brkcol-2610 interoperability microsoft part 1clnv.s3.amazonaws.com/2017/eur/pdf/brkcol-2610.pdf ·...

Cisco Interoperability with Microsoft Part 1 – Collaboration

Tobias Neumann

BRKCOL-2610

• Architecture Microsoft Lync / Skype for Business

• Enterprise Voice

• IM & Presence Business to Business Federation

• IM & Presence Partitioned Intradomain Federation

• Migration

• Application Interoperability

• What about Cisco Spark?

Agenda

Architecture Microsoft Lync / Skype for Business

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 5BRKCOL-2610

Microsoft Lync / Skype for BusinessArchitecture Overview – on-premise

Front-EndSQL Server

Edge Archiving Role

Monitoring

Mediation

Office WebApps

XMPP Gateway AV Conferecing

Reverse Proxy

Director

Persistent ChatFront-End

Persistent ChatArchiving

Survivable Branch Appliance

Hardware Load Balancer

DNS Load Balancer

Phones

Video DevicesGateways

Transcoders

Storage Compute

Communication

Modalities

Many moving parts

Additional 3rd party components

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Microsoft Lync / Skype for Business

Audio:

• Mediation Server (Enterprise Voice)

• Remote Call Control (RCC)

Instant Messaging and Presence:

• SIP/SIMPLE Federation

• XMPP Federation

For Microsoft Lync 2010 and Office Communication Server 2007 via a separate OCS 2007 R2 XMPP Gateway

For Microsoft Lync 2013 via the XMPP Proxy (Edge), XMPP Gateway (Front-End)

(only tested and supported by Microsoft for federation with Google Talkhttps://technet.microsoft.com/en-us/library/jj205134(v=ocs.15).aspx)

Interoperability and specifics Lync 2010 / Lync 2013 / Skype for Business

RCC no longer supported with Skype for Business, replaced by Call via Work – significantly different features and capabilities

Microsoft Skype for Business RCC Reference: https://technet.microsoft.com/en-us/library/gg558658.aspx

BRKCOL-2610 6

https://technet.microsoft.com/en-us/library/jj205134(v=ocs.15).aspx

https://technet.microsoft.com/en-us/library/gg558658.aspx


Microsoft Lync

• Microsoft Lync supports point to point and multipoint video capabilities

• A complex set of integrations are available to interoperate Microsoft’s vendor specific video implementation with a h.264 AVC standards based video environment

• Please see BRKCOL-2611 – Cisco Interoperability with Microsoft Part 2 (Video Interoperability) for details

Video interoperability with Lync 2010 / Lync 2013

BRKCOL-2610 7


Microsoft Skype for BusinessVideo interoperability with Skype for Business – Video Interop Server (VIS) Role

• Basic dial in capabilities for standard h.264 AVC video systems to join A/V MCU

• Basic call capabilities from Video Room System to Skype for Business client

• Long List of Caveats No support for calls from Skype for Business to Video Room System

No support for Desktop-Sharing

No support for Continuous Presence or Gallery View

No calls and/or presence from Skype/S4B to the TP-System

No external calls to the TP-System via VIS

No Drag and Drop of TP-Systems into Skype-Meetings

Very limited scalability – approx. 16 concurrent calls per Video Interop Server

On-Premise role only !!!

Please see BRKCOL-2611 – Cisco Interoperability with Microsoft Part 2

(Video Interoperability) for further details

Microsoft Skype for Business VIS Reference Known Limitations, Sizing:

https://technet.microsoft.com/en-us/library/ms.lync.plan.videointerop.aspx

BRKCOL-2610 8

https://technet.microsoft.com/en-us/library/ms.lync.plan.videointerop.aspx


Microsoft Skype for Business Online – Office 365Architecture Overview - SaaS

• Communication capabilities of Skype for Business as a cloud-based service

• Presence, instant messaging, audio and video calling, rich online meetings web conferencing capabilities

• PSTN connectivity

Where available, hybrid

• Closed community

no standards based interoperability (i.e. IM & Presence or Video)


Internet

10BRKCOL-2610

Instant Messaging and PresenceCapabilities

SIP

Interoperability only supported with OCS, Lync or Skype for Business on premise systems

No standards based federation interface supported by Microsoft

Microsoft Office 365 Skype for Business Online Federation and Public IM Connectivity:

https://technet.microsoft.com/en-us/library/skype-for-business-online-federation-and-public-im-conectivity.aspx

https://technet.microsoft.com/en-us/library/skype-for-business-online-federation-and-public-im-conectivity.aspx

Enterprise Voice - Plus CAL


Enterprise Voice Call RoutingCall Routing depends on the dialing habit of user AND license

User has multiple option to initiate call

Depending on dialing habit

Called party

License purchased

Different result

When dialing either SIP URI or phone number of Lync user (reverse number lookup), Lync to Lync call is initiated

Number is called, only available when Plus CAL has been purchased, called party is NOT Lync user, call routed via mediation server

Video call initiated, when called SIP URI is another Lync user – Lync to Lync call, if domain of SIP URI is not on Lync call routed via SIP routing logic (SIP static route, TrustedApplicationPool)


Enterprise Voice Call RoutingSIP Trunk / Direct SIP Options 1/2

OCS 2007 / Lync 2010 & 2013 (no media bypass)

OCS 2007 / Lync 2010 & 2013 (no media bypass), none G.711 on IP-PBX

G.711RTaudio

Lync Client Lync Front End Lync Med. Server Cisco UCM

G.711RTaudio

Lync Client Lync Front End Lync Med. Server Cisco UCM IOS Transcoder

G.729/iLBC

Flows show the SIP signaling and media paths in a SIP-trunk interoperability scenario

Lync Mediation Server only supports G.711, requires additional transcoding resources if any other codec is used by devices connected through SIP-trunk

Scenarios shown do not require the usage of a Media Termination Point (MTP)

BRKCOL-2610 13


Enterprise Voice Call RoutingSIP Trunk / Direct SIP Options 2/2

G.711

Lync 2010 & 2013 (with media bypass)

Lync Client Lync Front End Lync Med. Server Cisco UCM

With the introduction of Media Bypass in Lync 2010 the Lync client can initiate direct G.711 media streams. Media paths is not hair pinned through the Lync Mediation Server, no transcoding. Signaling still has to flow via the Mediation Server.

