Federation

With Federation the following features are available for contacts linked from external systems:

  • Presence status

  • Chat

Federation requires the following licensing:

  • XPhone Connect Server

  • XPhone Connect user: Office Plus pack license

Federation can be activated or deactivated for Users at the location or in a configuration group.

DNS configuration

FQDNs must be resolvable to IP addresses. The usual way to do this is to publish the IP address belonging to the FQDN as an A or ALIAS record in the public DNS.

Hint

The FQDN must be the server’s domain itself or a direct subdomain of it; otherwise problems can arise with Skype for Business Servers where Open Federation is set up.

Examples for the server domain connect.acme.com

  • connect.acme.com -> valid

  • xphone.connect.acme.com -> valid

  • company.xphone.acme.com -> not valid

  • acme.com -> not valid

  • xphone.acme.com -> not valid
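The “same domain or direct subdomain” rule above, as an added example that is not part of the original documentation: a PowerShell function (the name Test-FederationFqdn is an assumption) that applies the rule and prints the verdict for the five sample names listed.

```powershell
function Test-FederationFqdn {
    param(
        [Parameter(Mandatory)][string]$Fqdn,          # public name to check
        [Parameter(Mandatory)][string]$ServerDomain   # domain of the Connect Server
    )
    # Normalise: strip a trailing dot and ignore case, as DNS names are case-insensitive
    $f = $Fqdn.TrimEnd('.').ToLowerInvariant()
    $d = $ServerDomain.TrimEnd('.').ToLowerInvariant()

    # Case 1: the FQDN is the server domain itself
    if ($f -eq $d) { return $true }

    # Case 2: a direct subdomain has exactly one additional label in front of the server domain
    if ($f.EndsWith(".$d")) {
        $prefix = $f.Substring(0, $f.Length - $d.Length - 1)
        return -not $prefix.Contains('.')
    }

    # Anything else (parent domain, sibling domain, deeper subdomain) is not valid
    return $false
}

# Constructed check run over the sample names from the documentation
$domain = 'connect.acme.com'
foreach ($name in 'connect.acme.com', 'xphone.connect.acme.com', 'company.xphone.acme.com', 'acme.com', 'xphone.acme.com') {
    $verdict = if (Test-FederationFqdn -Fqdn $name -ServerDomain $domain) { 'valid' } else { 'not valid' }
    "{0,-28} -> {1}" -f $name, $verdict
}
```

Run it before requesting the certificate and creating the DNS records, since a name that fails this rule is the kind of configuration that only shows up later as a failed federation handshake with Skype for Business partners.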

If the federating servers should (also) be able to reach the Connect Server via Open Federation, an additional SRV record _sipfederationtls._tcp must be created in the DNS, pointing from the domain of the Connect Server to the FQDN of the Connect Server.

Sample configuration

The Connect Server belonging to acme has the internal IP address 192.168.1.100 and listens on port 5061. It should be reachable via the public IP address 63.201.34.21 on port 5061. Therefore, the following rules need to be set up on the firewall:

  • All TCP packets received on IP address 63.201.34.21 / port 5061 from any source IP address and port must be forwarded to the internal IP address 192.168.1.100 / port 5061.

  • It must be possible for the internal Connect Server to reach any other IP address (including on the Internet) on port 5061 from any port.

The company’s Connect Server domain is called acme.de. The external FQDN of the Connect Server is connect.acme.com. In the public DNS server of the acme.com domain, the A record “connect” must be created, which refers to the IP address 63.201.34.21.

The following test shows whether the resolution works:

nslookup -nosearch -type=A connect.acme.com 8.8.8.8
Server: google-public-dns-a.google.com
Address: 8.8.8.8

Nicht autorisierende Antwort:
Name: connect.acme.com

Address: 63.201.34.21

As the company wishes to support Open Federation, an SRV record in the public DNS server of acme.de is also necessary: _sipfederationtls._tcp.acme.de refers to connect.acme.com / port 5061.

The following test shows whether the resolution works:

nslookup -nosearch -type=SRV _sipfederationtls._tcp.acme.de 8.8.8.8
Server: google-public-dns-a.google.com
Address: 8.8.8.8

Nicht autorisierende Antwort:
_sipfederationtls._tcp.acme.de SRV service location:
priority = 0
weight = 0
port = 5061
svr hostname = connect.acme.com

Finally, a certificate for server authentication must be requested from a public certificate authority for the name connect.acme.com. This certificate must be uploaded to the certificate store of the local computer on the Connect Server.

Direct Federation (Static routes)

With Direct Federation, the FQDN to be used for reaching a certain domain is configured in the Connect Server; for example, to reach the acme.com domain, sip.acme.com is to be contacted on port 5061.

The DNS of the Connect Server must be able to resolve the FQDN to an IP address. If necessary, check this on the server using the command nslookup -nosearch -type=A <FQDN>. You can test whether the server can be reached on port 5061 using telnet <FQDN> 5061.

In order to use static routes, this connection type must be activated first. The following route information is required for connecting to the federated system:

  • Domain

  • FQDN (or IP address) of the SIP Server

    Hint

    When using an IP address instead of the FQDN, problems can arise when checking the certificate as it is issued for a domain!

  • Port (5061) for incoming connections

  • The MTLS protocol is specified.

The routes - and therefore the connections to external systems - can be activated or deactivated without changing the configuration of the route or other connections.

Open Federation

If Open Federation is enabled, the Connect Server searches for the FQDN to use based on the federating domain via the DNS. For example, to federate with the domain acme.com, the SRV record _sipfederationtls._tcp.acme.com must exist in the DNS. Likewise, the FQDN referenced in the SRV record must be resolvable to the IP address via the DNS. Whether the SRV record exists can be tested with this command: nslookup -nosearch -type=SRV _sipfederationtls._tcp.<DOMAIN>
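The checks described in the sample configuration, in Direct Federation (A record and port 5061) and in Open Federation (SRV record), combined into one script as an added example; this is not part of the original documentation or of the XPhone Connect product. It uses the standard Windows cmdlets Resolve-DnsName and Test-NetConnection in place of nslookup and telnet; the function name Test-FederationEndpoint and the sample values are assumptions taken from the example above.

```powershell
function Test-FederationEndpoint {
    param(
        [Parameter(Mandatory)][string]$Fqdn,   # public name of the SIP server, e.g. connect.acme.com
        [string]$SipDomain,                     # SIP domain; when given, the SRV record is checked (Open Federation)
        [string]$ExpectedIp,                    # public IP the A record should point to (own server only)
        [int]$Port = 5061,
        [string]$DnsServer = '8.8.8.8'          # public resolver, so split-DNS inside the LAN cannot mask errors
    )
    $problems = @()

    # A record: the FQDN must resolve to a public IP address (Direct and Open Federation alike)
    $a = @(Resolve-DnsName -Name $Fqdn -Type A -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'A' })
    if ($a.Count -eq 0) {
        $problems += "no A record for $Fqdn at $DnsServer"
    } elseif ($ExpectedIp -and ($a.IPAddress -notcontains $ExpectedIp)) {
        $problems += "A record for $Fqdn points to $($a.IPAddress -join ', '), expected $ExpectedIp"
    }

    # SRV record: _sipfederationtls._tcp.<domain> must point at the FQDN and port 5061 (Open Federation only)
    if ($SipDomain) {
        $srvName = "_sipfederationtls._tcp.$SipDomain"
        $srv = @(Resolve-DnsName -Name $srvName -Type SRV -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'SRV' })
        if ($srv.Count -eq 0) {
            $problems += "no SRV record $srvName"
        } else {
            foreach ($r in $srv) {
                if ($r.NameTarget.TrimEnd('.') -ne $Fqdn) { $problems += "$srvName targets $($r.NameTarget), expected $Fqdn" }
                if ($r.Port -ne $Port)                    { $problems += "$srvName uses port $($r.Port), expected $Port" }
            }
        }
    }

    # TCP reachability on port 5061: the telnet test. For your own server run this from outside the
    # firewall, otherwise the inbound forwarding rule is not exercised.
    $tcp = Test-NetConnection -ComputerName $Fqdn -Port $Port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        $problems += "TCP port $Port on $Fqdn not reachable"
    }

    [pscustomobject]@{
        Fqdn     = $Fqdn
        Ok       = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Own server, values from the sample configuration (constructed)
Test-FederationEndpoint -Fqdn 'connect.acme.com' -SipDomain 'acme.de' -ExpectedIp '63.201.34.21'

# Direct Federation partner: static route to sip.acme.com, no SRV record needed
Test-FederationEndpoint -Fqdn 'sip.acme.com'

# Open Federation partner: take the FQDN and port from the partner's SRV record first
$partnerSrv = Resolve-DnsName -Name '_sipfederationtls._tcp.acme.com' -Type SRV -Server 8.8.8.8 -DnsOnly -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'SRV' } | Sort-Object Priority, { -$_.Weight } | Select-Object -First 1
if ($partnerSrv) {
    Test-FederationEndpoint -Fqdn $partnerSrv.NameTarget.TrimEnd('.') -SipDomain 'acme.com' -Port $partnerSrv.Port
}
```

The script only reports problems; it changes nothing. A failed A record or SRV check points at the public DNS, a failed TCP check at the inbound firewall rule or at running the test from inside the LAN, where NAT may not loop back to the public address.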

Network interfaces

Select the server’s network interface (IP address and port) to be used for the inbound connections of federated systems. MTLS is specified as the protocol.

For Federation, the XPhone Connect Server requires a public IP address accessible from the Internet, on which the server must be available on port 5061. The connections are set up by any servers on the Internet or by the Skype for Business servers of the federating partners from any (dynamic) port.

The XPhone Connect Server must be able to reach any server on the Internet or the Skype for Business servers of the federating partners on port 5061. The Connect Server sets up these connections from any (dynamic) port.

The domain of the XPhone Connect Server (see General server settings) is also used publicly for Federation, i.e. the Connect Server users can be reached in the Skype For Business Clients of the federating partners under this domain.

The IP address at which the Connect Server is publicly available (see above) must be assigned a public name (FQDN). This name need not have any connection with the domain of the Connect Server.

As communication, e.g. with Skype for Business Servers, is secured via TLS, a certificate must be made available to the Connect Server in the Windows certificate memory of the local computer (see also Certificates).

Encryption

As communication, e.g. with Skype for Business Servers, is secured via TLS, a certificate must be made available to the Connect Server in the Windows certificate memory of the local computer or in the local user’s Windows certificate memory.

Hint

Provision in the user’s certificate memory is only possible if the Connect Server runs with a user’s account and the certificate is stored in this user’s certificate memory.

  • This certificate must have been issued to the public name (FQDN) of the Connect Server and must not be a wildcard certificate, as these are not accepted by a federating Skype for Business server, for example.

  • The certificate must be suitable for server authentication and client authentication, and must contain a private key to which the Connect server has access.

  • The certificate must be trusted by the servers to be federated with. It is therefore advisable to have a certificate issued by a public certification authority, e.g. at letsencrypt.org.

If the Connect Server runs in the context of a user account, the operating system denies access to the private key of a certificate in the Windows certificate store of the local computer. To allow access anyway, you must either add the user to the local administrators group or grant explicit permissions to the user account. See docs.secureauth.com
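The certificate requirements listed above (issued to the public FQDN, no wildcard, server and client authentication, accessible private key, trusted by partners) as an added check, not part of the original documentation: a PowerShell function (the name Test-FederationCertificate is an assumption) run over the local computer’s personal store, using the DnsNameList and EnhancedKeyUsageList properties that the Windows certificate provider adds to X509Certificate2 objects. The sample FQDN is taken from the example above.

```powershell
$Fqdn          = 'connect.acme.com'     # public name of the Connect Server (constructed sample)
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'    # id-kp-serverAuth
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'    # id-kp-clientAuth

function Test-FederationCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$Fqdn
    )
    $issues = @()

    # Issued to the public FQDN: the name must appear in the certificate's DNS names
    $names = @($Certificate.DnsNameList | ForEach-Object { $_.Unicode })
    if ($names -notcontains $Fqdn) { $issues += "not issued to $Fqdn (names: $($names -join ', '))" }

    # Wildcard certificates are rejected by federating Skype for Business servers
    if ($names | Where-Object { $_.StartsWith('*') }) { $issues += 'wildcard certificate' }

    # Both server and client authentication are needed, as the Connect Server accepts and initiates MTLS
    $ekus = @($Certificate.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    if ($ekus -notcontains $ServerAuthOid) { $issues += 'missing Server Authentication EKU' }
    if ($ekus -notcontains $ClientAuthOid) { $issues += 'missing Client Authentication EKU' }

    # The private key must be present in this store (permissions on it are checked separately in certlm.msc)
    if (-not $Certificate.HasPrivateKey) { $issues += 'no private key in this store' }

    # Validity: expired certificates break the TLS handshake; short-lived ones need timely reselection
    if ($Certificate.NotAfter -lt (Get-Date)) { $issues += "expired on $($Certificate.NotAfter)" }
    elseif ($Certificate.NotAfter -lt (Get-Date).AddDays(14)) { $issues += "expires on $($Certificate.NotAfter); renew and reselect it" }

    # Chain validation against this machine's trust store; a self-signed or private-CA certificate fails here
    if (-not $Certificate.Verify()) { $issues += 'chain does not validate; a certificate from a public CA is required' }

    return $issues
}

# Report every certificate in the local computer's personal store
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $issues = @(Test-FederationCertificate -Certificate $_ -Fqdn $Fqdn)
    [pscustomobject]@{
        Thumbprint = $_.Thumbprint
        Subject    = $_.Subject
        NotAfter   = $_.NotAfter
        Suitable   = ($issues.Count -eq 0)
        Issues     = ($issues -join '; ')
    }
} | Format-Table -AutoSize -Wrap
```

Only a certificate reported as suitable should be selected in the Federation configuration. The Verify() call checks trust on the Connect Server itself; federating partners validate against their own trust stores, which is why a certificate from a widely trusted public CA is recommended.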

The currently used server certificate for connecting to federated systems is displayed here; the list of installed certificates and the active certificate can be viewed and edited using the Certificates button.

Certificates

The list shows all of the relevant information on the installed server certificates. Select a certificate from the list which is to be used for encrypting the connection to federated systems.

Example: Create certificate with Let’s Encrypt

For Federation, a certificate from a recognised certificate authority is required (i.e. not a self-signed certificate). Let’s Encrypt (https://letsencrypt.org) is such a certificate authority. The certificates are free of charge, but they expire after some time and then need to be renewed. Although automatic renewal is possible, the renewed certificate still needs to be selected manually in the Federation configuration on the XPhone Connect Server. This example shows how to obtain a certificate from Let’s Encrypt using the ACME client Win-ACME.

Requirement
  • An ACME client is installed on the server (e.g. connect.acme.com) to create the server certificate, e.g. the tool Win-ACME.

    Hint

    The use of the ACME client is documented by the respective manufacturer, here: Win-ACME.

  • In order to create the certificate, correct DNS resolution and reachability of the server from the outside must be ensured, as the wwwroot directory is used for validating the domain on the server. Alternatively, validation can be done via a DNS entry.

Create certificate
  1. Start the command line with administration rights on the server.

  2. Go to the ACME client directory (e.g. C:\win-acme).

  3. Execute the command:

    .\wacs.exe --target manual --host connect.acme.com --store certificatestore --certificatestore My --validation filesystem --webroot C:\inetpub\wwwroot --accepttos --closeonfinish
    
  4. Start certificate management for computer certificates (certlm.msc) as administrator.

  5. The newly created certificate should appear under Own certificates > Certificates.

  6. Add the Authenticated users group for code access and confirm with OK.

  7. In the Federation configuration of the XPhone Connect Server, select the certificate as an active certificate and save the change.

Microsoft Teams

If Open Federation is enabled, the Connect Server searches for the FQDN to use based on the federating domain via the DNS. For example, to federate with the domain “acme.com”, the SRV record _sipfederationtls._tcp.acme.com must exist in the DNS. Likewise, the FQDN referenced in the SRV record must be resolvable to the IP address via the DNS. Whether the SRV entry is present can be tested with this command:

nslookup -nosearch -type=SRV _sipfederationtls._tcp.<DOMAIN>

The creation of the SRV record for a Microsoft 365 domain is described in the Microsoft Docs.

In addition, Microsoft Teams must be enabled for external communication. In the MS Teams Admin Center, the setting can be found under Organization-wide settings > External access > Users can communicate with Skype for Business and Teams users. More information on this Microsoft site.

Hint

The list of allowed or blocked domains may have an impact on the ability to federate with the XPhone Connect Server. The effect of entries in the list is described on the page in the Teams Admin Center.

Have you found a mistake on this page?

Please send us a hint about this error by mail to doku@c4b.de. Thank you very much!