Configuring XMPP Connectivity to Jabber XCP 5.4
Author: Geoff Clark
Publication date: November 2009
Product version: Microsoft Office Communications Server 2007 R2, Office Communications Server 2007 R2 XMPP Gateway, and Jabber XCP 5.4
This article walks you through setting up the XMPP Gateway and configuring it to work with Jabber XCP 5.4. For those who have been anticipating this release, I am happy to say, here it is, and it’s been worth the wait if you require Jabber or GMail connectivity.
You will be required to complete the following steps to successfully configure Office Communications Server 2007 R2 XMPP Gateway with Jabber XCP 5.4.
Office Communications Server Edge Configuration
Office Communications Server XMPP Gateway Configuration
Jabber XCP (s2s Configuration)
Enable your current environment to work with the new Office Communications Server 2007 R2 XMPP Gateway
Office Communications 2007 R2 Edge Server
Permissions to request a server certificate from a private or public certification authority
Permissions to create DNS records in your internal Enterprise, as well as public DNS servers
Windows 2003 x64 or Windows 2008 x64 for your new XMPP Gateway
Jabber XCP 5.4
To help you visualize the environment, Figure 1 shows how you could implement the XMPP Gateway. This design will change depending on where your Jabber server is deployed in your environment. I am assuming that your Jabber server is deployed in your network perimeter.
Figure 1. XMPP Topology
If you have firewalls in the network perimeter that will prohibit communication between your Edge Server and Jabber server, you must open TCP port 5269 in both directions for communication to be successful.
Most of this configuration has already been done when deploying your Office Communications Server 2007 R2 pool and Edge Server. Therefore, I will just go over the recommended DNS SRV records and what records are required for the XMPP Gateway.
SRV record: _sipinternaltls._tcp.contoso.com
Host record: pool.contoso.com
Port number: 5061
SRV record: _sip._tls.contoso.com
Host record: edge.contoso.com
Port number: 443
SRV record: _sipfederationtls._tcp.contoso.com
Host record: edge.contoso.com
Port number: 5061
The previous three records are the standard records used when deploying Office Communications Server for internal automatic configuration, external automatic configuration, and enhanced federation. To configure the XMPP Gateway requires the following additional DNS records.
SRV record: _xmpp-server._tcp.contoso.com
Host record: xmpp-gw.contoso.com
Port number: 5269
SRV record: _sipfederationtls.tcp.jabber.contoso.com
Host record: sip-xmpp.jabber.contoso.com
Port number: 5061
Let me explain these records in more detail. Only one record is required. The required record is xmpp-server._tcp.contoso.com. This SRV record is used for TCP Dialback.
The basic idea behind TCP Dialback is that a receiving server does not accept XMPP traffic from a sending server until it has "called back" the sending server. This is accomplished with the _xmpp-server SRV record.
Think about it this way: When the Contoso XMPP Gateway attempts to connect to the Jabber server, it first needs to locate it. This is performed by resolving the DNS SRV record for _xmpp-server._tcp.jabber.contoso.com. DNS returns the A record associated with this SRV record, in this case, jabber.contoso.com. The XMPP Gateway then proceeds to connect the Jabber server who’s FQDN is jabber.contoso.com. Then the Jabber server must "call back" the XMPP Gateway by looking at the domain of the request, which in our example is contoso.com, and then performing a DNS lookup for the SRV record, _xmpp-server._tcp.contoso.com. This will resolve to the XMPP Gateway (xmpp interface) from where the request originated.
In Figure 2, you will find the same image as shown in Figure 1, but this time it shows the DNS SRV records. Only the _xmpp-server SRV records are required for TCP Dialback.
Figure 2. XMPP Topology with SRV Records
Edge Server configuration is fairly simple. The process is the same as adding another federated partner. You can use enhanced federation if you have the SRV records created for that domain. In our example, jabber.contoso.com, we will need a record of _sipfederationtls._tcp.jabber.contoso.com that points to the SIP interface of the XMPP Gateway. Again this can be done with manual configuration as well.
Figure 3. Edge Server Allow List
In Figure 3, I used manual configuration. The Edge Server must be able to resolve sip-xmpp.jabber.contoso.com to the SIP Interface of the XMPP Gateway. If you do not have any DNS in the network perimeter, you can add an entry in the local host file of the Edge Server for this record.
Example of local host file:
I am not going to walk you through the process of installing the XMPP Gateway. However, I will spend some time on how to configure the gateway. Install the XMPP Gateway on a Windows 2008 or Windows 2003 x64 workgroup server in the network perimeter. The XMPP Gateway requires only a single NIC (network interface card). Your SIP and XMPP interfaces can share a single IP address. You can use multiple IP addresses if you want to, but it is not required for the XMPP Gateway configuration.
Figure 4. XMPP Gateway Server IP Configuration
Configuring the XMPP Gateway IP address is different. This is done in a configuration file. Everything else we will do will be from the XMPP Gateway MMC. This configuration file can be located on the server running the XMPP Gateway, in the following directory. I am using the IP address assigned to the XMPP Gateway in the TGWConsoleGUI.dll.config file for the SIP & XMPP Interface:
"%ProgramFiles%\Microsoft Office Communications Server 2007 R2\XMPP Gateway\TGWConsoleGUI.dll.config"
Figure 5. XMPP Gateway IP Configuration File
There is one issue that you should watch out for: the DNS suffix of the server. The FQDN of the server should be the same as the certificate assigned to the SIP interface of the XMTP Gateway.