Review Microsoft guidance regarding Media Bypass http://technet.microsoft.com/en-us/library/gg412740.aspx

Straight forward in a centralized (single site) topology without WAN links.

More complicated in a distributed topology with one or more branch - check the following:

Media Bypass shall only be utilized between WAN sites without bandwidth constrains

Media Bypass and Call Admission Control (CAC) are mutually exclusive

Media Bypass mandatorily requires all media to be represented by a single IP address – the reason why in the above example a Media Termination Point (MTP) has to be inserted.

G.711

BRKCOL-2610 14


Enterprise Voice Call RoutingLync Media Bypass Design Considerations

Dynamic decision to bypass mediation server based on comparing “bypass IDs” of Lync client and gateway’s media processor IP

Media Bypass can be activated globally in two ways:

Always Bypass:

All subnets mapped to one and only one bypass ID

Not compatible with MSFT CAC

Use Site and region information:

Supports interaction with CAC

Single unique bypass ID per region

WAN connected site w/o BW constraint inherits region’s bypass ID

WAN connected site w/ BW constraint gets unique bypass ID

Subnets associated w/ site inherit site’s bypass ID

BRKCOL-2610 15


Enterprise Voice Call RoutingLync Media Bypass and CAC

Media bypass and CAC both based on same site and region information

For media bypass and CAC to “work” media bypass has to to be set to “Use Site and Region Information”

Media Bypass CAC Result

Use Site and Region Information On/Off Bypass decision based on bypass ID. CAC only for calls that

are not bypassed b/c media bypass assumes “LAN like”

connection to peer. CAC only applied if CAC is enabled AND

bypass IDs do not match

Always Bypass On Invalid

Always Bypass Off All calls bypass (single bypass ID), no CAC applied

Off On Mediation server always employed; CAC applied

BRKCOL-2610 16


Enterprise Voice Call RoutingCisco UCM SIP trunk characteristics for Direct SIP

Lync requires Early Offer inbound/outbound

Although UCM now can do early offer w/o relying on an MTP

SIP profile setting:

Media resource still has to be allocated (single media address in Lync GW definition)

Trunk setting: “MTP required”

For every trunk a dedicated MRGL/MRG and single media resource required

On UCM SIP trunk configure IP addresses of possible mediation server peer addresses

Multiple inbound SIP trunk with the same peer IP required different local signaling ports

Inbound trunk selection on UCM based on remote peer and local signaling port

Local signaling port defined in SIP trunk security profile

BRKCOL-2610 17


Site 2

Site 1

Enterprise Voice Call RoutingMultiple Site example (Lync to Cisco UCM)

To keep media local to a site each site requires a local media resource

Alternate media IP definition in Lync trunk configured matches IP address of single media resource in MRGL/MRG of the trunk on Cisco UCM side

Multiple sites require multiple trunks

… and multiple MRGs, MRGLs and media resources

… and multiple SIP security profiles, because unique identification of each trunk on Cisco UCM based on the signaling port (UCM side trunk identification based on peer IP address and local signaling port)

Mediation

server poolLync Front-End

server pool

Site

2

Site

1

Central

Central

BRKCOL-2610 18


Enterprise Voice Call RoutingMultiple Site example (Lync to Cisco UCM) with redundancy

Lync Front-End

server pool

Site

1a

Site

1b

Site

2a

Site

2b

Mediation

server pool

Central

Two sites with Lync to Unified CM SIP trunk redundancy already require:

4 trunks, 4 MTPs/TRPs

4 MRGS, 4 MRGLs

2 SIP trunk security profiles

Site 1

Site 2

BRKCOL-2610 19


Enterprise Voice Call RoutingLync Media Bypass implications on redundancy

Fixed media IP configuration for GW on Lync forces 1:1 relation between inbound SIP trunk on Unified CM and MTP

Can not use MRG and MRGL for intelligent MTP selection (scalability, redundancy)

Availability of SIP trunk depends on SIP signaling peer and MTP availability

… which can not be monitored via SIP OPTIONS ping

Only indication of failing MTP allocation for inbound EO call from Lync:

If UCM fails to allocate a MTP call can be signaled failed and left to Lync to reroute using different SIP trunk

Outbound calls from Unified CM need to be EO and have to be via MTP (MTP required – Media Bypass)

BRKCOL-2610 20


Site 1

WAN

Enterprise Voice Call RoutingMultiple Site example

Mediation

server pool

Lync Front-End

server pool

Site

2

Site

1

Central

Unified selects trunk to Lync based on called destination (+E.164 prefix)

MTP (assumed) local to Lync client selected

Alternate media IP definition in Lync trunk configured in same site as Lync client -> bypass activated

Local media

Site 2

BRKCOL-2610 21


Site 2

Site 1


Mediation

server pool

Lync Front-End

server pool

Site

2

Site

1

Unified selects trunk to Lync based on called destination (+E.164 prefix), but Lync client moved to other site

MTP (assumed) local to Lync client selected

Alternate media IP definition in Lync trunk configured not in same site as Lync client -> no media bypass

Mediation server in media path

Media hairpins through central site

BRKCOL-2610 22


Site 1

Site 2


False assumption about Lync client location could lead to even worse media path:

Unified CM selects trunk with MTP local to (assumed) location of Lync client: Site 2

Lync rejects media bypass, because MTP not local to IP address of Lync client

Mediation server in media path, Media hairpins through remote and central site

Mediation

server pool

Lync Front-End

server pool

Site

2

Site

1

BRKCOL-2610 23


Enterprise Voice Call RoutingMedia hairpinning: Root Cause Analysis

MSFT Lync trunk architectural limitations

MTP required to enable media bypass

MTP needs to be “local” to Lync client

Only call control authoritative for endpoint is aware of client location

Source call control aware of source client location

Destination call control aware of destination client location

Problem: what if destination client (Lync) locations determines required MTP location, but source call control (Unified CM) is not aware of the location?

