Lync Server 2010 – CUPS Integration: No IM/Presence to CUPS


Scenario:

  • 1 Lync Server 2010 Enterprise Pool (IP: 140.140.21.93)
  • 1 Cisco CUPS version 8.6.3.10000-20 (IP: 10.143.18.83)

Requirement:

  • IM/Presence integration between Lync 2010 and Cisco Jabber

While integrating Lync Server 2010 with CUPS over TLS, I found that Cisco Jabber users could send IMs to Lync users, but Lync users could not send IMs to Jabber. This is what we saw in Snooper and in Wireshark.

[image: Snooper trace]

Clearly the TLS negotiation is failing, but the Snooper trace alone does not tell you which side is sending the error, so here is the Wireshark capture.

[image: Wireshark capture]

In packet 25595, Lync Server presents its certificate to CUPS during the TLS handshake; in packet 25600, Cisco CUPS answers with a TLS alert, “Alert: Fatal, Description: Unsupported Certificate” (alert code 43, unsupported_certificate). So it is CUPS that is rejecting the certificate Lync offers, not the other way around.

After searching the web and Cisco's integration documentation, I found a known issue between the two platforms regarding the certificate on the Lync Edge Server. The documented fix is that the Edge Server certificate must carry the Enhanced Key Usage OIDs 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2, which mean “Server Authentication” and “Client Authentication” respectively. This matches what the capture shows: on a SIP trunk each side both accepts and initiates TLS connections, so the same certificate is presented as a server certificate on inbound connections and as a client certificate on outbound ones, and CUPS will not accept a certificate whose purposes do not cover the role it is being used in.

[image: Cisco documentation on the Edge Server certificate OIDs]

I assumed the same requirement applies to an internal Lync Enterprise pool, so I checked the Lync Server default certificate. It had been issued from the Web Server certificate template, the one that ships by default with a Windows Server 2003 Certification Authority. The problem is that the Web Server template only has “Server Authentication” in its Application Policies extension (shown as Enhanced Key Usage, or Certificate Purposes, on the issued certificate), so no Client Authentication purpose is present.

[image: Web Server certificate template properties]

So you need to create a new certificate template on your CA that has both Server Authentication and Client Authentication as Application Policies, and then request a certificate for the Lync Server with that new template. Now I know why the Lync Server Request Certificate wizard lets you select a different certificate template 😀 .

[image: new certificate template with Server and Client Authentication]

Once the certificate issued from the new template was assigned to the Lync pool, IM and presence started to flow in both directions with no problem.

NOTE: On the CUPS side we also issued a certificate for CUPS from the same certificate template, so that both peers present a certificate valid for server and client authentication and neither side can fail the TLS handshake on a missing purpose.
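The check that would have saved the troubleshooting above is simply “does this certificate's Enhanced Key Usage contain both 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2?”. The following is an added example written for this post, not code from Microsoft, Cisco or the original author: a pure-stdlib Python decoder for the EKU extension value (a DER SEQUENCE OF OBJECT IDENTIFIER, as defined in RFC 5280) that reports which of the two purposes a certificate is missing. The two sample extension values are constructed by hand to mirror what the default Web Server template and the new custom template produce; they are not bytes captured from the Lync pool or the CUPS server described in the post.

```python
"""Check whether an X.509 Extended Key Usage (EKU) extension carries both
Server Authentication and Client Authentication.

Added example (not from the original post): a pure-stdlib DER decoder for
the EKU extension value (RFC 5280, id-ce-extKeyUsage = 2.5.29.37, whose
value is a SEQUENCE OF OBJECT IDENTIFIER).  The sample extension values at
the bottom are constructed for this example, not captured from a real
Lync or CUPS certificate.
"""

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID: tag 0x06, length, then base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share a byte
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])           # last 7 bits, high bit clear
        arc >>= 7
        while arc:                                # remaining 7-bit groups, high bit set
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return bytes([0x06, len(body)]) + bytes(body)


def _read_tlv(data: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    first = value[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                          # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def decode_eku(ext_value: bytes) -> list:
    """Decode an EKU extnValue (SEQUENCE OF OID) into dotted OID strings."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("EKU extnValue must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("EKU SEQUENCE may only contain OBJECT IDENTIFIERs")
        oids.append(decode_oid(body))
    return oids


def encode_eku(oids) -> bytes:
    """Build an EKU extnValue (SEQUENCE OF OID) from dotted OID strings."""
    body = b"".join(encode_oid(o) for o in oids)
    return bytes([0x30, len(body)]) + body


def missing_for_mutual_tls(ext_value: bytes) -> list:
    """Return the EKU OIDs a Lync/CUPS SIP-trunk certificate still lacks.

    Each side both accepts and initiates TLS on the trunk, so the certificate
    needs serverAuth AND clientAuth; an empty list means it passes the check.
    """
    present = set(decode_eku(ext_value))
    return [o for o in (SERVER_AUTH, CLIENT_AUTH) if o not in present]


# Constructed samples (not from the post's environment):
# the default "Web Server" template yields serverAuth only ...
WEB_SERVER_TEMPLATE_EKU = bytes.fromhex("300a06082b06010505070301")
# ... while the custom template yields serverAuth and clientAuth.
CUSTOM_TEMPLATE_EKU = bytes.fromhex(
    "301406082b0601050507030106082b06010505070302")

if __name__ == "__main__":
    for name, eku in (("Web Server template", WEB_SERVER_TEMPLATE_EKU),
                      ("Custom template", CUSTOM_TEMPLATE_EKU)):
        print(f"{name}: {decode_eku(eku)} missing: {missing_for_mutual_tls(eku)}")
```

In practice you would feed `missing_for_mutual_tls` the raw extension value pulled from the certificate by whatever X.509 library you already use; for a quick manual check the same purposes are listed by `certutil -dump` under “Enhanced Key Usage” on Windows, or by `openssl x509 -text -noout` under “X509v3 Extended Key Usage”. Run the check against both the Lync pool certificate and the CUPS certificate, since either side can trip the same “Unsupported Certificate” alert.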
