
Configuring XMPP Connectivity to Gmail

Important edit, October 7: the original post stated Windows 2008 R2. This is incorrect; we do not support that version at this time. The correct version should be Windows 2003 or Windows 2008.

Check out the following figure. That's no illusion: it's an Office Communicator user communicating with a Gmail user.

If you can't wait to try this, you have come to the right place. Before you start, ensure that the following requirements are met:

  1. Your organization has a properly configured Office Communications Server 2007 R2 environment.
  2. There is a properly configured Edge Server in your Office Communications Server environment.
  3. You have permissions to request a server certificate from a public or private CA.
  4. You have permissions to create DNS SRV and A records on the Internet.
  5. There is a server that is running Windows Server 2008 on which to install the XMPP Gateway in your network perimeter.

The rest of this article assumes that you have an environment running Office Communications Server 2007 R2 complete with an Edge Server (see requirements 1 and 2 in the previous list) that is configured to allow internal users to federate with external domains. You will have to request a certificate for your XMPP Gateway (requirement 3). For Gmail to locate your XMPP Gateway, you will have to create SRV and A records on your public facing DNS (requirement 4). To install the XMPP Gateway, you must have a separate server running Windows Server 2008 (requirement 5).

Figure 1 illustrates the topology of the configuration that you will be setting up. Because the XMPP Gateway connects directly to your Edge Server and the Gmail gateways on the Internet, it should be deployed in the network perimeter. Let's get started!

Figure 1   XMPP Topology

Configure Firewall Rules

To allow the Gmail gateway to communicate with your XMPP Gateway, you must open port 5269 on your external firewall and map incoming and outgoing TCP traffic on that port to your XMPP Gateway FQDN or IP address. Gmail uses port 5269. If you do not configure your firewall to allow incoming traffic on port 5269 to your XMPP Gateway, Gmail users will not be able to send instant messages to Office Communicator users.

Configure XMPP Gateway

Because your XMPP Gateway connects directly to your Edge Server and your Edge Server is located in your network perimeter, your XMPP Gateway also must be located in the network perimeter. It must be accessible to the Gmail gateway. This placement of your XMPP Gateway means that you will have to be mindful of the security implications and take appropriate action to secure your XMPP Gateway.

To configure the XMPP Gateway, do the following:

  1. Set up a server that is running Windows Server 2008. Ensure that the latest security updates are installed. This computer will be referred to as the XMPP Gateway.
  2. Install Office Communications Server 2007 R2 XMPP Gateway software.
  3. Define the FQDNs to the XMPP Gateway.
  4. Configure the domain name on the XMPP Gateway.
  5. Request and install a server certificate in the computer's Personal store for the XMPP Gateway.
  6. Create SRV record and A records for the XMPP Gateway on your public facing DNS server.
  7. Configure the XMPP Gateway.

Step 1: Set Up a Server that Is Running Windows Server 2008

Microsoft requires that the XMPP Gateway be installed on a separate server. Unless you use a separate Active Directory in your network perimeter to manage the servers in your network perimeter, configure this Windows server in a stand-alone workgroup. Under no circumstance should this server be joined to your internal Active Directory domain.

Because this Windows server is in your network perimeter, ensure it is hardened against attack. Reduce the attack surface area by turning off unnecessary services and allowing incoming traffic to the XMPP Gateway only on ports 5061 (used by the Edge Server) and 5269 (used by the Gmail gateways).

Step 2: Install Office Communications Server 2007 R2 XMPP Gateway Software

This article does not cover the installation process in detail because this process is very simple. However, the following are two things to keep in mind:

  • First, your XMPP Gateway needs only a single network interface (NIC). When I think of a gateway, two NICs automatically come to mind. I had originally configured my Windows server to have two network interfaces, but it is not necessary. You can keep things less complicated by using a single NIC.
  • Second, after you complete the installation wizard, make sure that you specify the IP address of your network interface in the following file:

"%ProgramFiles%\Microsoft Office Communications Server 2007 R2\XMPP Gateway\TGWConsoleGUI.dll.config"

This is the configuration file used by the XMPP Gateway service. Because Setup does not prompt for this information during installation, it can be easily overlooked. The example shows the contents of the config file. Assuming your XMPP Gateway uses a single network interface, specify the server's IP address as the value for the SipIP and XmppIP fields.

<?xml version="1.0" standalone="yes"?>
<configuration>
  <appSettings>
    <add key="cultureName" value="en-US"/>
    <add key="SipIP" value="XXX.XXX.XXX.XXX"/>
    <add key="XmppIP" value="XXX.XXX.XXX.XXX"/>
  </appSettings>
</configuration>

In our example, the XMPP Gateway's IP address is 192.168.1.20, so that value replaces the XXX.XXX.XXX.XXX placeholders in both the SipIP and XmppIP fields.
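Because Setup leaves the XXX.XXX.XXX.XXX placeholders in place and never prompts for them, a quick check of the file before starting the service saves a confusing failure later. The following script is an added example, not part of the original post or of the XMPP Gateway product: it parses the appSettings section, reports placeholders or addresses that do not match the gateway's NIC, and can write the correct address into both fields. The sample config text and the address 192.168.1.20 are taken from the article's example; the function names are this example's own.

```python
# Added example (not from the original post): sanity-check the SipIP / XmppIP
# values in TGWConsoleGUI.dll.config before starting the XMPP Gateway service.
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of the config file as Setup leaves it (placeholders not yet replaced).
SAMPLE_CONFIG = """<?xml version="1.0" standalone="yes"?>
<configuration>
  <appSettings>
    <add key="cultureName" value="en-US"/>
    <add key="SipIP" value="XXX.XXX.XXX.XXX"/>
    <add key="XmppIP" value="XXX.XXX.XXX.XXX"/>
  </appSettings>
</configuration>
"""


def read_app_settings(xml_text):
    """Return the <appSettings> key/value pairs as a dict."""
    root = ET.fromstring(xml_text)
    return {add.get("key"): add.get("value") for add in root.findall("./appSettings/add")}


def check_gateway_ips(xml_text, expected_ip):
    """Return a list of problems; an empty list means both IP settings are usable.

    expected_ip is the address bound to the gateway's single NIC (assumed to be
    known to the administrator, e.g. from ipconfig on the gateway).
    """
    settings = read_app_settings(xml_text)
    problems = []
    for key in ("SipIP", "XmppIP"):
        value = settings.get(key)
        if value is None:
            problems.append(f"{key}: missing from appSettings")
            continue
        try:
            addr = ipaddress.IPv4Address(value)
        except ipaddress.AddressValueError:
            # The untouched placeholder lands here.
            problems.append(f"{key}: '{value}' is not an IPv4 address (placeholder left in place?)")
            continue
        if str(addr) != expected_ip:
            problems.append(f"{key}: {addr} does not match the NIC address {expected_ip}")
    return problems


def set_gateway_ips(xml_text, ip):
    """Return the config with SipIP and XmppIP both set to ip (single-NIC layout).

    ET.tostring does not re-emit the <?xml ...?> declaration; prepend the
    original first line when writing the result back to disk.
    """
    ipaddress.IPv4Address(ip)  # reject a bad address before touching the file
    root = ET.fromstring(xml_text)
    for add in root.findall("./appSettings/add"):
        if add.get("key") in ("SipIP", "XmppIP"):
            add.set("value", ip)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(check_gateway_ips(SAMPLE_CONFIG, "192.168.1.20"))
    fixed = set_gateway_ips(SAMPLE_CONFIG, "192.168.1.20")
    print(check_gateway_ips(fixed, "192.168.1.20"))
```

Run it against the real file by reading `%ProgramFiles%\Microsoft Office Communications Server 2007 R2\XMPP Gateway\TGWConsoleGUI.dll.config` into `xml_text` and passing the address shown by ipconfig as `expected_ip`; two reported problems mean the placeholders were never replaced.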

Step 3: Define the FQDNs to the XMPP Gateway

Define the FQDNs for the XMPP Gateway. I recommend using two FQDNs. One of the FQDNs is internal and is used by your Edge Server to connect to your XMPP Gateway. This internal FQDN is not exposed to the Internet and maps to the actual IP address of the XMPP Gateway. This FQDN is used by the Edge Server to validate the XMPP Gateway's server certificate when establishing an MTLS connection. In this example, the internal FQDN is called srv_xmpp.litwareinc.com.

The other FQDN is for external use by the Gmail gateways to locate your XMPP Gateway. This external FQDN is exposed to the Internet and maps to your firewall's public IP address, which you have configured to route TCP traffic for port 5269 to your XMPP Gateway. This external FQDN is called xmpp.litwareinc.com in our example.

You might be wondering why not use a single FQDN instead of two. You can: if you use a single FQDN, it must be the public FQDN. In that configuration the Edge Server connects to your XMPP Gateway through the public FQDN, so the traffic between your Edge Server and XMPP Gateway crosses your external firewall. If your firewall does not allow loopbacks, that connection will fail.

Step 4: Configure the Domain Name on the XMPP Gateway

After you define an FQDN for your XMPP Gateway, you must configure the domain name portion of this FQDN on your XMPP Gateway. (This assumes that the server running the XMPP Gateway is configured in a stand-alone workgroup.)

In our example, the internal FQDN of the XMPP Gateway is srv_xmpp.litwareinc.com. The domain name portion of this FQDN is litwareinc.com. You must configure this value in the Primary DNS suffix of this computer field of the XMPP Gateway.

To do this:

  1. Click Start, right-click Computer, and then click Properties.
  2. Under Computer name, domain, and workgroup settings, click Change settings.
  3. On the Computer name tab, click Change.
  4. In the Computer Name/Domain Changes dialog box, click More as shown in Figure 2.
  5. In the Primary DNS suffix of this computer field, enter the domain name.

Figure 2   Configuring computer's DNS suffix

Step 5: Request and Install a Server Certificate in the Computer's Personal Store for the XMPP Gateway

Your XMPP Gateway requires a server certificate to communicate with your Edge Server. This certificate with its corresponding private key must be installed in the local computer's Personal store.

Without a certificate, authentication will fail and the MTLS connection will be refused. This is a frequent source of frustration and has several possible causes, such as an untrusted root CA or a mismatch between the XMPP Gateway's FQDN and the certificate's CN in the Subject Name field. If you run into issues, use the ocslogger.exe tool to help you troubleshoot. It's a great tool. If you run into problems, let us know and we'll produce an article on this topic.

Everyone has their favorite way of requesting certificates, so I will not cover all the ways this can be done. However, there are two things to keep in mind: First, make sure the Common Name (CN) of the certificate is identical to the internal FQDN that is assigned to the XMPP Gateway. Second, use a key length of at least 2048 bits. For more information, a great resource about certificates for Office Communications Server is the Microsoft Office Communications Server 2007 R2 Documentation: OCS Deploying Certificates.

If your sole purpose for setting up an XMPP Gateway is to connect to Gmail, this certificate will be used only to authenticate to your Edge Server. In this case, you can use a certificate from your private CA. Make sure that your XMPP Gateway trusts the root of your Edge Server's certificate and vice versa.

Step 6: Create SRV and A records for the XMPP Gateway on Your Public Facing DNS Server

For this step, you must publish the external FQDN of your XMPP Gateway so that the Gmail gateways can locate your XMPP Gateway. Remember your XMPP Gateway's external FQDN should be mapped to your external firewall's IP address unless you expose your XMPP Gateway directly on the Internet (not recommended). In our example, the external firewall's IP address is 207.46.197.32.

After you name your XMPP Gateway's external FQDN (we picked xmpp.litwareinc.com for our example), you must create an A record in your public DNS to map this FQDN, <server name>.<domain>.com, to your external IP address. In our example, xmpp.litwareinc.com maps to 207.46.197.32.

In addition to creating this A record, you must create an SRV record in the following form:

_xmpp-server._tcp.<domain>.com

This is the service record locator that is used by Gmail gateways to discover the external FQDN of your XMPP Gateway. Figure 3 shows how to create this SRV record for Litware Inc.

Note   The protocol must be set to _tcp, and the port number must be set to 5269. The domain name of both the A record and the SRV record must match your SIP domain.

If you own your own domain names and use godaddy.com, you might recognize Figure 3. The at sign (@) translates to your domain name. This is litwareinc.com in our example.

Figure 3   DNS SRV record for XMPP Gateway
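The rules in this step (the SRV name is `_xmpp-server._tcp.` followed by the SIP domain, the port is 5269, and the target host must have an A record on the public address) are easy to get slightly wrong in a registrar's web form. The script below is an added example, not part of the original post: it parses a small zone-file-style record set and checks those rules for each SIP domain. It goes beyond the article's single domain by handling several SIP domains at once, each of which needs its own SRV record. The litwareinc.com records and the address 207.46.197.32 follow the article's example; the contoso.test and fabrikam.test records are constructed to show two typical mistakes, and the function names are this example's own.

```python
# Added example (not from the original post): validate the public DNS records that
# let the Gmail gateways discover an XMPP Gateway, one SIP domain at a time.
import ipaddress

XMPP_S2S_PORT = 5269  # server-to-server port Gmail dials; 5222 is client-to-server

# Constructed zone-file-style records. litwareinc.com follows the article's example;
# the two other domains are constructed to show common mistakes.
SAMPLE_RECORDS = """
xmpp.litwareinc.com.                 IN A   207.46.197.32
_xmpp-server._tcp.litwareinc.com.    IN SRV 0 0 5269 xmpp.litwareinc.com.
; wrong port: the client port was entered instead of the server-to-server port
_xmpp-server._tcp.contoso.test.      IN SRV 0 0 5222 xmpp.contoso.test.
xmpp.contoso.test.                   IN A   203.0.113.10
; SRV published, but the target host never got an A record
_xmpp-server._tcp.fabrikam.test.     IN SRV 0 0 5269 xmpp.fabrikam.test.
"""


def parse_records(text):
    """Parse the minimal zone-file subset above into (name, type, data) tuples."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        name, rtype, data = fields[0].rstrip(".").lower(), fields[2].upper(), fields[3:]
        if rtype == "A":
            records.append((name, "A", ipaddress.IPv4Address(data[0])))
        elif rtype == "SRV":
            _priority, _weight, port, target = data
            records.append((name, "SRV", (int(port), target.rstrip(".").lower())))
    return records


def check_xmpp_srv(records, sip_domain, public_ip):
    """Return a list of problems for one SIP domain; empty means Gmail can find the gateway."""
    sip_domain = sip_domain.lower()
    srv_name = f"_xmpp-server._tcp.{sip_domain}"
    srvs = [data for name, rtype, data in records if rtype == "SRV" and name == srv_name]
    if not srvs:
        return [f"no SRV record named {srv_name}"]
    problems = []
    for port, target in srvs:
        if port != XMPP_S2S_PORT:
            problems.append(f"{srv_name}: port {port}, expected {XMPP_S2S_PORT}")
        target_addrs = [data for name, rtype, data in records if rtype == "A" and name == target]
        if not target_addrs:
            problems.append(f"{srv_name}: target {target} has no A record")
        elif ipaddress.IPv4Address(public_ip) not in target_addrs:
            problems.append(f"{srv_name}: target {target} does not resolve to {public_ip}")
        # Article rule: the A record's domain must match the SIP domain as well.
        if not target.endswith("." + sip_domain):
            problems.append(f"{srv_name}: target {target} is outside {sip_domain}")
    return problems


if __name__ == "__main__":
    records = parse_records(SAMPLE_RECORDS)
    for domain, ip in (("litwareinc.com", "207.46.197.32"),
                       ("contoso.test", "203.0.113.10"),
                       ("fabrikam.test", "198.51.100.5")):
        print(domain, check_xmpp_srv(records, domain, ip) or "OK")
```

To check live records instead of the constructed set, query `_xmpp-server._tcp.<sipdomain>` with nslookup (`set type=SRV`) from outside your network, paste the answer in the same format, and run the check; the external firewall's public address is the `public_ip` argument.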

Step 7: Configure the XMPP Gateway

The final step is to configure your XMPP Gateway to connect to your Edge Server and Gmail gateways. On the XMPP Gateway, under Administrative tools, open the Office Communications Server 2007 R2 XMPP Gateway console.

Select the SIP Configuration node (Figure 4). Configure the connection to the Edge Server first by doing the following:

  1. On the Domain tab, specify your domain name in the Domain field. For our example, this is litwareinc.com.
  2. Specify the FQDN of your Edge Server in the Host Name field. In our example, the Edge Server's external FQDN is srv.litwareinc.com. See Figure 4.

Figure 4   SIP Configuration of XMPP Gateway

For the Edge Server to trust your XMPP Gateway, you must configure the certificate that you requested in step 5. To do this:

  1. In the Office Communications Server 2007 R2 XMPP Gateway console, click the TLS Certificate tab (Figure 5).
  2. Click Select Certificate, and then select the certificate that you requested in step 5. If you are unable to find it, you installed the certificate in the wrong certificate store.

Note   The certificate's common name must match the XMPP Gateway's FQDN as shown in Figure 5.

Figure 5 TLS Certificate Configuration of XMPP Gateway

  3. After you finish the SIP configuration, click the Validate Connection tab to validate your configuration to the Edge Server.

Next, configure the connection to the Gmail gateways by doing the following:

  1. In the left pane, click the XMPP Configuration node (Figure 6).
  2. On the Allow List tab, click Add.
  3. In the Federated XMPP Domain names dialog box, in the Domain Name field, enter gmail.com, and then select TCP Dialback (required) as shown in Figure 6. Click OK.

Figure 6   XMPP Configuration of XMPP Gateway

Because Gmail does not use any authentication or encryption (TLS), no certificate is required to be configured in the TLS Certificate tab. To validate your configuration, click the Validate Connection tab.

Configure the Edge Server

The configuration on the Edge Server is very simple. You just have to add an entry in the Allow list of the Edge Server by doing the following:

  1. In the Computer Management console, right-click the Edge Server node, and then click Properties (Figure 7).

Figure 7   Edge Server Configuration

  2. On the Allow tab, click Add, and then make the entry to the Allow list.

When you add a new federated partner to the Allow list, the Federated partner domain name must be set to gmail.com, and the Federated partner Access Edge Server field must be set to the internal FQDN of your XMPP Gateway. This instructs your Edge Server to route messages for the domain name, gmail.com, to your XMPP Gateway. Because you do not own the domain name, gmail.com, you must specify the next hop to direct traffic for gmail.com to your XMPP Gateway. The internal FQDN of the XMPP Gateway maps to the private IP address of your XMPP Gateway instead of its public address. If you specify the public FQDN of your XMPP Gateway, your Edge Server will connect to your XMPP Gateway through your external firewall.

If you host a DNS server in your network perimeter, you should create an A record to map the FQDN of your XMPP Gateway to the private IP address of your gateway. If you do not have a private DNS server in your network perimeter, you will have to add an entry in the local hosts file of your Edge Server. Editing the hosts file requires local administrator permissions. The file is located at %windir%\system32\drivers\etc\hosts. Use your favorite editor to add the following entry at the end of the file:

<private IP address of XMPP Gateway> <internal FQDN of XMPP Gateway>

In our example, this maps to the following entry:

192.168.1.20 srv_xmpp.litwareinc.com
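A wrong hosts entry here fails quietly: if the internal FQDN ends up on the public address, the Edge Server's MTLS connection goes out through the external firewall, which is exactly the loopback case described in Step 3. The script below is an added example, not part of the original post: it parses a Windows-style hosts file (comments, tabs, several names per line) and confirms that the gateway's internal FQDN maps to the expected private address. The names and addresses are the article's example values; the function names are this example's own.

```python
# Added example (not from the original post): check the Edge Server's hosts file
# entry for the XMPP Gateway before trusting the Validate Connection result.
import ipaddress

# Constructed hosts file content in the Windows format.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
192.168.1.20\tsrv_xmpp.litwareinc.com   # XMPP Gateway, perimeter address
"""


def parse_hosts(text):
    """Return {hostname: address} for every name in the hosts file (last entry wins)."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # skip lines that do not start with an address
        for name in names:
            mapping[name.lower()] = addr
    return mapping


def check_edge_hosts_entry(text, internal_fqdn, private_ip):
    """Return a list of problems with the Edge Server's mapping for the XMPP Gateway."""
    mapping = parse_hosts(text)
    name = internal_fqdn.lower()
    if name not in mapping:
        return [f"{internal_fqdn} not in hosts file; name resolution will go to DNS"]
    addr = mapping[name]
    problems = []
    if str(addr) != private_ip:
        problems.append(f"{internal_fqdn} maps to {addr}, expected {private_ip}")
    if not addr.is_private:
        problems.append(f"{addr} is a public address: Edge-to-gateway traffic would cross the external firewall")
    return problems


def hosts_line(private_ip, internal_fqdn):
    """Build the entry to append, in the form the article gives."""
    ipaddress.IPv4Address(private_ip)  # reject a malformed address early
    return f"{private_ip} {internal_fqdn}"


if __name__ == "__main__":
    print(check_edge_hosts_entry(SAMPLE_HOSTS, "srv_xmpp.litwareinc.com", "192.168.1.20") or "OK")
    print(hosts_line("192.168.1.20", "srv_xmpp.litwareinc.com"))
```

On the Edge Server, read `%windir%\system32\drivers\etc\hosts` into `text` and pass the internal FQDN and private address you chose in Step 3; the `is_private` check flags the case where the public FQDN's address was pasted by mistake.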

Adding Gmail Contacts

The last step is for users to add Gmail users to their contact list in Office Communicator. Ensure that the Office Communicator users are configured for Federation (Figure 8); otherwise, Office Communicator users will not be able to communicate with external users.

Figure 8   User Configuration for Federation

Conclusion

Configuring your XMPP Gateway to connect to Gmail is pretty painless when you know what to do (of course). Hopefully, this article helped you get on the fast track to making this happen. I did not cover how to request the certificate for the XMPP Gateway in detail or how to troubleshoot connectivity issues. If you experience difficulties and would like help, leave DrRez a request on twitter.com.

Rui Maximo

Published Thursday, October 01, 2009 2:59 PM by ocsteam

Comments

 

eswindelles said:

I spent all of the morning getting our OCS domain federated with Gmail, before this blog posting went live.  Go figure!  This is better and more clear than the documentation that was on the download.microsoft.com page for the gateway.
October 2, 2009 8:06 PM
 

Alvin Chen said:

"5.There is a server that is running Windows Server 2008 R2 "

But from the looks of the Start Menu in Figure 2, the server you have in your example is Windows Server 2008, not Windows Server 2008 R2.

Could you clarify?
October 3, 2009 12:32 PM
 

casper_ru said:

As usual, a problem with non-ASCII symbols: when talking with Gmail contacts we get ?????. Any ideas how to fix it?
October 5, 2009 6:30 AM
 

eswindelles said:

Can you detail the process for requesting a TLS certificate from an AD certificate authority from a computer that is not a domain member?  I ended up joining the domain for my XMPP server because of this...
October 5, 2009 9:16 AM
 

cm103 said:

Very nice writeup. I've been waiting for this ever since we implemented R2 in our org in the first quarter of this year.

I work for an educational institution that outsources student mail to Gmail. The domain suffix is the same for both our fac/staff accounts hosted internally and the student accounts hosted on Gmail. Are there any special considerations when federating under this situation?
October 5, 2009 9:46 PM
 

snagovskyi said:

Yep, the integration process is quite straightforward, but the issue with non-ASCII characters disappoints me. Is there any workaround?
October 6, 2009 9:00 AM
 

jasonagutierrez said:

Clear documentation, and though I've followed all the steps - it still doesn't appear to work. I'm using the one NIC card scenario doing loopback through the external FW. I have connectivity, google servers validate, certificates in order and nothing. Will try again, but other than the manual config gotcha, anything else I should be aware of?
October 16, 2009 4:08 PM
 

jasonagutierrez said:

Update to my previous comment:

I got my gateway to work. Few things I needed to understand to make this clear.
Step 6 above, the SRV record: _xmpp-server._tcp.<domain>.com is better understood as _xmpp-server._tcp.<yoursipdomain>. The <domain> is not the server's domain, but specifically the SIP domain you are answering for. We have several SIP domains in our organization. Each one needs to have its own record, so that when Google tries to communicate with user@school.edu, it gets the proper route.

Step 7 above, the SIP configuration domain name must match the SIP domain that you registered in Step 6. If you have user@school.edu and user@college.edu, then you will need to register SRV records for each, and configure SIP domain names in the wizard for both (one at a time of course).

After this was done, I got immediate connectivity.
October 19, 2009 4:29 PM
 

banthorpe said:

Having some trouble getting this working at present. In my setup my access edge has a public IP and a private IP (not NAT'd). This is what I have:

Edge:
       sip.voicelab.org.uk 213.123.57.134 (ext)
       ocsedge.voicelab.org.uk  10.1.1.20 (int)

XMPP:
      xmpp.voicelab.org.uk  213.123.57.140 (ext)
      ocsxmpp.voicelab.org.uk 10.1.1.21 (int)

_xmpp-server.voicelab.org.uk public SRV record resolves to xmpp.voicelab.org.uk (213.123.57.140)

On the SIP domain tab in the XMPP configuration window I tell it to connect to the edge on its internal IP (10.1.1.20) - this verifies OK.

The Edge is told to connect to XMPP on its internal IP (10.1.1.21) - TLS connections are fine.

However, when I add an OCS contact to Gtalk it tries to send the invite then I get errors in the XMPP logs on my server stating at the end:

received unrecognized content from NULL:<db:result to="voicelab.org.uk" from="googlemail.com">CAESBxDqk4PexyQaEAegNPCcQL1GUVcIx7HfIXo=</db:result>

Outbound IMs from OCS to GTalk result in XMPP negotiation with GTalk (successful dialback negotiation etc.) but alas no IM gets transferred (lots of negotiation between my XMPP and GTalk - won't post the logs here, too long! - but I get things like Call Leg/Transaction does not exist etc.)


Can you verify my config as it was not clear in your outline above whether you were using public IPs on your Edge or private NAT'd IPs?

October 22, 2009 9:46 AM
 

reuben said:

Hi. The gateway only seems to work explicitly for "gmail.com", not googlemail.com or other Google Apps domains. Is this correct?

Also, when will ejabberd and the United Internet brands be supported?

Thank you.
October 23, 2009 5:21 AM
 

Anatoly said:

Worked beautifully, thank you!
November 17, 2009 12:38 PM
 

Deepali said:

Hey,
Does Office Communications Server 2007 R2 XMPP Gateway have APIs that can be used to retrieve presence information? I want to write a separate application that acts as a "watcher" using the API to get presence information for users. Is that possible with XMPP Gateway?

Thanks,
Deepali
January 5, 2010 7:17 PM