Status

May 2020

Release note: ProCall Enterprise versions 6.x and 7.x

Best Practice

Best practice requires detailed IT expertise in network configuration and administration.

Set up a federation

Setting up a trusted network via federation can be done with ProCall Enterprise using the following methods:

  • Open federation (DNS)
  • Static routes

To set up a federation and create a trusted network via ProCall Enterprise, the UCServer must be reachable by, and its address known to, all communication partners.

The two configuration variants via open federation and static routes are described below.

After completing the configuration, permissions for publishing presence and contact details still need to be set up.

Open federation

DNS

If you are not setting up a point-to-point (P2P) connection but use "Open federation", a DNS configuration is necessary: a publicly resolvable service location (SRV) record pointing to the UCServer must be created in the public DNS zone of the presence domain. Conversely, you can check whether a partner domain publishes such an open federation record by querying its DNS zone with nslookup.

Certificate

A certificate is mandatory for encrypted communication.

  • For "Open federation", the certificate must be issued by a public certification authority so that it is trusted by other companies without further configuration.
  • If a "P2P federation" is used via static routes, private certificates (e.g. from an internal CA) are sufficient, because the issuing CA can be added as trusted on the partner side.

Installation of the UCServer

After downloading and unpacking the ProCall Enterprise ZIP archive, run the UCServer_xxx.msi file that matches the system architecture.

Do not install the software directly from within the packed ZIP archive (e.g. ProCall_Enterprise.X.XXXen.zip); unpack it first.

Configure presence domain in UCServer

Presence domain

The presence domain is an essential part of each user's identity and uniquely identifies them. It can therefore only be modified later to a limited extent.


UCServer Setup – Set presence domain

In UCServer Setup, follow the installation wizard and specify the presence domain.

Example: the identity Martin.Meier@ucsoftware.de has the presence domain ucsoftware.de.

Then complete the configuration. 

Configuration of incoming connection (SIP to a SIP server)

To configure federation, start the UCServer Administration and log in to the system.

Menu: UCServer Administration – SIP – Federation

Configure how the connection to other systems is to be established here:
To create an "Open federation", the "Direct" option and the "Use open federation..." option must be selected.

Note

If you do not enable "Use federation service" or "Use open federation" under the "Direct" option, you must have at least one static route configured to use federation. 

A restart of the UCServer may be required to apply the settings. 

Menu: UCServer Administration – Federation – SIP Server

Here, enable the network interfaces that are necessary to receive incoming SIP messages via the "Use SIP server..." checkbox.
Add a network interface to the "SIP Server". To do this, click the "Add..." button to open the corresponding configuration dialog.

Configuration of the network interface/selection of the own IP address

If the computer has multiple network interfaces, a list of the available ones is offered. For open federation, the selected IP address must be public (reachable from the internet).

Specify port number and protocol here:

  • Leave the port at its default of 5061; partners look this port up from the SRV record and expect it to be reachable.
  • For open federation, the MTLS protocol (Mutual Transport Layer Security) must be selected together with the corresponding certificate.

Confirm your entries for the new network interface with "OK" to add it to the list of network interfaces.

Finally, save the configuration by clicking the "Apply" button.

A restart of the UCServer service is required to apply the settings.

Connection security (transmission protocols)

Various transmission protocols can be selected to secure communication between the systems involved. MTLS (Mutual Transport Layer Security) is required for "Open federation".

MTLS

The MTLS protocol requires a DNS SRV record in addition to the certificate and is more secure than TLS (Transport Layer Security). Unlike TLS, which requires only one side to present the certificate, MTLS requires both sides (servers) to be able to present their certificate.

Certificate

If TLS or MTLS is selected, the certificate issued by a certification authority must have been set in the system beforehand. This can then be accessed via the "Certificate..." button or "Select certificate...".

Access to the SIP server

"Open federation" requires a service resource record in the public DNS (Domain Name System) so that partners can resolve the SIP server of your presence domain.

Setting up a DNS service resource record

A service resource record (SRV) must be entered in the public DNS to make the SIP server discoverable. Additional information can be provided for this service (priority, etc.).

Such a service resource record is entered as follows:

_sipfederationtls._tcp   Service Location (SRV)   [0] [1] [5061]   <Target host>

Properties of the Service Location (SRV) entry:

_sipfederationtls._tcp
    Name of the SIP service under which it is found in DNS. The record is created in the zone of the presence domain.
    Example: _sipfederationtls._tcp.ucsoftware.de
Service Location (SRV)
    Entry type.
[0]
    Service priority. Used to rank several similar entries; the UCServer prefers the entry with the lowest numeric value.
[1]
    Entry weighting. Among entries with the same priority, the UCServer prefers the highest numeric value.
[5061]
    Port number on which the service is provided.
<Target host>
    Host name of the computer providing the service, e.g. the estos UCServer. The target must be a host name that resolves via an A or AAAA record; an IP address is not permitted in an SRV record.

 
For information on how and where to set up service resource records on specific DNS servers, please refer to the documentation provided by the respective manufacturer. The SRV record type is specified in RFC 2782 (which superseded the earlier RFC 2052).
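To make the priority and weight rules above concrete, here is an added example (not part of the estos documentation or of ProCall itself) that parses zone-file style `_sipfederationtls._tcp` records, flags the mistakes a partner would trip over (wrong service name, an IP address or "." as target, non-default port) and selects the target a partner would contact according to RFC 2782. The zone lines and the host names uc1, uc2 and backup are constructed test data; only the presence domain ucsoftware.de is taken from this article.

```python
"""Parse _sipfederationtls._tcp SRV records and pick the target a partner would contact.

Added example for this article; the zone lines below are constructed test data and
the host names (uc1, uc2, backup) are assumptions. A live query on Windows is:
    nslookup -type=SRV _sipfederationtls._tcp.ucsoftware.de
"""
from __future__ import annotations

import ipaddress
import random
from dataclasses import dataclass

SERVICE = "_sipfederationtls._tcp"
DEFAULT_PORT = 5061


@dataclass(frozen=True)
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(line: str) -> SrvRecord:
    """Parse one zone-file style line: <name> <ttl> IN SRV <priority> <weight> <port> <target>."""
    fields = line.split()
    if len(fields) != 8 or fields[2:4] != ["IN", "SRV"]:
        raise ValueError(f"not an SRV record: {line!r}")
    name, _ttl, _cls, _rtype, prio, weight, port, target = fields
    return SrvRecord(name.rstrip(".").lower(), int(prio), int(weight), int(port),
                     target.rstrip(".").lower())


def check_federation_record(rec: SrvRecord, presence_domain: str) -> list[str]:
    """Return the problems a federation partner would run into with this record."""
    problems: list[str] = []
    expected = f"{SERVICE}.{presence_domain.lower().rstrip('.')}"
    if rec.name != expected:
        problems.append(f"record name {rec.name!r} is not {expected!r}")
    if rec.target == "":
        # RFC 2782: a target of "." advertises that the service is not offered at all.
        problems.append("target '.' announces that the service is not offered")
    else:
        try:
            ipaddress.ip_address(rec.target)
            problems.append("target must be a host name with an A/AAAA record, not an IP address")
        except ValueError:
            pass  # a host name, as required
    if rec.port != DEFAULT_PORT:
        problems.append(f"port {rec.port} differs from the default {DEFAULT_PORT}; "
                        "check that the partner side allows it")
    return problems


def rank_targets(records: list[SrvRecord]) -> list[SrvRecord]:
    """Deterministic contact order: lowest priority first, then highest weight."""
    return sorted(records, key=lambda r: (r.priority, -r.weight))


def choose_target(records: list[SrvRecord], rng: random.Random | None = None) -> SrvRecord | None:
    """RFC 2782 selection: only the lowest-priority group is eligible, and within it a
    target is picked with probability proportional to its weight."""
    if not records:
        return None
    rng = rng or random.Random()
    best = min(r.priority for r in records)
    group = [r for r in records if r.priority == best]
    total = sum(r.weight for r in group)
    if total == 0:  # all weights 0: nothing to weigh, pick uniformly
        return rng.choice(group)
    pick = rng.uniform(0, total)
    running = 0
    for rec in group:
        running += rec.weight
        if pick <= running:
            return rec
    return group[-1]


def sample_targets(records: list[SrvRecord], n: int, seed: int) -> dict[str, int]:
    """Count which target choose_target returns over n seeded draws (shows the weight effect)."""
    rng = random.Random(seed)
    counts: dict[str, int] = {}
    for _ in range(n):
        rec = choose_target(records, rng)
        counts[rec.target] = counts.get(rec.target, 0) + 1
    return counts


# Constructed example zone data (ucsoftware.de is the presence domain used in the article).
ZONE_LINES = [
    "_sipfederationtls._tcp.ucsoftware.de. 3600 IN SRV 0 3 5061 uc1.ucsoftware.de.",
    "_sipfederationtls._tcp.ucsoftware.de. 3600 IN SRV 0 1 5061 uc2.ucsoftware.de.",
    "_sipfederationtls._tcp.ucsoftware.de. 3600 IN SRV 10 1 5061 backup.ucsoftware.de.",
]
RECORDS = [parse_srv(line) for line in ZONE_LINES]

# A broken record (constructed): wrong service name and an IP address as target.
BROKEN = parse_srv("_sip._tcp.example.com. 3600 IN SRV 0 0 5061 192.0.2.10")


if __name__ == "__main__":
    for rec in rank_targets(RECORDS):
        print(f"{rec.priority:>3} {rec.weight:>3} {rec.target}:{rec.port}",
              check_federation_record(rec, "ucsoftware.de") or "ok")
    print("broken record:", check_federation_record(BROKEN, "example.com"))
    print("draws over 400 attempts:", sample_targets(RECORDS, 400, 42))
```

The backup host with priority 10 is never contacted while a priority-0 target exists; this is the behaviour to keep in mind when publishing several records, since a lower number means "try first", not "less important".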

See the article "Check DNS configuration for Open Federation" (listed under Further articles) for instructions on how to test the DNS record.

After that, please follow the instructions on publishing presence and contact details, rejecting federations and managing certificates.


Static routes

With static routes, a point-to-point federation is configured between the UCServers of two companies. The connection runs between the SIP servers built into the respective UCServers.

Certificate

A certificate is mandatory for encrypted communication. If a "point-to-point federation" is used via static routes, private certificates are sufficient because the issuing CA can then be added as trustworthy on the other side.

Note

When configuring "Static routes", make sure to also mark them as trusted ("classify as trusted").

Installation of the UCServer and configuration of the presence domain are carried out exactly as described above under "Open federation".

Configuration of incoming connection (SIP to a SIP server)

To establish a "Federation via static routes" with a partner, the SIP server included in the UCServer must be activated and configured. To do this, start the UCServer Administration and log on to the system.

Menu: UCServer Administration – SIP – SIP server setup

Here, enable the network interfaces that are necessary to receive incoming SIP messages via the "Use SIP server..." checkbox.
Add a network interface to the "SIP server". To do this, click on the "Add..." button to display the corresponding configuration dialog.

If the computer has multiple network interfaces, a list is offered when selecting your own IP address; alternatively, all available addresses can be used.

One entry is sufficient even for communication with several partners.
The port number should only be changed if there is a compelling reason (for example, because the port is already in use or otherwise unavailable).

Confirm your entries for the new network interface with "OK" to add it to the list of network interfaces.

Finally, save the configuration by clicking the "Apply" button.

A restart of the UCServer service is required to apply the settings. 

Connection security (transmission protocols)

Various transmission protocols can be selected to secure the communication between the systems involved.

TCP (Transmission Control Protocol)
    The default protocol. No certificate is required because the communication is unencrypted: anyone who knows the IP address and port can connect, and the peer is not authenticated. It is reliable and usable without further effort within a local area network (LAN), but not suitable for connections across the internet.
UDP (User Datagram Protocol)
    Intended for special cases only and not recommended because of its poor reliability, lack of security (no certificate, no encryption) and other limitations.
TLS (Transport Layer Security), formerly SSL (Secure Sockets Layer)
    Recommended for secure connections. A certificate is required. For connections via WAN (internet), the certificate must be trusted by the partner: either issued by a publicly trusted certification authority (Trusted Root Certification Authority, CA), or issued by a private CA that the partner has imported as trusted (see "Certificate" above).
MTLS (Mutual Transport Layer Security)
    Requires a DNS SRV record in addition to the certificate and is more secure than TLS. Unlike TLS, where only one side presents a certificate, MTLS requires both sides (servers) to present their certificate.


Certificates for TLS and MTLS

If TLS or MTLS is selected, the certificate issued by a certification authority must have been set in the system beforehand. This can then be accessed via the "Certificate..." button or "Select certificate...".

Configuration of outgoing connection (static routes)

For "Federation via static routes", the static routes to the partner in the trusted network are defined in addition to the SIP server, i.e. the return channel to the partner is defined. 

Menu: UCServer Administration – SIP – Static routes

Activate "Use static routes" in the configuration overview.
Add static routes for outgoing connections.

Here you have to specify the target systems you want to federate with. Click on the "Add..." button to add another static route to the list.

The configuration dialog for a static route has the following fields:

  • Domain name: the presence domain of the partner
  • Access server and port: address and port of the partner's SIP server
  • Activate route: enables the route


Connection security (transmission protocols)

To secure the communication between the systems involved, the same transmission protocols as mentioned above can be selected.

Note

  • The selected protocol must match the one configured by the federation partner.
  • The certificate must be the same one that is set for the SIP server.
  • If TLS is selected, no certificate is chosen for the route: as the connecting side, the UCServer only verifies the partner's certificate.

After that, please follow the Instructions on publishing presence and contact details, rejecting federations and managing certificates. 


Publication of presence and contact details

Once the configuration requirements have been met, the remaining step is to define which presence states and contact data are visible to external contacts.

Menu: UCServer Administration – Federation – Domain authorization

Here you can define the maximum presence and contact information that can be offered by UCServer users to external federation contacts on the basis of the authorization levels.

Global authorization level

Make sure that the "Global permission level" is enabled and not set to "Locked": with "Locked", all permission requests from other presence domains are rejected.

Keep the global level as restrictive as your requirements allow.

Individual users cannot exceed the globally defined level; a user cannot, for example, grant "Personal" to a federation contact if the administrator has not permitted that level.

Explicit authorization level

For particularly trusted contacts, exceptions can be defined under "Explicit permission levels". Click the "Add..." button to configure a new "Explicit permission level" and then add it to the list by clicking the "OK" button.
Domains inserted here override the global setting and can thus be individually set to the authorization levels "Public", "In-house", "Team member" or "Personal".

Reject federation/blacklist for specific domains

If no federation is desired with a certain institution, it can be administratively entered into the domain blacklist.

Menu: UCServer Administration – Federation – Lock domains

Here you can enter the domains that should explicitly not be included in a trusted network via federation. You can lock a domain via the "Add..." button.

To lock a domain including subdomains, put * in front of the domain name. Example: *.example.com
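The two sections above (domain authorization with global and explicit levels, and the lock list with its `*.example.com` wildcard) together form a small policy. The following added example (not ProCall code and not from the estos documentation) evaluates that policy for a requesting domain and checks whether a user's wish to publish a given level stays within the administrator's cap. The policy data is constructed; the evaluation order (lock list first, then explicit level, then global level) and case-insensitive matching are assumptions.

```python
"""Work out the presence/contact level a local user may grant to an external federation domain.

Added example for this article, not part of ProCall or the estos documentation.
The policy below is constructed; the evaluation order (lock list, then explicit
level, then global level) and case-insensitive matching are assumptions.
"""
from __future__ import annotations

# Levels as named in UCServer Administration, from least to most disclosure.
LEVELS = ["Locked", "Public", "In-house", "Team member", "Personal"]


def _norm(domain: str) -> str:
    return domain.strip().lower().rstrip(".")


def is_locked(domain: str, locked_patterns: list[str]) -> bool:
    """Lock-list semantics from the article: '*.example.com' locks example.com and all
    of its subdomains; any other entry must match the domain exactly."""
    domain = _norm(domain)
    for pattern in locked_patterns:
        pattern = _norm(pattern)
        if pattern.startswith("*."):
            base = pattern[2:]
            if domain == base or domain.endswith("." + base):
                return True
        elif domain == pattern:
            return True
    return False


def effective_level(domain: str, global_level: str, explicit: dict[str, str],
                    locked: list[str]) -> str:
    """Highest level a local user may offer to contacts of `domain`."""
    for lvl in [global_level, *explicit.values()]:
        if lvl not in LEVELS:
            raise ValueError(f"unknown permission level {lvl!r}")
    if is_locked(domain, locked):
        return "Locked"                        # lock list wins over everything else (assumed)
    explicit_norm = {_norm(d): lvl for d, lvl in explicit.items()}   # exact domains only
    if _norm(domain) in explicit_norm:
        return explicit_norm[_norm(domain)]    # explicit entry overrides the global level
    return global_level


def grant_allowed(domain: str, requested: str, global_level: str,
                  explicit: dict[str, str], locked: list[str]) -> bool:
    """True if a user's wish to show `requested` to `domain` stays within the admin cap."""
    if requested not in LEVELS:
        raise ValueError(f"unknown permission level {requested!r}")
    cap = effective_level(domain, global_level, explicit, locked)
    if cap == "Locked":
        return False
    return LEVELS.index(requested) <= LEVELS.index(cap)


# Constructed policy: restrictive default, one trusted partner, two blocked domains.
GLOBAL_LEVEL = "Public"
EXPLICIT = {"partner.example.com": "Team member"}
LOCKED = ["*.spam.example", "competitor.example.net"]


if __name__ == "__main__":
    for domain, wanted in [("partner.example.com", "Team member"),
                           ("partner.example.com", "Personal"),
                           ("mail.spam.example", "Public"),
                           ("other.example.org", "In-house")]:
        cap = effective_level(domain, GLOBAL_LEVEL, EXPLICIT, LOCKED)
        ok = grant_allowed(domain, wanted, GLOBAL_LEVEL, EXPLICIT, LOCKED)
        print(f"{domain:<22} cap={cap:<12} request {wanted:<12} -> {'allowed' if ok else 'denied'}")
```

Note that with a global level of "Locked" an explicit entry still lets the named partner through, which is the "override" behaviour the article describes; if you want a domain blocked regardless of explicit entries, it belongs in the lock list.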

Client installation

The identity of the user with general user information is important for using the federation. The identity allows other participants to exchange presence information and chat messages with this user. Presence and user information can be set via permission levels in the favorites and in the monitor.

Normally, this identity is specified by the UC Administrator via the system.

If users can enter this themselves in the ProCall workstation settings, note that it must be entered in lower case and must not contain special characters or umlauts.


Users can grant contacts from federated domains access to their presence and messaging, or send an authorization request, as follows:

  • Add contact
  • Search for a contact and apply
  • Drag-and-drop a contact from Microsoft Outlook or business card (VCF) with IM address.

After the contact has been added, the partner receives an authorization request; how it is displayed depends on whether the speech bubble for authorization requests is enabled or disabled.
Once the partner confirms the request, the contact appears with its presence in the user's own favorites.

Certificates in Windows operating systems

Manage certificates

How to manage certificates for a computer:

1. Log on to the system as an administrator.
2. Click "Start" and then "Run", type mmc, and then click "OK".
3. Click "Add/Remove Snap-in" in the "File" menu, and then click "Add".
4. Double-click "Certificates" under "Snap-In", then click "Computer Account", and then click "Next".
5. Perform one of the following actions:

  • To manage certificates for the local computer, click "Local Computer" and then "Finish".
  • To manage certificates for a remote computer, click "Other computer", type the computer name or select it by clicking "Browse", and then click "Finish".

6. Click on "Close".
7. The "Certificates (computer name)" entry is displayed in the list of selected snap-ins for the new console.
8. If you do not want to add any more snap-ins to the console, click "OK".
9. To save this console, click on "Save" in the "File" menu.

Import a certificate

Certificates should be imported into the computer store from a file via the Certificates snap-in, and not simply moved over from a user's personal store. This is especially important for computers that do not belong to a domain.

Diagnosis

After setting up the federation via Open Federation or Static Routes, you can run diagnostics in the UCServer Administration in the Federation – Diagnostics item.

The diagnostics reveal errors in the setup (certificates, DNS entries, etc.).

Further articles

Comparison between ProCall DataCenter/Enterprise

Check DNS configuration for Open Federation