Fundamental limitation of Lync that can not be solved by Unified CM

… or any other call control

… unless “Always bypass” is configured which prohibits MSFT CAC (and still requires MTPs)

BRKCOL-2610 24

Instant Messaging and PresenceFederation - Interdomain


Instant Messaging and PresenceBusiness to Business – Interdomain Federation (SIP SIMPLE)

Domain atlanta.com

Lync Client

Lync Front End

LyncEdge

SIP SIP

Cisco ASATLS Proxy

Cisco UCMIM&Presence

Cisco Jabber

SIP XMPP

Domain biloxi.com

SIP

Internet

[email protected] [email protected] & Presence

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/im_presence/interdomain_federation/11_0_1/CUP0_BK_IA5F44AB_00_interdomain-federation-110.html

BRKCOL-2610 26

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/im_presence/interdomain_federation/11_0_1/CUP0_BK_IA5F44AB_00_interdomain-federation-110.html


Instant Messaging and PresenceBusiness to Business – Interdomain Federation (SIP SIMPLE)

Domain atlanta.com

Lync Client

Lync Front End

LyncEdge

SIP SIP

Expressway-E Cisco UCMIM&Presence

Cisco Jabber

SIP XMPP

Domain biloxi.com

SIP

Internet


Recommended deployment

http://www.cisco.com/c/en/us/support/unified-communications/expressway-series/tsd-products-support-series-home.html

Support for IM&P Federations requires Cisco UCM IM&P 11.5.1SU2 please check release notes for transition from preview status to GA http://www.cisco.com/c/en/us/support/unified-communications/expressway/model.html#ReleaseNotes

BRKCOL-2610 27

Breaking News!

Expressway X8.9

Expressway-C

http://www.cisco.com/c/en/us/support/unified-communications/expressway-series/tsd-products-support-series-home.html

http://www.cisco.com/c/en/us/support/unified-communications/expressway/model.html#ReleaseNotes


Instant Messaging and PresenceBusiness to Business – Interdomain Federation (XMPP Cisco UCM on premise)

Domain atlanta.com

Lync Client

Lync 2013(*)Front EndXMPP GWY

LyncEdge

SIP XMPP

CiscoExpressway


Cisco Jabber

XMPP XMPP

Domain biloxi.com

XMPP

Internet


Not recommended for Cisco UCM IM & Presence on premise deployments

Standard XMPP federation, works with IBM Sametime and other XMPP server Issues observed with Lync 2013…(*) Lync 2010 and OCS 2007/2007 R2 use standalone OCS 2007 XMPP Gateway, no longer maintained

Microsoft tested and supported only for Google Talk https://technet.microsoft.com/en-us/library/jj205134(v=ocs.15).aspx

BRKCOL-2610 28



Cisco Webex Messenger cloud service only supports XMPP Federation

Standard XMPP federation, works with IBM Sametime and other XMPP server Issues observed, see next slide for additional reference…(*) Lync 2010 and OCS 2007/2007 R2 use standalone OCS 2007 XMPP Gateway, no longer maintained

Microsoft tested and supported only for Google Talk https://technet.microsoft.com/en-us/library/jj205134(v=ocs.15).aspx

Instant Messaging and PresenceBusiness to Business – Interdomain Federation (XMPP Cisco Webex Messenger)

Domain atlanta.com

Lync Client

Lync 2013(*)Front EndXMPP GWY

LyncEdge

SIP XMPP

Cisco Webex MessengerCloud Service

Cisco Jabber

XMPP

Domain biloxi.com

XMPP

Internet

[email protected]

[email protected]

Messaging & Presence

BRKCOL-2610 29



Instant Messaging and PresenceBusiness to Business – Interdomain Federation (XMPP Cisco Webex Messenger)

Caveats

• Connection lost under loadConnection are lost when Lync XMPP Gateway is under load. The gateway will close the connection, log that there was an error talking

to the far side but give no explanation as to why. Under modicum of load (around 90 messages/second), connections can be lost as far

as every 2.3 minutes. Increasing the load to around 250 messages/second connections can be dropped every 10 seconds. This leads to

delays in delivery and outright packet loss.

• No id-on-xmppAddr support (RFC3920)The Lync XMPP Gateway does not look for id-on-xmppAddr in the certificate. Information will be ignored.

• No presence update after a subscriptionIntermittent: Directly after the Lync contact accepts the Webex Messenger user subscription, an unavailable is sent from the Lync

contact, no available presence is sent until the Lync contact resigns in.

• Messages routed to wrong clientLync XMPP Gateway does not follow the XMPP rules for addressing of messages which can lead to messages unexpected delivered to

the wrong client in a multiple client per user situation.

• Webex Messenger user showing as offline when onlineLync XMPP Gateway does not correctly track presence with multiple clients logged in for a single user. If a user has two clients

connected and the Lync user sess him as online, then logs out one of the clients the Lync user will see Webex Messenger user as

offline.

• No Group Chat supportLync XMPP Gateway does not understand MUC or Group Chat protocol. Lync users can not join or be invited to a group chat session.

