Jabber OCS Gateway. Setup Guide. Product: OCS Gateway Document Version: C

Transcription

1 Jabber OCS Gateway Setup Guide Product: OCS Gateway Document Version: C

2 Disclaimers Trademarks Copyright 2008 Jabber, Inc. The information contained in this document is proprietary to Jabber, Inc. This information is considered confidential and is not to be disclosed to any outside parties without the express written consent of Jabber, Inc. This document is provided for information purposes only, and the information herein is subject to change without notice. Jabber, Inc. does not provide any warranties covering and specifically disclaims any liability in connection with this document. JABBER and the light bulb logo are either trademarks or registered trademarks of Jabber, Inc. Windows, Windows Server, Microsoft, and OCS are registered trademarks of Microsoft Corporation in the United States and other countries. All other trademarks are the property of their respective owners. Contact Information 1899 Wynkoop Street, Suite 600 Denver, Colorado Jabber OCS Gateway Setup Guide Page ii

3 Contents Chapter 1. Introduction... 5 Setup Checklist 6 The OCS Gateway 6 System Requirements 7 Example Gateway Deployments 8 Support for SIP/SIMPLE Standards 10 Exceptions 10 Limitations 10 Chapter 2. Installation Before You Begin 12 Downloading the OCS Gateway 13 Installing the OCS Gateway 13 Removing Unneeded Components 14 Chapter 3. Network Access and Certificate Authentication Configuring Your OCS Server 17 Publishing an SRV Record on your DNS Server 17 Obtaining a Signed Certificate 18 Generating a Certificate Request and a Private Key 18 Generating a Domain Key 20 Obtaining the Signed Certificate 20 Combining the.pem Files 20 Verifying the Certificate 21 Chapter 4. OCS Gateway Configuration Setup Checklist 23 Configuring a Server-to-Server Connection Manager 23 Configuring the OCS Gateway 25 Adding an Outgoing Connection Attempt Rule in the S2SCP 30 Configuring an OpenPort Connection 31 Configuring Jabber Administrators 32 Configuring the Single Domain Name Support Component 34 Configuring Router-to-Router Connections 36 SIP/SIMPLE Gateway Parameter Reference 38 Jabber OCS Gateway Setup Guide Page iii

4 Basic Parameters 38 Intermediate Parameters 39 Advanced Parameters 39 Chapter 5. SIP Proxy Configuration Before You Begin 43 Configuring the SIP Proxy Component 43 Configuring a Router-to-Router Connection 49 SIP Proxy Parameter Reference 51 Basic Parameters 51 Intermediate Parameters 52 Advanced Parameters 54 Chapter 6. Non-Standard SIP Host Configurations Non-Standard SRV Records 58 Custom Gateway Connections 60 Jabber OCS Gateway Setup Guide Page iv

5 Chapter 1. Introduction The OCS gateway allows Jabber MomentIM users to communicate via instant messaging with users of Microsoft Office Communications Server (OCS). Jabber and OCS users can subscribe to one another s presence, send one-to-one messages, deny subscription requests, and unsubscribe from one another. The gateway does not require XMPP client users to have authorization on remote systems; from a user s perspective, it is completely transparent. The OCS gateway must be installed and run on a Jabber XCP 5.4 server. However, if you are running a Jabber XCP 5.2 SP2 server, you can configure a router-to-router connection on that server to connect to the Jabber XCP 5.4 server on which the OCS gateway is running. Jabber, Inc. recommends that you install and run each OCS gateway on its own computer. If you are running multiple gateways behind your firewall, you must also install the gateway software on a computer located in the DMZ. This computer will run the SIP Proxy, which relays SIP traffic coming from your OCS gateways through the firewall to the OCS Access Edge Server. The following sections are provided. Section Page Setup Checklist 6 The OCS Gateway 6 Support for SIP/SIMPLE Standards 10 Jabber OCS Gateway Setup Guide Introduction Page 5

6 Setup Checklist Setup Checklist The following checklist provides a summary of the tasks that you must perform to set up your OCS gateway in the Jabber XCP server environment. Read the OCS gateway overview information provided in this chapter. Install the Jabber XCP 5.4 server, core package only, on each gateway s computer. If you are planning to run multiple gateways behind your firewall, also install the Jabber XCP server on the computer that will run the SIP Proxy in the DMZ. Download the gateway installer as described on page 13. Install the gateway software on each gateway computer as described on page 13. If you are planning to run multiple gateways behind your firewall, also install the gateway software on the computer that will run the SIP Proxy in the DMZ. Remove unneeded components from the Jabber XCP server on each gateway s computer and on the SIP Proxy s computer as described on page 14. Create any necessary certificates and private keys, and enable network access for your gateway as described in Chapter 3. Configure the OCS gateways as described in Chapter 4. Configure the SIP Proxy (if you are using one) as described in Chapter 5. The OCS Gateway The OCS gateway allows the exchange of messages and presence between Jabber users and users of Microsoft Office Communications Server Using the gateway, Jabber users can add OCS contacts to their rosters in the same way they add Jabber contacts. OCS contact IDs use the same format as Jabber contacts; for example, jblack@example.com. In order for your OCS server to work correctly with the OCS gateway, the OCS server s certificate must be configured to act as both TLS client and server. The Extended Key Usage parameter in the certificate must either not be present, or it must contain both of the lines TLS Web Server Authentication and TLS Web Client Authentication. See Configuring Your OCS Server on page 17 for examples of correctly-configured certificates. Jabber OCS Gateway Setup Guide Introduction Page 6

7 The OCS Gateway System Requirements This section lists the system requirements for the OCS gateway. Jabber XCP The OCS gateway must be installed on version 5.4 of the Jabber XCP server on systems running: Jabber IM Client Redhat Enterprise Linux version 4.4 Microsoft Windows Enterprise Server 2003 The gateway will also runs against a Jabber XCP 5.2 SP2 server. In this case, a router-torouter connection must be configured on the Jabber XCP 5.2 SP2 server to connect to the 5.4 server on which the gateway is running. Jabber client users can use Jabber MomentIM version and later with the OCS gateway. OCS Your OCS server can run either OCS 2007 Standard Edition or Enterprise Edition. Your OCS Access Edge Server must be running OCS 2007 Standard Edition. The Enterprise edition of the OCS Access Edge Server has a problem that prevents it from routing some of its own messages to the OCS gateway. The Standard edition does not experience this problem. Enhanced federation must be enabled on the OCS server. The Jabber XCP domain must be configured as an authorized domain that is allowed to federate with the OCS server. Microsoft Office Communicator 2005 and 2007 are the supported clients for OCS users. Ports Port 5269 must be accessible to the Internet if you want your Jabber XCP server to communicate with other Jabber servers over the Internet. Port 5061 must be available for incoming SIP/SIMPLE over TLS traffic. Memory Allow at least 1 GB of memory for the OCS gateway above the 512 MB that is required for the Jabber XCP server. Jabber OCS Gateway Setup Guide Introduction Page 7

8 The OCS Gateway Gateway running on the primary Jabber XCP server Example Gateway Deployments You can run a single OCS gateway on your primary Jabber XCP server or in the DMZ if you only require one gateway. However, if you plan to run multiple OCS gateways, you must install them behind your firewall and configure a SIP Proxy that runs in the DMZ. Although Jabber, Inc. recommends that you install the OCS gateway on a computer that is separate from your primary Jabber XCP server, you can, if preferred, install and run the gateway on the primary server itself. To do this, your primary server must be running Jabber XCP 5.4 as illustrated in Figure 1. cindy@example.com jane@company.com Jabber XCP Server example.com XMPP Client OCS Client Jabber XCP 5.4 OpenPort Connection S2SCM S2SCP SIP/SIMPLE Gateway Director Port=5061 Port 5061 Port 5269 Firewall OCS Access Edge Server (Standard edition) OCS Standard or Enterprise Server Figure 1. OCS gateway running on primary Jabber XCP server Jabber OCS Gateway Setup Guide Introduction Page 8

