Configuring XMPP Connectivity to Gmail
Author: Rui Maximo
Publication date: November 2009
Product version: Microsoft Office Communications Server 2007 R2
Check out the following figure. That’s no illusion-it’s an Office Communicator user communicating with a Gmail user.
If you can’t wait to try this, you have come to the right place. Before you start, ensure that the following requirements are met:
Your organization has a properly configured Office Communications Server 2007 R2 environment.
There is a properly configured Edge Server in your Office Communications Server environment.
You have permissions to request a server certificate from a public or private CA.
You have permissions to create DNS SRV and A records on the Internet.
There is a server that is running Windows Server 2008 on which to install the XMPP Gateway in your network perimeter.
The rest of this article assumes that you have an environment running Office Communications Server 2007 R2 complete with an Edge Server (see requirements 1 and 2 in the previous list) that is configured to allow internal users to federate with external domains. You will have to request a certificate for your XMPP Gateway (requirement 3). For Gmail to locate your XMPP Gateway, you will have to create SRV and A records on your public facing DNS (requirement 4). To install the XMPP Gateway, you must have a separate server running Windows Server 2008 (requirement 5).
Figure 2 illustrates the topology of the configuration that you will be setting up. Because the XMPP Gateway connects directly to your Edge Server and the Gmail gateways on the Internet, it should be deployed in the network perimeter. Let’s get started!
To allow the Gmail gateway to communicate with your XMPP Gateway, you must open port 5269 on your external firewall and map incoming and outgoing TCP traffic on that port to your XMPP Gateway FQDN or IP address. Gmail uses port 5269. If you do not configure your firewall to allow incoming traffic on port 5269 to your XMPP Gateway, Gmail users will not be able to send instant messages to Office Communicator users.
Because your XMPP Gateway connects directly to your Edge Server and your Edge Server is located in your network perimeter, your XMPP Gateway also must be located in the network perimeter. It must be accessible to the Gmail gateway. This placement of your XMPP Gateway means that you will have to be mindful of the security implications and take appropriate action to secure your XMPP Gateway.
To configure the XMPP Gateway, do the following:
Set up a server that is running Windows Server 2008. Ensure that the latest security updates are installed. This computer will be referred to as the XMPP Gateway.
Install Office Communications Server 2007 R2 XMPP Gateway software.
Define the FQDNs to the XMPP Gateway.
Configure the domain name on the XMPP Gateway.
Request and install a server certificate in the computer’s Personal store for the XMPP Gateway.
Create SRV record and A records for the XMPP Gateway on your public facing DNS server.
Configure the XMPP Gateway.
Step 1: Set Up a Server that Is Running Windows Server 2008
Microsoft requires that the XMPP Gateway be installed on a separate server. Unless you use a separate Active Directory in your network perimeter to manage the servers in your network perimeter, configure this Windows server in a stand-alone workgroup. Under no circumstance should this server be joined to your internal Active Directory domain.
Because this Windows server is in your network perimeter, ensure it is hardened against attack. Reduce the attack surface area by turning off unnecessary services and allowing incoming traffic to the XMPP Gateway only on ports 5061 (used by the Edge Server) and 5269 (used by the Gmail gateways).
Step 2: Install Office Communications Server 2007 R2 XMPP Gateway Software
This article does not cover the installation process in detail because this process is very simple. However, the following are two things to keep in mind:
First, your XMPP Gateway needs only a single network interface (NIC). When I think of a gateway, two NICs automatically come to mind. I had originally configured my Windows server to have two network interfaces, but it is not necessary. You can keep things less complicated by using a single NIC.
Second, after you complete the installation wizard, make sure that you specify the IP address of your network interface in the following file:
%ProgramFiles%\Microsoft Office Communications Server 2007 R2\XMPP Gateway\TGWConsoleGUI.dll.config
This is the configuration file used by the XMPP Gateway service. Because Setup does not prompt for this information during installation, it can be easily overlooked. The example shows the contents of the config file. Assuming your XMPP Gateway uses a single network interface, specify the server’s IP address as the value for the SipIP and XmppIP fields.
<?xml version="1.0" standalone="yes"?> <configuration> <appSettings> <add key= "cultureName" value = "en-US"/> <add key= "SipIP" value= "XXX.XXX.XXX.XXX"/> <add key= "XmppIP" value="XXX.XXX.XXX.XXX"/> </appSettings> </configuration>
Step 3: Define the FQDNs to the XMPP Gateway
I recommend using two FQDNs. One of the FQDNs is internal and is used by your Edge Server to connect to your XMPP Gateway. This internal FQDN is not exposed to the Internet and maps to the actual IP address of the XMPP Gateway. This FQDN is used by the Edge Server to validate the XMPP Gateway’s server certificate when establishing an MTLS connection. In this example, the internal FQDN is called srv_xmpp.litwareinc.com.