BRKCOL-2610 30

Instant Messaging and PresenceFederation - Intradomain


Instant Messaging and Presence Within in a Business (Partitioned Intra Domain Federation)

Domain atlanta.com

Lync Client

Lync 2013Front End

SIP

[email protected]


Cisco Jabber

[email protected]

SIP XMPP

Same domain for both systems

• Partitioned Intra Domain solution for migration and long term coexistence

• Only available with Cisco UCM IM & Presence for on premise deployments

• Uses standard SIP routing mechanism

• Cisco UCM 10.x supports multiple distinct presence domains

• Cisco Expressway X8.8 supports full integration of IM & Presence with Audio/Video calling

[email protected] [email protected]

BRKCOL-2610 32


Instant Messaging and PresencePartitioned Intra Domain Federation – Deep Dive … (1/13)

Domain(s)

atlanta.com

atlanta.de

atlanta.au

Lync Client

Lync 2013Front End

SIP

[email protected]


Cisco Jabber

[email protected]

SIP XMPP

Same domains for both systems

[email protected] [email protected]

Active Directory

• Full Contact Search available to each end-user regardless of whether they exist on Cisco or Microsoft

• The end-user is not aware what back end the buddy resides on

• Temporary Presence subscription’s not supported in both directions (during search the user’s presence is “not available”) unless user is added to the buddy list

• Once added to the buddy list, users can exchange presence and instant messaging

• Recommended to utilize “msRTCSIP-primaryuseraddress” attribute as SIP/IM address

• LDS supported for complex AD scenarioBRKCOL-2610 33



New functionality in Cisco UCM 10.x – why do I care?

• Use email address as your SIP aka multimodal communication address for messaging, presence audio and video calling

• Most Lync server deployments map email address as attribute for SIP communication

• Require more than one presence/SIP domain to match email domains (atlanta.com, atlanta.de, atlanta.au)

• Pre 10.x default URI format sAMAccountName@<domain>

• Pre 10.x only single presence domain supported on cluster

BRKCOL-2610 34



New functionality in Cisco UCM 10.x – why do I care?

• msRTCSIP-primaryuseraddress or mail directory attribute supported as JabberID

• Multiple domains supported on single UCM IM&P system

Single or multi server environment

• Post 10.x advanced configuration allows for selecting either msRTCSIP-primaryuseraddress or mail as URI

• Multiple domains supported including for partitioned intra domain federation

• Security Certificates enhanced to reflect multi domain operations

• Cisco Jabber version 10.6 or higher of clients required

BRKCOL-2610 35



Advanced Presence Configuration - Cisco UCM IM & Presence 10.x+

• Configure directory URI mapping in Cisco UCM Active Directory LDAP Sync Statement

msRTCSIP-primaryuseraddress recommended for Partitioned Intra Domain Federation

• Configure Cisco UCM IM & Presence Advanced Presence Settings

IM Address Schema – Directory URI

Systems will automatically import all domains configured in Active Directory

BRKCOL-2610 36



Required Configuration Steps …

• Configure certificates on Lync and Cisco UCM

Highly recommended to use CA based certificates on both systems (Enterprise CA)

• Configure security parameters on Cisco UCM IM&P (ACL, TLS peer, TLS context)

• Configure SIP static route(s) on Cisco UCM IM&P

• Configure security parameters on Microsoft Lync (Trusted Application, Computer, etc.)

• Configure SIP static route(s) on Microsoft Lync

This sounds awfully complicated …

BRKCOL-2610 37



Introducing Intradomain Federation Setup Wizard - Cisco IM & Presence 11.5

• One stop shop to configure Intradomain federation

• Provides detailed Lync powershell commands for configuration required on Lync

BRKCOL-2610 38



Intradomain Federation Setup Wizard - Cisco IM & Presence 11.5

Example uses a Lync 2013 Standard Server without Load Balancer

Wizard does support Lync 2013 Enterprise Pools. Additional parameters must be configured depending on the configured topology.

BRKCOL-2610 39




Wizard will list all domains configured on Cisco UCM for use with Intradomainfederation. Static routes will be created based this configuration screen.

Wizard allows to specify additional servers (example single Lync 2013 Standard Server). In case topology uses Lync SBA/SBS these need to be added here.

BRKCOL-2610 40




Wizard review configuration screen

Required steps for Certificate Management

BRKCOL-2610 41




Wizard provided Lync Server PowerShell configuration commands to enable Intradomain Federation

BRKCOL-2610 42




Cisco IM & Presence Service Restart

After the wizard is complete certain Cisco IM & Presence services require a restart

A word on Certificates..

Cisco UCM 11.5 introduces support for strong cryptography

(Elliptic Curve Diffie-Hellman)

Lync 2013 does NOT support EC cipher cryptography!

To accommodate this new capabilities Cisco UCM 11.5 supports distinct certificates for RSA and EC cryptography.The primary RSA certificate is using a default common name (cn) equal to the DNS full qualified domain name (FQDN). TheEC certificate is using a cn of fqdn with a suffix of -EC, including the DNS FQDN as subject alternate name (SAN).

Even with Lync not supporting EC cipher TLS negotiation with Lync doesn’t work as Lync will not accept communication because the DNS FQDN and the certificate common name do not match. Per RFC/TLS standard this should not be the case as the SAN contains the FQDN. Never the less to overcome this issue the san including the –EC suffix needs to be added to the Cisco UCM IM & Presence CUP –C certificate.

Please see next slides for an example how to achieve this… BRKCOL-2610 43



Intradomain Federation Certificates - Cisco IM & Presence 11.5

Add additional Subject Alternate Name to Cisco UCM IM & Presence CUP Service –EC Certificate

Example uses a Windows Server 2012 R2 Microsoft Enterprise CA

Create new certificate signing request for CUP service

Cisco UCM Platform Administration does provide the capability to add SANs to the CSR directly.

