Cisco Cisco Expressway
Configuring Cisco Expressway-E for XMPP Federation
We recommend that you make XMPP federation configuration changes during a time of day when users will
not be impacted. Enabling XMPP federation will restart the XCP router on all Cisco Expressway-E systems
within the cluster. Any existing mobile and remote access IM and Presence Service client sessions will be
interrupted. Depending on the number of clients, full client reconnection may take several minutes. See
not be impacted. Enabling XMPP federation will restart the XCP router on all Cisco Expressway-E systems
within the cluster. Any existing mobile and remote access IM and Presence Service client sessions will be
interrupted. Depending on the number of clients, full client reconnection may take several minutes. See
for more information.
1. On Cisco Expressway-E, go to
Configuration > Unified Communications
.
2. Set XMPP federation support to On.
When you apply this change, you may need to restart the XCP Routers on the IM and Presence Service
server(s). The other settings on this page will not require a restart.
server(s). The other settings on this page will not require a restart.
3. Configure the remaining fields as follows:
Use static
routes
routes
Indicates whether a controlled list of static routes are used to locate the federated XMPP
domains and chat node aliases, rather than DNS lookups. See
domains and chat node aliases, rather than DNS lookups. See
.
Dialback
secret
secret
Enter a dialback secret to use for identity verification with federated XMPP servers. If you have
multiple Cisco Expressway-E systems in the same deployment, they must all be configured with
the same dialback secret.
multiple Cisco Expressway-E systems in the same deployment, they must all be configured with
the same dialback secret.
For more information about server dialback, see
.
Security
mode
mode
Indicates if a Transport Layer Security (TLS) connection to federated XMPP servers is required,
preferred or not required.
preferred or not required.
TLS required: the system guarantees a secure (encrypted) connection with the foreign domain.
TLS optional: the system attempts to establish a TLS connection with the foreign domain. If it
fails to establish a TLS connection, it reverts to TCP..
fails to establish a TLS connection, it reverts to TCP..
No TLS: the system will not establish a TLS connection with the foreign domain. It uses a non-
encrypted connection to federate with the foreign domain.
encrypted connection to federate with the foreign domain.
In all cases, server dialback is used to verify the identity of the foreign server. The foreign server
must be configured to use server dialback. Note that SASL External is not a supported
configuration on the local server. Foreign servers may be configured to use SASL, but SASL
exchanges will not be supported by the local server.
must be configured to use server dialback. Note that SASL External is not a supported
configuration on the local server. Foreign servers may be configured to use SASL, but SASL
exchanges will not be supported by the local server.
The default, and recommended setting, is TLS required.
Require
client-side
security
certificates
client-side
security
certificates
Controls whether the certificate presented by the external client is verified against the current
Cisco Expressway trusted Certificate Authority (CA) list and, if loaded, the revocation list.
Cisco Expressway trusted Certificate Authority (CA) list and, if loaded, the revocation list.
This setting does not apply if Security mode is No TLS.
Note that the federated domain name and any chat node aliases must be present in the
certificate's subject alternate name, regardless of this setting.
certificate's subject alternate name, regardless of this setting.
Cisco Unified Communications XMPP Federation Deployment Guide (1.4)
Page 11 of 59