The other FQDN is for external use by the Gmail gateways to locate your XMPP Gateway. This external FQDN is exposed to the Internet and maps to your firewall’s public IP address, which you have configured to route TCP traffic for port 5269 to your XMPP Gateway. This external FQDN is called xmpp.litwareinc.com in our example.
You might be wondering why not use a single FQDN instead of two? And you’re correct. You can use a single FQDN. If you use a single FQDN, you must use the public FQDN. In this configuration, the Edge Server connects to your XMPP Gateway through the public FQDN. This results in the traffic between your Edge Server and XMPP Gateway going across your external firewall. However, if your firewall does not allow loopbacks, the connection will fail.
Step 4: Configure the Domain Name on the XMPP Gateway
After you define an FQDN for your XMPP Gateway, you must configure the domain name portion of this FQDN on your XMPP Gateway. (This assumes that the server running the XMPP Gateway is configured in a stand-alone Workgroup).
In our example, the internal FQDN of the XMPP Gateway is srv_xmpp.litwareinc.com. The domain name portion of this FQDN is litwareinc.com. You must configure this value in the Primary DNS suffix of this computer field of the XMPP Gateway.To configure the domain name portion of the FQDN:
Click Start, right-click Computer, and then click Properties.
Under Computer name, domain, and workgroup settings, click Change settings.
On the Computer name tab, click Change.
In the Computer Name/Domain Changes dialog box, click More as shown in Figure 3.
In the Primary DNS suffix of this computer field, enter the domain name.
Step 5: Request and Install a Server Certificate in the Computer’s Personal Store for the XMPP Gateway
Your XMPP Gateway requires a server certificate to communicate with your Edge Server. This certificate with its corresponding private key must be installed in the local computer’s Personal store.
Without a certificate, the authentication will fail and the MTLS connection will be refused. This can often be a source of frustration and can be caused by a variety of reasons such as an untrusted root CA or a mismatch between the XMPP Gateway’s FQDN and the certificate’s CN in the Subject Name field. If you run into issues, use the ocslogger.exe tool to help you troubleshoot. It’s a great tool. If you run into problems, let us know and we’ll produce an article on this topic.
Everyone has their favorite way of requesting certificates, so I will not cover all the ways this can be done. However, there are two things to keep in mind: First, make sure the Common Name (CN) of the certificate is identical to the internal FQDN that is assigned to the XMPP Gateway. Second, use at least 2048 encryption strength. For more information about certificates for Office Communications Server, see the topics about certificates in the Microsoft Office Communications Server 2007 R2 Documentation at http://go.microsoft.com/fwlink/?linkid=163250.
If your sole purpose for setting up an XMPP Gateway is to connect to Gmail, this certificate will be used only to authenticate to your Edge Server. In this case, you can use a certificate from your private CA. Make sure that your XMPP Gateway trusts the root of your Edge Server’s certificate and vice versa.
Step 6: Create SRV and A records for the XMPP Gateway on Your Public Facing DNS Server
For this step, you must publish the external FQDN of your XMPP Gateway so that the Gmail gateways can locate your XMPP Gateway. Remember your XMPP Gateway’s external FQDN should be mapped to your external firewall’s IP address unless you expose your XMPP Gateway directly on the Internet (not recommended). In our example, the external firewall’s IP address is 22.214.171.124.
After you name your XMPP Gateway’s external FQDN (we picked xmpp.litwareinc.com for our example), you must create an A record in your public DNS to map this FQDN, <server name>.<domain>.com, to your external IP address. In our example, xmpp.litwareinc.com maps to 126.96.36.199.
In addition to creating this A record, you must create an SRV record in the following form:
This is the service record locator that is used by Gmail gateways to discover the external FQDN of your XMPP Gateway. Figure 3 shows how to create this SRV record for Litware Inc.
|The protocol must be set to _tcp, and the port number must be set to 5269. The domain name of both the A record and the SRV record must match your SIP domain.|
If you own your own domain names and use godaddy.com, you might recognize Figure 4. The at sign (@) translates to your domain name. This is litwareinc.com in our example.
