example: debug crypto ca 3

Use the Command: debug crypto ca messages
Notes: Shows only debug messages for input and output messages

Use the Command: debug crypto ca transactions
Notes: Shows only debug messages for transactions

To: Show the SIP messages sent through Cisco Adaptive Security Appliance
Use the Command: debug sip


Table C-1 Cisco Security Appliance Debugging Commands (continued)

Send log messages to a buffer (for later terminal monitor viewing):

To: Enable system log messages
Use the Command: logging on
Notes: We strongly recommend that you disable system log messages once you have completed your troubleshooting. To disable system log messages, use the no logging on command.

To: Send system log messages to a buffer
Use the Command: logging buffer debug

To: Set system log messages to be sent to Telnet or SSH sessions
Use the Command: logging monitor debug

To: Designate a (syslog) server to receive the system log messages
Use the Command: logging host <interface_name> <ip_address>
Notes: The interface_name argument specifies the Cisco Adaptive Security Appliance interface through which you access the syslog server. The ip_address argument specifies the IP address of the syslog server.

To: Ping the interfaces
Use the Command: ping
Notes: Refer to the Troubleshooting section of the Cisco Security Appliance Command Line Configuration Guide for details on pinging the Cisco Adaptive Security Appliance interfaces, and also pinging between hosts on different interfaces to ensure that the traffic can pass successfully through the Cisco Adaptive Security Appliance. You can also ping an interface in ASDM by selecting Tools > Ping.

Note You will not be able to ping the public Cisco Unified Presence IP address. However, the MAC address of the ASA outside interface should appear in the ARP table (arp -a).

To: Trace the route of a packet
Use the Command: traceroute
Notes: You can also trace the route of a packet in ASDM via Tools > Traceroute.

To: Trace the life span of a packet through the Cisco Adaptive Security Appliance
Use the Command: packet-tracer
Notes: You can also trace the life span of a packet in ASDM via Tools > Packet Tracer.

Related Topics

TLS Proxy Debugging Commands, page C-3


Capturing the Output on the Internal and External Interfaces


Procedure

Step 1 Enter config mode:

>Enable
>password
>config t

Step 2 Define an access-list to specify the traffic to be captured, for example:

access-list cap extended permit ip 10.53.0.0 255.255.0.0 10.53.0.0 255.255.0.0

Step 3 Enter this command to capture the packets on the internal interface:

cap in interface inside access-list cap

Note It is recommended that you clear the capture content before starting the tests. Use the command clear capture in to clear the internal interface capture, and the command clear capture out to clear the external interface capture.

Step 4 Enter this command to capture the packets on the external interface:

cap out interface outside access-list cap

Step 5 Enter this command to capture TLS specific packets:

capture <capture_name> type tls-proxy interface <interface_name>

Step 6 Enter this command to retrieve the packet capture:

copy /pcap capture:in tftp://xx.xx.xx.xx
copy /pcap capture:out tftp://xx.xx.xx.xx

Step 7 Enter this command to copy the output to disk and retrieve it using ASDM (Actions > File Management > File Transfer):

copy /pcap capture:in disk0:in_1

TLS Proxy Debugging Commands


Table C-2 lists the debugging commands for the TLS Proxy.

Table C-2 TLS Proxy Debugging Commands

To: Enable TLS proxy-related debug and syslog output
Use the Command(s):
debug inspect tls-proxy events
debug inspect tls-proxy errors
debug inspect tls-proxy all

To: Show a TLS proxy session output
Use the Command(s): show log


Table C-2 TLS Proxy Debugging Commands (continued)

To: Check the active TLS proxy sessions
Use the Command(s): show tls-proxy

To: View the detail of the current TLS proxy sessions (use when Cisco Adaptive Security Appliance successfully establishes connections with Cisco Unified Presence and the foreign domain)
Use the Command(s): show tls-proxy session detail


Debugging Access Edge and OCS Server


Initiating a Debug Session on OCS/Access Edge, page C-5
Verifying the DNS Configuration on Access Edge, page C-5

Initiating a Debug Session on OCS/Access Edge

Procedure

Step 1 Select Start > Administrative Tools > Computer Management on the external Access Edge server.
Step 2 Right-click Microsoft Office Communications Server 2007 in the left pane.
Step 3 Select Logging Tool > New Debug Session.
Step 4 Select SIP Stack in the Logging Options.
Step 5 Select All for the Level value.
Step 6 Select Start Logging.
Step 7 Select Stop Logging when complete.
Step 8 Select Analyze Log Files.

Verifying the DNS Configuration on Access Edge

Procedure

Step 1 On the external Access Edge server, select Start > Administrative Tools > Computer Management.
Step 2 Right-click on Microsoft Office Communications Server 2007 in the left pane.
Step 3 Select the Block tab.
Step 4 Check that the domain is not blocked.
Step 5 Ensure that the following options are selected in the Access Methods pane:

Federate with other domains
Allow discovery of federation partners

Step 6 Check that the Access Edge is publishing DNS SRV records.