9 The OCS Gateway Gateway running in DMZ Figure 2 illustrates the recommended method for setting up a single OCS gateway deployment. The gateway runs on a separate Jabber XCP 5.4 server located in the DMZ. cindy@example.com jane@company.com XMPP Client DMZ OCS Client Jabber XCP 5.2 or 5.4 Router-to-Router connection Jabber XCP 5.4 OpenPort Connection Jabber XCP Server example.com S2SCM S2SCP SIP/SIMPLE Gateway Director Port=5061 Port 5061 Port 5269 Firewall Figure 2. Single gateway running in the DMZ OCS Access Edge Server (Standard Edition) OCS Standard or Enterprise Server Multiple gateways cindy@example.com The following figure illustrates multiple OCS gateways running behind the firewall. This setup requires a SIP Proxy running on a Jabber XCP 5.4 server in the DMZ. DMZ XMPP Client SDNS Component Jabber XCP 5.2 or 5.4 Router-to-Router Connection jane@company.com Router-to-Router Connection Jabber XCP 5.4 Router-to-Router Connection OpenPort Jabber XCP 5.4 OCS Client Jabber XCP 5.4 OpenPort Connection Manager S2SCP SIP/SIMPLE Gateway Director Port=5061 Connection Manager S2SCP SIP/SIMPLE Gateway Director Port=5061 Firewall SIP Proxy Component Port 5061 Port 5269 Firewall OCS Access Edge Server Standard Edition OCS Standard or Enterprise Server Figure 3. Multiple gateways running behind the firewall Jabber OCS Gateway Setup Guide Introduction Page 9

10 Support for SIP/SIMPLE Standards Support for SIP/SIMPLE Standards The OCS gateway supports the following SIP/SIMPLE standards. Standard RFC SIP Core 3261 SIP: Session Initiation Protocol 3263 Session Initiation Protocol (SIP): Locating SIP Servers 3265 Session Initiation Protocol (SIP): Specific Event Notification SIMPLE 3428 Session Initiation Protocol (SIP) Extension for Instant Messaging 3856 A Presence Event Package for the Session Initiation Protocol (SIP) XMPP 3921 Extensible Messaging and Presence Protocol (XMPP): Instant Messaging and Presence IMPP 3859 Common Profile for Presence (CPP) 3860 Common Profile for Instant Messaging (CPIM) 3861 Address Resolution for Instant Messaging and Presence 3862 Common Presence and Instant Messaging (CPIM): Message Format 3863 Presence Information Data Format (PIDF) 4480 Rich Presence Extensions to the Presence Information Data Format (PIDF) Exceptions The OCS gateway does not support the following: The authentication of SIP/SIMPLE users Enhanced or custom presence functionality as defined by Microsoft The translation of RTF Cross-domain user searches Limitations The SIP/SIMPLE protocol imposes the following limitations for setting up subscriptions: Subscriptions must be set up on both sides. The OCS gateway user is added to the XMPP user s roster, and then the XMPP user is added to the gateway user s roster. Jabber OCS Gateway Setup Guide Introduction Page 10

11 Support for SIP/SIMPLE Standards When a Jabber user removes an OCS contact (or vice versa), the user is not automatically removed from the contact s roster. Unlike XMPP, SIP/SIMPLE does not facilitate the automatic removal of contacts from both rosters. OCS-to-XMPP subscriptions are refreshed every hour or at the SIP Subscription timeout interval that is set in the gateway. When the XMPP server is restarted, the presence of OCS users to XMPP users is determined by the subscription interval set up on the OCS server. Jabber OCS Gateway Setup Guide Introduction Page 11

12 Chapter 2. Installation The OCS gateway must be installed and run on a Jabber XCP 5.4 server. This server can be your primary Jabber XCP server, or it can running on a separate computer. If you install your OCS gateways on a separate computer (as recommended by Jabber, Inc.), your primary Jabber XCP server can be running either Jabber XCP 5.2 SP2 or 5.4. If you plan to run multiple OCS gateways, you must install Jabber XCP 5.4 and the OCS gateway software on each gateway computer, and on a computer located in the DMZ. This computer will run the SIP Proxy. The following sections are provided. Section Page Before You Begin 12 Downloading the OCS Gateway 13 Installing the OCS Gateway 13 Removing Unneeded Components 14 Before You Begin Before you install the OCS gateway software, make sure that you have done the following: Installed the core Jabber XCP 5.4 server on each computer that will run an OCS gateway Installed the core Jabber XCP 5.4 server on the computer that will run the SIP Proxy (if needed) Jabber OCS Gateway Setup Guide Installation Page 12

13 Downloading the OCS Gateway Downloading the OCS Gateway Before you can install the OCS gateway, you must download its installer, which is available on your web page on the Jabber Support site. On each computer on which you plan to install the gateway 1. Access the Jabber Support website at: 2. Log in using your username and password. 3. In the left pane, click Downloads. 4. In the Download column, locate and click the OCS gateway s installer to start the download. 5. Select the location on your server where you want to save the file, and click Save. 6. When the download has completed, extract the installation package. Installing the OCS Gateway Jabber, Inc. recommends that you install each gateway on its own Jabber XCP 5.4 server rather than on your primary Jabber XCP server. As a result, each gateway server is dedicated exclusively to handling gateway traffic. To install the OCS gateway 1. Make sure that the Jabber XCP 5.4 server and the controller are not running on the gateway s computer. 2. Change to the directory where you downloaded the gateway s installer. 3. If you are installing on a Jabber XCP for Linux system, enter the following command:./installer_name For example:./xcp-sipgw-installer x-rhel4-i686.bin 4. If you are installing on a Jabber XCP for Windows system, double-click the installer to start the install wizard, and follow the prompts. Jabber OCS Gateway Setup Guide Installation Page 13

14 Removing Unneeded Components 5. When you are asked where to install the gateway, enter the full system path to the location where the Jabber XCP server is installed. Removing Unneeded Components Before you begin configuring the OCS gateway(s) and the SIP Proxy, you need to remove the Jabber Session Manager, and the Connection Manager and Text Conferencing components from the respective Jabber XCP servers. Do not remove any components from your primary Jabber XCP server. This procedure is for the servers running the gateway(s) and the SIP Proxy only. On each gateway s computer and on the SIP proxy s computer 1. Start the Jabber XCP controller. 2. Access the controller in a browser window and start the Jabber XCP server. 3. In the Router area, click the Remove link for the Jabber Session Manager. 4. In the Components area, click Stop beside the Text Conferencing component, and then click Remove to remove it from the server. Jabber OCS Gateway Setup Guide Installation Page 14

15 Removing Unneeded Components 5. Stop and remove both Connection Manager components as well. 6. If you have multiple gateways, repeat this process on each gateway s Jabber XCP server and on the SIP Proxy s server. You are now ready to add and configure the SIP Proxy and the gateways as described in the following chapters. Jabber OCS Gateway Setup Guide Installation Page 15

16 Chapter 3. Network Access and Certificate Authentication This chapter provides instructions for enabling your OCS gateway to communicate with its network host, and for obtaining the proper certificate authentication from your Certificate Authority. To complete your OCS gateway configuration, you must ensure that your OCS server is configured properly. You must also publish an SRV record on your DNS server, and obtain a signed certificate for the gateway s server. The following sections are provided. Section Page Configuring Your OCS Server 17 Publishing an SRV Record on your DNS Server 17 Obtaining a Signed Certificate 18 Jabber OCS Gateway Setup Guide Network Access and Certificate Authentication Page 16