Download the CSR for submission to the CA

BRKCOL-2610 44



Intradomain Federation Certificates - Cisco IM & Presence 11.5

Through the Microsoft CA Web Enrollment site submit the request to the CA

By default the CA policy does NOT allow to add attributes such as SANs to the CSR

The following commands can be used to change the CA policy

Certutil –setreg policy\Edit Flags +EDITF_ATTRIBUTESUBJECTALTNAME2

Net stop certsrv

Net start certsrv

In the additional Attributes dialog enter:

san:dns=<hotsname>-EC.<dns-domain>&dns=<hostname>.<dns-domain>

san:dns=cup01-EC.bootcamp.com&dns=cup01.bootcamp.com

BRKCOL-2610 45

Suggested changes to CA policy might be considered to have adverse security implications, verify before production use.


Instant Messaging and PresencePartitioned Intra Domain Federation – User Experience

BRKCOL-2610 46


Instant Messaging and PresencePartitioned Intra Domain Federation – Additional Topics to Consider

Lync Address Book – Contact resolution

Address bookDownload

Lync 2013Front End

Cisco UCM

Cisco Jabber

LDAPSync

Active Directory

LDAP

Lync Enabled UsersmsRTCSIP….

Imported to Addressbook

Lync only imports RTC enabled user into addressbook

For new Cisco Jabber users never configured on Lync before migration – msRTCSIP-primaryuseraddress must be set

User imported with msRTCSIP… attribute imported into Lyncaddressbook – new Cisco Jabber user searchable for Lync users

User imported with msRTCSIP… attribute imported into Cisco UCM via LDAP sync

BRKCOL-2610 47

Instant Messaging and PresenceFederation – Intradomain

What about Audio/Video at the same time?


Instant Messaging and PresencePartitioned Intra Domain Federation – Messaging, Presence and Audio/Video

Remember this picture?

To split IM & Presence traffic from Audio/Video a additional VCS was required running a CPL script

Complicated to configure and resource incentive

No longer supported with Expressway above version X7.x

BRKCOL-2610 49



Breaking News! Cisco Expressway X8.8 SIP Broker – Call Flow Lync to Cisco Jabber Instant Messaging

Lync Client

Lync 2013Front End


Cisco JabberCisco UCMCisco Expressway X8.8

SIP Broker

MSFT

Gateway

SIP1

SIP2SIP3

XMPP4

SIP5SIP6

Messaging Session

BRKCOL-2610 50


Instant Messaging and PresencePartitioned Intra Domain Federation – Messaging, Presence and Audio/VideoCisco Expressway X8.8 SIP Broker – Call Flow Jabber to Lync Instant Messaging

Lync Client

Lync 2013Front End



SIP Broker

MSFT

Gateway

XMPP1

SIP2SIP3

Message Session 4

BRKCOL-2610 51



Cisco Expressway X8.8 SIP Broker - Call Flow Lync to Cisco Jabber A/V Call

Lync Client

Lync 2013Front End



SIP Broker

MSFT

Gateway

SIP6

SIP1

SIP2SIP3

SIP4

SIP5

SIP7

Audio/Video Session 7BRKCOL-2610 52



Lync Client

Lync 2013Front End



SIP Broker

MSFT

Gateway

Cisco Expressway X8.8 SIP Broker - Call Flow Cisco Jabber to Lync A/V Call

SIP1SIP2

SIP3

SIP4

Audio/Video Session 5BRKCOL-2610 53



Cisco Expressway X8.8 SIP Broker – Configuration Steps

Instructions assume that Cisco UCM IM & Presence Intradomain Federation is already configured

Configuration steps for Cisco Expressway X8.8 SIP Broker (1/2)

Cisco UCM

Configure Secure SIP Trunk Profile

Configure Secure SIP Trunk to Expressway

Configure SIP Route Pattern for URI Routing

Configure UCM Cluster Mixed Mode for End to End Encrypted Calls (SRTP) (not covered in the reference material)

Cisco UCM IM & Presence

Configure Incoming ACLs for traffic from Expressway

Configure TLS Peer Subject for Expressway

Configure TLS Context for Expressway

Cisco Expressway X8.8

Configure required certificates for SIP signaling over TLS

Enable SIP Broker / Trusted Hosts

Configure Zones and Search Rules

BRKCOL-2610 54





Configuration steps for Cisco Expressway X8.8 SIP Broker (2/2)

Microsoft Lync

Modify SIP static route to send all traffic to Expressway SIP Broker

Configure Trusted Application Pool for Expressway

BRKCOL-2610 55





Configuration steps for Cisco Expressway X8.8 SIP Broker

Cisco UCM (1/2)

Configure Secure SIP Trunk Profile Configure Secure SIP Trunk to Expressway






Cisco UCM (2/2)

Configure SIP Route Pattern

In a multi domain environment this step needs to be repeated for each SIP domain.

BRKCOL-2610 57






Cisco UCM IM & Presence (1/2)

Configure Incoming ACL

Add the DNS FQDN and the Expressway IP address to the incoming ACLs

BRKCOL-2610 58






Cisco UCM IM & Presence (2/2)

Configure TLS Peer Subject Configure TLS

Context

BRKCOL-2610 59






Cisco Expressway (1/3)

Configure Neighbor Zone Configure Microsoft

Interoperability

BRKCOL-2610 60







Configure Trusted Hosts Configure Dialplan Search Rules

When using Lync SBA/SBS add as trusted hosts

One search rule required per domain and direction (CUCM to Lync and Lync to CUCM)

BRKCOL-2610 61







Search Rule CUCM to Lync Search Rule Lync to CUCM

Replicate both rules for each domain serviced by the system

BRKCOL-2610 62






Microsoft Lync (1/2)

Verify existing SIP routing configuration with Lync PowerShell command:

Get-CsStaticRoutingConfiguration -Identity global | Select-Object -ExpandProperty Route | Where-Object {$_.MatchUri -eq “<domain>”}

