Deploying XMPP for Lync

After deploying our edge server and enabling federation (covered in the previous article), the next logical step may be to enable communication with other IM platforms, such as Google Chat, via the XMPP gateway. At the time of Lync RTM there was no updated XMPP server, so in this article we will use the OCS 2007 R2 version available from Microsoft.

To start off with, this is what our environment will look like:


Since we will be adding another server, I have updated the hostname and IP address table below.

Server Name              Role                                  IP Address
LyncDC.lyncguy.local     Domain Controller/DNS/CA              10.255.106.160
LyncFE.lyncguy.local     Lync Standard Edition Front End       10.255.106.161
Lyncedge.lyncguy.local   Lync Edge server – not domain joined  10.255.106.162 (internal NIC)
LyncXMPP.lyncguy.com     Lync XMPP Server – not domain joined  10.255.110.166

For this scenario we will be using a single NIC on our XMPP server, with the NIC placed in the same DMZ network our edge server’s external interface is on.  This will allow the edge and XMPP servers to communicate directly and to be protected by the corporate firewall.

No internal DNS changes are required to make this work. However, because the XMPP server sits behind NAT and shares a network segment with the edge server's external interface, we will update the edge server's hosts file so that it resolves the XMPP gateway's name to the DMZ IP address rather than the public IP.

To do that, we add an entry for LyncXMPP.lyncguy.com to the edge server's hosts file, pointing to the gateway's DMZ IP address (10.255.106.166).


Now we need to log into our XMPP server, set up the IP address and modify the hostname. First we'll assign the IP address:


Next we modify the hostname:


And then the primary DNS suffix:


To allow the XMPP server to reach our access edge, I have added an entry to the XMPP server's hosts file for sip.lyncguy.com pointing to the DMZ IP address of the access edge.

These entries let the XMPP gateway and the edge server talk to each other directly on the shared DMZ network instead of hairpinning the traffic through the firewall.
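The two hosts-file changes above, written as an added PowerShell example (this is not code from the original post). The function appends an entry only if the name is not already mapped, refuses to add a conflicting duplicate, and then confirms that the local resolver now returns the DMZ address. The XMPP gateway name and its DMZ address are taken from the hostname table; the access edge's external DMZ address is not given in the post, so it is left as a placeholder. Run it from an elevated prompt on the server whose hosts file you are changing.

```powershell
# Added example, not code from the original post: create a hosts-file entry
# and confirm the local resolver now returns the DMZ address for the name.
# Run from an elevated PowerShell prompt on the server whose hosts file is
# being changed (the edge for the XMPP name, the XMPP gateway for sip.*).

function Add-HostsEntry {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,
        [Parameter(Mandatory = $true)] [string] $IPAddress
    )
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $lines = @(Get-Content -Path $hostsPath -ErrorAction Stop)
    $namePattern = '^\s*(\S+)\s+.*\b' + [regex]::Escape($HostName) + '\b'

    # Skip comment lines; any existing line that already carries this name is
    # either the entry we want or a conflicting one we must not duplicate.
    $existing = @($lines | Where-Object { ($_ -notmatch '^\s*#') -and ($_ -match $namePattern) })

    if ($existing.Count -gt 0) {
        $sameAddress = @($existing | Where-Object { $_ -match ('^\s*' + [regex]::Escape($IPAddress) + '\s') })
        if ($sameAddress.Count -eq 0) {
            throw ("hosts already maps {0} elsewhere: {1}" -f $HostName, ($existing -join '; '))
        }
        Write-Host "Entry already present: $HostName -> $IPAddress"
    } else {
        Add-Content -Path $hostsPath -Value ("{0}`t{1}" -f $IPAddress, $HostName) -Encoding ASCII
        Write-Host "Added: $HostName -> $IPAddress"
    }

    # Windows consults the hosts file before DNS, so the name must now come
    # back as the DMZ address rather than the public (NAT) address.
    $resolved = @([System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object { $_.ToString() })
    if ($resolved -notcontains $IPAddress) {
        throw ("{0} resolved to {1}, expected {2}; run 'ipconfig /flushdns' and retry" -f $HostName, ($resolved -join ', '), $IPAddress)
    }
    return $resolved
}

# On the edge server: the XMPP gateway's DMZ address from the hostname table.
Add-HostsEntry -HostName 'LyncXMPP.lyncguy.com' -IPAddress '10.255.110.166'

# On the XMPP gateway: the access edge's external (DMZ) address. The post does
# not list it, so <EDGE-DMZ-IP> is a placeholder for your own value.
# Add-HostsEntry -HostName 'sip.lyncguy.com' -IPAddress '<EDGE-DMZ-IP>'
```

The resolution check at the end is the part worth keeping: a hosts entry that is present but shadowed by a stale resolver cache, or by a second line mapping the same name to the public address, produces exactly the "works one day, not the next" behaviour that several of the comments below describe.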

I will not cover the XMPP Gateway installation or configuration; there is a great article that covers everything you need to know, including external DNS and firewall rules (although those are also covered below).

Once you have completed the steps in that article, you are ready to configure your Lync environment for XMPP. To do that, we start on the Front End server by opening the Lync Server Control Panel, going to "External Access" and then clicking "Federated Domains".

Click New > Allowed Domain and enter gmail.com as the domain, with your XMPP server's FQDN as the access edge service for it.

Now click "Commit" to save your changes. The changes are pushed to your edge server automatically, but you can also check the Event Viewer under the Lync Server section to verify that the following event appears.
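The same change made from the Lync Server Management Shell on the Front End, as an added example rather than something from the original post. It reads the step above as one allowed-domain entry whose domain is gmail.com and whose access edge service FQDN is the XMPP gateway (lyncxmpp.lyncguy.com, from the hostname table); New-CsAllowedDomain, Get-CsAllowedDomain and Get-CsManagementStoreReplicationStatus are standard Lync Server 2010 cmdlets, and the comment text is an assumption.

```powershell
# Added example, not code from the original post: the Lync Server Management
# Shell equivalent of the Control Panel steps above. Run on the Front End.
# The gateway FQDN is the post's; add further XMPP domains to the list as needed.

$xmppGateway = 'lyncxmpp.lyncguy.com'
$xmppDomains = @('gmail.com')

foreach ($domain in $xmppDomains) {
    $current = Get-CsAllowedDomain -Identity $domain -ErrorAction SilentlyContinue
    if ($current -eq $null) {
        # The proxy FQDN tells the edge to send traffic for this domain to our
        # XMPP gateway rather than looking the domain up through DNS.
        New-CsAllowedDomain -Identity $domain -ProxyFqdn $xmppGateway -Comment 'XMPP via OCS 2007 R2 gateway'
    } elseif ($current.ProxyFqdn -ne $xmppGateway) {
        # An entry that already exists but routes elsewhere is worth knowing about
        # before it silently sends gmail.com traffic to the wrong place.
        Write-Warning "$domain exists but points at $($current.ProxyFqdn), not $xmppGateway"
    } else {
        Write-Host "Allowed domain already present: $domain -> $xmppGateway"
    }
}

# Show every domain routed through the gateway, which is what the edge will
# enforce once the change has replicated.
Get-CsAllowedDomain | Where-Object { $_.ProxyFqdn -eq $xmppGateway } |
    Format-Table Identity, ProxyFqdn, Comment -AutoSize

# The post says to watch the event log for the replication event; the same
# information is available from the shell. UpToDate should be True for the edge.
Get-CsManagementStoreReplicationStatus | Format-Table ReplicaFqdn, UpToDate, LastStatusReport -AutoSize
```

Keeping the allowed-domain list explicit in a script also makes it easy to review which external domains your edge will accept traffic from, which is the control that limits who can reach your users over the gateway.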

Next, create an inbound NAT rule on the firewall that forwards TCP port 5269 from the public IP to the XMPP server's private IP:

Rule         Public IP        Private IP       Allowed Protocol – Port
XMPP Access  XX.102.182.166   10.255.110.166   TCP – 5269

Last but not least, you need to create public DNS records. The first is an A record for the XMPP server:

Record Type  Public Name            Public IP        Port
A            Lyncxmpp.lyncguy.com   XX.102.182.166   –

Then we create an SRV record that points XMPP servers for our domain at that A record:

Record Type  Public Name                     Name (target)          Port
SRV          _xmpp-server._tcp.lyncguy.com   Lyncxmpp.lyncguy.com   5269
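An added verification script (not part of the original post) to run from a machine that resolves against public DNS once the NAT rule and both records are in place. It checks that the SRV record exists and advertises port 5269, that its target lies inside the SIP domain (the edge rejects a target in a different domain, which is the "none of the FQDNs is in the same domain" error one of the comments below reports), that the target's A record returns the NAT public address, and that TCP 5269 is actually reachable. The domain, SRV name and port come from the post; the public IP is masked there, so <PUBLIC-IP> is a placeholder.

```powershell
# Added example, not code from the original post: check the public DNS
# records and the NAT rule from a machine that resolves against public DNS.
# Domain, SRV name and port come from the post; the public address is
# masked there, so <PUBLIC-IP> is a placeholder for yours.

$sipDomain  = 'lyncguy.com'
$expectedIp = '<PUBLIC-IP>'
$xmppPort   = 5269

function Get-XmppServerSrv {
    param([string] $Domain)
    # nslookup ships with every Windows release the post targets
    # (Resolve-DnsName only arrived with Windows 8 / Server 2012).
    $out = (& nslookup -type=SRV "_xmpp-server._tcp.$Domain" 2>&1) | Out-String
    $records = @()
    # nslookup prints each SRV answer as "port = N" followed by "svr hostname = target".
    $pattern = 'port\s*=\s*(\d+)\s*\r?\n\s*svr hostname\s*=\s*(\S+)'
    foreach ($m in [regex]::Matches($out, $pattern)) {
        $records += New-Object PSObject -Property @{
            Port   = [int] $m.Groups[1].Value
            Target = $m.Groups[2].Value.TrimEnd('.')
        }
    }
    return $records
}

function Test-TcpPort {
    param([string] $Target, [int] $Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect($Target, $Port); return $true }
    catch   { return $false }
    finally { $client.Close() }
}

$srv = @(Get-XmppServerSrv -Domain $sipDomain)
if ($srv.Count -eq 0) { throw "No _xmpp-server._tcp.$sipDomain SRV record found in public DNS" }

foreach ($r in $srv) {
    # The edge only accepts an SRV target that lies inside the SIP domain; a
    # target under some other domain produces the "none of the FQDNs is in the
    # same domain" diagnostic quoted in one of the comments below.
    if (($r.Target -ne $sipDomain) -and ($r.Target -notlike "*.$sipDomain")) {
        Write-Warning "SRV target $($r.Target) is outside $sipDomain; the edge will reject it"
    }
    if ($r.Port -ne $xmppPort) {
        Write-Warning "SRV advertises port $($r.Port), expected $xmppPort"
    }

    # The A record behind the SRV target must return the NAT public address.
    $addresses = @([System.Net.Dns]::GetHostAddresses($r.Target) | ForEach-Object { $_.ToString() })
    if ($addresses -notcontains $expectedIp) {
        Write-Warning "$($r.Target) resolves to $($addresses -join ', '), expected $expectedIp"
    }

    # Finally confirm the firewall actually forwards TCP 5269 to the gateway.
    if (Test-TcpPort -Target $r.Target -Port $r.Port) {
        Write-Host "TCP $($r.Port) to $($r.Target): open"
    } else {
        Write-Warning "TCP $($r.Port) to $($r.Target): not reachable (check the NAT rule and firewall)"
    }
}
```

Run it from outside your network, not from the DMZ: from inside, the hosts-file entries and internal DNS mask exactly the public records a remote XMPP service will see.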


And now you should be able to chat with your Google Chat contacts via Lync. XMPP can also be used to communicate with other IM services; see the documentation for more detail.

About Kevin Peters

My name is Kevin Peters.

39 Responses to Deploying XMPP for Lync

  1. Pingback: Lync Server 2010 features and how to configure them « msunified.net

  2. Arturas Rimonis says:

    Hello. What should I do if I have two DNS load balanced edge servers?

  3. Kevin Peters says:

    Hi Arturas,

    DNS load balancing is only supported between Lync servers and clients, not the OCS server roles, and since XMPP hasn’t been updated yet, it isn’t supported. It may or may not work, so you can always give it a shot. The other option is to hardcode the edge FQDN as just one IP address in your XMPP server's hosts file. If that edge goes down XMPP will be down, but at least it will work.

  4. Arturas Rimonis says:

    OK. I am stuck. It's not working. Just after installing the XMPP GW it was working, but the next day when I tried it stopped sending messages. We are using the same domain name inside and outside the network. Also we are using a wildcard certificate (GoDaddy), and TMG. Maybe you could suggest something useful?

  5. Arturas Rimonis says:

    And also on the edge server I am getting events:

    Federated partner *.mydomain.lt has sent a significant number of messages that have resulted in domain validation failures. There have been 3 such failures in the last 961 minutes. There have been 6 errors in total. This can happen when messages are sent to local users that don’t exist, messages are sent from domains that the partner isn’t allowed to send from, or when the partner sends messages destined to domains that this organization isn’t responsible for.

    external edge fqdn: sip.mydomain.lt
    internal edge fqdn: edge-1.mydomain.lt (workgroup computer with suffix)
    external xmpp fqdn: xmpp.mydomain.lt
    internal xmpp fqdn: xmpp-1.mydomain.lt (workgroup computer with suffix)

    edge host file:
    192.168.88.251 xmpp.mydomain.lt

    xmpp gw host file:
    192.168.88.2 sip.mydomain.lt

  6. Kevin Peters says:

    Hi Arturas,

    I see from your information you have 2 NICs in your XMPP server. Although I’ve seen this listed as a supported configuration, I’ve never actually made it work. For ease of installation and configuration I would recommend just having one NIC on your XMPP server. This NIC should be on the same subnet as the outside interface of your edge server and should route all traffic only to the external interface. Please give that a shot and post back with your results.

    Hope this helps!

    -kp

  7. Arturas Rimonis says:

    Thank you for your reply. My XMPP server has one NIC.

    xmpp IP: 192.168.88.251
    edge IPs: Internal: 192.168.77.73 External: 192.168.88.2

    With Wireshark I can see that the XMPP GW receives the message from Google:

    Hello my lync friend!

    But these records are black and say that the checksum is bad:

    Header checksum: 0x0000 [incorrect, should be 0x20de]

  8. Arturas Rimonis says:

    *That message was full code, but disappeared after posting comment.

  9. Kevin Peters says:

    Arturas,

    I haven’t seen that error before; it’s probably a configuration issue on the XMPP server, but I’m not sure what. It would probably be worth running back through this article and the one linked below to check your settings:
    http://technet.microsoft.com/en-us/library/ee806452.aspx

    Hope this helps!
    -kp

  10. Arturas Rimonis says:

    Hello Kevin,
    The problem is solved. I did lots of changes, but I think this issue was because of my wildcard certificate (GoDaddy). On the XMPP server I created a self-signed certificate and put it in the XMPP SIP configuration. I am not sure this was the only reason, but this was the last change.

  11. Arturas Rimonis says:

    Hi Kevin,
    It's me again :) We have added more SIP domains to our Lync server. Is it possible to use XMPP with more than one domain, or do I have to add a dedicated XMPP server for every domain?

  12. Gerard Nijboer says:

    Hi Kevin & Arturas,

    At this moment, I am trying to deploy a Lync server linked to an Asterisk-powered server (Asterisk is the gateway).
    Setting up a phone call half works: the receiving party does receive a phone call, but when I pick up, the Lync client does not start the conversation.
    I’ve looked at packet traffic, and noticed that my Lync server is sending packets with an incorrect header checksum (0x0000).
    Since I’m not sure whether this is causing my problems, I wish to solve this problem.

    Could you give me some hints on how to solve this issue? I guess it might be related to Arturas’ topic.

    Cheers,

    Gerard

  13. Tim Perry says:

    Hi Kevin,
    I am wondering if you could help me out; this has been killing my brain. I have followed all 3 of your blogs for setting up Lync, Edge and XMPP. Almost everything is working properly. The only issue I have is that I cannot receive IMs from Gmail. I can send them and they go through, but I cannot get a response. I have run the logging tool and here is what I get:
    TL_INFO(TF_PROTOCOL) [0]05E4.0CE4::05/10/2011-14:32:14.505.0000da07 (SIPStack,SIPAdminLog::TraceProtocolRecord:SIPAdminLog.cpp(125))$$begin_record
    Trace-Correlation-Id: 910221276
    Instance-Id: 00000389
    Direction: incoming;source=”internal edge”;destination=”external edge”
    Peer: XMPP.mydomain.com:2660
    Message-Type: request
    Start-Line: SUBSCRIBE sip:myaccount@mydomain.com:5061;maddr=edgeserver.mydomain.com;transport=Tls SIP/2.0
    From: ;tag=8eee9a63cc
    To:
    CSeq: 46 SUBSCRIBE
    Call-ID: 867cf3489dc34bf4b52a592bd0fedb73
    MAX-FORWARDS: 70
    VIA: SIP/2.0/TLS 172.16.100.89:2660;branch=z9hG4bK843fbbda
    ACCEPT: application/pidf+xml
    CONTACT:
    CONTENT-LENGTH: 0
    EVENT: presence
    ms-asserted-verification-level: ms-source-verified-user=verified
    Message-Body: –
    $$end_record
    ************************************************
    TL_WARN(TF_DIAG) [0]05E4.0CE4::05/10/2011-14:32:14.505.0000dc14 (SIPStack,SIPAdminLog::TraceDiagRecord:SIPAdminLog.cpp(145))$$begin_record
    LogType: diagnostic
    Severity: warning
    Text: The request URI domain is internally supported and cannot be routed to a federated partner
    Result-Code: 0xc3e93d75 SIPPROXY_E_EPROUTING_MSG_INTERNALDOMAIN_NOTALLOWED
    SIP-Start-Line: SUBSCRIBE sip:myaccount@mydomain.com
    SIP/2.0
    SIP-Call-ID: 867cf3489dc34bf4b52a592bd0fedb73
    SIP-CSeq: 46 SUBSCRIBE
    Data: domain=”mydomain.com”
    $$end_record
    ****************************************************
    TL_INFO(TF_DIAG) [0]05E4.0CE4::05/10/2011-14:32:14.506.0000deb1 (SIPStack,SIPAdminLog::TraceDiagRecord:SIPAdminLog.cpp(147))$$begin_record
    LogType: diagnostic
    Severity: information
    Text: Response successfully routed
    SIP-Start-Line: SIP/2.0 404 Not Found
    SIP-Call-ID: 867cf3489dc34bf4b52a592bd0fedb73
    SIP-CSeq: 46 SUBSCRIBE
    Peer: XMPP.mydomain.com:2660
    Data: destination=”XMPP.mydomain.com”
    $$end_record
    ************************************************
    TL_INFO(TF_PROTOCOL) [0]05E4.0CE4::05/10/2011-14:32:14.506.0000deec (SIPStack,SIPAdminLog::TraceProtocolRecord:SIPAdminLog.cpp(125))$$begin_record
    Trace-Correlation-Id: 910221276
    Instance-Id: 0000038A
    Direction: outgoing;source=”local”;destination=”internal edge”
    Peer: XMPP.mydomain.com:2660
    Message-Type: response
    Start-Line: SIP/2.0 404 Not Found
    From: ;tag=8eee9a63cc
    To: ;tag=A4CF270669C3C57615B6E6432C0A4E8E
    CSeq: 46 SUBSCRIBE
    Call-ID: 867cf3489dc34bf4b52a592bd0fedb73
    Via: SIP/2.0/TLS 172.16.100.89:2660;branch=z9hG4bK843fbbda;ms-received-port=2660;ms-received-cid=2100
    ms-diagnostics: 1003;reason=”User does not exist”;TargetUri=”account@mydomain.com”;source=”edge.mydomain.com”
    Server: RTC/4.0
    Content-Length: 0
    ms-edge-proxy-message-trust: ms-source-type=EdgeProxyGenerated;ms-ep-fqdn=edge.mydomain.com;ms-source-verified-user=verified
    Message-Body: –
    $$end_record
    *******************************
    I have changed my domain and server names but have verified they are correct in the logs. Do you have any ideas? It looks like a routing issue. Thank you for any help. Tim

  14. I have a single server deployment of Lync and wanted to possibly get Google and especially AIM for the users. Is it possible to get this sort of thing set up on a single server for smaller deployments? And is this similar to what is needed to get access to AIM? Unfortunately, after getting things working internally for Lync and going through the process of getting AIM provisioned, I have been unable to find out how to get AIM itself working with Lync 2010 (OCS 2007 no problem).

  15. Trent Gillespie says:

    Thanks for the great blog posting! We were able to use this to set up XMPP chat with Gmail.

    I’m interested in using this to access Facebook’s chat function. They support XMPP but appear to have some additional restrictions for how authentication needs to occur through their platform that the OCS XMPP gateway doesn’t support. Any idea if this can work? Since Facebook is partly owned by Microsoft, and MS just bought Skype (and FB just integrated with Skype) I’d assume it is just a matter of time till someone works this out.

  16. Vindryn says:

    Hi,

    First I would like to thank you for your great articles about Lync; they helped me a lot.
    I have a problem with the Gmail federation and hope somebody can help me :)

    I have 3 servers:
    - XMPP Gateway (lyncxmpp.domain.com) – not domain joined
    - Lync Edge (lync-edge.domain.local)
    - Lync Front End (srv-lync01.domain.local)

    From the Lync client a user can add a Gmail user and send him an IM; it works. The Lync user can see the presence of the Gmail user too.
    From the Gmail client the user cannot send an IM to the Lync user; there is an error message that says “the user is disconnected”. The Gmail user cannot see the presence of the Lync user, and the Lync user appears as “invite”.
    If the Lync user sends an IM to the Gmail user, the Gmail user can answer him; it works too. But after a period of inactivity the Gmail user is unable to send IMs anymore.

    So the XMPP seems to be working fine; the problem seems to come from the Edge server. I can see the following logs on the Edge if a Gmail user tries to send an IM to a Lync user:
    Component: SIPStack
    Level: TL_INFO
    Flag: TF_COMPONENT
    Function: CSIPRequest::IsTrustedForRouting
    Source: SIPRequest.cpp(94)
    Local Time: 09/08/2011-14:58:48.120
    Sequence# : 0000419D
    CorrelationId : 3195726454
    ThreadId : 1290
    ProcessId : 0CDC
    CpuId : 0
    Original Log Entry :
    TL_INFO(TF_COMPONENT) [0]0CDC.1290::09/08/2011-12:58:48.120.0000419d (SIPStack,CSIPRequest::IsTrustedForRouting:SIPRequest.cpp(94))[3195726454]( 0000000003FD5770 ) routedByApplication [0x00000000(false)], routeHeadersValidated [0x00000000(false)], sourceTrusted [0x00000000(false)]. TrustedForRouting = 0x00000000(false)
    *******************
    Component: SIPStack
    Level: TL_WARN
    Flag: TF_COMPONENT
    Function: CSIPRequest::RouteRequestUriAddr
    Source: SIPRequest.cpp(3010)
    Local Time: 09/08/2011-14:58:48.120
    Sequence# : 0000419E
    CorrelationId :
    ThreadId : 1290
    ProcessId : 0CDC
    CpuId : 0
    Original Log Entry :
    TL_WARN(TF_COMPONENT) [0]0CDC.1290::09/08/2011-12:58:48.120.0000419e (SIPStack,CSIPRequest::RouteRequestUriAddr:SIPRequest.cpp(3010))( 3195726454 )( 0000000003FD5770 ) Exit – untrusted request that is ineligible for static routing. Returned 0xC3E93C5E(SIPPROXY_E_ROUTING)
    *******************
    Component: SIPStack
    Level: TL_WARN
    Flag: TF_DIAG
    Function: SIPAdminLog::TraceDiagRecord
    Source: SIPAdminLog.cpp(145)
    Local Time: 09/08/2011-14:58:48.120
    Sequence# : 0000419F
    CorrelationId :
    ThreadId : 1290
    ProcessId : 0CDC
    CpuId : 0
    Original Log Entry :
    TL_WARN(TF_DIAG) [0]0CDC.1290::09/08/2011-12:58:48.120.0000419f (SIPStack,SIPAdminLog::TraceDiagRecord:SIPAdminLog.cpp(145))$$begin_record
    LogType: diagnostic
    Severity: warning
    Text: Non-trusted source with a request URI that is not eligible for static routing
    Result-Code: 0xc3e93c5e SIPPROXY_E_ROUTING
    SIP-Start-Line: INVITE sip:lyncuser@domain.com:5061;maddr=lync-edge.domain.local;transport=Tls SIP/2.0
    SIP-Call-ID: f8aa6a28ae7c4412ac76a1da675e87b9
    SIP-CSeq: 55 INVITE
    Data: destination=”sip:lyncuser@domain.com:5061;maddr=lync-edge.domain.local;transport=Tls”;user=”lyncuser@domain.com”
    $$end_record
    *******************
    Component: SIPStack
    Level: TL_ERROR
    Flag: TF_COMPONENT
    Function: SIPRouterOutReqEPInt::RS_RouteRequest
    Source: SIPRouterOutReqEPInt.cpp(155)
    Local Time: 09/08/2011-14:58:48.120
    Sequence# : 000041A0
    CorrelationId :
    ThreadId : 1290
    ProcessId : 0CDC
    CpuId : 0
    Original Log Entry :
    TL_ERROR(TF_COMPONENT) [0]0CDC.1290::09/08/2011-12:58:48.120.000041a0 (SIPStack,SIPRouterOutReqEPInt::RS_RouteRequest:SIPRouterOutReqEPInt.cpp(155))( 3195726454 )( 00000000035E7F58 ) Exit – failed to route the Request-URI. Returned 0xC3E93C5E(SIPPROXY_E_ROUTING)

    • Kevin Peters says:

      Vindryn,

      From the log, “lync-edge.domain.local” is present in the line “SIP-Start-Line: INVITE sip:lyncuser@domain.com:5061;maddr=lync-edge.domain.local;transport=Tls SIP/2.0”. Does this mean the XMPP server is trying to route to the internal NIC of the edge? If so, that is most likely your problem; all routing to and from the XMPP server should hit the external NIC of the edge.

      Hope this helps!

      -kp

  17. Scott Eastman says:

    Hi, great doc; it helped me loads when I was setting up the XMPP server. Wondering if you know anything with regards to ejabberd. We have Lync talking with our ejabberd system and all seems to be working fine; however, we seem to be getting authentication requests to the ejabberd users every few hours??? Even after they have accepted the initial request. I don't seem to be getting the same with Gmail, so I assume it is something to do with ejabberd.

    Thanks

  18. Jake says:

    I am getting the following on the XMPP server:
    Log Name: Office Communications Server
    Source: OCS Xmpp Gateway
    Date: 10/20/2011 6:24:07 PM
    Event ID: 33005
    Task Category: (1090)
    Level: Error
    Keywords: Classic
    User: N/A
    Computer: XMPP..com
    Description:
    Office Communications Server SIPXMPPTGW: Configuration file not found.
    Event Xml:

    33005
    2
    1090
    0x80000000000000

    7
    Office Communications Server
    XMPP..com

    The following is the c:\program files\microsoft office communications server 2007 R2\XMPP gateway\TGWConsoleGui.dll.config file (10.10.10.8 is the only NIC and IP address on the XMPP server, which is in our DMZ and NAT’d to external):

  19. Jake says:

    The system was running Windows 2008 R2. I rebuilt it with Windows 2008 SP2 and it is now working.

  20. Rich says:

    Hi Kevin,
    Our XMPP server works great, but we have to constantly restart the service because we get the following errors:
    Event 33009 – Office Communications Server SIPXMPPTGW: Maximum XMPP Incoming Connections reached.
    Event 33013 – Office Communications Server SIPXMPPTGW: Throttling High Water Mark reached.

    Is there anything I can do to keep it from hitting these limits? I’m almost ready to write a script to just restart the service daily.

  21. John P. Grieb says:

    Thank you very much for your excellent article.
    I’m trying to connect lync to an XMPP Server.
    I followed the directions in your blog post, and the edge server is reporting the following error after it looks up the SRV record of the XMPP server’s domain:
    Data: domain=”nycvopfire04.msgtst.reuters.com”;fqdn1=”nycv-xmpptst01.lync.msgtst.reuters.comtrue5061″;reason=”The domain of the message resolved by DNS SRV but none of the FQDNs is in the same domain”
    My XMPP server domain is “nycvopfire04.msgtst.reuters.com” but the FQDN of my XMPP Gateway is “nycv-xmpptst01.lync.msgtst.reuters.com”. The error seems to indicate that the FQDN of the XMPP Gateway should be “nycv-xmpptst01.nycvopfire04.msgtst.reuters.com” so that it matches the domain.

  22. Sandeep Swarup Satpathy says:

    Hi Kevin,

    I have recently deployed an XMPP gateway server in my OCS 2007 R2 org. After installing and configuring the XMPP Gateway software, I encounter issues while starting the XMPP gateway service. The following events are logged in my Event Viewer:
    Event ID: 3305 Office Communications Server SIPXMPPTGW: Configuration file not found.
    The following prerequisites have been completed:
    1. Certificate for Xmpp.domain.com available.
    2. A & SRV records for xmpp.domain.com & _xmpp-server._tcp.domain.com
    3. Connectivity to Access Edge servers and XMPP servers (Google) working – I have checked it from the XMPP Gateway Console.

    Any suggestions would greatly assist in completing my configuration.

  23. joetrig says:

    Thanks for the article.
    It helped me very much.
    Everything works.

  24. Joe says:

    Thanks for the article.
    I followed the instructions and instant messaging works well, but presence works 50% of the time.
    When I click on a contact from the Lync buddy list, it is shown as available, but if I click again on the same contact I see the status “presence unknown”, and if I click once again on the contact it will become available, and so on…
    Do you know why, and how can I solve the issue?
