This is the final post in the Cisco IM&P and MS Lync Intradomain Federation series. We will cover two super important topics – certificates and troubleshooting techniques. The previous posts in the series are as below:
- Lab overview: https://autrunk.com/step-by-step-cisco-imp-and-microsoft-lync-intradomain-federation-lab-1/
- Cisco IM&P configuration: https://autrunk.com/step-by-step-cisco-imp-and-microsoft-lync-intradomain-federation-lab-2/
- MS Lync configuration: https://autrunk.com/step-by-step-cisco-imp-and-microsoft-lync-intradomain-federation-lab-3/
Before we start, let’s review one of the instructions from the Cisco intradomain setup wizard covered in the Cisco IM&P configuration post.
The Cisco instruction asks us to export the Lync topology as an XML file, then change the trusted application computers’ (i.e. the IM&P nodes’) IP addresses from 0.0.0.0 to the actual IPs of our IM&P servers. This step is not required to make the federation work, but it is a good idea for production, especially from a security standpoint.
0.0.0.0 is a placeholder: Lync does not pin the trusted application computer to a source address, so a connection for that IM&P FQDN is accepted from any IP. Replacing it with the real IM&P addresses means only those specific IPs are acceptable.
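The export, edit and re-publish round trip described above, as an added PowerShell example that is not part of the original post or Cisco’s instructions. It assumes the lab IM&P FQDNs and two made-up lab IP addresses, and that the exported topology carries the placeholder on an element with an IPAddress attribute nested under an element with a Fqdn attribute (the NetInterface/Computer layout of a typical export); it matches on those attributes rather than on fixed element names so that a different layout simply results in no changes.

```powershell
# Added example (not from the original post): export the Lync topology, replace the
# 0.0.0.0 placeholder on the IM&P trusted application computers with their real IPs,
# and publish the result. Run from the Lync Server Management Shell.
# Assumptions: the FQDN -> IP map below is this lab's (IPs are made up); the exported
# XML carries the IP on an element with an IPAddress attribute nested under an element
# with a Fqdn attribute. Matching is by attribute, not by element name.

$topologyFile = 'C:\Temp\topology.xml'
$backupFile   = 'C:\Temp\topology.before.xml'

# Trusted application computers (IM&P nodes) and the addresses Lync should pin them to
$impNodes = @{
    'S01E01IMP01.altairx.lan' = '192.168.10.21'   # assumed lab IP
    'S01E01IMP02.altairx.lan' = '192.168.10.22'   # assumed lab IP
}

# 1. Export the current topology and keep an untouched copy for rollback
Get-CsTopology -AsXml | Out-File -FilePath $topologyFile -Encoding UTF8
Copy-Item -Path $topologyFile -Destination $backupFile -Force

# 2. Edit: only touch 0.0.0.0 entries that belong to one of the listed IM&P FQDNs
[xml]$topology = Get-Content -Path $topologyFile -Raw
$changed = 0
foreach ($node in $topology.SelectNodes("//*[@IPAddress='0.0.0.0']")) {
    # Walk up to the nearest ancestor that names the computer
    $owner = $node.ParentNode
    while ($owner -ne $null -and -not ($owner.Attributes -and $owner.Attributes['Fqdn'])) {
        $owner = $owner.ParentNode
    }
    if ($owner -eq $null) { continue }

    $fqdn = $owner.Attributes['Fqdn'].Value
    if ($impNodes.ContainsKey($fqdn)) {
        $node.Attributes['IPAddress'].Value = $impNodes[$fqdn]
        Write-Output "Pinned $fqdn to $($impNodes[$fqdn])"
        $changed++
    }
}

if ($changed -eq 0) {
    Write-Warning 'No 0.0.0.0 entries found for the listed IM&P nodes; nothing to publish.'
    return
}
$topology.Save($topologyFile)

# 3. Publish and enable the edited topology so Lync only accepts the pinned addresses
Publish-CsTopology -FileName $topologyFile
Enable-CsTopology
```

Keep the untouched export: if the IM&P addresses ever change, a node whose pinned IP is stale will be refused by Lync, and the backup shows exactly what was altered.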
3.1 Cisco IM&P Certificates
3.1.1 Install CA root certificate
Import the root CA certificate on the Cisco IM&P server by uploading to cup-trust. Reference 2 provides an instruction on how to export the domain root CA certificate.
Cisco IM&P server certificate is managed via Cisco Unified IM and Presence OS Administration > Security > Certificate Management.
3.1.2 Install CA-signed certificates
Request a certificate with ‘Generate CSR‘ and then download the CSR.
Request certificates for both cup and cup-ECDSA. Take a note of the existing self-signed certificates’ Enhanced Key Usage (EKU) and encryption type, as below:
Use the domain CA to issue the required certificates, and make sure the certificate template’s Cryptography and EKU settings meet those requirements.
Upload the CA-signed certificates to cup and cup-ECDSA respectively. We change the certificates from self-signed to CA-signed on all IM&P nodes, IMP01 and IMP02 in our case.
Restart the ‘Cisco SIP proxy’ and ‘Cisco Presence Engine’ services to make the certificate change effective. IM&P services can be restarted from Cisco Unified IM and Presence Serviceability > Tools > Control Centre – Feature Services or Control Centre – Network Services.
Reference 1 elaborates on Cisco IM&P certificates.
3.2 Microsoft Lync Certificates
3.2.1 Install CA root certificate
Check whether the domain root CA certificate is trusted by the Lync server: run MMC > File > Add/Remove Snap-in… > Certificates > Computer account > Local computer. If the domain root CA is not listed under ‘Trusted Root Certification Authorities‘, import it into that store on the Lync server. Reference 2 provides instructions on how to export the domain root CA certificate.
3.2.2 Update Lync default certificate
In the previous post about the Lync-side configuration, we configured the static route on Lync to use the default certificate for peer authentication with the Cisco IM&P server, as below.
# Create a new static route and assign it to the variable 'tlsRoute'
# -Destination: must be an FQDN, not an IP
# -UseDefaultCertificate $true: the Lync server default certificate is used for peer authentication
# -MatchUri altairx.lan: the SIP domain is expected to match altairx.lan. If your SIP URI is email@example.com, then -MatchUri test.altairx.lan or *.altairx.lan
$tlsRoute = New-CsStaticRoute -TLSRoute -Destination S01E01IMP01.altairx.lan -Port 5061 `
    -UseDefaultCertificate $true -MatchUri altairx.lan
The default certificate must meet the following requirements for peer authentication to succeed:
- Subject or Subject Alternative Name (SAN) includes the Lync server’s FQDN, S01E01LYC01.altairx.lan in our case; and
- Enhanced Key Usage (EKU) includes both Server Authentication and Client Authentication.
My original Lync default certificate, shown below, failed the EKU requirement: it carried Server Authentication only.
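A script that checks the currently assigned default certificate against both requirements, added here as an example and not part of the original post. It assumes the lab’s Lync FQDN, and it reads the SAN from the extension’s formatted text, whose ‘DNS Name=’ label is specific to an English-locale Windows; the EKU check reads the OIDs directly and is locale-independent.

```powershell
# Added example (not from the original post): check the certificate assigned to the
# Lync 'Default' use against the two peer-authentication requirements.
# Run from the Lync Server Management Shell on the Lync server.
# Assumptions: $lyncFqdn is this lab's Lync server; the 'DNS Name=' label in the
# formatted SAN text is English-locale specific.

$lyncFqdn      = 'S01E01LYC01.altairx.lan'
$ekuServerAuth = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$ekuClientAuth = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

# Which certificate is assigned to the Default use? Load it from the machine store.
$assigned = Get-CsCertificate -Type Default | Select-Object -First 1
if (-not $assigned) { throw 'No certificate is assigned to the Default use.' }
$cert = Get-Item -Path "Cert:\LocalMachine\My\$($assigned.Thumbprint)"

# Requirement 1: Subject CN or a SAN DNS entry equals the Lync server FQDN
$cn  = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
$sanNames = @()
if ($san) {
    $sanNames = [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)') |
        ForEach-Object { $_.Groups[1].Value }
}
$nameOk = ($cn -ieq $lyncFqdn) -or ($sanNames -icontains $lyncFqdn)

# Requirement 2: EKU lists both Server Authentication and Client Authentication.
# A certificate with no EKU extension at all is treated as failing, since the
# wizard-issued templates always carry one.
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekuOids = @()
if ($eku) { $ekuOids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } }
$serverOk = $ekuOids -contains $ekuServerAuth
$clientOk = $ekuOids -contains $ekuClientAuth

[pscustomobject]@{
    Thumbprint        = $cert.Thumbprint
    Subject           = $cert.Subject
    SanDnsNames       = ($sanNames -join ', ')
    FqdnPresent       = $nameOk
    ServerAuthInEku   = $serverOk
    ClientAuthInEku   = $clientOk
    MeetsRequirements = ($nameOk -and $serverOk -and $clientOk)
} | Format-List

if (-not ($serverOk -and $clientOk)) {
    Write-Warning 'EKU is incomplete: request a certificate from a template that includes both Server and Client Authentication, then assign it to the Default use.'
}
```

Run it once before and once after the wizard steps that follow; the second run should report MeetsRequirements = True for the new thumbprint.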
It is probably easier to use the Lync Server Deployment Wizard to request and assign a new default certificate.
Select ‘Install or Update Lync Server System‘ from the wizard GUI, and ‘Run Again‘ ‘Step3: Request, Install or Assign Certificates‘.
We are going to ‘Request‘ a new default certificate and then ‘Assign‘ the new certificate.
Follow the certificate request wizard and fill in the required information. Do NOT use the default Web Server template, which only includes Server Authentication. Choose a certificate template that carries both Server Authentication and Client Authentication.
On the domain CA server, we published a new template called ‘WEB Server and Client Authen’. In the Lync certificate wizard, type in ‘WEBServerandClientAuthen’ without any spaces: the wizard wants the template name, which Active Directory Certificate Services derives from the display name by stripping the spaces.
Reference 3 provides an introduction to managing MS certificate templates.
We then assign the newly generated certificate to the Lync Default use. The certificate should now show both Server Authentication and Client Authentication in its EKU.
Result – Jabber and Lync User Chat
The Lync user John Smith and Jabber user Ben Lee can chat with each other. The presence works as well. Since we do not use the softphone function on Jabber in this lab, we removed the phone icon from the Jabber interface.
If things do not work out as expected, do not panic; the following tools help with troubleshooting:
- Windows event log – provides Lync application events
- Lync Server Logging Tool – highly recommended, available from the Lync installation disk; it captures and analyses SIP messages, as below. Download link in Reference 4.
- Cisco Real-Time Monitoring Tool (RTMT) – available from CUCM > Cisco Unified CM Administration > Application > Plugins. It is Cisco’s native voice troubleshooting tool. Admin guide in Reference 5.
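A first-pass check from the Lync side before reaching for the logging tools, added here as an example and not part of the original post. It confirms the IM&P SIP TLS port the static route points at is reachable, then pulls recent Error and Warning entries from the Windows ‘Lync Server’ event log that mention TLS, certificates or the IM&P host. It assumes the lab’s IM&P FQDN and port 5061, and that Test-NetConnection is available (Windows Server 2012 R2 / PowerShell 4 or later).

```powershell
# Added example (not from the original post): quick reachability and event-log triage
# from the Lync server when Jabber <-> Lync chat or presence fails.
# Assumptions: $impHost and $port match the static route; Test-NetConnection needs
# Windows Server 2012 R2 / PowerShell 4 or later.

$impHost = 'S01E01IMP01.altairx.lan'
$port    = 5061
$since   = (Get-Date).AddHours(-2)

# 1. Can the Lync server reach the IM&P SIP proxy on the TLS port at all?
$tcp = Test-NetConnection -ComputerName $impHost -Port $port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "TCP $port to $impHost failed: check the IM&P 'Cisco SIP Proxy' service and any firewall in the path before looking at certificates."
} else {
    Write-Output "TCP $port to $impHost is open; if the route still fails, suspect TLS / certificates."
}

# 2. Recent Lync application events pointing at the TLS / certificate layer.
# Level 2 = Error, 3 = Warning.
$pattern = 'TLS|certificate|{0}' -f [regex]::Escape($impHost)
Get-WinEvent -FilterHashtable @{ LogName = 'Lync Server'; Level = 2, 3; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, ProviderName,
        @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

If the TCP test passes but the event log shows TLS errors naming the IM&P host, the certificate checks in the sections above (root CA trust on both sides, FQDN in Subject/SAN, Server plus Client Authentication in the EKU) are the first things to re-verify.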
References
1. Configuration and Administration of the IM and Presence Service on Cisco Unified Communications Manager, Release 11.5(1): https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/im_presence/configAdminGuide/11_5_1/CUP0_BK_CE08159C_00_config-admin-guide-imp-1151/CUP0_BK_CE08159C_00_config-admin-guide-imp-1151_chapter_01000.html
2. How to export Root Certification Authority Certificate: https://support.microsoft.com/en-us/help/555252
3. PKI CA – Manage certificate templates: https://www.mowasay.com/2017/06/pki-ca-manage-certificate-templates/
4. Microsoft Lync Server 2013 Debugging Tools: https://www.microsoft.com/en-us/download/details.aspx?id=35453
5. Cisco Unified Real-Time Monitoring Tool Administration Guide, Release 11.5(1): https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/service/11_5_1/rtmt/CUCM_BK_C53F5FA7_00_cisco-unified-rtmt-administration-115.html