Output bellow shows the SIP static route(s) that have been configured

Example:Transport : TransportChoice=Certificate=Microsoft.Rtc.Management.WritableConfig.Settings.SipProxy.UseDefaultCert;Fqdn=cup01sevt.bootcamp.com;Port=5061MatchUri : bootcamp.comMatchOnlyPhoneUri : FalseEnabled : TrueReplaceHostInRequestUri : FalseElement : <Route xmlns="urn:schema:Microsoft.Rtc.Management.Settings.SipProxy.2008"

MatchUri="bootcamp.com" MatchOnlyPhoneUri="false" Enabled="true" ReplaceHostInRequestUri="false">

<Transport Port=”5061"> <TLS Fqdn=”cup01sevt.bootcamp.com">

<UseDefaultCert /> </TLS>

</Transport> </Route>

BRKCOL-2610 63


Instant Messaging and PresencePartitioned Intra Domain Federation – Messaging, Presence and Audio/VideoCisco Expressway X8.8 SIP Broker – Configuration Steps



Microsoft Lync (2/2)

Delete existing SIP route configuration with Lync PowerShell command:

x$ = Get-CsStaticRoutingConfiguration -Identity global | Select-Object -ExpandProperty Route | Where-Object {$_.MatchUri -eq “<SIP domain>”}

Set-CsStaticRoutingConfiguration –Identity global -Route @{Remove=$x}

(this has to be repeated for each domain configured on the system)

Add a new SIP static route that points the Lync server to send traffic to Expressway SIP Broker

$tlsRouteNo1 = new-csstaticroute -TLSRoute -Destination <expressway FQDN> -p 65072 -usedefaultcertificate $true -matchURI <SIP domain>

Set-CsStaticRoutingConfiguration -Route @{Add=$tlsRouteNo1}

(Expressway SIP broker listens for traffic from Lync on non-standard port 65072)

Create TrustedApplicationPool for Cisco Expressway

New-CsTrustedApplicationPool -Identity <expressway FQDN> -Registrar <Lync Server FQDN> -Site 1 -TreatAsAuthenticated $true -ThrottleAsServer $true -RequiresReplication $false -OutboundOnly $false

Add Cisco Expressway to TrustedApplication

New-CsTrustedApplication -ApplicationID interop.bootcamp.com -TrustedApplicationPoolFqdn exp02sevt.bootcamp.com -port 5061

BRKCOL-2610 64






Verify Configuration – Cisco Expressway Microsoft B2BUA / SIP Broker

BRKCOL-2610 65


Instant Messaging and PresencePartitioned Intra Domain Federation – SIP Broker User Experience

BRKCOL-2610 66


Migration…


Instant Messaging and PresencePartitioned Intra Domain Federation – Migration...

Remember the Command Line Migration Tools ?

ExportContacts.EXE, DisableAccount.EXE, DeleteAccount.EXE

More Breaking News! Cisco UCM IM & Presence 11.5 Provides New GUI Based Migration Tool

• Replaced 3 tools with one easy to use Windows application

• Old tools had to be run on EVERY server in the deployment with multiple command line

arguments

• New application is run on the Front-End server. Will connect remotely to all of the other

servers in the deployment .

• Added progress bars/counters for each stage of the migration

• Error handling / reporting has been greatly improved

• Added support for validating user accounts, before they get migrated:

• Validates that accounts exist and are enabled in Active Directory

• Validates that accounts exist and are enabled on the LCS/OCS/Lync server

BRKCOL-2610 68


Instant Messaging and PresencePartitioned Intra Domain Federation – Migration...

• Added validation at every step of the process

• Does not let the admin continue without validating previous stages

• Contextual tool tip help guides the admin through the process

BRKCOL-2610 69


Migration and External Federation


Instant Messaging and PresencePartitioned Intra Domain Federation – Adding External B2B Federation

Both Solutions Cisco and Microsoft do support external Business to Business Federation via SIP SIMPLE

SIP Federation is based on DNS SRV records. DNS SRV for a particular SIP domain can only be represented by one of the two solution – Highlander: “There can be only one!“

Internet

[email protected]

Lync Edge Expwy-E

ASA TLS proxy

Who handles

federation for

company.com?DNS SRV Records

_sipfederationtls._tcp.

DNS SRV Records

_sipfederationtls._tcp.

Domain company.com

Standards based A/V externalfederation for _sip. and _sips aswell as XMPP federation can stillbe terminated to Cisco Expresswayfor B2B federation

BRKCOL-2610 71


Internet

Instant Messaging and PresencePartitioned Intra Domain Federation – Adding External B2B FederationExternal SIP B2B Federation during Migration

Lync Client

Lync 2013Front End


Cisco Jabber

Cisco UCM


DNS SRV Records_sipfederationtls._tcp.atlanta.com

[email protected]

[email protected]

Alice on Lync initiates or receives communication with Bob Lync @ external domain

BRKCOL-2610 72


Internet


Lync Client

Lync 2013Front End


Cisco Jabber

Cisco UCM



MSFT Gateway

[email protected]

[email protected]

Alice migrated to Jabber initiates communication Audio/Video call with Bob Lync @ external domain

BRKCOL-2610 73


Internet


Lync Client

Lync 2013Front End


Cisco Jabber

Cisco UCM



Outgoing IM bypasses Expressway

[email protected]

[email protected]

Alice migrated to Jabber initiates chat communication with Bob Lync @ external domain

BRKCOL-2610 74


Internet


Lync Client

Lync 2013Front End


Cisco Jabber

Cisco UCM



[email protected]

SIPBroker

[email protected]

Bob Lync @ external domain initiates chat communication with Alice migrated to Jabber

BRKCOL-2610 75


Internet


Lync Client

Lync 2013Front End


Cisco Jabber

Cisco UCM



[email protected]

SIPBroker

MSFT Gateway

[email protected]

Bob Lync @ external domain initiates Audio/Video communication with Alice migrated to Jabber

