
Configuring XMPP Connectivity to Jabber XCP 5.4

Communications Server 2007 R2

Author: Geoff Clark

Publication date: November 2009

Product version: Microsoft Office Communications Server 2007 R2, Office Communications Server 2007 R2 XMPP Gateway, and Jabber XCP 5.4

This article walks you through setting up the XMPP Gateway and configuring it to work with Jabber XCP 5.4. For those who have been anticipating this release, I am happy to say that here it is, and it has been worth the wait if you require Jabber or GMail connectivity.

To configure Office Communications Server 2007 R2 XMPP Gateway with Jabber XCP 5.4, you complete the following steps.

  1. DNS Configuration

  2. Office Communications Server Edge Configuration

  3. Office Communications Server XMPP Gateway Configuration

  4. Jabber XCP (s2s Configuration)

  • Enable your current environment to work with the new Office Communications Server 2007 R2 XMPP Gateway

  • Office Communications 2007 R2 Edge Server

  • Permissions to request a server certificate from a private or public certification authority

  • Permissions to create DNS records in your internal Enterprise, as well as public DNS servers

  • Windows 2003 x64 or Windows 2008 x64 for your new XMPP Gateway

  • Jabber XCP 5.4

To help you visualize the environment, Figure 1 shows how you could implement the XMPP Gateway. This design will change depending on where your Jabber server is deployed in your environment. I am assuming that your Jabber server is deployed in your network perimeter.

Figure 1. XMPP Topology


If you have firewalls in the network perimeter that will prohibit communication between your Edge Server and Jabber server, you must open TCP port 5269 in both directions for communication to be successful.

Most of this configuration has already been done when deploying your Office Communications Server 2007 R2 pool and Edge Server. Therefore, I will just go over the recommended DNS SRV records and what records are required for the XMPP Gateway.

  • SRV record: _sipinternaltls._tcp.contoso.com

    • Host record: pool.contoso.com

    • Port number: 5061

  • SRV record: _sip._tls.contoso.com

    • Host record: edge.contoso.com

    • Port number: 443

  • SRV record: _sipfederationtls._tcp.contoso.com

    • Host record: edge.contoso.com

    • Port number: 5061

The previous three records are the standard records used when deploying Office Communications Server for internal automatic configuration, external automatic configuration, and enhanced federation. Configuring the XMPP Gateway requires the following additional DNS records.

  • SRV record: _xmpp-server._tcp.contoso.com

    • Host record: xmpp-gw.contoso.com

    • Port number: 5269

  • SRV record: _sipfederationtls._tcp.jabber.contoso.com

    • Host record: sip-xmpp.jabber.contoso.com

    • Port number: 5061

Let me explain these records in more detail. Only one of them is required: _xmpp-server._tcp.contoso.com. This SRV record is used for TCP Dialback.

The basic idea behind TCP Dialback is that a receiving server does not accept XMPP traffic from a sending server until it has "called back" the sending server. This is accomplished with the _xmpp-server SRV record.

Think about it this way: When the Contoso XMPP Gateway attempts to connect to the Jabber server, it first needs to locate it. This is performed by resolving the DNS SRV record for _xmpp-server._tcp.jabber.contoso.com. DNS returns the A record associated with this SRV record, in this case, jabber.contoso.com. The XMPP Gateway then proceeds to connect to the Jabber server whose FQDN is jabber.contoso.com. The Jabber server must then "call back" the XMPP Gateway by looking at the domain of the request, which in our example is contoso.com, and performing a DNS lookup for the SRV record _xmpp-server._tcp.contoso.com. This resolves to the XMPP Gateway (XMPP interface) from which the request originated.
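To see the two lookups in code, here is an added example that is not from the original article or from either product. It models the dialback resolution against a constructed copy of the SRV records listed above, checks that each side advertises port 5269, and also checks that each SRV owner name carries the required underscores in its service and protocol labels (the slip that turns _sipfederationtls._tcp into _sipfederationtls.tcp). The zone data is constructed from the article's example names; the gateway's address 172.16.10.253 comes from the article's log excerpt and hosts entry, while the other A-record addresses are assumptions. With a real resolver you would replace the two dictionaries with live SRV and A lookups.

```python
"""Check the DNS records behind XMPP TCP Dialback between an OCS XMPP
Gateway and a Jabber server.

Added example, not code from the original article or from the products it
describes.  The zone data below is constructed from the article's example
names; addresses other than the gateway's 172.16.10.253 are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

XMPP_S2S_PORT = 5269  # the port the article says must be open in both directions

# An SRV owner name is _service._proto.domain; OCS records use _tcp and _tls.
SRV_NAME = re.compile(r"^_[a-z0-9-]+\._(?:tcp|udp|tls)\.[a-z0-9-]+(?:\.[a-z0-9-]+)+$", re.I)


@dataclass(frozen=True)
class Srv:
    target: str
    port: int


# Constructed zone data mirroring the SRV records the article lists.
ZONE: Dict[str, Srv] = {
    "_sipinternaltls._tcp.contoso.com": Srv("pool.contoso.com", 5061),
    "_sip._tls.contoso.com": Srv("edge.contoso.com", 443),
    "_sipfederationtls._tcp.contoso.com": Srv("edge.contoso.com", 5061),
    "_xmpp-server._tcp.contoso.com": Srv("xmpp-gw.contoso.com", XMPP_S2S_PORT),
    "_xmpp-server._tcp.jabber.contoso.com": Srv("jabber.contoso.com", XMPP_S2S_PORT),
    "_sipfederationtls._tcp.jabber.contoso.com": Srv("sip-xmpp.jabber.contoso.com", 5061),
}

# Constructed A records.  The gateway's SIP and XMPP names share one address,
# as the article allows; the other addresses are placeholders.
A_RECORDS: Dict[str, str] = {
    "xmpp-gw.contoso.com": "172.16.10.253",
    "sip-xmpp.jabber.contoso.com": "172.16.10.253",
    "jabber.contoso.com": "192.0.2.10",
    "pool.contoso.com": "10.0.0.10",
    "edge.contoso.com": "172.16.10.254",
}


def validate_srv_name(name: str) -> List[str]:
    """Return the problems with an SRV owner name (empty list if well-formed).

    Catches the common slip of dropping the underscore before the protocol
    label, e.g. _sipfederationtls.tcp.example.com.
    """
    problems = []
    labels = name.split(".")
    if not labels[0].startswith("_"):
        problems.append(f"{name}: service label {labels[0]!r} must start with '_'")
    if len(labels) < 3 or not labels[1].startswith("_"):
        problems.append(f"{name}: protocol label must be _tcp, _udp or _tls")
    if not problems and not SRV_NAME.match(name):
        problems.append(f"{name}: not of the form _service._proto.domain")
    return problems


def resolve_xmpp_server(zone: Dict[str, Srv], a_records: Dict[str, str],
                        domain: str) -> Optional[str]:
    """Follow _xmpp-server._tcp.<domain> SRV -> A and return 'ip:port', or None."""
    srv = zone.get(f"_xmpp-server._tcp.{domain}")
    if srv is None:
        return None
    ip = a_records.get(srv.target)
    if ip is None:
        return None
    return f"{ip}:{srv.port}"


def dialback_check(zone: Dict[str, Srv], a_records: Dict[str, str],
                   local_domain: str, remote_domain: str) -> dict:
    """Verify both lookups that TCP Dialback needs.

    1. The local gateway resolves _xmpp-server._tcp.<remote_domain> to reach
       the Jabber server.
    2. The Jabber server "calls back" by resolving _xmpp-server._tcp.<local_domain>
       to reach the gateway's XMPP interface.
    Both must resolve, and both must advertise port 5269.
    """
    problems = []
    outbound = resolve_xmpp_server(zone, a_records, remote_domain)
    callback = resolve_xmpp_server(zone, a_records, local_domain)
    for label, domain, result in (("outbound", remote_domain, outbound),
                                  ("callback", local_domain, callback)):
        if result is None:
            problems.append(f"{label}: _xmpp-server._tcp.{domain} does not resolve to an address")
        elif not result.endswith(f":{XMPP_S2S_PORT}"):
            problems.append(f"{label}: expected port {XMPP_S2S_PORT}, SRV advertises {result}")
    return {"outbound": outbound, "callback": callback, "ok": not problems, "problems": problems}


if __name__ == "__main__":
    for owner in ZONE:
        for p in validate_srv_name(owner):
            print("SRV name problem:", p)
    report = dialback_check(ZONE, A_RECORDS, "contoso.com", "jabber.contoso.com")
    print("outbound ->", report["outbound"])
    print("callback ->", report["callback"])
    print("dialback OK" if report["ok"] else "\n".join(report["problems"]))
```

Run it as-is and both lookups succeed; delete the _xmpp-server._tcp.contoso.com entry from ZONE and the callback leg is reported as the failure, which is exactly the case where the Jabber server cannot "call back" the gateway.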

In Figure 2, you will find the same image as shown in Figure 1, but this time it shows the DNS SRV records. Only the _xmpp-server SRV records are required for TCP Dialback.

Figure 2. XMPP Topology with SRV Records


Edge Server configuration is fairly simple. The process is the same as adding another federated partner. You can use enhanced federation if you have the SRV records created for that domain. In our example, jabber.contoso.com, we need a record _sipfederationtls._tcp.jabber.contoso.com that points to the SIP interface of the XMPP Gateway. Again, this can also be done with manual configuration.

Figure 3. Edge Server Allow List


In Figure 3, I used manual configuration. The Edge Server must be able to resolve sip-xmpp.jabber.contoso.com to the SIP Interface of the XMPP Gateway. If you do not have any DNS in the network perimeter, you can add an entry in the local host file of the Edge Server for this record.

Example of a local hosts file entry (IP address first, then the host name):

172.16.10.253    sip-xmpp.jabber.contoso.com

I am not going to walk you through the process of installing the XMPP Gateway. However, I will spend some time on how to configure the gateway. Install the XMPP Gateway on a Windows 2008 or Windows 2003 x64 workgroup server in the network perimeter. The XMPP Gateway requires only a single NIC (network interface card). Your SIP and XMPP interfaces can share a single IP address. You can use multiple IP addresses if you want to, but it is not required for the XMPP Gateway configuration.

Figure 4. XMPP Gateway Server IP Configuration


Configuring the XMPP Gateway IP address is different: it is done in a configuration file, whereas everything else we do will be from the XMPP Gateway MMC. The configuration file is located on the server running the XMPP Gateway at the path below. I use the IP address assigned to the XMPP Gateway in the TGWConsoleGUI.dll.config file for both the SIP and XMPP interfaces:

"%ProgramFiles%\Microsoft Office Communications Server 2007 R2\XMPP Gateway\TGWConsoleGUI.dll.config"

Figure 5. XMPP Gateway IP Configuration File


There is one issue that you should watch out for: the DNS suffix of the server. The FQDN of the server must match the name on the certificate assigned to the SIP interface of the XMPP Gateway.

Figure 6. DNS Suffix


If you skip the step shown in Figure 6, you will see the following TLS failures between the Edge Server and the XMPP Gateway.

TL_ERROR(TF_SECURITY) [0]085C.0AA4::08/24/2009-19:39:02.063.0000b52f (SIPStack,SIPAdminLog::WriteSecurityEvent:SIPAdminLog.cpp(413))$$begin_record
LogType: security Text: Message cannot be routed because the peer's certificate does not contain a matching FQDN
Result-Code: 0xc3e93d67 SIPPROXY_E_ROUTING_MSG_CERT_MISMATCH Connection-ID: 0x700
Peer-IP: 172.16.10.253:5061
Peer: sip-xmpp.jabber.contoso.com:5061
SIP-Start-Line: INFO sip:sip-xmpp:5061 SIP/2.0
SIP-Call-ID: 00783283efb94bd6bb9a4dcd80c5a2ba
SIP-CSeq: 2 INFO
Data: Peer certificate with name [sip-xmpp.jabber.contoso.com] does not contain any expected FQDN(s): sip-xmpp
$$end_record

Here’s what happens: When the XMPP Gateway responds with a 200 OK to our INVITE, it populates the Contact header with the XMPP Gateway FQDN. Without the DNS suffix, that name is just the bare host name (sip-xmpp in the record above), and you will encounter two separate issues. First, the Edge Server will be unable to resolve "sip-xmpp". Second, if it can resolve the host name, you will see the above error, because that host name is not on the certificate assigned to the SIP interface.
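The following added example, which is not code from the article or from Office Communications Server, parses the security record shown above, confirms that the result code is SIPPROXY_E_ROUTING_MSG_CERT_MISMATCH, extracts the name the gateway's certificate carried and the name the Edge Server expected, and derives the DNS suffix that would make the two agree. The record is embedded as sample input reflowed onto one line per field; the suffix derivation (certificate name minus the bare host name) is this example's own heuristic for triage, not something the product does.

```python
"""Diagnose the OCS Edge Server certificate-mismatch record from the article.

Added example, not code from the original article or from Office
Communications Server.  SAMPLE_RECORD is the article's log excerpt reflowed
onto one line per field; the suffix-derivation rule is this example's own
heuristic.
"""
import re
from typing import Dict, List, Optional

SAMPLE_RECORD = """\
LogType: security Text: Message cannot be routed because the peer's certificate does not contain a matching FQDN
Result-Code: 0xc3e93d67 SIPPROXY_E_ROUTING_MSG_CERT_MISMATCH Connection-ID: 0x700
Peer-IP: 172.16.10.253:5061
Peer: sip-xmpp.jabber.contoso.com:5061
SIP-Start-Line: INFO sip:sip-xmpp:5061 SIP/2.0
SIP-Call-ID: 00783283efb94bd6bb9a4dcd80c5a2ba
SIP-CSeq: 2 INFO
Data: Peer certificate with name [sip-xmpp.jabber.contoso.com] does not contain any expected FQDN(s): sip-xmpp
"""

# The Data field names both the certificate's name and the FQDN the Edge wanted.
DATA_RE = re.compile(r"name \[([^\]]+)\] does not contain any expected FQDN\(s\): (\S+)")


def parse_record(text: str) -> Dict[str, str]:
    """Split a $$begin_record/$$end_record body into 'Key: value' fields.

    Only the first ': ' on a line separates key from value, so a value that
    itself contains 'Text:' or 'Connection-ID:' is kept whole.  Lines without
    a 'Key: ' prefix (the TL_ERROR header, $$end_record) are skipped.
    """
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("$$"):
            continue
        key, sep, value = line.partition(": ")
        if sep:
            fields[key] = value
    return fields


def sip_uri_host(uri: str) -> str:
    """Return the host part of a SIP URI such as <sip:user@host:5061;transport=tls>."""
    uri = uri.strip().lstrip("<")
    rest = uri.split(":", 1)[1] if uri.lower().startswith(("sip:", "sips:")) else uri
    rest = rest.split("@")[-1]                          # drop any user part
    host = re.split(r"[:;?>]", rest, maxsplit=1)[0]     # strip port, params, headers
    return host.lower()


def cert_covers(expected: str, cert_names: List[str]) -> bool:
    """True if one of the certificate's names equals the expected FQDN.

    Matching is case-insensitive and exact: the Edge Server rejected the bare
    name 'sip-xmpp' against a certificate issued to 'sip-xmpp.jabber.contoso.com'.
    """
    expected = expected.lower().rstrip(".")
    return any(name.lower().rstrip(".") == expected for name in cert_names)


def diagnose(record_text: str) -> Optional[dict]:
    """Explain a SIPPROXY_E_ROUTING_MSG_CERT_MISMATCH record, or return None.

    Returns the name the peer presented in its certificate, the name the Edge
    Server expected, the host the gateway advertised in its request URI, and
    the DNS suffix that would make certificate and FQDN agree.
    """
    fields = parse_record(record_text)
    if "SIPPROXY_E_ROUTING_MSG_CERT_MISMATCH" not in fields.get("Result-Code", ""):
        return None
    m = DATA_RE.search(fields.get("Data", ""))
    if not m:
        return None
    cert_name, expected = m.group(1).lower(), m.group(2).lower()
    parts = fields.get("SIP-Start-Line", "").split()
    advertised_host = sip_uri_host(parts[1]) if len(parts) >= 2 else expected
    # Heuristic: if the certificate name is the expected bare host plus a
    # suffix, that suffix is the primary DNS suffix missing from the gateway.
    suffix = cert_name[len(expected) + 1:] if cert_name.startswith(expected + ".") else None
    return {
        "peer": fields.get("Peer", ""),
        "certificate_name": cert_name,
        "expected_fqdn": expected,
        "advertised_host": advertised_host,
        "covered": cert_covers(expected, [cert_name]),
        "missing_dns_suffix": suffix,
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_RECORD)
    if result:
        print(f"Peer {result['peer']} presented {result['certificate_name']}, "
              f"Edge Server expected {result['expected_fqdn']}")
        if result["missing_dns_suffix"]:
            print("Fix: set the gateway's primary DNS suffix to", result["missing_dns_suffix"])
```

Pointing parse_record at records captured from your own Edge Server log lets you separate a genuine certificate problem (wrong name on the certificate) from the DNS-suffix slip this article describes, where the certificate is right and the gateway's computer name is what needs fixing.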

Now that the DNS suffix is updated and IP addresses are assigned to the XMPP Gateway, we can move on to SIP configuration. Again, this can be done by using SRV records or manual configuration.

Depending on DNS resolution, this might be easier to do with manual configuration and host files. The XMPP Gateway can support only a single SIP domain per server but is able to support multiple XMPP or Jabber domains. On the SIP configuration screen, you will specify the SIP domain and the Access Edge FQDN.

Figure 7. XMPP SIP Domains


The TLS certificate is fairly simple to set up. We will not go through how to request a certificate, as we only need a certificate with the Server Authentication EKU. This is an internal server, so you do not need to use a public certificate. After the certificate has been requested and installed on the XMPP Gateway, we select it on the TLS Certificate tab.

Figure 8. SIP TLS Certificate


Now that the SIP configuration is complete, we can move to the XMPP configuration. The first screen you will see is the Allow List. In most cases, you will not specify the server name and will use the SRV records we discussed and created earlier in this article.

Figure 9. XMPP Allow List


We will now configure a domain for the allow list. Again, because we are using TCP Dialback, no password is required, and the user name is auto-populated from the SIP domain that you configured in the previous steps. In my Jabber setup, I am not using TLS, but if you are, you will select the appropriate option for your configuration and assign a certificate to the XMPP interface on the TLS Certificate tab.

We will cover TLS configuration between XMPP Gateway and Jabber XCP 5.4 in another article.

Figure 10. XMPP Domain Configuration


We have now configured the XMPP Gateway and Edge Server. The next step is the server-to-server (s2s) configuration on Jabber XCP 5.4. There are only two steps to configure.

From the main Jabber XCP System Controller page, we will concentrate on the Components section. First, edit the Connection Manager and add the s2s component.

Figure 11. Jabber XCP Components


In Connection Manager, click Edit. Then, under Connection Manager Configuration, in the Add a new drop-down box, select S2S Command Processor, and then click Go.

Figure 12. Jabber XCP Connect Manager Configuration


On the S2S Command Processor Configuration screen, click Submit. No changes are required to this screen. The default configuration is correct for our example. Make note of the Processor ID for the next step. In my configuration, it is "cm-1_s2scp-1".

Figure 13. Jabber XCP S2S Command Process Configuration


This returns you to the Connection Manager Configuration screen. Click Submit, and you are returned to the main XCP Main Controller page.

Figure 14. Jabber XCP Components-Save Changes


Click Apply, and then click the Restart System link. After the system restarts, move on to the last step. If you skip the next step, you can still add Jabber contacts from the Office Communications Server clients, but Jabber will be unable to see your presence or participate in any IM conversations. This next step is important to complete the setup: it is what allows the Jabber server to route connections to other servers.

Under the Components section, from the Add a new drop-down box, select Open Port, and then click Go.

Figure 15. Jabber XCP Components-Add OpenPort


You will be prompted to enter the Processor ID that was created during the s2s configuration.

Figure 16. Jabber XCP OpenPort-S2S Processor ID


On this page, you must change Configuration view to Intermediate before continuing. Then add * to Hostnames for this Component, and then click Submit.

Figure 17. Jabber XCP OpenPort Configuration


Again, click Apply, and then click the Restart System link on the Open Port component.

Figure 18. Jabber XCP Components-Save Changes


The last step is for users to add Jabber users to their Contact list in Office Communicator. Ensure that the Office Communicator users are configured for federation, as shown in Figure 19. Otherwise, Office Communicator users will not be able to communicate with external users.

Figure 19. User Configuration Federation


 