Configure XMPP gateway on Lync Server 2013

Topic Last Modified: 2013-10-28

The final steps for migrating your XMPP Gateway are to configure certificates for the Lync Server 2013 Edge Server, deploy the Lync Server 2013 XMPP Gateway, and update the DNS records for the XMPP Gateway. These steps should be performed in parallel to minimize the downtime of your XMPP Gateway. All users must be moved to your Microsoft Lync Server 2013 deployment before performing these steps.

Important

XMPP federation is not supported for users who are homed on survivable branch appliances. This applies both to seeing presence information and to exchanging IM messages.

Configure XMPP Gateway Certificates on the Lync Server 2013 Edge Server

  1. On the Edge Server, in the Deployment Wizard, next to Step 3: Request, Install, or Assign Certificates, click Run Again.

    Tip

    If you are deploying the Edge Server for the first time, you will see Run instead of Run Again.

  2. On the Available Certificate Tasks page, click Create a new certificate request.

  3. On the Certificate Request page, click External Edge Certificate.

  4. On the Delayed or Immediate Request page, select the Prepare the request now, but send it later check box.

  5. On the Certificate Request File page, type the full path and file name of the file to which the request is to be saved (for example, c:\cert_external_edge.cer).

  6. On the Specify Alternate Certificate Template page, to use a template other than the default WebServer template, select the Use alternative certificate template for the selected certification authority check box.

  7. On the Name and Security Settings page, do the following:

    1. In Friendly name, type a display name for the certificate.

    2. In Bit length, specify the bit length (typically, the default of 2048).

    3. Verify that the Mark certificate private key as exportable check box is selected.

  8. On the Organization Information page, type the name for the organization and the organizational unit (for example, a division or department).

  9. On the Geographical Information page, specify the location information.

  10. On the Subject Name/Subject Alternate Names page, the information that the wizard will populate automatically is displayed. If additional subject alternative names are needed, you specify them in the next two steps.

  11. On the Subject Alternate Names (SANs) page, under SIP Domain Setting, select the domain check box to add a sip.<sipdomain> entry to the subject alternative names list.

  12. On the Configure Additional Subject Alternate Names page, specify any additional subject alternative names that are required.

    Tip

    If the XMPP proxy is installed, the domain name (such as contoso.com) is populated in the SAN entries by default. If you require more entries, add them in this step.

  13. On the Request Summary page, review the certificate information to be used to generate the request.

  14. After the commands finish running, you can click View Log, or click Next to continue.

  15. On the Certificate Request File page, you can view the generated certificate signing request (CSR) file by clicking View, or exit the Certificate Wizard by clicking Finish.

  16. Copy the request file and submit it to your public certification authority.

  17. After receiving, importing and assigning the public certificate, you must stop and restart the Edge Server services. You do this by typing the following in the Lync Server Management Shell:

    Stop-CsWindowsService

    Start-CsWindowsService
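The same work the wizard steps above perform, issued from the Lync Server Management Shell on the Edge Server, as an added example that is not part of the original page. It assumes contoso.com as the SIP and XMPP domain, placeholder organization details and file paths, that the issued certificate's subject is the Access Edge name used in the request, and that the object returned by Get-CsCertificate exposes its SAN list as AlternativeNames.

```powershell
# Added example, not from the original page: certificate request, assignment and
# service restart for the external Edge role. contoso.com, the organization
# details and the file paths are assumed placeholder values.

# Steps 3 to 12: an external Edge certificate request saved to a file for
# offline submission to the public CA. sip.<sipdomain> is the entry the SIP
# Domain Setting adds; the bare domain is the entry the XMPP proxy needs.
Request-CsCertificate -New -Type AccessEdgeExternal `
    -Output 'C:\cert_external_edge.cer' `
    -FriendlyName 'Edge external (XMPP)' `
    -KeySize 2048 -PrivateKeyExportable $true `
    -DomainName 'sip.contoso.com,contoso.com' `
    -Organization 'Contoso Ltd' -OU 'IT' `
    -City 'Redmond' -State 'WA' -Country 'US'

# Steps 16 and 17: once the public CA returns the issued certificate, import it,
# locate it in the machine store by subject (assumed to be the Access Edge
# name), and assign it to the external Edge role.
Import-CsCertificate -Path 'C:\cert_external_edge_issued.cer' -PrivateKeyExportable $true
$issued = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=sip.contoso.com*' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
Set-CsCertificate -Type AccessEdgeExternal -Thumbprint $issued.Thumbprint

# Check before restarting: every name federation partners will connect to must
# be in the SAN list, otherwise the TLS handshake with partners fails after the
# restart. AlternativeNames is assumed to be the property carrying that list.
$assigned = Get-CsCertificate -Type AccessEdgeExternal
foreach ($san in 'sip.contoso.com', 'contoso.com') {
    if ($assigned.AlternativeNames -notcontains $san) {
        Write-Warning "Assigned certificate is missing SAN entry: $san"
    }
}

# The new certificate is only picked up after the Edge services are restarted.
Stop-CsWindowsService
Start-CsWindowsService
```

The SAN check is the part worth keeping: a certificate that is valid but lacks the XMPP domain entry lets the services start cleanly and only shows up later as partner connections failing TLS negotiation.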

Configure a new Lync Server 2013 XMPP Gateway

  1. Open Lync Server Control Panel.

  2. In the left navigation bar, click Federation and External Access, and then click XMPP Federated Partners.

  3. To create a new configuration, click New.

  4. Define the following settings:

  5. Primary domain (Required). The primary domain is the base domain of the XMPP partner. For example, you would enter fabrikam.com for the XMPP partner domain name. This is a required entry.

  6. Description. The description is for notes or other identifying information for this particular configuration. This entry is optional.

  7. Additional domains. Additional domains are domains that are part of your XMPP partner's domain and should be included in the allowed XMPP communication. For example, if the primary domain is fabrikam.com, you would list all other domains under fabrikam.com that you will communicate with by way of XMPP.

  8. Partner type. The partner type is a required setting. You must choose one of the following to describe and enforce which contacts can be added. You can select from:

    • Federated. A Federated partner type represents a high level of trust between the Lync Server deployment and the XMPP partner. This partner type is recommended for federating with XMPP servers within the same enterprise or where there is an established business relationship. XMPP contacts in Federated partners can:

      1. Add Lync contacts and view their presence without express authorization from the Lync user.

      2. Send instant messages to Lync contacts whether or not the Lync user has added them to their contact list.

      3. See a Lync user's status notes.

    • Public verified. A Public verified partner is a public XMPP provider that is trusted to verify the identity of its users. XMPP contacts in Public Verified networks can add Lync contacts, view their presence and send instant messages to them without express authorization from the Lync users. XMPP contacts in Public Verified networks never see a Lync user's status notes. This setting is not recommended.

    • Public unverified. A Public unverified partner is a public XMPP provider that is not trusted to verify the identity of its users. XMPP users on Public Unverified networks cannot communicate with Lync users unless the Lync user has expressly authorized them by adding them to the contact list. XMPP users on Public Unverified networks never see Lync users' status notes. This setting is recommended for any federation with public XMPP providers such as Google Talk.

  9. Connection Type: Defines the various rules and dialback settings.

    • TLS Negotiation. Defines the TLS negotiation rules. An XMPP service can require TLS, can make TLS optional, or you can define that TLS is not supported. Choosing Optional leaves the requirement up to the XMPP service for a mandatory-to-negotiate decision. To view all possible settings and details for SASL, TLS and dialback negotiation, including invalid and known error configurations, see Negotiation settings for XMPP federated partners in Lync Server 2013.

      • Required. The XMPP service requires TLS negotiation.

      • Optional. The XMPP service indicates that TLS is mandatory-to-negotiate.

      • Not Supported. The XMPP service does not support TLS.

    • SASL negotiation. Defines the SASL negotiation rules. An XMPP service can require SASL, can make SASL optional, or you can define that SASL is not supported. Choosing Optional leaves the requirement up to the partner XMPP service for a mandatory-to-negotiate decision.

      • Required. The XMPP service requires SASL negotiation.

      • Optional. The XMPP service indicates that SASL is mandatory-to-negotiate.

      • Not Supported. The XMPP service does not support SASL.

    • Support server dialback negotiation. The server dialback negotiation process uses the domain name system (DNS) and an authoritative server to verify that a request came from a valid XMPP partner. To do this, the originating server creates a message of a specific type with a generated dialback key and looks up the receiving server in DNS. The originating server sends the key in an XML stream to the host the DNS lookup returned, presumably the receiving server. On receipt of the key over the XML stream, the receiving server does not respond to the originating server, but sends the key to a known authoritative server. The authoritative server verifies whether the key is valid. If it is not valid, the receiving server does not respond to the originating server. If the key is valid, the receiving server informs the originating server that the identity and key are valid and the conversation can commence.

      There are two valid states for dialback negotiation:

      • True. The XMPP server is configured to use dialback negotiation if a request is received from an originating server.

      • False. The XMPP server is not configured to use dialback negotiation, and if a request is received from an originating server, it will be ignored.

  10. Click Commit to save your changes to the site or user policy.
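The same partner configuration created from the Lync Server Management Shell instead of the Control Panel, as an added example that is not part of the original page. It uses the page's sample value fabrikam.com for the federated partner; the public provider domain, the additional domain names and the description text are constructed placeholders, and the comma-separated form for -AdditionalDomains is an assumption to confirm with Get-Help New-CsXmppAllowedPartner.

```powershell
# Added example, not from the original page: the two partner types the page
# recommends, created with New-CsXmppAllowedPartner. Domains other than
# fabrikam.com are constructed placeholders.

# Federated partner: same enterprise or an established business relationship.
# This is the highest-trust type (contacts are added and status notes shown
# without the Lync user's authorization), so the server-to-server stream here
# requires both TLS and SASL. Check the chosen TLS/SASL/dialback combination
# against the negotiation-settings topic the page references.
New-CsXmppAllowedPartner -Identity 'fabrikam.com' `
    -Description 'Fabrikam (established business relationship)' `
    -AdditionalDomains 'sales.fabrikam.com,support.fabrikam.com' `
    -PartnerType Federated `
    -TlsNegotiation Required `
    -SaslNegotiation Required `
    -SupportDialbackNegotiation $false

# Public unverified partner: the type the page recommends for public XMPP
# providers. Their users cannot reach a Lync user until that user adds them to
# the contact list, and status notes are never shared with them.
New-CsXmppAllowedPartner -Identity 'public-xmpp.example' `
    -Description 'Public XMPP provider (placeholder domain)' `
    -PartnerType PublicUnverified `
    -TlsNegotiation Optional `
    -SaslNegotiation NotSupported `
    -SupportDialbackNegotiation $true

# Review what is in effect. Two things a reviewer looks for: any partner whose
# stream can run without TLS, and any public provider granted the Federated
# trust level by mistake.
Get-CsXmppAllowedPartner |
    Format-Table Identity, PartnerType, TlsNegotiation, SaslNegotiation, SupportDialbackNegotiation -AutoSize

Get-CsXmppAllowedPartner |
    Where-Object { $_.TlsNegotiation -eq 'NotSupported' } |
    ForEach-Object { Write-Warning "Partner $($_.Identity) allows cleartext XMPP streams" }
```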
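The dialback flow described under Support server dialback negotiation, played through as a self-contained simulation of the three roles (originating, receiving and authoritative server), as an added example that is not part of the original page and not Lync's implementation. DNS is replaced by a hashtable, the domains and secret are constructed, and the key derivation follows the HMAC-SHA256 construction recommended by XEP-0185, which is an assumption: the page does not say how Lync derives dialback keys.

```powershell
# Added example, not from the original page: simulation of server dialback.
# All domains, server names and the secret are constructed values.

# Stand-in for the DNS lookups: partner domain -> server name.
$dns = @{
    'fabrikam.com' = 'xmpp.fabrikam.com'   # receiving server for our request
    'contoso.com'  = 'sip.contoso.com'     # authoritative server for our domain
}

# Dialback key as recommended by XEP-0185 (assumed, not the page's algorithm):
# HMAC-SHA256 over "receiving originating streamId", keyed with SHA-256(secret).
function Get-DialbackKey([byte[]]$Secret, [string]$Receiving, [string]$Originating, [string]$StreamId) {
    $hashedSecret = [System.Security.Cryptography.SHA256]::Create().ComputeHash($Secret)
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList (,$hashedSecret)
    $text = [System.Text.Encoding]::UTF8.GetBytes("$Receiving $Originating $StreamId")
    return (($hmac.ComputeHash($text) | ForEach-Object { $_.ToString('x2') }) -join '')
}

# Authoritative server for contoso.com. Only it holds the secret, so only it
# can say whether a key shown to some receiving server was minted by contoso.com
# for that exact stream.
$contosoSecret = [System.Text.Encoding]::UTF8.GetBytes('constructed-secret-keep-private')
function Invoke-AuthoritativeVerify([string]$Receiving, [string]$Originating, [string]$StreamId, [string]$Key) {
    $expected = Get-DialbackKey $contosoSecret $Receiving $Originating $StreamId
    if ($expected -eq $Key) { 'valid' } else { 'invalid' }
}

# Receiving server (fabrikam.com). It never answers the originating server on
# the strength of the key alone: it resolves the claimed domain in DNS and asks
# the server found there. An invalid key gets no response at all.
function Receive-DialbackRequest([string]$From, [string]$To, [string]$StreamId, [string]$Key) {
    if (-not $dns.ContainsKey($From)) { return 'no response (claimed domain not in DNS)' }
    $verdict = Invoke-AuthoritativeVerify -Receiving $To -Originating $From -StreamId $StreamId -Key $Key
    if ($verdict -eq 'valid') { return "valid: $From may send to $To on this stream" }
    return 'no response (authoritative server rejected the key)'
}

# Originating server (contoso.com): mint the key for this stream and present it
# to whatever DNS names as the receiving server.
$streamId = [guid]::NewGuid().ToString('N')
$key = Get-DialbackKey $contosoSecret 'fabrikam.com' 'contoso.com' $streamId
Write-Host ("Genuine key -> " + (Receive-DialbackRequest 'contoso.com' 'fabrikam.com' $streamId $key))

# The same claim with a key produced without the secret: the authoritative
# server cannot reproduce it, so the receiving server stays silent.
$wrongSecret = [System.Text.Encoding]::UTF8.GetBytes('some-other-secret')
$badKey = Get-DialbackKey $wrongSecret 'fabrikam.com' 'contoso.com' $streamId
Write-Host ("Wrong key    -> " + (Receive-DialbackRequest 'contoso.com' 'fabrikam.com' $streamId $badKey))
```

The point the simulation makes visible is the trust boundary: dialback proves that whoever sent the key controls the server that DNS names for the claimed domain, and nothing more. It does not authenticate the stream or protect it from tampering, which is why the page's recommended settings still negotiate TLS on top of it.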

Update DNS Records for Lync Server 2013 XMPP Gateway

  1. To configure DNS for XMPP federation, add the following SRV record to your external DNS: _xmpp-server._tcp.<domain name>. The SRV record resolves to the Access Edge FQDN of the Edge Server, with a port value of 5269.
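A check of the SRV record from the step above against the deployed topology, as an added example that is not part of the original page. It assumes contoso.com as the XMPP domain and a public resolver address as a placeholder for an external DNS server, that Resolve-DnsName and Test-NetConnection are available (DnsClient module on Windows 8 / Windows Server 2012 or later; Test-NetConnection on Windows 8.1 / 2012 R2 or later), and that Get-CsService -EdgeServer exposes the external name as AccessEdgeExternalFqdn.

```powershell
# Added example, not from the original page: verify the _xmpp-server SRV record
# as partners will see it, then compare it with the Edge topology.
# contoso.com and the resolver address are placeholders.

$domain   = 'contoso.com'
$resolver = '8.8.8.8'   # placeholder for an external resolver; partners resolve from outside

# Query the external view of the record, not the internal DNS the Edge Server uses.
$records = Resolve-DnsName -Name "_xmpp-server._tcp.$domain" -Type SRV -Server $resolver -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' }

if (-not $records) {
    Write-Warning "No _xmpp-server._tcp.$domain SRV record is published externally"
    return
}
$records | Format-Table Name, NameTarget, Port, Priority, Weight -AutoSize

# Expected target and port, taken from the topology (Lync Server Management Shell).
$edge = Get-CsService -EdgeServer | Select-Object -First 1
$expectedTarget = $edge.AccessEdgeExternalFqdn   # assumed property name

foreach ($srv in $records) {
    if ($srv.Port -ne 5269) {
        Write-Warning "SRV record points at port $($srv.Port); XMPP federation expects 5269"
    }
    if ($srv.NameTarget -ne $expectedTarget) {
        Write-Warning "SRV target $($srv.NameTarget) is not the Access Edge FQDN $expectedTarget"
    }
    # The target must also resolve and accept connections on 5269, otherwise
    # partners see a published record that leads nowhere.
    Test-NetConnection -ComputerName $srv.NameTarget -Port 5269 |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
}
```

Run the DNS part from a host outside the corporate network or against an external resolver; a query answered by internal DNS only proves the internal zone, not what federation partners will resolve.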