BRKCOL-2610 76



External SIP B2B Federation during Migration - Configuration

Cisco UCM

Configure SIP Route Pattern for External Domain URI Routing

Configure Calling Search Space for incoming/outgoing class of service

Cisco UCM IM & Presence

Configure SIP Federated Domain

Add Static Route for Federated Domain via Lync Front End


Add search rules for outgoing federated communication via Lync Front End

Microsoft Lync Server

External Federation should already be in place screenshots provided for documentation purpose

BRKCOL-2610 77




Cisco UCM Cisco UCM IM & Presence

BRKCOL-2610 78




Cisco Expressway

Cisco Expressway does allow for wildcard routing – it is recommended to configure explicit routes for externally federated domains

BRKCOL-2610 79




Microsoft Lync Server

SIP Federation Next HopFQDN discovered through_sipfederationtls DNS SRVrecord

BRKCOL-2610 80


Migration and External Federation


Jabber

Clients

Communication

Manager

IM & Presence

Server

Expressway C

XMPP

SIP/BFCP

5061

SIP/BFCP

IM to IM&P

Voice/Video

Alice

Expressway E

Cisco Meetings

Server

Media

Transcoding

& Adaption

Share

Bob

RDP RDP

RDP

RDP

Lync

Edge

Lync

Front End

B2B

Federated

Partner

(Lync)

Federate Jabber / Skype user with

Voice/Video & Desktop Share

Translate Video and

RDP<->BFCP

IM to

IM&

P

Instant Messaging and

Presence

82BRKCOL-2610

Cisco to Microsoft Federation


Configuring Cisco SIP B2B Federation with Microsoft

SIP Trunk Security Profile

SIP Trunk


Configure Cisco SIP B2B Federation with Microsoft

SIP Route Pattern for Federated Domain


Configure Cisco SIP B2B Federation with MicrosoftExpressway C Neighbor Zone for CUCM (Audio/Video)


Configure Cisco SIP B2B Federation with MicrosoftExpressway C Neighbor Zone for CUCM IM&P


Configure Cisco SIP B2B Federation with MicrosoftExpressway C Neighbor Zone for Cisco Meeting Server


Configure Cisco SIP B2B Federation with MicrosoftExpressway C Traversal Zone


Configure Cisco SIP B2B Federation with MicrosoftExpressway C – Search Rule routing A/V inbound Microsoft traffic to CMS

Regex must match all internal domains


Configure Cisco SIP B2B Federation with MicrosoftExpressway C – Search Rule routing A/V inbound traffic from CMS to UCM


Configure Cisco SIP B2B Federation with MicrosoftExpressway C – Search Rule routing outbound A/V traffic from UCM to CMS

Regex must match external federated domain


Configure Cisco SIP B2B Federation with MicrosoftExpressway C – Search Rule routing outbound A/V traffic from CMS to Expressway E


Configure Cisco SIP B2B Federation with MicrosoftExpressway C – Search Rule routing inbound IM/P traffic to UCM IM&P


Configure Cisco SIP B2B Federation with MicrosoftExpressway C – Search Rule routing outbound IM/P traffic from UCM IM/P


Configure Cisco SIP B2B Federation with MicrosoftExpressway C – Additional configuration currently required for Presence

New zone per CUP server


Configure Cisco SIP B2B Federation with MicrosoftExpressway C – Additional configuration currently required for Presence

Search Rule for Presence

FQDN or IP address


Configure Cisco SIP B2B Federation with MicrosoftExpressway E – Traversal Zone, B2B DNS Zone


Configure Cisco SIP B2B Federation with MicrosoftExpressway E – Search Rules

Inbound Route

Outbound Route


Configure Cisco SIP B2B Federation with MicrosoftCisco UCM IM&P Configuration

TLS Peer Subject Configuration for Expressway C

TLS Context Configuration



TLS Peer Subject Configuration for Expressway C

TLS Context Configuration



SIP Federation Domain Configuration

Needs to be configured for each B2B federated domain



SIP Federation Route Configuration

Needs to be configured for each B2B federated domain


Configure Cisco SIP B2B Federation with MicrosoftExternal DNS Configuration

Microsoft specific DNS Federation SRV record for your domain

In case of multi domain deployment make sure that you have configured SRV for each domain

Application Interoperability


Same Lync client integration points now supported on

the 64-bit Skype for Business 2015 & 2016 clients!

NOTE: Previous version was 32-bit only support.

Integration Points:

Presence

Audio and Video Calling

Instant WebEx Meetings

Click to Call

105BRKCOL-2610

Cisco UC Integration for Microsoft Lync Skype for Business 64-bit Support


Platform Features

• Skype for Business 64-Bit Support

• Microsoft Office 2016 Support

• Click-to-Call for Office - 64Bit Applications

• Windows 10 Support

• Intel Atom Support

• IPv6 Support

New Voice and Video Features

• Appear Offline Presence Support

• Survivable Remote Site Telephony Support

• Opus Codec Support

• Far End Camera Control

• DTMF Digit Management

• Headset Selection from Hub Window

• Display Call Duration

• Classic Ringtone

• Audio and Video Bridge Conferencing

• Sign Out on Inactivity Timer

Cisco UC Integration™ for Microsoft Lync Release 11.6 Highlights

Accessibility

• Windows notification sound played when a contact search returns a result

User Interface Updates

• High DPI

Security Features

• Encryption and Decryption of PRTs

• PRT Logging Levels

• Invalid Certificate Behavior

• Customer Signature for Installer

• Protocol Rate Limiting

BRKCOL-2610 106


Application InteroperabilityMicrosoft Office client and server side interoperability

Cisco Jabber Collaboration

Solution

Fully integrated into

Microsoft Office, on-premise

or Office 365(*)

(*) Check Release Notes for supported Office 365 deployment models

Cisco Jabber 11.x support

BRKCOL-2610 107


Application Interoperability

• Cisco Jabber can integrate with the Microsoft Office suite • Click-to-X (click-to-call, click-to-IM, click-to-conference)

