Skype for Business Intradomain Federation
To configure Microsoft Skype for Business for partitioned Intradomain federation, you must complete the following procedures in the order they are presented.
Complete these tasks to set up intradomain federation with Skype for Business.
Step | Command or Action | Purpose
---|---|---
Step 1 | | Select an IM and Presence node to act as the routing node. The routing node routes traffic to and from Skype for Business. There should be no users assigned to the routing node.
Step 2 | | Start essential feature services for your IM and Presence Service cluster nodes. Complete this task on all nodes except the routing node.
Step 3 | | Use the Federation wizard to configure partitioned intradomain federation with Skype for Business. The wizard configures items such as TLS static routes, TLS peers, access control lists, and application listener ports.
Step 4 | | Complete these tasks to set up CA certificates for IM and Presence Service.
Step 5 | | On the Skype for Business servers, set up static routes that point to the IM and Presence Service routing node.
Step 6 | | On the Skype for Business server, assign the IM and Presence Service as a trusted application and add the IM and Presence cluster nodes to a trusted servers pool.
Step 7 | | After you add the IM and Presence Service cluster nodes, publish the Skype for Business topology.
Step 8 | | Exchange certificates between IM and Presence and Skype for Business.
For multi-node IM and Presence Service deployments, select an IM and Presence routing node. There should be no users assigned to the routing node. The routing node routes traffic to and from the Skype for Business server.
Step | Action
---|---
Step 1 | From the Cisco Unified IM and Presence Serviceability user interface, choose .
Step 2 | From the Server drop-down menu, choose the cluster node that you want to designate as the routing node. The routing node should have no users assigned.
Step 3 | Check the Cisco SIP Proxy feature service.
Step 4 | Uncheck the following feature services:
Step 5 | Click Save.
Step 6 | Confirm that the Cisco XCP Router network service is running. Because the service is a network service, it is running by default unless you previously disabled it.
Start essential feature services for your IM and Presence Service cluster nodes. Complete this task for all nodes except the routing node.
Step | Action
---|---
Step 1 | From the Cisco Unified IM and Presence Serviceability interface, choose .
Step 2 | From the Server menu, choose the cluster node and click Go.
Step 3 | Check the following services:
Step 4 | Click Save.
Step 5 | Confirm that the Cisco XCP Router network service is running. Because the service is a network service, it is running by default unless you previously disabled it.
Step 6 | Repeat this procedure for all cluster nodes, except the routing node.
Use the wizard to set up partitioned intradomain federation with Skype for Business.
Make sure that you know your Skype for Business deployment details.
Step | Action
---|---
Step 1 | From Cisco Unified CM IM and Presence Administration, choose .
Step 2 | Select Skype for Business and click Next.
Step 3 | Enter the following details for your Skype for Business deployment:
Step 4 | Click Next.
Step 5 | Enter the Skype for Business front end server FQDN and IP address. Click Add if you need to enter additional servers.
Step 6 | Click Next.
Step 7 | Enter your Presence Domains and click Next.
Step 8 | Review your configuration.
Step 9 | Click Next.
Step 10 | When you are done, click Finish.
After setting up partitioned intradomain federation, the wizard provides general instructions on additional configuration tasks, such as configuring certificates on IM and Presence Service and setting up static routes on the Skype for Business server. For detailed procedures, see:
To configure CA certificates on IM and Presence Service, go to Configure CA Certificates for IM and Presence
To proceed with the Skype for Business setup, go to Configure Static Route from Skype for Business
Complete these tasks to set up CA certificates for the IM and Presence Service.
Step | Command or Action | Purpose
---|---|---
Step 1 | | Upload the root certificate of the CA into the IM and Presence Service trust store.
Step 2 | Generate Certificate Signing Request for IM and Presence Service | Request a CA-signed certificate.
Step 3 | | Generate and download a CSR from IM and Presence Service.
All Skype for Business security certificates are generally signed by a Certificate Authority (CA). The IM and Presence Service certificates should also be signed by the same Certificate Authority used by the Microsoft server. In order for the IM and Presence Service to use a certificate signed by the Microsoft server CA, and to accept Microsoft server certificates signed by that same CA, the root certificate of the CA must be uploaded into the IM and Presence Service trust store.
Before importing the root certificate, retrieve the certificate from the certificate authority and copy it to your local computer.
Step | Action
---|---
Step 1 | Log in to the Cisco Unified IM and Presence OS Administration user interface. Choose .
Step 2 | Click Upload Certificate/Certificate Chain.
Step 3 | For the Certificate Purpose drop-down list, choose cup-trust.
Step 4 | In the Description (friendly name) field, enter a description for the certificate, for example, Certificate Authority Root Certificate.
Step 5 | Click Browse to find the root certificate on your local computer.
Step 6 | Click Upload to upload the certificate to the IM and Presence Service node.
Step 7 | Restart the Cisco SIP Proxy service on all IM and Presence Service nodes in the cluster. To restart the Cisco SIP Proxy service, log in to the Cisco Unified IM and Presence Serviceability user interface and choose . Click the CUCM IM and Presence Service server, select Cisco SIP Proxy and click Restart.
Generate Certificate Signing Request for IM and Presence Service
IM and Presence Service certificates should be signed by the same Certificate Authority (CA) that is used by Skype for Business. You must complete the following two-step process to obtain a CA-signed certificate:
Generate an IM and Presence Service Certificate Signing Request (CSR).
Upload the CA signed certificate onto IM and Presence Service.
The following procedure describes how to generate and download a CSR from IM and Presence Service. IM and Presence Service CSRs are 2048 bit in size.
Step | Action
---|---
Step 1 | Log in to the Cisco Unified IM and Presence Administration user interface. Choose on IM and Presence Service.
Step 2 | Click Generate CSR.
Step 3 | From the Certificate Purpose drop-down list, choose cup.
Step 4 | Click Generate CSR.
Step 5 | When the Status shows "Success: Certificate Signing Request Generated", click Close.
Step 6 | Click Download CSR.
Step 7 | From the Certificate Name drop-down list, choose cup.
Step 8 | Click Download CSR to download the certificate to your local computer.
Step 9 | After the certificate has downloaded, click Close.
After you download the CSR, you can use it to request a signed certificate from your chosen CA. This can be a well-known public CA or an internal CA. For details, see Import Signed Certificate from CA.
The following procedure describes how to upload the CA signed certificate to IM and Presence Service.
Step | Action
---|---
Step 1 | Log in to the Cisco Unified IM and Presence Administration user interface. Choose .
Step 2 | Click Upload Certificate/Certificate chain and the Upload Certificate/Certificate chain dialog box opens.
Step 3 | From the Certificate Name drop-down list, choose cup.
Step 4 | In the Description (friendly name) field, enter a description of the certificate, for example, CA Signed Certificate.
Step 5 | Click Browse to find the certificate file on your local computer.
Step 6 | Click Upload to upload the certificate to the IM and Presence Service node.
Step 7 | After the certificate has uploaded, restart the Cisco SIP Proxy service on all IM and Presence nodes in the cluster. To restart the Cisco SIP Proxy service, log in to the Cisco Unified IM and Presence Serviceability user interface. Choose . Click the Cisco Unified IM and Presence Service server, select Cisco SIP Proxy and click Restart.
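Because both sides must present certificates issued by the same CA, it is worth checking the signed certificate on an administrator workstation before uploading it as cup. The following Windows PowerShell function is an added example, not part of the original guide; the function name and the file names in the usage comment are hypothetical, and it assumes any intermediate CA certificates are already present in the local Windows certificate stores.

```powershell
# Added example: offline pre-upload check for a certificate to be installed as "cup".
# Revocation is not evaluated. File names in the usage comment are placeholders.
function Test-FederationCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $CertificatePath,  # signed certificate returned by the CA
        [Parameter(Mandatory = $true)] [string] $RootCaPath,       # root certificate uploaded as cup-trust
        [int] $MinimumRsaBits = 2048                               # CSR size stated in this guide
    )
    $certFile = (Resolve-Path -LiteralPath $CertificatePath).Path
    $rootFile = (Resolve-Path -LiteralPath $RootCaPath).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certFile
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $rootFile

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    # Accept a root that is not in the local trust store; the thumbprint comparison
    # below is what pins the chain to the expected CA.
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    [void] $chain.ChainPolicy.ExtraStore.Add($root)
    $built = $chain.Build($cert)
    $count = $chain.ChainElements.Count
    $pinned = $built -and ($count -gt 0) -and
              ($chain.ChainElements[$count - 1].Certificate.Thumbprint -eq $root.Thumbprint)

    # Public key size; 0 means the certificate does not carry an RSA key.
    $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $bits = 0
    if ($rsa) { $bits = $rsa.KeySize }
    $now = Get-Date

    [pscustomobject]@{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        ChainsToRoot = $pinned
        RsaBits      = $bits
        KeySizeOk    = $bits -ge $MinimumRsaBits
        InValidity   = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
    }
}

# Usage (placeholder file names):
# Test-FederationCertificate -CertificatePath .\imp-cup.cer -RootCaPath .\ca-root.cer
# Test-FederationCertificate -CertificatePath .\sfb-frontend.cer -RootCaPath .\ca-root.cer
```

Running it against both the IM and Presence certificate and the Skype for Business front-end certificate with the same root file should report ChainsToRoot as True for each; a False on either side means the two deployments do not share the CA.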
On the Skype for Business server, configure TLS static routes that point to the IM and Presence Service routing node.
Step | Action
---|---
Step 1 | Log in to the Skype for Business command shell interface.
Step 2 | Enter the following command to define a TLS route: where:
Step 3 | Make the newly created static route persistent in the Central Management store. Enter the following command:
Step 4 | If you made the new static route persistent, verify that the command was successful. Enter the following command:
On the Skype for Business server, assign the IM and Presence Service as a trusted application and add all IM and Presence cluster nodes to a trusted server pool.
Step | Action
---|---
Step 1 | Log in to the Skype for Business command shell.
Step 2 | Run the following command to create a trusted application server pool on the Skype for Business server: where:
Step 3 | Run the following command to add your IM and Presence Service cluster nodes to the trusted application pool. You must run this command for each IM and Presence node, except the routing node.
Step 4 | Enter the following command to create a new trusted application for the IM and Presence Service and add it to the new application pool: where:
Step | Action
---|---
Step 1 | Log in to the Skype for Business PowerShell.
Step 2 | Run the following command: Enable-CsTopology.
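The three Skype for Business procedures above (TLS static route, trusted application pool, topology publish) can be run as one Management Shell session, followed by a read-back check. This is an added example, not the commands from the original guide: every FQDN, the site, the registrar, the application ID and port 5061 are placeholder assumptions, as is using the routing node as the first computer in the pool.

```powershell
# Added example. All values below are placeholders (assumptions), not values from this guide.
$ImpRoutingNode = 'imp-route.example.com'           # IM and Presence routing node FQDN
$ImpOtherNodes  = @('imp-sub1.example.com')         # remaining IM and Presence cluster nodes
$ImpTlsPort     = 5061                              # assumed TLS listener port
$PresenceDomain = 'example.com'                     # presence domain shared by both systems
$PoolFqdn       = 'imp-pool.example.com'            # name chosen for the trusted application pool
$Registrar      = 'Registrar:sfb-pool.example.com'  # Skype for Business registrar service ID
$SiteId         = 'ExampleSite'                     # Skype for Business site for the pool

# 1. Define the TLS static route and persist it in the Central Management store.
$route = New-CsStaticRoute -TLSRoute -Destination $ImpRoutingNode -Port $ImpTlsPort `
             -MatchUri $PresenceDomain -UseDefaultCertificate $true
Set-CsStaticRoutingConfiguration -Route @{Add = $route}

# 2. Create the trusted application pool, add the other nodes, register the application.
#    TreatAsAuthenticated means pool members are not challenged, so the pool
#    should contain IM and Presence nodes only.
New-CsTrustedApplicationPool -Identity $PoolFqdn -Registrar $Registrar -Site $SiteId `
    -ComputerFqdn $ImpRoutingNode -TreatAsAuthenticated $true -ThrottleAsServer $true `
    -RequiresReplication $false -OutboundOnly $false
foreach ($node in $ImpOtherNodes) {
    New-CsTrustedApplicationComputer -Identity $node -Pool $PoolFqdn
}
New-CsTrustedApplication -ApplicationId 'imp-federation' `
    -TrustedApplicationPoolFqdn $PoolFqdn -Port $ImpTlsPort

# 3. Publish the topology.
Enable-CsTopology

# 4. Read back: the route for the presence domain, and the pool membership.
(Get-CsStaticRoutingConfiguration).Route |
    Where-Object { $_.MatchUri -eq $PresenceDomain }

$expected = @($ImpRoutingNode) + $ImpOtherNodes
$actual   = @((Get-CsTrustedApplicationComputer -Pool $PoolFqdn).Fqdn)
# No output from Compare-Object means the pool holds exactly the expected nodes.
Compare-Object -ReferenceObject $expected -DifferenceObject $actual
```

Any host that Compare-Object reports only on the pool side is trusted without authentication by Skype for Business and should be reviewed before the deployment goes live.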
To deploy Intradomain Federation, you must follow this process to exchange CA-signed certificates between the IM and Presence Service deployment and the Skype for Business deployment.
Step | Action
---|---
Step 1 | Download CA-signed certificates from IM and Presence Service.
Step 2 | Download CA-signed certificates from the Skype for Business edge server.
Step 3 | Upload Skype for Business certificates to the IM and Presence Service.
Step 4 | Upload IM and Presence certificates to the Skype for Business edge server.
For IM and Presence Service, you can download and upload certificates from the Certificate Management window of Cisco Unified IM OS Administration (choose ). For detailed procedures, see the "Security Configuration" chapter of the Configuration and Administration Guide for IM and Presence Service at http://www.cisco.com/c/en/us/support/unified-communications/unified-presence/products-installation-and-configuration-guides-list.html.
For Skype for Business certificates, you can use the Skype for Business Deployment Wizard to install or download certificates. Run the wizard and select the Request, Install or Assign Certificates option. For details, see your Microsoft Skype for Business documentation.