17 Configuring Your OCS Server Configuring Your OCS Server The certificate for any OCS server must be configured to act as both TLS client and server. The Extended Key Usage parameter in the certificate must either not be present, or it must contain both of the lines TLS Web Server Authentication and TLS Web Client Authentication. Two examples of correctly-configured certificates are shown below: Example 1 (Extended Key Usage parameter is not present): X509v3 Subject Key Identifier: 0B:F9:8F:DC:2E:74:F1:54:0C:BC:1B:03:3A:E8:D3:BA:D2:CA:D1:38 X509v3 Authority Key Identifier: keyid:09:46:07:f5:8e:e4:6d:50:6e:bb:d1:ea:3b:1e:36:2e:76:1a:e2:91 Example 2 (Extended Key Usage parameter has both lines): X509v3 Subject Key Identifier: F6:F1:88:4B:E1:B8:62:82:46:87:6F:BA:B6:0F:3D:AD:78:46:C2:D5 X509v3 Extended Key Usage: TLS Web Server Authentication TLS Web Client Authentication X509v3 Authority Key Identifier: keyid:09:46:07:f5:8e:e4:6d:50:6e:bb:d1:ea:3b:1e:36:2e:76:1a:e2:91 Publishing an SRV Record on your DNS Server In order for the OCS Access Edge Server to communicate with your OCS gateway, an SRV record must be published on your DNS server. An example SRV record for the OCS gateway is shown below: _SIPfederationTLS._TCP.example.com IN SRV ocsgw ocsgw IN A The SRV record maps the OCS gateway domain name to the IP address where the OCS gateway is going to run. Jabber OCS Gateway Setup Guide Network Access and Certificate Authentication Page 17

18 Obtaining a Signed Certificate Obtaining a Signed Certificate The connection between the OCS gateway and the OCS Access Edge Server must be mutual TLS. Certificates are presented by both sides as part of the TLS handshake. For the OCS gateway, you do not have to use a 3 rd -party CA; you can use a self-signed certificate if preferred. The certificate must conform to RFC 3280 certificate standards and include both server and client authentication EKU flags. OpenSSL, which is an Open Source toolkit for implementing SSL and TLS, can be used to generate the certificate request and the private key. OpenSSL is included in the Jabber XCP Server installation package. (You can read more about OpenSSL at The commands documented in the following sections for obtaining a signed certificate were used in the Jabber, Inc. environment during testing and should be considered examples only. You may need to alter the commands slightly to work in your own environment. Generating a Certificate Request and a Private Key You must generate a certificate request and a private key for each computer on which an OCS gateway is running, and on the computer running the SIP Proxy (if you are using one). On each gateway s computer and on the SIP Proxy s computer 1. Set the OPENSSL_CONF environment variable to the path where the openssl.cnf file resides. 2. If you are running one or more gateways on computers that are separate from the Jabber XCP server, and if you are running a SIP Proxy, you must modify the openssl.cnf file on those systems as follows: a. Open the openssl.cnf file in a text editor. (On RHEL4, this file is located in /usr/share/ssl/opeenssl.cnf.) b. Locate the [req] section and add the following line: req_extensions = v3_req c. Locate the following lines: [ v3_req ] # Extensions to add to a certificate request basicconstraints = CA:FALSE keyusage = nonrepudiation, digitalsignature, keyencipherment Jabber OCS Gateway Setup Guide Network Access and Certificate Authentication Page 18

19 Obtaining a Signed Certificate d. Underneath these lines, add the following lines: # Some CAs do not yet support subjectaltname in CSRs. # Instead the additional names are form entries on web # pages where one requests the certificate subjectaltname [alt_names] DNS.1 = FQDN_of_Primary_Jabber_XCP_Server DNS.2 = FQDN_of_local_system For DNS.1, enter the fully qualified domain name of your primary Jabber XCP server. For DNS.2, enter the fully qualified domain name of the local computer on which the gateway or the SIP Proxy is running. e. Save and close the openssl.cnf file. 3. Execute the following command on the computer where you installed the gateway. $ openssl req -nodes -new -out domaincert.csr 4. Answer the prompts described in the following table. Prompt Country Name (2 letter code) [AU]: State of Province Name (full name) [Some-State]: Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []: Address []: A challenge password []: An optional company name []: Response Enter the 2-letter code for your country; for example, US Enter the name of your state or province; for example, Colorado Enter the name of your city; for example, Denver Enter the name of your company; for example, Example Inc Enter the name of your organization; for example, Product Development Enter the primary Jabber XCP server s domain; for example, example.com Enter your address; for example, rjones@example.com Caution! Do not enter anything at this prompt. Press ENTER to leave it blank. This prompt is optional. You can enter an optional company name or press ENTER to leave it blank. After you have answered the prompts, the following files are created: privkey.pem domaincert.csr Jabber OCS Gateway Setup Guide Network Access and Certificate Authentication Page 19

20 Obtaining a Signed Certificate Generating a Domain Key You must use the private key file to generate a domain key using OpenSSL. To generate a domain key Enter the following command on the gateway s server: openssl rsa -in privkey.pem -out domainkey.pem Obtaining the Signed Certificate You must submit the certificate request file to your Certificate Authority to be signed and returned to you. The steps may vary depending on your particular process. To obtain the signed certificate 1. Submit the certificate request file to your CA. This is the domaincert.csr file that you created in Generating a Certificate Request and a Private Key on page 18. When the CA has signed the certificate, they will send it back to you either in.pem format as domaincert.pem, or in DER format as domaincert.crt. If your CA sent you the certificate as a.pem file, skip to the next section, Combining the.pem Files. However, if the CS sent the certificate in DER format, you must convert it to PEM format as described in the following step. 2. In the directory that contains domaincert.crt, enter the following command: openssl x509 -in domaincert.crt -inform DER -out domaincert.pem This command converts the certificate file from DER to PEM format and creates the domaincert.pem file. Combining the.pem Files You must now combine the contents of the domainkey.pem and the domaincert.pem files into one.pem file and place it on the gateway s server. To combine the.pem files 1. Combine the contents of the domainkey.pem and the domaincert.pem files into one file named [some_name].pem. For example: signedcert.pem Jabber OCS Gateway Setup Guide Network Access and Certificate Authentication Page 20

21 Obtaining a Signed Certificate 2. Create a sips directory in $JABBER_HOME/certs on the gateway s server. 3. Copy the newly combined.pem file into $JABBER_HOME/certs/sips. 4. Delete the domainkey.pem and domaincert.pem files. 5. If you are using a SIP Proxy, perform this procedure on its.pem files as well. Verifying the Certificate To test that your certificate was created correctly, enter the following command: openssl x509 -text -noout -in [cert_filename] You should see information similar to the following: X509v3 extensions: X509v3 Basic Constraints: critical CA:FALSE X509v3 Key Usage: Digital Signature, Key Encipherment X509v3 Subject Alternative Name: DNS: DNS: Jabber OCS Gateway Setup Guide Network Access and Certificate Authentication Page 21

22 Chapter 4. OCS Gateway Configuration This chapter provides instructions for setting up one or more OCS gateways. You can install and run a single gateway on your primary Jabber XCP 5.4 server if preferred. However, Jabber, Inc. recommends that you run even a single gateway on it s own dedicated system in order to increase performance (see Figure 2 on page 9). You can also run multiple OCS gateways behind your firewall as illustrated in Figure 3 on page 9. In this particular scenario, the gateways each run on their own Jabber XCP 5.4 servers and use a SIP Proxy located in the DMZ to communicate with the OCS Access Edge Server. The OCS gateway can be run against a Jabber XCP 5.2 SP2 server if needed. If your primary Jabber XCP server is running 5.2 SP2, follow the instructions in this chapter to configure the gateway. The gateway must be running on a separate Jabber XCP 5.4 server, and the 5.2 server must connect to the 5.4 server using a router-to-router connection. The following sections are provided. Section Page Setup Checklist 23 Configuring a Server-to-Server Connection Manager 23 Configuring the OCS Gateway 25 Adding an Outgoing Connection Attempt Rule in the S2SCP 30 Configuring an OpenPort Connection 31 Configuring Jabber Administrators 32 Configuring the Single Domain Name Support Component 34 Configuring Router-to-Router Connections 36 SIP/SIMPLE Gateway Parameter Reference 38 Jabber OCS Gateway Setup Guide OCS Gateway Configuration Page 22

