Working through many conversations with customers has lead to example the steps required to complete some Microsoft and Cisco integrations within the Unified Communications (UC) space. For the scope of this exercise, the Skype for Business and Jabber endpoints using the same domain will be enabled for direct messaging only communication. This is the first post in an intended mini-series referencing the integration as well as user experiences.
Overview
To begin, the environment shown below includes a very basic deployment for both Microsoft and Cisco environments. All the systems are single instance (I do have to pay for the electricity for the UCS servers!) The Skype environment does not have an Edge Pool at this time and as such, we will be working with on-premise desktop endpoints. The focus of this first post is the instant messaging and presence integrations. We will be leveraging configurations on the Skype Front End server and the Cisco IM & Presence application. The Active Directory server indicated also servers as the internal Certificate Authority (CA).
The focus of the first phase is to provide messaging and presence status and as such, the focus will be on completing the setup below.
The names and IP address of the servers involved within this environment are listed below.
Configuration and Integration Steps
The Cisco Partitioned Intradomain Federation Guide for 11.5(1)SU2 does a great job of outlining the steps required, although with the interwoven Enterprise and Standard versions of Skype for Business, the instructions do require some reading. In all reality, minus the few notes in the next section, the IM&P wizard did a great job of outlining the steps to complete the integration. After giving the Cisco guide a thorough reading, lets get started!
Launching the Cisco IM&P, we will browse to the first page of the wizard under Presence -> Intradomain Federation Setup. After selecting the version of Lync/Skype for Business, click Next.
Next, you will need to remove previous configuration if you have attempted this wizard previously. Click next if you have not ran and/or removed previous configuration.
This screen is the first input screen. We will need to go to the Skype for Business Front End server to collect the details.
First, the Get-CsPool details from Power Shell.
Second, the Get-CsSite details.
And the combination of the collected information has been added to the wizard.
Within the next page of the wizard, we will need to identify the Skype for Business server within the environment.
This screen indicates the desired domains to be considered for the Intradomain Federation. While my specific environment leverages destephen.com as the email and URI integration, destephen.local is within the environment.
Next, the wizard indicates what changes are going to be completed on the IM&P server to complete the integration on the Cisco side.
And the rest of the configuration.
On the following screen, there are indications of certificates that need created. The environment may already have certificates loaded and if so, you are good to go. From the referenced configuration guide, the cup process certificate needs to be signed by a CA.
Signed Certificates already existed within the cimp-1.destephen.local node. If the cluster being integrated needs to have signed certificates, a local certificate authority will suffice.
Next, there are commands to be ran within the Skype for Business server. After checking the “This is the first cluster” selection, we receive the full set of commands. The Wizard provides the guidance.
Continued Instructions from the wizard.
Copying and pasting the first series commands within the Skype for Business server Power Shell. This will add the appropriate routing to the Skype environment.
Next we will need to modify the topology to provide the proper address for the cimp-1.destephen.local node.
First we need to export the topology.
Next, we need to edit the xml file to identify the proper IP address. If the IM&P address changes, this topology would need to be updated.
Publishing the Topology.
Lastly, we need to update the certificates. The Intradomain federation guide does reference using Power Shell, however I was not able to complete the steps successfully with the Power Shell. After applying the certificate processed through the Power Shell, the Skype for Business Server Front-End Service failed to start.
The solution that worked for me was to leverage the Skype for Business Deployment Wizard to complete the Certificate Generation. After Launching the Wizard, select Install or Update Skype for Business System.
Next, we will want to select Run Again on Step 3.
We will want to Request a Certificate for the Default certificate within this Wizard.
In the center of the screen, select the appropriate sip domains to be added to the SAN. Click on the Advanced option to select the appropriate Certificate Template from your CA as well as complete the CSR submission. The window below will display over top to continue through the Certificate Request.
Selecting the appropriate Certificate Authority within the environment.
If you are not signed in with appropriate credentials to sign certificates, specify alternatives.