• Presence light up of Microsoft Contact card

• Store Instant Messaging conversation history in Outlook/Exchange

• Microsoft Exchange integration (Exchange on-premise and Exchange online)• Calendar integration (client or server side)

• Unified Messaging integration – Cisco Unity Connection

• Microsoft SharePoint integration (SharePoint on-premise and SharePoint online)• Click-to-X (click-to-call, click-to-IM, click-to-conference)

• Presence light up of Microsoft Contact card

Functionality available at the application level


Application InteroperabilityAdditional integrations powered by Cisco Jabber…

Jabborate integrations with Cisco Jabber Web SDK

Web based user experience cross multiple platforms

• Microsoft SharePoint

• IBM Connections

• SAP

www.jabborate.com

BRKCOL-2610 109


Application InteroperabilityOrganizations moving commodity workloads to the cloud

Collaboration services integrated with cloud based applications (i.e. Exchange, SharePoint)

…while maintaining today’s required telephony functionality and PSTN access

…while enhancing communication services with standards based interoperable business to

business and consumer functionality

Internet

PSTN B2B

C2B

BRKCOL-2610 110


Application InteroperabilityOrganizations moving commodity workloads to the cloud

• Active Directory proxyAddresses attribute required for Office integration and light up

• Cisco Unity Connection messaging integration with Exchange Online via Exchange Web

Services (EWS)

Internet

PSTN B2B

C2B

ProxyAddresses

AD attribute

EWS

BRKCOL-2610 111

What about Cisco Spark?


Cisco Spark Hybrid Service - Connected Calling

113

Call Service Connect - connects Cisco Spark & the enterprise phone system – so they behave as one

Your Spark app becomes an enterprise softphone

Provides voice and video interoperability between Jabber and Spark

User benefits:

• Choice: use Jabber or Spark to call anyone without worrying about which you or the other person is using

• One number: be reached on Spark, Jabber, or a deskphone. Choose to take the call on whichever suits you best at that moment

• Reach everyone: call company extensions, PSTN numbers, Spark only users, and even video bridge numbers

• Company dial plan: dial from the Spark app as you would from your deskphone - call PSTN numbers via enterprise phone system

• Make the most of video assets: en-route to the office start a call on a mobile device and hand off to a room system when you arrive

CiscoOn-Premises & Partner Hosted HCS

CiscoCollaboration

Cloud

BRKCOL-2610


Cisco Spark Hybrid Service - Connected Calling

When Cisco Spark User is enabled for Hybrid Call Service Connect Business to Business

Calls are routed via the Enterprise (Cisco UCM, Expressway B2B)

Combining Cisco Spark Hybrid Call Service Connect with Expressway X8.9 Cisco to

Microsoft B2B Federation, Cisco Spark Users can call Lync 2013, Skype for Business

or Skype for Business Online Users (audio, video and two way screen sharing)

At this point there is no messaging interoperability available

BRKCOL-2610 114


Call Routing from Spark via Hybrid ServiceConfiguration Outgoing to O365

Cisco Collaboration

CloudSIP call from Spark (Hybrid) signaled to Enterprise CC

Destination URI Bob@<office365 domain>

Routed through Spark Traversal Zone

http REST

SIP Route Pattern <office365 domain>

towards Expressway-C

Search Rule <office365 domain>

to CMS

Incoming Call

Forwarding <office365 domain>

Outbound Call

<office365 domain> as Lync call

Expressway-C

Search Rule

<office365 domain> to

B2B/MRA Traversal Zone

Search Rule

<office365 domain>

to DNS Zone

Expressway Hybrid Services

Connectors

AXL

DNS lookup for _sipfederationtls._tcp.<office365 domain>

mailto:[email protected]


Call Routing from S4B (O365) to Spark via Hybrid Configuration incoming from O365

Cisco Collaboration

CloudSIP call to Spark, destination cloud

URI Alice@<xyz>.ciscospark.com

Through Spark Traversal Zone

http REST

SNR / Hybrid Services

Search Rule <customer domain>

from CMS to UCM

Incoming Call

Forwarding <customer domain>

Outbound Call

<customer domain> as standard SIP

Call Expressway-C

Search Rule

Type MSFT SIP

<customer domain>

to CMS

Incoming Search Rule

<customer domain>

To B2B Traversal Zone

DNS lookup for _sipfederationtls._tcp.<customer domain>

Expressway Hybrid Services

Connectors

AXL

mailto:tneumann@<xyz>.ciscospark.com

Summary


Cisco Interoperability with Microsoft

• Identify your requirements and select the right scenario for your environment

User experience

Technical feasibility

Complexity

Operational implications

• Understand the pros and cons of the selected scenario

• “Mileage” of certain functionalities might vary when applied to a real life environment

• …Media Bypass in multi site deployment

• Thoroughly evaluate (PoC)

• Cisco remains committed to support interoperability scenarios

Many options to interoperate


How to get hands on experience?

Cisco UCM 11.5, Jabber 11.7 and Expressway X8.8 hands on lab available in Cisco dCloud demo and lab environment

Cisco UCM 11.5, Jabber 11.7 and Expressway X8.9 hands on lab available @CL Berlin and via Cisco dCloud

Go to http://dcloud.cisco.com (CCO login required)

119BRKCOL-2610

http://dcloud.cisco.com/


Complete Your Online Session Evaluation

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

• Please complete your Online Session Evaluations after each session

• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt

• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

BRKCOL-2610 120

CiscoLive.com/Online


Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Lunch & Learn

• Meet the Engineer 1:1 meetings

• Related sessions

BRKCOL-2610 121

Thank You

brkcol-2610 interoperability microsoft part 1clnv.s3.amazonaws.com/2017/eur/pdf/brkcol-2610.pdf ·...

Documents