23 Setup Checklist Setup Checklist Before you configure the OCS gateway, make sure that you have: Installed the core Jabber XCP 5.4 server and the OCS gateway software on each OCS gateway s computer as described in Chapter 2. Used the controller on the gateway to remove the Jabber Session Manager, and to stop and remove the Connection Managers and the Text Conferencing component. Obtained a signed certificate for each computer on which a gateway will run as described in Obtaining a Signed Certificate on page 18. Configuring OCS gateways involves the following tasks, which are described in this chapter. On each gateway server: Configure an S2S Connection Manager Configure the OCS gateway Add an outgoing connection attempt rule Configure an OpenPort connection On your primary Jabber XCP server: Configure Jabber administrators in the JSM Configure a Single Domain Name Support component (if you are running multiple gateways) Configure Router-to-Router connections (one for each gateway) Configuring a Server-to-Server Connection Manager For maximum performance and reliability, we recommend that you configure each gateway in its own Server-to-Server (S2S) Connection Manager. Perform this procedure on each OCS gateway s server. To configure the S2S Connection Manager 1. Access the Jabber XCP controller on the gateway s server. Jabber OCS Gateway Setup Guide OCS Gateway Configuration Page 23

24 Configuring a Server-to-Server Connection Manager 2. Change to the controller s Intermediate configuration view. 3. In the Components area on the controller s main page, click Go to add a new Connection Manager. 4. Under Add a New Command Processor, select S2S Command Processor in the list, and then click Go. 5. On the S2S Command Processor Configuration page, remove the two default XMPP directors. 6. Under Outgoing Connection Attempt Rules, remove the three default rules. 7. Add and configure the OCS gateway as described in the following section. Jabber OCS Gateway Setup Guide OCS Gateway Configuration Page 24

25 Configuring the OCS Gateway Configuring the OCS Gateway The OCS gateway is configured within the S2S Command Processor as a SIP/SIMPLE Gateway director. If you are running one or more gateways on computers that are separate from the Jabber XCP server, the certificate installed on each gateway s computer must contain the Subject Alternative Name with the hostnames of both the primary Jabber XCP server and the gateway. The CN must be the domain of the primary Jabber XCP server. See Obtaining a Signed Certificate on page 18 for more information. Perform this procedure on each OCS gateway s server. To configure the gateway 1. Change to the controller s Basic configuration view. 2. In the S2S Command Processor Configuration page under Director Configuration, select SIP/SIMPLE Gateway in the list, and then click Go. 3. In the SIP/SIMPLE Gateway Configuration page, make a note of the ID. You will need to use this ID later on in the gateway s configuration. Jabber OCS Gateway Setup Guide OCS Gateway Configuration Page 25

26 Configuring the OCS Gateway 4. If you are using a SIP Proxy, under Remote Host Configuration, select the ID of the component to get this configuration from option, and enter the ID of the SIP Proxy. 5. If you are not using a SIP Proxy: a. Change to the controller s Intermediate configuration view. b. Select Local Configuration, and then click Go to display the SIP Host Configuration page. c. Configure the following parameters. Parameter Remote server hostname Server Type Hostname Mapping Enter the FQDN of the OCS Access Edge Server to which the gateway is connecting; for example: ocsproxy.example.com Select ocs in the list. Enter the host names that map to the remote server host name. Jabber OCS Gateway Setup Guide OCS Gateway Configuration Page 26

27 Configuring the OCS Gateway A sample configuration is shown in the following figure. d. When you have finished configuring the SIP Host, click Submit. You are returned to the SIP/SIMPLE Gateway Configuration page. 6. Under Add a new SIP Transport, select TLS transport in the list, and then click Go. Jabber OCS Gateway Setup Guide OCS Gateway Configuration Page 27

28 Configuring the OCS Gateway 7. In the TLS Transport Configuration page, configure the transport using the parameter descriptions provided in the following table. The TLS transport parameters are described as follows: Parameter Logical domain of the XCP server IP address Port Use this transport by default for TLS requests Domain used for TLS certificate Full path to certificate file Full path to the CA certificate file Routes for this Transport Enter the fully qualified domain name of your primary Jabber XCP server. Enter the IP address of the local system on which this component is running. SIP servers will use this address to connect to the component. Enter the port on which this component listens for connections from SIP connectors. If you are using the default SIP routing rules in the SIP Proxy configuration to determine the destination route for SIP requests, select Yes. The first transport that is configured to be used by default will be used. Enter the domain name of the primary Jabber XCP server. This value is contained in the common name (CN) field in the certificate; for example, example.com. Enter the full path to the location of the certificate file. Both the certificate and the key are contained in this file. Optionally, enter the full path to the CA certificate file that is used to verify incoming client certificates. This file contains the certificates of the Certificate Authorities that you trust. You do not need to add a route in this TLS transport configuration. Jabber OCS Gateway Setup Guide OCS Gateway Configuration Page 28

29 Configuring the OCS Gateway 8. If you are running one or more gateways on computers that are separate from your primary Jabber XCP server: a. Change to the controller s Advanced configuration view. b. Define an external contact for SIP servers to use to contact this transport by configuring the following two parameters: Parameter External hostname that SIP servers will use for contact External port that SIP servers will use for contact Enter the fully qualified domain name of the local system on which the gateway is running. Enter the port on which the firewall is listening for incoming traffic. For example, When you have finished configuring the transport, click Submit to save your configuration. You are returned to the SIP/SIMPLE Gateway Configuration page. 10. If you are using a SIP Proxy, do the following: a. Change to the controller s Intermediate configuration view. b. Select the Outbound Proxy option, and configure the parameters as described in the following table. The Outbound Proxy parameters are described as follows. Parameter Proxy Hostname or IP address Proxy Port Proxy Transport Enter the IP address of the system on which the SIP Proxy is running. Enter the SIP stack port being used by the proxy. This is the port of the TLS transport. Select the TLS transport. c. Click Submit to save your configuration. You are returned to the SIP/SIMPLE Gateway Configuration page. 11. Click Submit again to return to the S2S Command Processor Configuration page. Jabber OCS Gateway Setup Guide OCS Gateway Configuration Page 29

30 Adding an Outgoing Connection Attempt Rule in the S2SCP Adding an Outgoing Connection Attempt Rule in the S2SCP On the S2S Command Processor Configuration page, you must add an outgoing connection attempt rule that is specific to your gateway. Perform this procedure on each OCS gateway s server. To add an outgoing connection attempt rule 1. On the S2S Command Processor Configuration page, scroll down to the Outgoing Connection Attempt Rules area. The S2SCP configuration includes three XMPP rules by default. If you have not done so already, remove each existing rule before adding the new rule. 2. Click Go to display the Rule Configuration page. 3. Configure the following parameters: Parameter Director ID DNS SRV lookup to use Enter the gateway director s ID without the realm; for example: cm-1_s2scp-1_sipsd-1 Enter any string. 4. Click Submit to save the rule. You are returned to the S2S Command Processor Configuration page. 5. Click Submit to save your configuration. Jabber OCS Gateway Setup Guide OCS Gateway Configuration Page 30