Step 7: Configure the XMPP Gateway
The final step is to configure your XMPP Gateway to connect to your Edge Server and Gmail gateways.To configure your XMPP Gateway to connect to your Edge Server and Gmail gateways
On the XMPP Gateway, under Administrative tools, open the Office Communications Server 2007 R2 XMPP Gateway console.
Select the SIP Configuration node (Figure 4). Configure the connection to the Edge Server first by doing the following:
On the Domain tab, specify your domain name in the Domain field. For our example, this is litwareinc.com.
Specify the FQDN of your Edge Server in the Host Name field. In our example, the Edge Server’s external FQDN is srv.litwareinc.com.
- On the Domain tab, specify your domain name in the Domain field. For our example, this is litwareinc.com.
For the Edge Server to trust your XMPP Gateway, you must configure the certificate that you requested in step 5. To do this:
In the Office Communications Server 2007 R2 XMPP Gateway console, click the TLS Certificate tab (Figure 5).
Click Select Certificate, and then select the certificate that you requested in step 5. If you are unable to find it, you installed the certificate in the wrong certificate store.
Note: The certificate’s common name must match the XMPP Gateway’s FQDN as shown in Figure 6.
After you finish the SIP configuration, click the Validate Connection tab to validate your configuration to the Edge Server.
- In the Office Communications Server 2007 R2 XMPP Gateway console, click the TLS Certificate tab (Figure 5).
Next, configure the connection to the Gmail gateways by doing the following:
In the left pane, click the XMPP Configuration node (Figure 6).
On the Allow List tab, click Add.
In the Federated XMPP Domain names dialog box, in the Domain Name field, enter gmail.com, and then select TCP Dialback (required) as shown in Figure 7. Click OK.
- In the left pane, click the XMPP Configuration node (Figure 6).
Because Gmail does not use any authentication or encryption (TLS), no certificate is required to be configured in the TLS Certificate tab. To validate your configuration, click the Validate Connection tab.
The configuration on the Edge Server is very simple. You just have to add an entry in the Allow list of the Edge Server.To add an entry in the Allow list of the Edge Server
In the Computer Management console, right-click the Edge Server node, and then click Properties (Figure 8).
On the Allow tab, click Add, and then make the entry to the Allow list.
When you add a new federated partner to the Allow list, the Federated partner domain name must be set to gmail.com, and the Federated partner Access Edge Server field must be set to the internal FQDN of your XMPP Gateway. This instructs your Edge Server to route messages for the domain name, gmail.com, to your XMPP Gateway. Because you do not own the domain name, gmail.com, you must specify the next hop to direct traffic for gmail.com to your XMPP Gateway. The internal FQDN of the XMPP Gateway maps to the private IP address of your XMPP Gateway instead of its public address. If you specify the public FQDN of your XMPP Gateway, your Edge Server will connect to your XMPP Gateway through your external firewall.
If you host a DNS server in your network perimeter, you should create an A record to map the FQDN of your XMPP Gateway to the private IP address of your gateway. If you do not have a private DNS server in your network perimeter, you will have to add an entry in the local hosts file of your Edge Server. To edit the local hosts file, use local administrator’s permissions. This hosts file is located in the %windir%\system32\drivers\etc\hosts directory. Use your favorite editor to add the following entry at the end of the file:
<private IP address of XMPP Gateway><internal FQDN of XMPP Gateway>
In our example, this maps to the following entry:
The last step is for users to add Gmail users to their contact list in Office Communicator. Ensure that the Office Communicator users are configured for Federation (Figure 9); otherwise, Office Communicator users will not be able to communicate with external users.
Configuring your XMPP Gateway to connect to Gmail is pretty painless when you know what to do (of course). Hopefully, this article helped you get on the fast track to making this happen. I did not cover how to request the certificate for the XMPP Gateway in detail or how to troubleshoot connectivity issues. If you experience difficulties and would like help, leave Dr. Rez a request on twitter.com.
Visit the Office Communications Server main page at http://go.microsoft.com/fwlink/?LinkId=132607.
View the complete Office Communications Server documentation library at http://go.microsoft.com/fwlink/?LinkId=132106.
Follow tweets from the Office Communications Server team at http://go.microsoft.com/fwlink/?LinkId=167909.
Download all the Office Communications Server content as a Word document at http://go.microsoft.com/fwlink/?LinkId=133609.
Download all the Office Communications Server content as a compiled help file at http://go.microsoft.com/fwlink/?LinkId=160355. (Make sure you scroll down to the Additional Information section to download OCSDocumentation.chm.)