Configure XMPP gateway on Lync Server 2013

Topic Last Modified: 2013-10-28

The final steps for migrating your XMPP Gateway are to configure certificates for the Lync Server 2013 Edge Server, deploy the Lync Server 2013 XMPP Gateway, and update the DNS records for the XMPP Gateway. These steps should be performed in parallel to minimize the downtime of your XMPP Gateway. All users must be moved to your Microsoft Lync Server 2013 deployment before performing these steps.

Important

XMPP federation is not supported for users who are homed on Survivable Branch Appliances. This applies to both seeing presence information and exchanging IM messages.

Configure XMPP Gateway Certificates on the Lync Server 2013 Edge Server

  1. On the Edge Server, in the Deployment Wizard, next to Step 3: Request, Install, or Assign Certificates, click Run again.

    Tip

    If you are deploying the Edge Server for the first time, you will see Run instead of Run again.

  2. On the Available Certificate Tasks page, click Create a new certificate request.

  3. On the Certificate Request page, click External Edge Certificate.

  4. On the Delayed or Immediate Request page, select the Prepare the request now, but send it later check box.

  5. On the Certificate Request File page, type the full path and file name of the file to which the request is to be saved (for example, c:\cert_external_edge.cer).

  6. On the Specify Alternate Certificate Template page, to use a template other than the default WebServer template, select the Use alternative certificate template for the selected certification authority check box.

  7. On the Name and Security Settings page, do the following:

    1. In Friendly name, type a display name for the certificate.

    2. In Bit length, specify the bit length (typically, the default of 2048).

    3. Verify that the Mark certificate private key as exportable check box is selected.

  8. On the Organization Information page, type the name for the organization and the organizational unit (for example, a division or department).

  9. On the Geographical Information page, specify the location information.

  10. On the Subject Name/Subject Alternate Names page, the information to be automatically populated by the wizard is displayed. If additional subject alternative names are needed, you specify them in the next two steps.

  11. On the SIP Domain Setting on Subject Alternate Names (SANs) page, select the domain check box to add a sip.<sipdomain> entry to the subject alternative names list.

  12. On the Configure Additional Subject Alternate Names page, specify any additional subject alternative names that are required.

    Tip

    If the XMPP proxy is installed, by default the domain name (such as contoso.com) is populated in the SAN entries. If you require more entries, add them in this step.

  13. On the Request Summary page, review the certificate information to be used to generate the request.

  14. After the commands finish running, you can click View Log, or click Next to continue.

  15. On the Certificate Request File page, you can view the generated certificate signing request (CSR) file by clicking View, or exit the Certificate Wizard by clicking Finish.

  16. Copy the request file and submit it to your public certification authority.

  17. After receiving, importing, and assigning the public certificate, you must stop and restart the Edge Server services. You do this by typing the following in the Lync Server Management Shell:

    Stop-CsWindowsService

    Start-CsWindowsService

Configure a new Lync Server 2013 XMPP Gateway

  1. Open Lync Server Control Panel.

  2. In the left navigation bar, click Federation and External Access, and then click XMPP Federated Partners.

  3. To create a new configuration, click New.

  4. Define the following settings:

  5. Primary domain   (Required). The primary domain is the base domain of the XMPP partner. For example, you would enter fabrikam.com for the XMPP partner domain name. This is a required entry.

  6. Description   The description is for notes or other identifying information for this particular configuration. This entry is optional.

  7. Additional domains   Additional domains are domains that are a part of your XMPP partner's domain that should be included as part of the allowed XMPP communication. For example, if the primary domain is fabrikam.com, then you would list all other domains under fabrikam.com that you will communicate with by way of XMPP.

  8. Partner type   The Partner type is a required setting. You must choose one of the following to describe and enforce what contacts can be added. You can select from:

    • Federated   A Federated partner type represents a high level of trust between the Lync Server deployment and the XMPP partner. This partner type is recommended for federating with XMPP servers within the same enterprise or where there is an established business relationship. XMPP contacts in Federated partners can:

      1. Add Lync contacts and view their presence without express authorization from the Lync user.

      2. Send instant messages to Lync contacts whether or not the Lync user has added them to their contact list.

      3. See a Lync user's status notes.

    • Public verified   A Public verified partner is a public XMPP provider that is trusted to verify the identity of its users. XMPP contacts in Public verified networks can add Lync contacts, view their presence, and send instant messages to them without express authorization from the Lync users. XMPP contacts in Public verified networks never see a Lync user's status notes. This setting is not recommended.

    • Public unverified   A Public unverified partner is a public XMPP provider that is not trusted to verify the identity of its users. XMPP users on Public unverified networks cannot communicate with Lync users unless the Lync user has expressly authorized them by adding them to the contact list. XMPP users on Public unverified networks never see Lync users' status notes. This setting is recommended for any federation with public XMPP providers such as Google Talk.

  9. Connection Type: Defines the various negotiation rules and dialback settings.

    • TLS Negotiation   Defines the TLS negotiation rules. An XMPP service can require TLS, can make TLS optional, or you can define that TLS is not supported. Choosing Optional leaves the requirement up to the XMPP service for a mandatory-to-negotiate decision. To view all possible settings and details for SASL, TLS, and Dialback negotiation, including invalid and known error configurations, see Negotiation settings for XMPP federated partners in Lync Server 2013.

      • Required   The XMPP service requires TLS negotiation.

      • Optional   The XMPP service indicates that TLS is mandatory-to-negotiate.

      • Not Supported   The XMPP service does not support TLS.

    • SASL negotiation   Defines the SASL negotiation rules. An XMPP service can require SASL, can make SASL optional, or you can define that SASL is not supported. Choosing Optional leaves the requirement up to the partner XMPP service for a mandatory-to-negotiate decision.

      • Required   The XMPP service requires SASL negotiation.

      • Optional   The XMPP service indicates that SASL is mandatory-to-negotiate.

      • Not Supported   The XMPP service does not support SASL.

    • Support server dialback negotiation   The server dialback negotiation process uses the Domain Name System (DNS) and an authoritative server to verify that the request came from a valid XMPP partner. To do this, the originating server creates a message of a specific type with a generated dialback key and looks up the receiving server in DNS. The originating server sends the key in an XML stream to the result of the DNS lookup, presumably the receiving server. On receipt of the key over the XML stream, the receiving server does not respond to the originating server, but sends the key to a known authoritative server. The authoritative server verifies whether the key is valid. If it is not valid, the receiving server does not respond to the originating server. If the key is valid, the receiving server informs the originating server that the identity and key are valid, and the conversation can commence.

      There are two valid states for Dialback negotiation:

      • True   The XMPP server is configured to use Dialback negotiation if a request is received from an originating server.

      • False   The XMPP server is not configured to use Dialback negotiation, and if a request is received from an originating server, it will be ignored.

  10. Click Commit to save your changes to the site or user policy.
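The same partner configuration can be created and audited from the Lync Server Management Shell. The following is an added example, not part of the original article: it creates the two partner types the settings above describe and then flags configurations the article advises against. The domain names are constructed; the cmdlet and property names (New-CsXmppAllowedPartner, Get-CsXmppAllowedPartner, PartnerType, TlsNegotiation, SaslNegotiation, SupportDialbackNegotiation) are assumed to match Lync Server 2013, and the "Federated partners must require TLS" rule is a local hardening policy, not a Lync requirement.

```powershell
# Added example, not the article's own steps. Domain names are constructed.
# Run in the Lync Server Management Shell on Lync Server 2013.

# Trusted business partner: Federated type, with additional sub-domains.
New-CsXmppAllowedPartner -Identity "fabrikam.com" `
    -Description "Fabrikam (established business relationship)" `
    -AdditionalDomains @("sales.fabrikam.com", "support.fabrikam.com") `
    -PartnerType Federated `
    -TlsNegotiation Required `
    -SaslNegotiation Required `
    -SupportDialbackNegotiation $false

# Public XMPP provider: the recommended PublicUnverified type, so its users
# can only reach Lync users who have explicitly added them as contacts.
New-CsXmppAllowedPartner -Identity "publicxmpp.example" `
    -Description "Public XMPP provider" `
    -PartnerType PublicUnverified `
    -TlsNegotiation Optional `
    -SaslNegotiation Optional `
    -SupportDialbackNegotiation $true

# Audit every configured partner and report settings that weaken trust.
function Test-XmppPartnerConfig {
    param([Parameter(ValueFromPipeline)] $Partner)
    process {
        $issues = @()
        if ($Partner.PartnerType -eq 'PublicVerified') {
            $issues += 'PublicVerified is not recommended; use PublicUnverified'
        }
        # Local hardening policy (assumption): high-trust partners get TLS only.
        if ($Partner.PartnerType -eq 'Federated' -and $Partner.TlsNegotiation -ne 'Required') {
            $issues += 'Federated partner should require TLS'
        }
        # With no TLS, no SASL and no dialback, nothing verifies the peer's identity.
        if ($Partner.TlsNegotiation -eq 'NotSupported' -and
            $Partner.SaslNegotiation -eq 'NotSupported' -and
            -not $Partner.SupportDialbackNegotiation) {
            $issues += 'no TLS, SASL or dialback: peer identity is never verified'
        }
        [pscustomobject]@{
            Identity    = $Partner.Identity
            PartnerType = $Partner.PartnerType
            Issues      = ($issues -join '; ')
        }
    }
}

Get-CsXmppAllowedPartner | Test-XmppPartnerConfig | Format-Table -AutoSize
```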

Update DNS Records for Lync Server 2013 XMPP Gateway

  1. To configure DNS for XMPP federation, add the following SRV record to your external DNS: _xmpp-server._tcp.<domain name>. The SRV record resolves to the Access Edge FQDN of the Edge Server, with a port value of 5269.
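After publishing the record, a quick external-view check catches the usual mistakes (wrong target host, wrong port, record only in internal DNS). The following is an added example, not part of the original article; it assumes Resolve-DnsName (DnsClient module, Windows 8 / Windows Server 2012 or later) and Test-NetConnection (Windows 8.1 / Windows Server 2012 R2 or later), and the domain and FQDN are constructed.

```powershell
# Added example, not the article's own steps. contoso.com / sip.contoso.com are constructed.
function Test-XmppFederationDns {
    param(
        [Parameter(Mandatory)] [string] $SipDomain,       # e.g. contoso.com
        [Parameter(Mandatory)] [string] $AccessEdgeFqdn,  # Access Edge FQDN, e.g. sip.contoso.com
        [string] $DnsServer                                # optional: an external resolver, to see the Internet view
    )
    $srvName = "_xmpp-server._tcp.$SipDomain"
    $dns = @{ ErrorAction = 'SilentlyContinue' }
    if ($DnsServer) { $dns.Server = $DnsServer }

    $records = Resolve-DnsName -Name $srvName -Type SRV @dns | Where-Object { $_.Type -eq 'SRV' }
    if (-not $records) {
        return [pscustomobject]@{ Record = $srvName; Ok = $false; Detail = 'SRV record not found' }
    }

    $problems = @()
    foreach ($r in $records) {
        # Every SRV answer must point at the Access Edge FQDN on the XMPP server-to-server port.
        if ($r.NameTarget -ne $AccessEdgeFqdn) { $problems += "target $($r.NameTarget) is not $AccessEdgeFqdn" }
        if ($r.Port -ne 5269)                  { $problems += "port $($r.Port) is not 5269" }
    }

    # The target must itself resolve, and TCP 5269 must be reachable once the Edge services are running.
    $a = Resolve-DnsName -Name $AccessEdgeFqdn -Type A @dns
    if (-not $a) {
        $problems += "$AccessEdgeFqdn has no A record"
    } elseif (-not (Test-NetConnection -ComputerName $AccessEdgeFqdn -Port 5269 -InformationLevel Quiet)) {
        $problems += "TCP 5269 on $AccessEdgeFqdn not reachable (firewall, or Edge services not started?)"
    }

    $detail = if ($problems) { $problems -join '; ' } else { "SRV -> ${AccessEdgeFqdn}:5269" }
    [pscustomobject]@{ Record = $srvName; Ok = ($problems.Count -eq 0); Detail = $detail }
}

Test-XmppFederationDns -SipDomain 'contoso.com' -AccessEdgeFqdn 'sip.contoso.com'
```

Run it from a host outside the corporate network, or pass an external resolver in -DnsServer, since a record that only exists in internal DNS will still look correct from inside.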