31 Configuring an OpenPort Connection Configuring an OpenPort Connection You must add an OpenPort connection to allow the S2S Command Processor to connect to the Jabber XCP router. Perform this procedure on each OCS gateway s server. To configure an OpenPort 1. Using the controller on the gateway s computer, change to the Intermediate configuration view. 2. In the Components area on the controller s main page, select OpenPort in the list, and click Go. 3. When you are asked for the ID of the OpenPort, enter the ID of the gateway s S2S Command Processor without the realm; for example: cm-1_s2scp-1 4. Click OK. 5. On the OpenPort Configuration page, enter a new. 6. If you are configuring only one OCS gateway, enter an asterisk (*) in the Host Filters box. If you are configuring multiple gateways, leave the Host Filters box blank. 7. Click Submit to save your configuration. You are returned to the controller s main page. Jabber OCS Gateway Setup Guide OCS Gateway Configuration Page 31

32 Configuring Jabber Administrators Configuring Jabber Administrators You must add the ID and realm of each OCS gateway s S2S Command Processor as a Jabber administrator on your primary Jabber XCP server. This configuration is necessary to push presence and roster subscriptions to the remote service s network. Perform this procedure on your primary Jabber XCP server. To add the S2SCP as a Jabber administrator 1. On your primary Jabber XCP server, change to the controller s Intermediate configuration view. 2. In the Router area on the controller s main page, click Edit beside Jabber Session Manager. 3. In the Optional Modules section on the Jabber Session Manager Configuration page, make sure that the check box beside mod_admin is checked as shown in the following figure. 4. Scroll down to the Jabber Administrators section, and enter the ID and realm of each OCS gateway s S2S Command Processor in the Administrator(s) box. For example: cm-1_s2scp-1.gateway1 cm-1_s2scp-1.gateway2 Jabber OCS Gateway Setup Guide OCS Gateway Configuration Page 32

33 Configuring Jabber Administrators If you do not know the gateway server s realm, access the gateway s controller, and click the Edit link beside Global router settings in the Router area. The Realm is the second parameter on the Global Settings Configuration page. 5. Scroll to the bottom of the Jabber Session Manager Configuration page, and click Submit to save your configuration. Jabber OCS Gateway Setup Guide OCS Gateway Configuration Page 33

34 Configuring the Single Domain Name Support Component Configuring the Single Domain Name Support Component If you are running multiple OCS gateways, you must configure a Single Domain Name Support (SDNS) component on your primary Jabber XCP server to balance the outgoing requests between the gateways. The SDNS component distributes the load of outgoing requests for a single domain over multiple gateways. SDNS allows the gateways to function side by side, thereby reducing performance bottlenecks and increasing the number of concurrent users that each gateway supports. Perform this procedure on your primary Jabber XCP server. To configure the SDNS component 1. On your primary Jabber XCP server, change to the controller s Advanced configuration view. 2. In the Components area on the controller s main page, select Single Domain Name Support in the list, and click OK. 3. Scroll down to the Hostnames for this Component area. 4. Enter an asterisk (*) in the Host Filters box. Jabber OCS Gateway Setup Guide OCS Gateway Configuration Page 34

35 Configuring the Single Domain Name Support Component 5. Scroll down to the Single Domain Name Support Configuration area, and click the radio button next to Modulo Mapping Algorithm to enable the feature. 6. Under Algorithm Input Generator, select originator_algo_input in the Load list. 7. Leave the Use component presence parameter set to No, since the gateways are stateful components. 8. In the Component ID(s) text box, enter the ID and realm of each OCS gateway s S2S Command Processor; for example: cm-1_s2scp-1.gateway1 cm-1_s2scp-1.gateway2 9. Scroll to the bottom of the page and click Submit to save your configuration. The SDNS component requires no further configuration for the gateways. Jabber OCS Gateway Setup Guide OCS Gateway Configuration Page 35

36 Configuring Router-to-Router Connections Configuring Router-to-Router Connections You must configure a Router-to-Router (R2R) connection for each gateway on your primary Jabber XCP server to enable the servers to communicate. Perform this procedure on your primary Jabber XCP server. You must configure a separate Router-to-Router connection for each gateway server. To configure a router-to-router connection 1. On your primary Jabber XCP server, change to the controller s Advanced configuration view. 2. In the Components area on the controller s main page, select Router-to-Router Connection in the list. Jabber OCS Gateway Setup Guide OCS Gateway Configuration Page 36

37 Configuring Router-to-Router Connections 3. Click Go to display the Router-to-Router Connection Configuration page. 4. On the Router-to-Router Connection Configuration page, configure the following parameters: Parameter Component IP Port Password Enter the gateway server s IP address. Enter the gateway server s Master Accept Port (the default Master Accept Port is 7400). Enter the password specified for the gateway server s Master Accept Port. 5. Click Submit to save your configuration. 6. Restart your Jabber XCP system. Jabber OCS Gateway Setup Guide OCS Gateway Configuration Page 37

38 SIP/SIMPLE Gateway Parameter Reference SIP/SIMPLE Gateway Parameter Reference This section provides a reference for all of the parameters associated with the SIP/SIMPLE gateway director. The parameters are divided into subsections based on the configuration view in which they display. Basic Parameters The following table describes the parameters that display in the controller s Basic configuration view. The basic parameters are sufficient to configure an operational SIP/SIMPLE director. Parameter Percentage of max memory to use for the SIP stack This value is the amount of memory that is allocated when the SIP Proxy s sytem starts. Make sure that you have the memory available. Remote Host Configuration ID of the component to get this configuration from Local Configuration Add a new SIP Transport Timeout for notify response to subscriptions with expires=0 (seconds) This parameter is specific to SIP gateways. If you already have a SIP Host configured for the SIP Proxy or for another gateway, you can enter the ID of the component here to use the same configuration. Select this option and click Go to configure a new SIP host. Select the type of transport protocol that the SIP clients are using, and then click Go. If you are configuring the OCS gateway, add a TLS transport. Enter the number of seconds to wait before the system times out the response for a presence request. Jabber OCS Gateway Setup Guide OCS Gateway Configuration Page 38

39 SIP/SIMPLE Gateway Parameter Reference Intermediate Parameters The following table describes the parameters that display in the controller s Intermediate configuration view. Parameter Outbound Proxy For the OCS Gateway, select this option if you are using a SIP Proxy. Proxy IP address Proxy Port Proxy Transport Enter the IP address of the system on which the SIP Proxy is running. Enter the SIP stack port being used by the proxy. This is the port of the TLS transport. Select the TLS transport. Advanced Parameters The following table describes the parameters that are displayed in the controller s Advanced configuration view. Most of the advanced parameters are used for adjusting system performance. Default values have been provided for these parameters, and in most cases, these values are sufficient. We recommend contacting Jabber Support if you want to change the values. Parameter Threads to use for processing outgoing XMPP messages Server Connection Idle Timeout (seconds) Pass PIDF through the gateway Treat incoming subscribes as temporary subscribes Thread count for SIP processing The number of threads you want to use for processing outgoing XMPP messages. The number of seconds of idle time after which the SIP Proxy connection closes. If you prefer, you can enter -1 to prevent the connection from ever timing out or 0 to timeout immediately after this component sends a final response to a SIP request. Setting the timeout to 0 is not recommended. If the Jabber XCP server is configured to use PIDF and you set this option to Yes, the gateway will pass any PIDF through rather than creating its own PIDF for XMPP presence. When set to No, all incoming subscribes are durable rather than temporary. The number of threads you want to use for SIP processing. Jabber OCS Gateway Setup Guide OCS Gateway Configuration Page 39