Figure 6. DNS Suffix
If you skip the step shown in Figure 6, you will see the following TLS failures between the Edge Server and the XMPP Gateway.
Text: Message cannot be routed because the peer's certificate does not contain a
Result-Code: 0xc3e93d67 SIPPROXY_E_ROUTING_MSG_CERT_MISMATCH
SIP-Start-Line: INFO sip:sip-xmpp:5061 SIP/2.0
SIP-CSeq: 2 INFO
Data: Peer certificate with name [sip-xmpp.jabber.contoso.com] does not contain any expected FQDN(s): sip-xmpp
Here’s what happens: When the XMTP Gateway responds with a 200 OK to our INVITE, it populates a Contact header of the XMPP Gateway FQDN. You will encounter two separate issues. First, you will be unable to resolve "sip-xmpp". Second, if you can resolve the host name, you will see the above error, because the host name is not on the certificate assigned to the SIP interface.
Now that the DNS suffix is updated and IP addresses are assigned to the XMPP Gateway, we can move on to SIP configuration. Again, this can be done by using SRV records or manual configuration.
Depending on DNS resolution, this might be easier to do with manual configuration and host files. The XMPP Gateway can support only a single SIP domain per server but is able to support multiple XMPP or Jabber domains. On the SIP configuration screen, you will specify the SIP domain and the Access Edge FQDN.
Figure 7. XMPP SIP Domains
The TLS certificate is fairly simple to set up. We will not be going through how to request a certificate, as we only need a server EKU certificate. This is an internal server, so you do not need to use a public certificate. After the certificate has been requested and installed on the XMPP Gateway, we can select the certificate that was installed on the TLS Certificate tab.
Figure 8. SIP TLS Certificate
Now that the SIP configuration is complete, we can move to the XMPP configuration. The first screen you will see is the Allow List. In most cases, you will not specify the server name and will use the SRV records we discussed and created earlier in this article.
Figure 9. XMPP Allow List
We will now configure a domain for the allow list. Again, we are using TCP Dialback, there is not a password required, and the username is auto populated from the SIP domain that you configured in the previous steps. In my Jabber setup, I am not using TLS, but if you are, you will select the appropriate option for your configuration and assign a certificate to the XMPP interface on the TLS Certificate tab.
We will cover TLS configuration between XMPP Gateway and Jabber XCP 5.4 in another article.
Figure 10. XMPP Domain Configuration
We have now configured the XMPP Gateway and Edge Server. The next steps are to configure the server to server (s2s) Jabber XCP 5.4 configuration. There are only two steps to configure.
From the main Jabber XCP System Controller page, we will concentrate on the Components section. First, edit the Connection Manager and add the s2s component.
Figure 11. Jabber XCP Components
In Connection Manager, click Edit. Then, under Connection Manager Configuration, in the Add a new drop-down box, select S2S Command Processor, and then click Go.
Figure 12. Jabber XCP Connect Manager Configuration
On the S2S Command Processor Configuration screen, click Submit. No changes are required to this screen. The default configuration is correct for our example. Make note of the Processor ID for the next step. In my configuration, it is "cm-1_s2scp-1".
Figure 13. Jabber XCP S2S Command Process Configuration
This returns you to the Connection Manager Configuration screen. Click Submit, and you are returned to the main XCP Main Controller page.
Figure 14. Jabber XCP Components-Save Changes
Click Apply, and then click Restart the System Link. After the system restarts, it will move to the last step. At this point, if you skip the next step, you can add Jabber contacts from the Office Communications Server clients. However, Jabber will be unable to see your presence or participate in any IM conversations. This next step is important to complete the setup. This is what allows the Jabber server to route connections to other servers.
Under the Components section, from the Add a new drop-down box, select Open Port, and then click Go.
Figure 15. Jabber XCP Components-Add OpenPort
You will be prompted to enter the Processor ID that was created during the s2s configuration.
Figure 16. Jabber XCP OpenPort-S2S Processor ID
On this page, you must change Configuration view to Intermediate before continuing. Then add * to Hostnames for this Component, and then click Submit.
Figure 17. Jabber XCP OpenPort Configuration
Again, click Apply, and then click Restart System Link on the Open Port component.
Figure 18. Jabber XCP Components-Save Changes
The last step is for users to add Jabber users to their Contact list in Office Communicator. Ensure that the Office Communicator users are configured for federation, as shown in Figure 19. Otherwise, Office Communicator users will not be able to communicate with external users.
Figure 19. User Configuration Federation
Visit the Office Communications Server main page at http://go.microsoft.com/fwlink/?LinkId=132607.
View the complete Office Communications Server documentation library at http://go.microsoft.com/fwlink/?LinkId=132106.
Follow tweets from the Office Communications Server team at http://go.microsoft.com/fwlink/?LinkId=167909.
Download all the Office Communications Server content as a Word document at http://go.microsoft.com/fwlink/?LinkId=133609.
Download all the Office Communications Server content as a compiled help file at http://go.microsoft.com/fwlink/?LinkId=160355. (Make sure you scroll down to the Additional Information section to download OCSDocumentation.chm.)