On the next screen, we will need to specify an alternate certificate template to meet the needs of the Skype for Business Server Front End process.
The certificate template needs to have both Client and Server Authentication per the IM&P integration guide. In my case, the Expressway Web Server template meets those needs.
Adding the appropriate template name into the wizard. Note the lack of spaces.
Option to change the certificate friendly name.
Option to specify any desired SAN’s which was not needed for this situation.
Back to the main Certificate Request window, we can now continue.
Confirmation window of the Certificate Request.
After a short execution period, we have success. If you have a failure, check the name of the Certificate Template. The Certificate Template name displayed may not be the name needed to be referenced within the wizard. Note the lack of spaces in the template image above. This did cause me to go back to the Certificate Authority to verify naming.
Lastly, we can complete the certificate creation wizard and begin the certificate assignment process.
With a successful certificate request, the wizard prompts for the next series of steps to begin the Assignment Process.
Assignment success! we can now finish the wizard and close out of the Deployment Wizard. It also never hurts to double check the Skype for Business services are running as expected.
With the task list completed on the Skype for Business side, click next on the Cisco IM&P Wizard. If the web page has timed out, the Wizard can resume once logged back in. This is the last page of the wizard indicating that the SIP Proxy service needs started. If you followed the Cisco documentation, do not forget to re-enable the Presence Engine, XCP Connection Manager and XCP Authentication Service within the IM&P server to allow Jabber client login. Stopping of the IM&P services was not required for this documented integration.
A Few Notes Above and Beyond the Wizards
Within Cisco Live 2017 BRKCOL-2610, it does suggest to use the msRTCSIP-PrimaryUserAddress for the SIP URI synchronization. At this first phase, my previously synchronized mail field for URI reference is being used. The fields would match if needed for this environment. At this point, no impact is being noticed. LDIF edits would be your friend if you wanted to update for an organization.
The Certificates were best created using the Skype for Business Installation. Attempting to create the input/output using PowerShell did not work well in my environment.
The wizard does require advanced configuration to set the Directory URI function. This is displayed as a warning on the Presence -> Domains and is referenced within the BRKCOL-2610 in the references section.
TLS Context Configuration needed manual efforts to create the association to the TLS peer subject and the Skype for Business server. Note the TLS cipher required per the Cisco Partitioned Intradomain Federation Guide states that only one cipher is required.
Opening IM&P to the System -> Security -> TLS Context Configuration, we are able to see, at least in this implemented version, there is only one configuration with Skype and it has two ciphers.
User Experience
After integrating the systems, lets load up the clients to view the experience. One important detail is to verify that the end user slated for Skype is not automatically imported into CUCM/IM&P and enabled for IM&P. This can be seen under the individual user within CUCM.
Directory Integration and contact lists did pose a little bit of a hurdle in this environment. Switching around accounts may have had something to do with the query, but I did not dig too far to determine the root cause. To resolve the names as expected, Skype for Business needed to query the server for the address book. With the option for local caching, only the email address could be added. Presence did work for either the full name (once corrected) as well as the email address.
Also note that the tests are focused on a 1:1 message as group messaging does break down between the solutions.
First thing that is witness while adding a contact on the opposite system is that presence not available when searching.
As soon as we add the contact, presence is displayed.
Presence is also displayed on the Jabber client.
Communication works well between the clients, including Emoji’s.
Final Thoughts
While the integration did take some time to setup while documenting, it ultimately was not overly complex. While this could have been in part to my overly simplified environment. When working with resources that are familiar with each environment, they can be integrated. Stay tuned for Part 2 where the focus will be to enable an Expressway with the Microsoft Interoperability.
Ultimately one collaboration platform does enable the most efficient communication across audio, video and messaging channels, but an integration can be leveraged while the best fit for an organization is determined. The documentation sourced from Cisco does provide some level of integration when attempting to please multiple platforms.
References and Further Reading
Cisco Partitioned Intradomain Federation Guide for 11.5(1)SU2