40 SIP/SIMPLE Gateway Parameter Reference Parameter Max TCP Connections Max TLS Sessions Interval (in seconds) to wait for SIP dialogs to shutdown cleanly before exiting the application Maximum SIP subscription duration (seconds) Default SIP subscription duration (seconds) Minimum SIP subscription duration (seconds) Maximum SIP publish duration (seconds) Default SIP publish duration (seconds) Minimum SIP publish duration (seconds) Send/Receive Buffer Size (bytes) TLS connection strict checking of hostname TLS connection strict certificate usage The maximum number of active TCP connections allowed at one time. The maximum number of active TLS sessions allowed at one time. The number of seconds to wait for SIP dialogs to shut down before the SIP Proxy stops. The maximum number of seconds after which SIP subscriptions refresh. The Jabber Presence server negotiates with the SIP host within the range created by this value and the minimum value. The default number of seconds after which SIP subscriptions refresh. The minimum number of seconds after which SIP subscriptions refresh. The Jabber Presence server negotiates with the SIP host within the range created by this value and the maximum value. The maximum number of seconds after which SIP publishes refresh. The Jabber Presence server negotiates with the SIP host within the range created by this value and the minimum value. The default number of seconds after which SIP publishes refresh. The minimum number of seconds after which SIP publishes refresh. The Jabber Presence server negotiates with the SIP host within the range created by this value and the maximum value. The number of bytes in the buffer that is used to send and receive SIP messages. The buffer must be large enough to hold the largest SIP Notify message and the largest pidf presence body that you plan to support. When set to Yes, the Jabber XCP server verifies that the name of the host making the TLS connection matches the hostname that is in the certificate from that TLS connection. When set to Yes, this parameter enforces proper usage of the x509 certificate usage field. Microsoft certificates contain only the server or the client hosts; however, it is very common for the same certificate to be used on both hosts. If you are communicating with an OCS server, you may have to set this option to No. Jabber OCS Gateway Setup Guide OCS Gateway Configuration Page 40

41 SIP/SIMPLE Gateway Parameter Reference Parameter Expiration for a DNS Cache entry (seconds) Enable logging of SIP packets Enable full SIP stack logging The number of seconds that the Jabber XCP server caches the Jabber Presence server host s DNS entry. When set to Yes, debug logging of SIP packets is enabled. Caution! Enabling this option can severely slow down the performance of the Jabber Presence server or the OCS gateway. When set to Yes, debug logging of the SIP stack is enabled. Caution! Enabling this option can severely slow down the performance of the Jabber Presence server or the OCS gateway. Jabber OCS Gateway Setup Guide OCS Gateway Configuration Page 41

42 Chapter 5. SIP Proxy Configuration This chapter describes how to configure the SIP Proxy, which is required only when you are running multiple OCS gateways behind your firewall. The SIP Proxy runs in the DMZ, and relays SIP traffic coming from your OCS gateways through the firewall to the OCS Access Edge Server. Configure the SIP Proxy on a computer that is located in the DMZ. The core Jabber XCP server package and the gateway software must both be installed on this computer. The certificate installed on the SIP Proxy s computer must contain the Subject Alternative Name with the hostnames of both the primary Jabber XCP server and the gateway. The CN must be the domain of the primary Jabber XCP server. See Obtaining a Signed Certificate on page 18 for more information. The following sections are provided. Section Page Before You Begin 43 Configuring the SIP Proxy Component 43 Configuring a Router-to-Router Connection 49 SIP Proxy Parameter Reference 51 Jabber OCS Gateway Setup Guide SIP Proxy Configuration Page 42

43 Before You Begin Before You Begin Before you configure the SIP Proxy, make sure that you have: Installed the core Jabber XCP server and the OCS gateway software on the system in the DMZ that will run the SIP Proxy. Used the Jabber XCP controller on the SIP Proxy s system to remove the Jabber Session Manager, and to stop and remove the Connection Manager and Text Conferencing components. Obtained a signed certificate for the computer on which the SIP Proxy will run as described in Obtaining a Signed Certificate on page 18. Configuring the SIP Proxy Component This section describes how to configure the SIP Proxy component. To configure the SIP Proxy component 1. On the Jabber XCP server in the DMZ, change to the controller s Intermediate configuration view. 2. In the Components area on the controller s main page, select SIP Proxy in the list, and then click Go. Jabber OCS Gateway Setup Guide SIP Proxy Configuration Page 43

44 Configuring the SIP Proxy Component 3. In the SIP Proxy Configuration page under SIP Proxy Routing Rules, click Go to add a routing rule. Routing rules let you specify several criteria, all of which must be matched by incoming or outgoing SIP requests before they are routed to their final destinations. 4. In the SIP Proxy Routing Rule Configuration page, configure the parameters as described in the following table. Parameter SIP Methods Invert this selection and make this rule not match these methods? To Hosts Invert this selection and make this rule not match these to hosts? From Hosts Invert this selection and make this rule not match these from hosts? Select this option if you want to enter one or more SIP methods that SIP requests must match in order to be approved. For example, SUBSCRIBE, PUBLISH, OPTIONS, and so on. Requests that match the methods listed here are sent on to be tested against the To Hosts criteria. If you do not select this option, any SIP method will be considered a match by default. Select Yes if you want to invert the logic so that this rule does not match the methods that you specify. Select this option if you want to enter one or more to host names. SIP requests that are directed to these hosts are approved and sent on to be tested against the From Hosts criteria. If you do not select this option, any to host will be approved by default. Select Yes if you want to invert the logic so that this rule does not match the to hosts that you specify. Select this option if you want to enter one or more from host names. SIP requests that are sent from these hosts are considered approved and sent on to be tested against the next criteria. If you do not select this option, any from host will be approved by default. Select Yes if you want to invert the logic so that this rule does not match the from hosts that you specify. Jabber OCS Gateway Setup Guide SIP Proxy Configuration Page 44

45 Configuring the SIP Proxy Component Parameter Header Rules All Headers Must Match? Header Pairs Required Manual TLS Destinations Use default SIP routing rules Select this option if you want to use headers in SIP requests as matching criteria. Select Yes if all headers within the SIP request must match the configured header pairs in order to be approved. Click Go to configure a header pair, which consists of a name and a value. This feature performs a substring match, so any SIP requests whose headers contain the strings you enter here will be approved. In the Header Pair Configuration page, configure the parameters as follows: Header Name Enter the name of the header for example, rock. Header Value Enter the value contained in the header for example, base. Using these examples, the header rockies:baseball would be approved, because it contains the strings rock and base. Select Yes if you specified a list of Mutually Trusted TLS Hostnames in the global router settings and want incoming SIP requests to be only from hosts that are on that list. Select this option if you want the approved SIP request to be forwarded to specific hosts. Enter the host names in the box. Select this option if the routing rule that you are configuring pertains to outbound SIP requests. 5. Click Submit in the SIP Proxy Routing Rule Configuration page to save your configuration. You are returned to the SIP Proxy Configuration page. You can configure as many additional routing rules as needed. The rules are processed in the order in which you configure them. Jabber OCS Gateway Setup Guide SIP Proxy Configuration Page 45

46 Configuring the SIP Proxy Component 6. In the SIP Proxy Configuration page under Default Rule, select the option that you want to use to handle SIP requests that do not meet any of the routing rules. The Default Rule options are described in the following table. Parameter Forward Request Bounce Request Select this option if you want the system to forward SIP requests that do not meet any of the configured routing rules to specific hosts. Enter the host names in the box. Requests from a given user will always be sent to the same host. Select this option if you want the system to bounce SIP requests that do not meet any of the configured routing rules. 7. Optionally, change the Percentage of max memory to use for the SIP stack parameter setting. This value is the amount of memory that is allocated when the SIP Proxy s system starts. Make sure that you have the memory available. 8. Under Remote Host Configuration, select the Local Configuration option, and then click Go to display the SIP Host Configuration page. Jabber OCS Gateway Setup Guide SIP Proxy Configuration Page 46

