Lync-Openfire XMPP Federation
1. Lync Topology Setup
On the Lync Server FE, run the Topology Builder and create a new Edge Pool.
a) First you enter the FQDN of the Edge Server’s Internal Interface:
b) On the next screen make sure you enable XMPP federation on the pool.
c) Next you have to define the FQDN and ports of the Edge External Services. Depending on your selection in the previous screen, you will need to enter either 1 or 3 FQDNs.
d) Next you’ll define the Internal IPv4 Address of the Edge Server.
e) The last part to define is the IPv4 address of the External Edge NIC.
f) Finally, save and publish the topology.
2. Lync Control Panel
In the Lync Control Panel go to the “Federation and External Access” tab.
a) Under “External Access Policy”, edit the Global scope, make sure the following boxes are checked, then click “Commit”:
> Enable communications with federated users
> Enable communications with XMPP federated users
> Enable communications with remote users
> Enable communications with public users
b) Under “Access Edge Configuration” make sure the following boxes are checked and click “Commit”:
> Enable federation and public IM connectivity
> Enable partner domain discovery
> Enable remote user access
c) Under “XMPP Federated Partners” click “New”, enter the details below, then click “Commit”:
> Primary Domain – The domain/FQDN of the XMPP partner
> Partner Type – Select “Federated”
> TLS negotiation – Select “Not Supported”
> SASL negotiation – Select “Not Supported”
> Support server dial back negotiation – Select “True”
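The same settings from steps 2a to 2c can also be applied and checked from the Lync Server Management Shell. This is an added example, not part of the original post; openfire.domain.com is the placeholder partner domain used later in this post.

```powershell
# Added example: Lync Server 2013 Management Shell equivalent of steps 2a-2c.
# 'openfire.domain.com' is the post's placeholder for the XMPP partner domain.
$XmppPartnerDomain = 'openfire.domain.com'

# 2a) Global External Access Policy: federated, XMPP federated, remote and public users.
Set-CsExternalAccessPolicy -Identity Global `
    -EnableFederationAccess  $true `
    -EnableXmppAccess        $true `
    -EnableOutsideAccess     $true `
    -EnablePublicCloudAccess $true

# 2b) Access Edge Configuration: federation/public IM, partner discovery, remote users.
Set-CsAccessEdgeConfiguration `
    -AllowFederatedUsers    $true `
    -EnablePartnerDiscovery $true `
    -AllowOutsideUsers      $true

# 2c) XMPP federated partner with the post's settings. What they mean:
#     TLS and SASL 'NotSupported' leave the Edge <-> Openfire link unencrypted and
#     the partner is authenticated only by server dialback (a DNS-based check).
#     If the Openfire side can negotiate TLS, 'Required' is the stronger setting.
New-CsXmppAllowedPartner -Domain $XmppPartnerDomain `
    -PartnerType                Federated `
    -TlsNegotiation             NotSupported `
    -SaslNegotiation            NotSupported `
    -SupportDialbackNegotiation $true

# Verify the result and flag any partner configured without TLS.
Get-CsXmppAllowedPartner | ForEach-Object {
    $warn = if ($_.TlsNegotiation -eq 'NotSupported') { ' (no TLS)' } else { '' }
    "{0}: {1}, TLS={2}, SASL={3}, Dialback={4}{5}" -f $_.Identity, $_.PartnerType,
        $_.TlsNegotiation, $_.SaslNegotiation, $_.SupportDialbackNegotiation, $warn
}
```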
3. Lync Management Console
Now you need to export the configuration for the Edge Server to use.
a) Run the Lync Management Console and enter the command below:
Export-CsConfiguration -File C:\<path>\export.zip
Now copy this export.zip to your Edge Server.
4. Edge Server Setup
You must ensure you have two separate NICs on the Edge server, each with its own IP and FQDN (this will require firewall settings).
You can install a new NIC either from the VM management (If it is a virtual machine) or from Windows Device Manager.
Make sure the XMPP server can ping this external interface, and that Edge can ping the XMPP server.
5. Installing the Edge Server
Run the standard Lync Deployment Wizard that comes with the Lync Server 2013 CD.
a) When the Wizard is run, select the option “Install or Update Lync Server System”
b) On the next screen select “Install Local Configuration Store” and then choose “Import from a file”. Click “Browse” and choose the file exported from Lync in step 3a).
c) Next, run the step “Set up Lync Server Components”. This will install the required components for the Edge Server.
d) This step involves setting up the certificates. If you are not importing, you can request a certificate for each of the options (Internal and External).
Note that you can use an internal CA for Openfire federation, but a certificate from a publicly trusted CA is needed for external Lync access.
e) Once the certificates are set up, you can start the services from the deployment wizard.
Initially starting services from the Deployment Wizard is recommended as it will show any errors in the setup in the log (which can be accessed directly from the wizard).
Otherwise, run services.msc to view the services as shown below.
6. DNS Records
If all the services are running, you will need to set up the DNS records.
The main DNS record required (where the external NIC sits) is “_xmpp-server._tcp.<domain> 5269 <edge external NIC FQDN>”.
It may also be worth adding a service record for the XMPP server in your DNS where Lync sits.
a) To do this on Windows DNS Server:
> Create a new “Forward Lookup Zone” with the FQDN of the XMPP server
> Add an A record which points to the IP of the XMPP server (no need to add an FQDN, it will just use the same as the parent folder).
> Create the SRV record “_xmpp-server._tcp.<FQDN of xmpp server> 5269 <FQDN of xmpp server>”
> E.g. _xmpp-server._tcp.openfire.domain.com 5269 openfire.domain.com
b) Secondly, the internal DNS needs some new records within the local domain. These are below:
> Create the SRV record “_sipfederationtls._tcp.<internal domain> 5061 <FQDN of edge external interface>”
> E.g. _sipfederationtls._tcp.test.local 5061 externaledge.test.com
> Create the SRV record “_sip._tls.<internal domain> 443 <FQDN of edge external interface>”
> E.g. _sip._tls.test.local 443 externaledge.test.com
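The records from steps 6a and 6b can be created and then checked with the DnsServer module on a Windows DNS Server (Server 2012 or later). This is an added example, not from the original post; it assumes an AD-integrated DNS server, uses the post's placeholder names, and the Openfire address 203.0.113.10 is a constructed value.

```powershell
# Added example (not from the original post): create the DNS records of section 6
# with the DnsServer module, then verify that each SRV record and its target resolve.
$XmppFqdn     = 'openfire.domain.com'     # FQDN of the Openfire server (step 6a)
$XmppIp       = '203.0.113.10'            # constructed example IP of the Openfire server
$InternalZone = 'test.local'              # internal Lync domain zone (step 6b)
$EdgeExtFqdn  = 'externaledge.test.com'   # FQDN of the Edge external interface

# 6a) Forward lookup zone named after the XMPP server, an apex A record ('@' = zone root,
#     so no extra FQDN is needed) and the _xmpp-server SRV record on port 5269.
Add-DnsServerPrimaryZone -Name $XmppFqdn -ReplicationScope 'Domain'
Add-DnsServerResourceRecordA -ZoneName $XmppFqdn -Name '@' -IPv4Address $XmppIp
Add-DnsServerResourceRecord -Srv -ZoneName $XmppFqdn -Name '_xmpp-server._tcp' `
    -DomainName $XmppFqdn -Priority 0 -Weight 0 -Port 5269

# 6b) Federation SRV records in the internal domain, pointing at the Edge external FQDN.
Add-DnsServerResourceRecord -Srv -ZoneName $InternalZone -Name '_sipfederationtls._tcp' `
    -DomainName $EdgeExtFqdn -Priority 0 -Weight 0 -Port 5061
Add-DnsServerResourceRecord -Srv -ZoneName $InternalZone -Name '_sip._tls' `
    -DomainName $EdgeExtFqdn -Priority 0 -Weight 0 -Port 443

# Verify: every SRV record must resolve, and its target must resolve to an address.
# A missing or wrong record here is the usual reason dialback (step 2c) fails.
foreach ($srv in "_xmpp-server._tcp.$XmppFqdn",
                 "_sipfederationtls._tcp.$InternalZone",
                 "_sip._tls.$InternalZone") {
    $rec    = Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop | Select-Object -First 1
    $target = Resolve-DnsName -Name $rec.NameTarget -Type A -ErrorAction Stop | Select-Object -First 1
    "{0} -> {1}:{2} ({3})" -f $srv, $rec.NameTarget, $rec.Port, $target.IPAddress
}
```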
7. Openfire Server
Now some changes need to be made to the Openfire server.
a) Go to “Server > Server Settings > Security Settings” and under “Server Connection Security” do the following, then click “Save Settings”:
> Check the radio button “Custom”
> For “Server Dialback”, check “Available”
> For “TLS Method”, check “Not Available”
> Check “Accept self-signed certificates. Server dialback over TLS is now available.”
b) Under “Server > Server Settings > Server to Server” ensure:
> Under “Service Enabled”, “Enabled” is checked, with port “5269”
> Under “Allowed to Connect”, “Anyone” is checked
If either of these isn’t checked, check it and click “Save Settings”
c) Next, you need to add the internal domain where Lync is to the XMPP server’s hosts file, and point it to the Edge server’s external IP address.
The reason is that the request from Lync comes from/goes to the user “email@example.com”, so the federation must be made with the domain internallync.test.local. Therefore the XMPP server needs to know where this domain can be found.
d) If running a Linux box, follow the steps below:
> Open a console to the Linux machine and run the command in the next step
> Add the line “<external Edge NIC IP> <internal Lync user domain>”
e) Finally, you may need to download a new openfire.jar with changes to the TCP Dialback protocol. This can be downloaded at the following location:
Note that this only works on Openfire 3.8.2.
8. Adding the contact
You are now ready to add the contact.
a) On the Lync server, select the Add Contact button, then go to “Add a Contact Not in My Organisation > Other”
b) In the form, add the Openfire contact “firstname.lastname@example.org”
c) From the Openfire user’s XMPP client, add the user “lyncuser@<internal Lync domain>”.
On the Openfire Admin Console, you can check the server-to-server sessions and will see one created with the internal Lync domain.
Tags: federation, lync, openfire, xmpp