- 1 Lync Server 2010 Enterprise Pool (IP: 188.8.131.52)
- 1 Cisco CUPS version 184.108.40.20600-20 (IP: 10.143.18.83)
- IM/Presence integration between Lync 2010 and Cisco Jabber
During the integration between Lync Server 2010 and CUPS with TLS I found that Cisco Jabber could make IM to Lync, but not vice versa. This is what we found on the Snooper and the Wireshark.
Obviously there is a problem with the TLS negotiation. But at this point you can’t figure out who was sending the error, so here it is the Wireshark capture
On the packet 25595, Lync Server presents to CUPS the certificate for TLS, but on packet 25600, CISCO returns an “Alert: Fatal, Description: Unsupported Certificate”.
After researching on the web and CISCO papers for Integration problems, I found that there is a known issue between platforms regarding the certificate on the Edge Server, the solution states that the certificate configured on the Edge Server has to have OIDs 220.127.116.11.18.104.22.168.1 and 22.214.171.124.126.96.36.199.2, these numbers means “Server Authentication” and “Client Authentication” respectively.
I assumed that it applies the same for an internal Lync Enterprise Pool. So I checked the Lync Server Default Certificate, and it was issued from Web Server certificate template, the one that comes by default on a Certification Authority 2003 version. But the problem is that Web Server certificate template only has the “Server Authentication” as Application Policy Extension (Certificate Purposes).
So, you need to create a new Certificate Template on your CA that has Server Authentication and Client Authentication as Application Policy Extensions and request a certificate for Lync Server with the new template. Now I know why the Request Certificate Wizard of Lync Server allows you to select a different certificate template 😀 .
Once we issued the new certificate from a new Certificate Template, IM and presence started to flow on both directions with no problem.
NOTE: On the side of CUPS, we also issued a certificate for CUPS with the same certificate template to avoid any problem with TLS handshake.