47 Configuring the SIP Proxy Component 9. In the SIP Host Configuration page configure the following parameters. Parameter Remote server hostname Server Type Hostname Mapping Enter the FQDN of the OCS Access Edge server to which the SIP Proxy is connecting; for example: ocsproxy.example.com Select lcs in the list. Enter the host names that map to the remote server host name. A sample configuration is shown in the following figure. 10. When you have finished configuring the SIP Host, click Submit. You are returned to the SIP Proxy Configuration page. 11. Under Add a new SIP Transport, select TLS transport in the list, and then click Go. Jabber OCS Gateway Setup Guide SIP Proxy Configuration Page 47

48 Configuring the SIP Proxy Component 12. In the TLS Transport Configuration page, configure the following parameters. Parameter Hostname of external interface IP Address Port Use this transport by default for TLS requests Domain used for TLS certificate Full path to certificate file Full path to the CA certificate file Enter the fully qualified domain name of your primary Jabber XCP server. Enter the IP address of the local system on which this component is running. SIP servers will use this address to connect to the component. Enter the port on which this component listens for connections from SIP connectors. If you are using the default SIP routing rules in the SIP Proxy configuration to determine the destination route for SIP requests, select Yes. The first transport that is configured to be used by default will be used. Enter the domain name of the primary Jabber XCP server. This value is contained in the common name (CN) field in the certificate; for example, example.com. Enter the full path to the location of the certificate file. Both the certificate and the key are contained in this file. Optionally, enter the full path to the CA certificate file that is used to verify incoming client certificates. This file contains the certificates of the Certificate Authorities that you trust. A sample configuration is shown in the following figure. Jabber OCS Gateway Setup Guide SIP Proxy Configuration Page 48

49 Configuring a Router-to-Router Connection 13. Select the Routes for this Transport option, and then click Go. You must configure at least one route for the transport. 14. In the Route Configuration page, configure the parameters as follows: Parameter ID IP address Port Enter the ID of the S2S Command Processor; for example, cm- 2_s2scp-1.jabber. Enter the IP address of the system on which the S2SCP is running. Enter the port being used by the S2SCP. The port used by this type of transport is supplied by default. 15. Click Submit to save the route configuration. You are returned to the TLS transport Configuration page. 16. Click Submit to save the transport configuration. You are returned to the SIP Proxy Configuration page. 17. Change to the controller s Advanced configuration view. 18. Locate the Enable LCS routing compatibility parameter, and set it to Yes. 19. Locate the TLS connection strict certificate usage parameter, and set it to No. 20. Click Submit to save the SIP Proxy configuration. Configuring a Router-to-Router Connection You must configure a Router-to-Router (R2R) connection for the SIP Proxy on your primary Jabber XCP server to enable the servers to communicate. To configure a router-to-router connection 1. On your primary Jabber XCP server, change to the controller s Advanced configuration view. Jabber OCS Gateway Setup Guide SIP Proxy Configuration Page 49

50 Configuring a Router-to-Router Connection 2. In the Components area on the controller s main page, select Router-to-Router Connection in the list. 3. Click Go to display the Router-to-Router Connection Configuration page. 4. On the Router-to-Router Connection Configuration page, configure the following parameters: Parameter Component IP Port Enter the SIP Proxy server s IP address. Enter the SIP Proxy server s Master Accept Port (the default Master Accept Port is 7400). Jabber OCS Gateway Setup Guide SIP Proxy Configuration Page 50

51 SIP Proxy Parameter Reference Password Parameter Enter the password specified for the SIP Proxy server s Master Accept Port. 5. Click Submit to save your configuration. 6. Restart your Jabber XCP system. SIP Proxy Parameter Reference This section provides a reference for all of the parameters associated with the SIP Proxy component. The parameters are divided into subsections based on the configuration view in which they display. Basic Parameters The following table describes the parameters that display in the controller s Basic configuration view. The basic parameters are sufficient to configure an operational SIP Proxy. Parameter Realm of the global configuration SIP Proxy Routing Rules The description is displayed in the Components area on the controller s main page and should help you distinguish between components of the same type when you have more than one configured. You can change the description as needed. If you configured a list of trusted TLS hosts in the Global Settings Configuration page on your primary Jabber XCP server, enter the primary server s realm here. Click Go to add a routing rule for the SIP Proxy. You can add as many rules as needed. Default Rule Select the option that you want to use to handle SIP requests that do not meet any of the configured routing rules. Forward Request Select this option if you want the system to forward SIP requests that do not meet any of the configured routing rules to specific hosts. Enter the host names in the box. Requests from a given user will always be sent to the same host. Jabber OCS Gateway Setup Guide SIP Proxy Configuration Page 51

52 SIP Proxy Parameter Reference Parameter Bounce Request Percentage of max memory to use for the SIP stack Add Record-Route header Select this option if you want the system to bounce SIP requests that do not meet any of the configured routing rules. This memory is allocated when the SIP Proxy s system starts, so make sure that you have the memory available. Select Yes if you want to force all related SIP requests and responses to go through the SIP proxy. Remote Host Configuration ID of the component to get this configuration from Local Configuration Add a new SIP Transport Timeout for notify response to subscriptions with expires=0 (seconds) This parameter is specific to SIP gateways. If you already have a SIP Host configured for the SIP Proxy or for another gateway, you can enter the ID of the component here to use the same configuration. Select this option and click Go to configure a new SIP host. Select the type of transport protocol that the SIP clients are using, and then click Go. If you are configuring the OCS gateway, add a TLS transport. Enter the number of seconds to wait before the system times out the response for a presence request. Intermediate Parameters The following table describes the parameters that display in the controller s Intermediate configuration view. Parameter Router Outbound Connection Information Select this option only if you want the Jabber XCP router to connect to the component. For example, if the component is running outside your firewall, this option allows the router to connect to the component safely rather than introducing security risks by letting the component connect to it. By default, components connect to the router using the router s Master Accept Port. Component IP Port Password Enter the IP address or hostname of the system on which the component is installed. Enter the port that the component uses for communications. Enter the password that the router uses to authenticate the component. Jabber OCS Gateway Setup Guide SIP Proxy Configuration Page 52

53 SIP Proxy Parameter Reference Parameter Execute an External Command This option allows the router to start the component automatically. If you prefer to start the component from a command line, disable this option. If you are using Jabber XCP for Windows, the Execute an External Command option is irrelevant. Leave it as is. Command line to run A command that runs the component automatically is provided by default. You can modify it if needed. Do not use the -B argument with this component. Since jabberd is already a daemon process, its children must not be daemons. You should not redirect output, because all output to STDOUT and STDERR will be redirected to /dev/null. Host Names for this Component This option specifies the hosts for which this component will handle packets. Specify a host filter only if you want the component to be externally addressable; for example, if you want clients and other components or programs to communicate with it. This is because the mod_disco module in JSM uses host filters to return the component as something that should be discoverable. Host Filters Enter the hostnames or IP addresses for which you want this component to handle packets. Separate each hostname or address with a line break. Host filters must be hostnames, or IPv4 or IPv6 addresses. If you use an IP address, the packet address must also use this IP address. Outbound Proxy You can ignore this option unless you are chaining SIP Proxy components. If you need to chain SIP proxies, contact Jabber Support. Proxy IP address Proxy Port Proxy Transport Enter the IP address of the system on which the SIP Proxy is running. Enter the SIP stack port being used by the proxy. This is the port of the transport the proxy is using. Select the type of transport being used by the SIP Proxy. Component Logging (Jlog) Select the Component Logging (Jlog) option only if you want to configure filtered level loggers that log messages to syslog and to a stream (stderr or stdout). You can enable either or both the syslog and stream loggers. These parameters are displayed in the controller s Intermediate and Advanced configuration views. Jabber OCS Gateway Setup Guide SIP Proxy Configuration Page 53

