Cisco and Microsoft UC Integration: Part 1 – Intradomain Federation Messaging

Many conversations with customers have led me to put together an example of the steps required to complete some Microsoft and Cisco integrations within the Unified Communications (UC) space. For the scope of this exercise, Skype for Business and Jabber endpoints using the same domain will be enabled for direct messaging communication only. This is the first post in an intended mini-series covering the integration as well as user experiences.

Overview

To begin, the environment shown below includes a very basic deployment for both Microsoft and Cisco environments. All the systems are single instance (I do have to pay for the electricity for the UCS servers!). The Skype environment does not have an Edge Pool at this time and as such, we will be working with on-premise desktop endpoints. The focus of this first post is the instant messaging and presence integrations. We will be leveraging configurations on the Skype Front End server and the Cisco IM & Presence application. The Active Directory server indicated also serves as the internal Certificate Authority (CA).

destephen.com Collaboration Overview

The focus of the first phase is to provide messaging and presence status and as such, the focus will be on completing the setup below.

Instant Messaging and Presence for destephen.com

The names and IP addresses of the servers involved within this environment are listed below.

Systems Associated to Integration

Configuration and Integration Steps

The Cisco Partitioned Intradomain Federation Guide for 11.5(1)SU2 does a great job of outlining the steps required, although with the interwoven Enterprise and Standard versions of Skype for Business, the instructions do require some reading. In all reality, minus the few notes in the next section, the IM&P wizard did a great job of outlining the steps to complete the integration. After giving the Cisco guide a thorough reading, let's get started!

Launching the Cisco IM&P, we will browse to the first page of the wizard under Presence -> Intradomain Federation Setup. After selecting the version of Lync/Skype for Business, click Next.

Intradomain Federation Wizard

Next, you will need to remove the previous configuration if you have attempted this wizard previously. Click Next if you have not run the wizard before or have already removed the previous configuration.

Intradomain Federation Wizard

This screen is the first input screen.  We will need to go to the Skype for Business Front End server to collect the details.

Intradomain Federation Wizard

First, the Get-CsPool details from PowerShell.

Get-CsPool Details

Second, the Get-CsSite details.

Get-CsSite Details

And the combination of the collected information has been added to the wizard.

Intradomain Federation Wizard

Within the next page of the wizard, we will need to identify the Skype for Business server within the environment.

Intradomain Federation Wizard

This screen indicates the desired domains to be considered for the Intradomain Federation.  While my specific environment leverages destephen.com as the email and URI integration, destephen.local is within the environment.

Intradomain Federation Wizard

Next, the wizard indicates what changes are going to be completed on the IM&P server to complete the integration on the Cisco side.

Intradomain Federation Wizard

And the rest of the configuration.

Intradomain Federation Wizard

On the following screen, there are indications of certificates that need to be created. The environment may already have certificates loaded and if so, you are good to go. Per the referenced configuration guide, the cup certificate needs to be signed by a CA.

Intradomain Federation Wizard

Signed Certificates already existed within the cimp-1.destephen.local node. If the cluster being integrated needs to have signed certificates, a local certificate authority will suffice.

Cup and Cup-Trust Certificates

Next, there are commands to be run on the Skype for Business server. After checking the “This is the first cluster” selection, we receive the full set of commands. The wizard provides the guidance.

Intradomain Federation Wizard

Continued Instructions from the wizard.

Intradomain Federation Wizard

Copy and paste the first series of commands into PowerShell on the Skype for Business server. This will add the appropriate routing to the Skype environment.

Skype for Business PowerShell Commands

Next we will need to modify the topology to provide the proper address for the cimp-1.destephen.local node.

First we need to export the topology.

Exporting the Skype for Business Topology

Next, we need to edit the xml file to identify the proper IP address.  If the IM&P address changes, this topology would need to be updated.

Updating the Topology XML File

Publishing the Topology.

Publishing the Updated Topology
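
A read-only check for the topology edit, added here as an example and not taken from the wizard output or the Cisco guide: it reads an exported topology file and compares the address recorded for the IM&P node with the one you expect, which catches a stale entry after an address change. The function name, the Cluster/Machine/NetInterface layout of the constructed sample and the 192.0.2.10 address are assumptions.

```powershell
# Added example: report the IP address a topology export records for one node.
# Element and attribute names follow the constructed sample below (assumption).
function Get-TopologyNodeAddress {
    param(
        [Parameter(Mandatory)][xml]$Topology,
        [Parameter(Mandatory)][string]$Fqdn,
        [Parameter(Mandatory)][string]$ExpectedAddress
    )
    # local-name() keeps the query independent of the file's XML namespaces.
    # The Fqdn comparison is case-sensitive, so pass it as written in the file.
    $xpath = "//*[local-name()='Cluster'][@Fqdn='$Fqdn']//*[local-name()='NetInterface']"
    $nodes = $Topology.SelectNodes($xpath)
    if ($nodes.Count -eq 0) {
        throw "No Cluster entry with Fqdn '$Fqdn' in the topology."
    }
    foreach ($nic in $nodes) {
        $recorded = $nic.GetAttribute('IPAddress')
        [pscustomobject]@{
            Fqdn     = $Fqdn
            Recorded = $recorded
            Expected = $ExpectedAddress
            Matches  = ($recorded -eq $ExpectedAddress)
        }
    }
}

# Constructed sample, not a real export. 0.0.0.0 stands in for an unedited
# entry and 192.0.2.10 is a documentation-range placeholder.
$sample = [xml]@'
<Topology xmlns="urn:constructed:example">
  <Cluster Fqdn="cimp-1.destephen.local">
    <Machine Fqdn="cimp-1.destephen.local">
      <NetInterface InterfaceSide="Primary" IPAddress="0.0.0.0" />
    </Machine>
  </Cluster>
</Topology>
'@

Get-TopologyNodeAddress -Topology $sample -Fqdn 'cimp-1.destephen.local' -ExpectedAddress '192.0.2.10'

# Against a real export (path and address are placeholders):
# $real = [xml](Get-Content -Raw 'C:\Temp\Topology.xml')
# Get-TopologyNodeAddress -Topology $real -Fqdn 'cimp-1.destephen.local' -ExpectedAddress '<IM&P address>'
```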

Lastly, we need to update the certificates. The Intradomain Federation guide does reference using PowerShell; however, I was not able to complete the steps successfully with PowerShell. After applying the certificate processed through PowerShell, the Skype for Business Server Front-End Service failed to start.

The solution that worked for me was to leverage the Skype for Business Deployment Wizard to complete the certificate generation. After launching the wizard, select Install or Update Skype for Business System.

Certificate Signing by CA

Next, we will want to select Run Again on Step 3.

Certificate Signing by CA

We will want to Request a Certificate for the Default certificate within this Wizard.

In the center of the screen, select the appropriate SIP domains to be added to the SAN. Click on the Advanced option to select the appropriate Certificate Template from your CA as well as complete the CSR submission. The window below will display over top to continue through the Certificate Request.

Certificate Request Process

Selecting the appropriate Certificate Authority within the environment.

Certificate Request Process

If you are not signed in with appropriate credentials to sign certificates, specify alternatives.

Certificate Request Process

On the next screen, we will need to specify an alternate certificate template to meet the needs of the Skype for Business Server Front End process.

Certificate Request Process

The certificate template needs to have both Client and Server Authentication per the IM&P integration guide.  In my case, the Expressway Web Server template meets those needs.

Certificate Authority Templates

Adding the appropriate template name into the wizard. Note the lack of spaces.

Certificate Request Process

Option to change the certificate friendly name.

Certificate Request Process

Option to specify any desired SANs, which was not needed for this situation.

Certificate Request Process

Back to the main Certificate Request window, we can now continue.

Certificate Request Process

Confirmation window of the Certificate Request.

Certificate Request Process

After a short execution period, we have success.  If you have a failure, check the name of the Certificate Template.  The Certificate Template name displayed may not be the name needed to be referenced within the wizard.  Note the lack of spaces in the template image above. This did cause me to go back to the Certificate Authority to verify naming.

Certificate Request Process

Lastly, we can complete the certificate creation wizard and begin the certificate assignment process.

Certificate Request Process

With a successful certificate request, the wizard prompts for the next series of steps to begin the Assignment Process.

Certificate Assignment Process

Certificate Assignment Process

Assignment success! We can now finish the wizard and close out of the Deployment Wizard. It also never hurts to double check the Skype for Business services are running as expected.

Certificate Assignment Process
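
One way to confirm the template requirement noted earlier (both Client and Server Authentication) on the issued certificate, added here as an example and not part of either wizard or the Cisco guide: it lists the certificates in the Front End server's machine store and reports which carry both EKUs. The function name is hypothetical; the two OIDs are the standard identifiers for those usages.

```powershell
# Added example: report which certificates in the machine store carry both
# Server Authentication and Client Authentication in their EKU extension.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Test-DualAuthCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # Gather every OID listed in the Enhanced Key Usage extension, if one exists.
        $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        $ekuOids = @(
            $Certificate.Extensions |
                Where-Object { $_ -is $ekuType } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                ForEach-Object { $_.Value }
        )
        $server = $ekuOids -contains $ServerAuthOid
        $client = $ekuOids -contains $ClientAuthOid
        [pscustomobject]@{
            Subject    = $Certificate.Subject
            Thumbprint = $Certificate.Thumbprint
            NotAfter   = $Certificate.NotAfter
            HasEku     = ($ekuOids.Count -gt 0)   # false: no EKU extension at all
            ServerAuth = $server
            ClientAuth = $client
            BothEkus   = ($server -and $client)
        }
    }
}

# Run on the Front End server; this only reads the local machine store.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Test-DualAuthCertificate |
    Sort-Object NotAfter |
    Format-Table Subject, NotAfter, ServerAuth, ClientAuth, BothEkus -AutoSize
```

A certificate issued from a template with only one of the two usages shows BothEkus as False, which is the condition to rule out before moving on.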

With the task list completed on the Skype for Business side, click Next on the Cisco IM&P wizard. If the web page has timed out, the wizard can resume once logged back in. This is the last page of the wizard, indicating that the SIP Proxy service needs to be started. If you followed the Cisco documentation, do not forget to re-enable the Presence Engine, XCP Connection Manager and XCP Authentication Service within the IM&P server to allow Jabber client login. Stopping of the IM&P services was not required for this documented integration.

Wizard Completion

A Few Notes Above and Beyond the Wizards

Cisco Live 2017 BRKCOL-2610 does suggest using msRTCSIP-PrimaryUserAddress for the SIP URI synchronization. At this first phase, my previously synchronized mail field is being used for the URI reference. The fields would match if needed for this environment. At this point, no impact is being noticed. LDIF edits would be your friend if you wanted to update for an organization.
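
A way to check how closely the two fields line up before changing the synchronized attribute, added here as an example and not taken from the session or the Cisco guide: it compares each user's mail value with msRTCSIP-PrimaryUserAddress (minus its sip: prefix) and labels the result. The function name and the sample users are constructed; the commented Get-ADUser line assumes the ActiveDirectory module is available.

```powershell
# Added example: flag users whose mail value and Skype SIP address differ, so
# the effect of switching the Directory URI source can be judged beforehand.
function Compare-DirectoryUri {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User
    )
    process {
        $mail = [string]$User.mail
        $sip  = [string]$User.'msRTCSIP-PrimaryUserAddress'
        # The AD attribute carries a "sip:" scheme prefix; drop it before comparing.
        $sipBare = $sip -replace '^sip:', ''
        if (-not $sip)               { $status = 'NoSipAddress' }
        elseif (-not $mail)          { $status = 'NoMail' }
        elseif ($mail -ieq $sipBare) { $status = 'Match' }
        else                         { $status = 'Mismatch' }
        [pscustomobject]@{
            User       = $User.SamAccountName
            Mail       = $mail
            SipAddress = $sipBare
            Status     = $status
        }
    }
}

# Constructed sample records; names and addresses are not from this environment.
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'user1'; mail = 'user1@example.com'
                       'msRTCSIP-PrimaryUserAddress' = 'sip:user1@example.com' }
    [pscustomobject]@{ SamAccountName = 'user2'; mail = 'u.two@example.com'
                       'msRTCSIP-PrimaryUserAddress' = 'sip:user2@example.com' }
    [pscustomobject]@{ SamAccountName = 'user3'; mail = 'user3@example.com'
                       'msRTCSIP-PrimaryUserAddress' = $null }
)
$sampleUsers | Compare-DirectoryUri | Where-Object Status -ne 'Match'

# Against the directory (requires the ActiveDirectory module):
# Get-ADUser -Filter * -Properties mail, 'msRTCSIP-PrimaryUserAddress' |
#     Compare-DirectoryUri | Where-Object Status -eq 'Mismatch'
```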

The Certificates were best created using the Skype for Business Installation.  Attempting to create the input/output using PowerShell did not work well in my environment.

The wizard does require advanced configuration to set the Directory URI function. This is displayed as a warning on the Presence -> Domains and is referenced within the BRKCOL-2610 in the references section.

Domain and IM Address Scheme

TLS Context Configuration needed manual effort to create the association between the TLS peer subject and the Skype for Business server. Note that the Cisco Partitioned Intradomain Federation Guide states that only one cipher is required.

Opening IM&P to the System -> Security -> TLS Context Configuration, we are able to see, at least in this implemented version, there is only one configuration with Skype and it has two ciphers.

User Experience

After integrating the systems, let's load up the clients to view the experience. One important detail is to verify that the end user slated for Skype is not automatically imported into CUCM/IM&P and enabled for IM&P. This can be seen under the individual user within CUCM.

User Enabled for Cisco IM&P

Directory Integration and contact lists did pose a little bit of a hurdle in this environment. Switching around accounts may have had something to do with the query, but I did not dig too far to determine the root cause. To resolve the names as expected, Skype for Business needed to query the server for the address book.  With the option for local caching, only the email address could be added. Presence did work for either the full name (once corrected) as well as the email address.

Also note that the tests are focused on a 1:1 message as group messaging does break down between the solutions.

The first thing witnessed while adding a contact on the opposite system is that presence is not available when searching.

Presence Unknown While Searching

As soon as we add the contact, presence is displayed.

Presence From Skype for Business Client Is Displayed Once Added

Presence is also displayed on the Jabber client.

Presence from the Jabber Client

Communication works well between the clients, including emojis.

Skype for Business Chat Window

Chat from Jabber

Final Thoughts

While the integration did take some time to set up while documenting, it ultimately was not overly complex, although this could have been due in part to my overly simplified environment. When working with resources that are familiar with each environment, they can be integrated. Stay tuned for Part 2, where the focus will be to enable an Expressway with the Microsoft Interoperability.

Ultimately one collaboration platform does enable the most efficient communication across audio, video and messaging channels, but an integration can be leveraged while the best fit for an organization is determined.  The documentation sourced from Cisco does provide some level of integration when attempting to please multiple platforms.

References and Further Reading

BRKCOL-2610, Cisco Live 2016

Cisco Partitioned Intradomain Federation Guide for 11.5(1)SU2