54 SIP Proxy Parameter Reference Parameter SNMP Configuration Select this option if you want to configure SNMP for the component. Enable SNMP Leave this parameter set to Yes. Advanced Parameters The following table describes the parameters that are displayed in the controller s Advanced configuration view. Most of the advanced parameters are used for adjusting system performance. Default values have been provided for these parameters, and in most cases, these values are sufficient. We recommend contacting Jabber Support if you want to change the values. Runlevel Parameter Timeout for shutdown Enter the order in which this component shuts down. The runlevel must be an integer value greater than or equal to 0. Component shutdown is executed in reverse order of the specified runlevel; components with the highest level (typically 70) shut down first. Do not change the runlevel unless you know exactly what you are doing and understand the effects that changing it will have. The default runlevel is provided to help the system shut down as smoothly as possible, and is based on this component's dependencies upon other components. Enter the number of seconds that the server waits to receive acknowledgement from the component that the shutdown process has completed. If the component has not shut down by the time this time period has elapsed, the router leaves the process in its current state and continues shutting down other processes. Component Properties Number of packets buffered when component is down Bounce error packets to stderr Enter the number of packets bound for the component that should be buffered if the component goes down. Select Yes if you want the router to send warnings to stderr when the component is down. Router Outbound Connection Information Buffer size in bytes for outgoing data Enter the number of bytes the router should buffer when it sends information to the component. You may want to modify this element when working on performance enhancements. Jabber OCS Gateway Setup Guide SIP Proxy Configuration Page 54

55 SIP Proxy Parameter Reference Parameter Buffer size in bytes for incoming data Send keepalives Log the delivery of packets to this component Enter the number of bytes the router should buffer when it receives information from the component. You may want to modify this element when working on performance enhancements. Select Yes if you want the router to send keep-alives to the component. The keep-alive helps prevent firewalls from dropping an unused connection to the component. If this option is set to No, keep-alives are disabled. Select Yes if you want to log the data that the router delivers to the component. The information is logged to the logger(s) you set up during Jabberd Logger configuration (syslog, file, or stderr). Socket-level logging happens only at the debug level. Execute an External Command Maximum interval in seconds to wait before restarting component Maximum number of times to restart component Interval in seconds at which to reset this value to 1 second Path to binary Enter the maximum number of seconds after which the router tries to restart the component. If the component goes down, the router tries to restart it after 1 second. If the component does not start, the router multiplies the wait time by 1.5, and tries again. Once the maximum time interval that you specify for this parameter is reached, the router continues to retry after waiting this amount of time. Enter the total number of restarts allowed. The default setting, -1, means unlimited. Enter the number of seconds that the component has been up and running, after which to set the restart time back to 1 second. Enter the directory path to the shell that launches the component. You can change the default setting if needed. SIP Proxy Tuning Parameters Server Connection Idle Timeout (seconds) Max TCP Connections Max TLS Sessions Enable LCS routing compatibility The number of seconds of idle time after which the SIP Proxy connection closes. If you prefer, you can enter -1 to prevent the connection from ever timing out or 0 to timeout immediately after this component sends a final response to a SIP request. Setting the timeout to 0 is not recommended. The maximum number of active TCP connections allowed at one time. The maximum number of active TLS sessions allowed at one time. Set this parameter to Yes if you are using the OCS gateway. Jabber OCS Gateway Setup Guide SIP Proxy Configuration Page 55

56 SIP Proxy Parameter Reference Parameter Thread count for SIP processing Interval (in seconds) to wait for SIP dialogs to shutdown cleanly before exiting the application Maximum SIP subscription duration (seconds) Default SIP subscription duration (seconds) Minimum SIP subscription duration (seconds) Maximum SIP publish duration (seconds) Default SIP publish duration (seconds) Minimum SIP publish duration (seconds) Send/Receive Buffer Size (bytes) TLS connection strict checking of host name Expiration for a DNS Cache entry (seconds) Enable logging of SIP packets Enable full SIP stack logging The number of threads you want to use for SIP processing. The number of seconds to wait for SIP dialogs to shut down before the SIP Proxy stops. The maximum number of seconds after which SIP subscriptions refresh. The Jabber Presence server negotiates with the SIP host within the range created by this value and the minimum value. The default number of seconds after which SIP subscriptions refresh. The minimum number of seconds after which SIP subscriptions refresh. The Jabber Presence server negotiates with the SIP host within the range created by this value and the maximum value. The maximum number of seconds after which SIP publishes refresh. The Jabber Presence server negotiates with the SIP host within the range created by this value and the minimum value. The default number of seconds after which SIP publishes refresh. The minimum number of seconds after which SIP publishes refresh. The Jabber Presence server negotiates with the SIP host within the range created by this value and the maximum value. The number of bytes in the buffer that is used to send and receive SIP messages. The buffer must be large enough to hold the largest SIP Notify message and the largest pidf presence body that you plan to support. When set to Yes, the Jabber XCP server verifies that the name of the host making the TLS connection matches the host name that is in the certificate from that TLS connection. The number of seconds that the Jabber XCP server caches the Jabber Presence server host s DNS entry. When set to Yes, debug logging of SIP packets is enabled. Caution! Activating this option can severely slow down the Jabber Presence server s performance. When set to Yes, debug logging of the SIP stack is enabled. Caution! Activating this option can severely slow down the Jabber Presence server s performance. Jabber OCS Gateway Setup Guide SIP Proxy Configuration Page 56

57 SIP Proxy Parameter Reference Parameter Component Logging (Jlog) Add a new custom logger If you have created a custom logger for logging component information using the libjcore library, click Go to access the Custom Logger Configuration page. For more information, see the Adding a New Custom Logger section in the Component Logging chapter in the Jabber XCP Server Configuration Guide. SNMP Configuration Count errors Select Yes only if you want to enable SNMP error counting. This option takes a great deal of server resource, so use it with caution. Jabber OCS Gateway Setup Guide SIP Proxy Configuration Page 57

58 Chapter 6. Non-Standard SIP Host Configurations The SIP Host Configuration page, which is accessible from the SIP Proxy and the gateway director s configuration pages contains additional parameters that you can use to configure your gateway to communicate with remote services that have non-standard setups. For example, you might need to configure these parameters if your gateway communicates with a remote service that uses a non-standard SRV record. You may also need to configure custom parameters to attempt to establish communication with services that Jabber, Inc. does not support. This chapter covers the following non-standard configurations. Section Page Non-Standard SRV Records 58 Custom Gateway Connections 60 Non-Standard SRV Records If your gateway connects to a remote service that uses non-standard SRV records, you must configure one or more DNS lookup rules. These rules specify the order and DNS lookup properties for the gateway to use when making outbound connections. To configure DNS lookup rules 1. Change to the controller s Intermediate configuration view. 2. On the SIP Host Configuration page, enter the hostname of the remote server. Jabber OCS Gateway Setup Guide Non-Standard SIP Host Configurations Page 58

59 Non-Standard SRV Records 3. Select the remote server type in the list. 4. Under DNS Lookup Rules, click Go to add a rule. 5. On the DNS Lookup Rule Configuration page, enter a description of the rule, and select one of the options. The gateway will try this option first when establishing an outgoing connection. The DNS Lookup Rule Configuration options are described below: Parameter Custom DNS SRV record to use Port to use instead of DNS SRV record Use a well known DNS SRV record Enter the path to a custom DNS SRV record. Enter a port to use if no DNS SRV record is available. Select standard or service in the list. Jabber OCS Gateway Setup Guide Non-Standard SIP Host Configurations Page 59