CUPS 8.6 - Supporting Multiple SIP Domains on a per-user basis

Working on a CUPS 8.6 PoC with a customer who currently is running a deployed OCS environment. 
Users all sign into a single domain internally but have multiple SMTP domains for email as this customer has many different companies they have acquired.
OCS is able to support and route multiple SIP domains by specifying the SIP address under AD User settings such that two users both signed into the same OCS server can send IMs to each other even though they have different SIP addresses: sip:[email protected], sip:[email protected]
CUPS on the other hand does not seem to allow this on a per-user basis.  It places every user in the sip domain that the server is a member of.
The Jabber client allows you to specify a domain but I am not sure how this is used, as the actual user account in CUPS is only ever the one domain and if you try to specify a different domain in the Jabber Connection Settings, it will not allow you to log in.
It is not a big deal for internal communications if everyone is on the same domain, but where it is important is for future B2B IM.  Users need to be able to give out THEIR IM address with THEIR respective domain.
Does anyone else know for a fact that I will only be able to have one domain per CUP cluster?
Any thoughts on this design?

Not sure on the design perspective but as for CUPS Domain, we can only have single domain per cluster. As you have already found out that for any user licensed for CUPS, their IM address would be userid@CUPSDomain
CUPS does have functionality of federating with foreign domains such as AOL/GoogleTalk/WebEx Connect.

Similar Messages

  • Lync 2013 certificate requirements for multiple SIP domains

    Hi All,
    I am engaged with a client in respect of a Lync 2013 implementation initially as a conferencing platform with a view to enabling EV functions (inc. PSTN conferencing) in the future. They initially need to support 30 SIP domains and eventually
    around 100 SIP domains which is proving to be either not possible or severely cost prohibitive. Their current certificate provider, Thawte, can only support up to 25 SANs and have quoted them 5 figures. We tend to use GeoTrust as they are cheaper but they
    appear to have a limit of 25 SANs. GoDaddy appear to support up to 100 SANs for a pretty reasonable cost. My questions are as follows:
    1. Is there a way that I’m missing of reducing the number of SANs required on the Edge server?
       - Use aliases for access edge FQDNs - Supported by desktop client but not by other devices so not really workable
       - Don’t support XMPP federation therefore removing the need for domain name FQDNs for each SIP domain
    2. Is there a way that I’m missing of reducing the number of SANs required on the Reverse Proxy server?
       - Friendly URL option 3 from this page: http://technet.microsoft.com/en-us/library/gg398287.aspx
       - Client auto-configuration:
         i. Don’t support mobile client auto-configuration in which case no lyncdiscover.sipdomain1.com DNS records or SANs would be required.
         ii. Support mobile client auto-configuration over HTTP only in which case CNAME records are required for each SIP domain (lyncdiscover.sipdomain1.com, etc. pointing to lyncdiscover.designateddomain.com) but no SANs are required.
         iii. Support mobile client auto-configuration over HTTPS in which case DNS records are required for each SIP domain and a SAN entry for each SIP domains is also required. This is because a DNS CNAME to another domain is not supported over HTTPS.
    3. If the answer to 1 and/or 2 is no, are there certificate providers that support over 100 SANs?
    4. How do certificate requirements differ when using the Lync 2013 hosting pack? I would think that this issue is something that a hosting provider would need to overcome.
    5. Would the Lync 2013 Hosting Pack work for this customer? The customer uses SPLA licensing so I think is eligible to use the hosting pack but not 100% sure it will work in their environment given that client connections are supposed to all come through the Edge where their tenants will be internal and also given the requirement for an ACP for PSTN conferencing.
    Many thanks,

    Many thanks for the response.
    I was already planning to use option 3 from the below page for simple URLs to cut down on SAN requirement.
    http://technet.microsoft.com/en-us/library/gg398287.aspx
    What are the security concerns for publishing autodiscover over port 80? I.e. Is this only used for the initial download of the discovery record and then HTTPS is used for authentication? This seems to be the case from the following note on the below page:
    http://technet.microsoft.com/en-gb/library/hh690030.aspx
    Mobile device clients do not support multiple Secure Sockets Layer (SSL) certificates from different domains. Therefore, CNAME redirection to different domains is not supported over HTTPS. For example, a DNS CNAME record for lyncdiscover.contoso.com that redirects
    to an address of director.contoso.net is not supported over HTTPS.
    In such a topology, a mobile device client needs to use HTTP for the first request, so that the CNAME redirection is resolved over HTTP. Subsequent requests then use HTTPS. To support this scenario, you need to configure your reverse proxy with a web publishing
    rule for port 80 (HTTP).
    For details, see "To create a web publishing rule for port 80" in Configuring the Reverse Proxy for Mobility. CNAME redirection to the same domain is supported over HTTPS. In this case, the destination domain's certificate covers the originating
    domain.”
    I don’t think SRV records for additional SIP domain access edge is a workable solution as this is not supported by some devices.
    As per the below article:
    http://blog.schertz.name/2012/07/lync-edge-server-best-practices/
    “The recommended approach for external client Automatic Sign-In when supporting multiple SIP domains is to include a unique Access Edge FQDN for each domain name in the SAN field.  This is no longer a requirement (it was in OCS) as it is possible to
    create a DNS Service Locator Record (SRV) for each additional SIP domain yet have them all point back to the same original FQDN for the Access Edge service (e.g. sip.mslync.net). 
    This approach will trigger a security alert in Windows Lync clients which can be accepted by the user, but some other clients and devices are unable to connect when the Automatic Sign-In process returns a pair of SRV and Host (A) records which do not share
    the same domain namespace.  Thus it is still best practice to define a unique FQDN for each additional SIP domain and include that hostname in the external Edge certificate’s SAN field”.
    ===================
    1. Basically the requirement is to initially provide Lync conferencing services (minus PSTN conferencing) to internal, external, federated and anonymous participants with a view to providing PSTN conferencing and therefore enterprise voice services later.
    2. The customer currently supports close to 100 SMTP domains and wants to align their SIP domains with these existing domains. The structure of their business is such that “XXX IT Services” provide the IT infrastructure for a collection of companies who
    fall under the XXX umbrella but are very much run as individual entities.
    Question:
    Would you agree that I’m going to need a SAN for every SIP domain’s access edge FQDN?
    Thanks.
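
The namespace rule quoted above from the Edge best-practices article (an SRV record whose target host lies outside the SIP domain triggers a client alert or a failed sign-in) can be checked against a planned certificate before it is ordered. This is an added example, not part of the original post; the `example-*.test` domains, the `sip` host label and the function names are assumptions, and only `sip.mslync.net` comes from the quoted text.

```python
# Added example: audit automatic sign-in records for several SIP domains.
# Inputs are supplied by hand (no DNS or TLS lookups), so it runs offline.


def _norm(name):
    """Lower-case a DNS name and drop a trailing root dot."""
    return name.strip().lower().rstrip(".")


def in_namespace(sip_domain, host):
    """True when host is the SIP domain itself or a name beneath it."""
    sip_domain, host = _norm(sip_domain), _norm(host)
    # The leading dot stops notcontoso.com from matching contoso.com.
    return host == sip_domain or host.endswith("." + sip_domain)


def audit_sign_in(srv_targets, cert_sans):
    """Return {sip_domain: [findings]}.

    srv_targets maps each SIP domain to the host its sign-in SRV record
    points at; cert_sans is the SAN list of the external Edge certificate.
    Matching is exact (no wildcard handling).
    """
    sans = {_norm(s) for s in cert_sans}
    report = {}
    for domain in sorted(srv_targets):
        target = _norm(srv_targets[domain])
        findings = []
        if not in_namespace(domain, target):
            # SRV and A record do not share the SIP domain's namespace:
            # the condition the quoted article says alerts or breaks clients.
            findings.append("srv-target-outside-sip-domain")
        if target not in sans:
            # The host clients connect to is not named in the certificate.
            findings.append("target-missing-from-san")
        report[_norm(domain)] = findings
    return report


def required_sans(sip_domains, host_label="sip"):
    """SAN entries needed when every SIP domain gets its own Access Edge FQDN.

    host_label is an assumed naming convention, not a fixed requirement.
    """
    return sorted({f"{host_label}.{_norm(d)}" for d in sip_domains})


# Constructed sample data: four SIP domains and a two-name certificate.
SRV_TARGETS = {
    "mslync.net": "sip.mslync.net",          # original domain, own namespace
    "example-a.test": "sip.mslync.net",      # shared FQDN: namespace mismatch
    "example-b.test": "sip.example-b.test",  # unique FQDN, present in SAN
    "example-c.test": "sip.example-c.test.", # unique FQDN, missing from SAN
}
CERT_SANS = ["sip.mslync.net", "SIP.example-b.test"]


if __name__ == "__main__":
    for domain, findings in audit_sign_in(SRV_TARGETS, CERT_SANS).items():
        print(f"{domain:16} {', '.join(findings) or 'ok'}")
    print("SANs for one FQDN per SIP domain:", required_sans(SRV_TARGETS))
```

The SAN count from `required_sans` grows by one per SIP domain, which is the cost the poster is weighing against the client-compatibility problem flagged by the first finding.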

  • LDAP supporting multiple DNS domains

    I have an environment with multiple DNS domains, and am configuring a Directory server (DS 6.3.1) to centralize various OS configuration maps including user authentication. None of the DNS domains have unique data, so I'd like to do something like storing all the real data in one suffix, then somehow have all clients look to that primary suffix. I am aware that the Solaris Native LDAP client wants to bind to a nisDomainObject that matches its DNS domain. I'm just having a hard time believing that I really need to manage all those individual suffixes when they don't have unique data requirements.
    Take as an example the following domains to be supported: foo.example.com, bar.example.com, dev.example.com, qa.example.com, prd.example.com (no hosts are actually in "example.com", they are all in subdomains). Again, all share common configuration data, same user IDs, etc - no unique maps are required.
    I created a suffix, "dc=example, dc=com", set it up with idsconfig. All is well there.
    [A] My first thought is to bind all Solaris clients, regardless of their DNS domain, to the baseDN of "dc=example, dc=com" in order to avoid having a separate suffix for each DNS domain. I tried to do this using "-a defaultSearchPath=dc=example,dc=com" with ldapclient init, but it failed with an error indicating it wants to see the nisDomainObject of its real DNS domain.
    [B] The second thought I had, which I don't believe is possible, is to find some sort of a LDAP equivalent of a symbolic link so that I could actually have an object for each DNS domain, but it would simply point back to "dc=example,dc=com". I can't find anything in the documentation which suggests this is possible, but I'd love to be wrong!
    [C] Perhaps this could be somehow done with a rats nest of SSDs, but that really seems unwieldy, right? I plan on using a fair amount of the available objects, so it would be many SSDs per suffix. Yuck.
    Can anyone comment on my above thoughts, or provide how they would go about supporting multiple DNS domains that have common configuration data?
    Thank you,
    Chris

    Ok, I answered my own question. Turns out it's pretty easy. Just use the "-a domainName=example.com" option with `ldapclient` then make sure that the FQDN of the LDAP server is available (or use its IP address). My problem was that the ldapclient overwriting nsswitch.conf was clobbering the SSL session because I used the FQDN which couldn't resolve.
    This leaves an interesting condition of having the output of "domainname" not match the DNS domain. I'm testing now to see if this causes any unexpected issues with our environment, but I suspect it's not a problem.

  • SPNego supports multiple AD Domains?

    As far as I know, SPNego has been tested on Windows 2000 Advanced Server SP4 as Active Directory Server and Domain Controller (Single Domain). I know that it works on Windows 2003 also, but does anyone know if it supports multiple AD domains?
    Thanks
    Ofelia

    Hi Christian,
    Regarding user mapping: we don't want to use user mapping to map samaccountname to R/3 user (administration issue, we don't want to administer one more system!!), then, not using user mapping I have the option to develop and deploy a login module in UME to strike the domain name and pass only the samaccountname to the R/3, but there is a security vulnerability since two persons with the same ID logged on to the portal could eventually execute a SAP Transaction from the portal and since R/3 does not receive the domain data, it shouldn't know who is running the transaction. Do you understand what I mean? So, we are in a deadlock!! We cannot implement this!!
    Thanks for the suggestion. If you know how to solve this issue, I'll appreciate your comment!
    Regards,
    Ofelia

  • Lab setup multiple SIP domains for federation

    I have been setting up multiple Lync 2013 lab environments and have a question about my external DNS environment. I have installed server 2012R2 on the host running the lab with its own domain (contoso.local). I have this server which hosts a separate domain,
    Hyper-V and a CA, this is what I am using for my external environment. The network IP is 10.0.0.0/16.
    I set up a server called vRouter that has 3 NICs. In Hyper-v I have 3 virtual switches configured. One for the External environment - 10.0.0.0/16 (not necessary for lab, setup to transfer needed files from internet to VMs), one for 192.168.1.0/24, and one
    with 192.168.2.0/24. The virtual router has RRAS installed and can route traffic between 192.168.1.0/24 and 192.168.2.0/24.
    My VMs for the lab are as follows.
    1test.local
    AD1.1test.local -192.168.1.100
    FE1.1test.local - 192.168.1.200
    Edge1 - 192.168.1.210int, 10.0.5.10ext
    2test.local
    AD2.1test.local -192.168.1.100
    FE2.1test.local - 192.168.1.200
    Edge2.1test.local - 192.168.1.210int, 10.0.6.10ext
    Both environments have users that can log into lync and message each other.
    When installing the Edge servers I used the same FQDN and IP for the external interface since all ports are open and firewalls have been disabled internally. I installed the internal certificate from the AD server which has CA role in each environment. On
    the external device I used the Host's CA to get certificates for both Edge servers. The Edge servers have 2 NICs one on their expected internal environment with no Gateway. And one on the external environment. These servers are not part of any domain. however
    I did add the contoso.local to the primary DNS suffix when domain membership changes under system properties. I then created the two following A records on the host computer (10.0.0.0\16 network, contoso.local) to be able to see router their external traffic.
    Edge1.contoso.local 10.0.5.10
    Edge2.contoso.local 10.0.6.10
    Both of these FQDNs are what is in my topology for the Access Edge service, Web Conferencing Edge Service, and A/v Edge Service with the same IP using different ports in both environments.
    Both environments are set up to support the other SIP domain. However when I try to add a user from the other domain I cannot communicate with that user nor see their presence.
    I looked over my external DNS settings and realized that I had not set a SRV record on the 10.0.0.0\16 network(external).
    I then realized that if I try to add the traditional _sipfederationtls._tcp.contoso.local I will have 2 conflicting entries.
    One for:
    _sipfederationtls._tcp.contoso.local - 10.0.5.10 (1test.local edge)
    and one for:
    _sipfederationtls._tcp.contoso.local - 10.0.6.10 (2test.local edge)
    Should I spin up another VM and make that a DC with a CA and trust it to the host computer, set up conditional forwarders. Something like Trust.local and correct the DNS, topology builder FQDN, and certificates on the second edge server?
    Edge2.trust.local
    Or can I add a new zone to my host computer then correct the DNS, topology builder FQDN, Certificates?
    Or am I missing another external DNS record on my contoso.local environment?
    Can I set up a CNAME entry that will mask the second edge server?
    Any input would be appreciated.
    Thanks

    If contoso.com is not a sip domain, then you won't need that DNS record at all.  Those records are autodiscover records that Lync uses based upon the sip domain. 
    So you'd need
    _sipfederationtls._tcp.1test.local
    and
    _sipfederationtls._tcp.2test.local
    What effectively happens, is when someone on the outside tries to IM [email protected], their Lync edge server will see the 1test.local and query the appropriate above record for it so it knows where to communicate.
    SWC Unified Communications

  • Lync 2013 mobile app does not work internally, SIP domain is Different than users UPN. not sure if that matters.

    using the lync client connectivity tester on a pc on the same lan as my mobile client everything is green and it says its ready for use.
    using my android galaxy s5 client on wifi on the same lan i get a screen with waiting to sign in spinning and an error at the top "we cant connect to the server check your network connection and server address, and try again."
    i have uploaded the full client log files
    here: client log file
    some errors that stand out from this log file are:
    1. ERROR HttpEngine: Certificate check fails: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
    2. <h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
      <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
    i am using the correct creds, same creds i used on the analyzer tool.
    in the analyzer tool i did have to fill in the username field because my sip domain is different than my users UPN. which from what ive read its required to use the username field.
    i also filled in the username field in the mobile app with domain\username
    3. ERROR LYNC: ERROR TRANSPORT /Volumes/ServerHD2/buildagent/workspace/200604/tps/ucmp/platform/networkapis/privateandroid/CHttpConnection.cpp/295:CHttpConnection exception: java.lang.NullPointerException
    Jan 14, 2015 8:40:49 AM INFO LYNC: INFO TRANSPORT /Volumes/ServerHD2/buildagent/workspace/200604/tps/ucmp/ucmp/transport/requestprocessor/private/CHttpRequestProcessor.cpp/173:Received response of request(UcwaAutoDiscoveryRequest) with status = 0x22020001
    Jan 14, 2015 8:40:49 AM INFO LYNC: INFO TRANSPORT /Volumes/ServerHD2/buildagent/workspace/200604/tps/ucmp/ucmp/transport/requestprocessor/private/CHttpRequestProcessor.cpp/201:Request UcwaAutoDiscoveryRequest resulted in E_ConnectionError (E2-2-1). The retry
    counter is: 0
    4. Jan 14, 2015 8:40:50 AM ERROR LYNC: ERROR TRANSPORT /Volumes/ServerHD2/buildagent/workspace/200604/tps/ucmp/ucmp/transport/authenticationresolver/private/CAuthenticationResolver.cpp/431:Failing the original request as we weren't able to get the token
    this is the same type of error i was getting in the lync connectivity analyzer until i filled in the username field. but its filled in, in my client.
    again you can see the full log file is HERE
    thank you in advance for any help. im trying to get internal working before i try external.

    Eric,
    I am trying to configure a reverseproxy on my netscaler which is in a 2 arm mode(dmz/internal) but I keep getting an error when configuring the monitor.
    i used this guide to configure it
    http://www.lynced.com.au/2014/04/configure-citrix-netscaler-vpx-as.html
    but continue to get this error in the netscaler monitor "Failure - TCP connection successful, but application timed out"
    so the virtual server is never up, thinking about just changing it to tcp as a monitor so it stays up and i can at least get the vip up.
    Also your link to the diagram shows it going to the reverse  proxy but the one im using has it going directly to the front end servers.
    http://www.lync-solutions.com/Documents/Lync_2013_protocol_poster_v6_7.pdf
    I'm guessing Microsoft's is the correct one but wonder why the config differential?
    I see that your diagram says "mobility url", what is the mobility url? i thought that was the lyncdiscoverinternal.internal.com
    current setup is
    2 fe servers on internal
    1 edge server on dmz
    1 almost done reverse proxy netscaler load balancer.
    also this ms link i used to configure dns entries, along with the pdf linked above.
    http://technet.microsoft.com/en-us/library/jj945644.aspx
    i currently have these external dns entries and they all point to the edge server on the dmz.
    dialin.external.com
    lync.external.com
    lyncweb.external.com
    lyncdiscover.external.com
    meet.external.com
    sip.external.com
    webconf.external.com
    av.external.com
    _autodiscover._tcp.external.com.
    the internal dns links point to 1 of the front end servers
    1. lyncdiscoverinternal.internal.com
    2. lyncdiscover.internal.com
    3. _sipinternaltls._tcp.internal.com
    4. _sipinternal._tcp.internal.com
    5. sipinternal.internal.com
    6. sip.internal.com
    thanks again for your help.

  • Cisco Jabber client to support Multiple e-mail domains

    Hi All,
    Per the following link, CUCM an IM&Presence starts supporting multiple domains at version 10:
    http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/rel_notes/10_0_1/delta/CUCM_BK_C206A718_00_cucm-new-and-changed-1001/CUCM_BK_C206A718_00_cucm-new-and-changed-1001_chapter_010.html#CUCM_RF_I31EA3AB_00
    However, we have heard from Cisco that there is NO Jabber client that works with version 10 to support multiple email domains.
    This may or may not be true.
    Can someone who has connection with BU confirm this? If there is Jabber client that supports multiple email domains, what is the version and when is it going to be available?
    Thanks,
    Mustafa

    Per-Olov
    How are you dealing with this DA restriction?
    Also, what are your comments about the use of Domain Alias vs. Domain with inetdomainbaseDN pointing to my organization? Which one was your choice?
    Thanks,
    Ivo

  • Multiple DNS Domain support in Single instance of Portal

    Can BEA portal support multiple DNS domains in a single instance of BEA Portal?
    For example can I set up portal to respond as both www.xxx.com and www.yyy.com
    and keep those URLs through the entire portal?

    Hi,
    thanks for your quick response. You mean we should run only one copy of the package I mentioned and separate the plants and machines by logic implemented in the package? Well, I think this is critical in case of deploying a new version, since all machines at all sites won't have the system available at the same time. At the moment we do not have things in the system that are needed to go on with production, but we have planned to implement some things that will be indispensable and in this stage we need a clear separation of the plants to minimize the risk of a simultaneous stand at all plants.
    Thanks for your suggestion and best regards,
    Matthias

  • Can ACS support multiple Active Directory Domains for 802.1x EAP-TLS?

    Hi
    I'm looking to implement ACS 5.2 using 802.1X, we have two separate AD domains.
    Now.. this is the tricky part...
    A single switch will need to support both ADs, so if a machine in AD1 is connected, it will be authenticated to the ACS using AD1 and applied to VLAN1, while a machine that is in AD2 will be authenticated to AD2 and applied to VLAN 2.
    I'm looking at machine authentication, not user authentication, so I assume that I will need to import two certs from each AD.
    Can any expert please let me know if they think that this will be possible please??
    Many thanks

    Yes ACS can support multiple AD domains but you will have to configure one as your AD domain and the other as an LDAP database and this will work since you are planning to use eap-tls.
    The question I have is which version of ACS are you using? If you are using ACS 5.x then you can set up an identity store sequence so if the user is not found you can move to the next store and this will prevent you from installing two certificates on every machine.
    You can then set up an authorization rule for the separate containers on where the workstations are located (this is assuming machine authentication is being used) for the AD database or the LDAP database and then assign the vlan based off that.
    Thanks and I hope this helps!
    Tarik Admani

  • RDBMS Security Store supporting multiple domains

    Can one instance of the RDBMS Security Store be utilized to support multiple WLS 10.3.2 domains?
    I have several 10.3.2 domains, all of which have clusters and role requirements? The documentation 'suggests' one Store per domain, but all of the tables in the schema contain DOMN (domain) and REALMN (realm) columns that would seem to indicate domain independence. It would be nice to be able to manage one Store schema that supports several Domains.

    Hi,
    The document which you are referring is for WLS 10.0 and RDBMS security is introduced from WLS 10.3.0 onwards.
    The reason why RDBMS security store should not be stored between two domains is RDBMS security store is used by authorization, role mapping, credential mapping, and certificate registry providers.
    Once the RDBMS security store is configured in a domain, an instance of any of the preceding security providers that has been created in the security realm automatically uses only the RDBMS security store as a datastore, and not the embedded LDAP server.
    It is just the replacement for Embedded LDAP.
    Thanks & Regards,
    Murali.
    ============

  • Supporting Multiple domains in IM&P with and Expressway deployment?

    Hello everyone. This is long winded but the context is needed to explain what I'm looking for. Any help is appreciated.
    My customer has piloted IM&P for 1 year now and is looking to take it to the next level. They purchased Expressway Core & Edge and they are looking to enable Mobile Remote Access, B2B Video and XMPP Federation. One issue is that the Jabber domain that was selected 1 year ago for the pilot was a local domain. The reason for this is because the multidomain support was not available at the time. Internally there are 3 domains. example.ca, examplesales.ca, and examplebanannas.com. Their Jabber ID they use today is example.root.local. I am reading through the guides and it seems as though IM&P allows you to map a JABBER ID to an email address or a directory URI. This will allow multiple presence domains within one Presence cluster. The problem is that it appears as though federation will not work through expressway core / edge if you use this method. Can this be confirmed?
    I am providing you these URL's only for guidance, to show you how I arrived at my situation where I’m asking for help on a configuration change to my customers IM&P settings.
    note the section on page 41 of the following guide http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/X8-5/Mobile-Remote-Access-via-VCS-Deployment-Guide-X8-5-1.pdf
    One would presume that Multi-domain support is now supported with expressway core & edge. The caveat I found on page 4 of the following guide in relation to xmpp federation.
    http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/XMPP-Federation-with-Cisco-VCS-and-IM-and-Presence-Service.pdf
    and page 10 of the following guide
    http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/X8-5/XMPP-Federation-with-Cisco-VCS-and-IM-and-Presence-Service.pdf
    and this section
    http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/im_presence/interdomain_federation/10_5_1/CUP0_BK_I07B7052_00_integration-guide-interdomain-federation-105/CUP0_BK_I07B7052_00_integration-guide-interdomain-federation-105_chapter_01010.html#CUP0_RF_CAF8AEDD_00
    Expressway-E does not support XMPP address translation (of email addresses, for example). If you are using Expressway-E for XMPP federation, you must use native presence Jabber IDs from IM and Presence Service.
    This being said
    Based on my findings, I believe Cisco now supports multi-domain setup for IM&P with the "caveat" federation still doesn't work. My customer is not happy with this but still would like to proceed with the rest of the benefits that MRA brings to the table for their Jabber deployment. 
    To support the above scenario it is my understanding I need to make an adjustment to the configuration of IM&P. As I stated when I opened the case my customer’s current IM&P domain is “example.root.local” their JID is made up of [email protected]. It’s my understanding we cannot use this domain and activate MRA so we need to adjust everyone’s JID to be a Publicly routable DNS name. Since everyone that has a JABBER account also has an email account I was thinking we map the JID to the email. I’m trying to understand how to get from where we are to where we need to be. I found this guide but it doesn’t talk about the effects of doing this on a live system setup the way my customer is setup.
    http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/im_presence/interdomain_federation/10_5_1/CUP0_BK_I07B7052_00_integration-guide-interdomain-federation-105/CUP0_BK_I07B7052_00_integration-guide-interdomain-federation-105_chapter_01100.html
    I am also not certain this is the setting I’m looking for. I believe what I need to change is actually on the Presence server under the domains section I found this
    Domains Configuration
    Use the controls on this window to view and edit domains managed by the IM and Presence Service. Previously, the IM and Presence Service supported a single domain. With this release, you can specify multiple domains.
    Before You Begin
    To take advantage of multiple IM and Presence Service domains, you must choose Directory URI as the IM address scheme on the Advanced Presence Settings window. If the IM address scheme is set to UserID@domain, the default domain is used for the IM and Presence Service. The status of the IM Address Scheme setting is displayed at the top of the window in the Status box. The Status box contains a link to the Advanced Presence Settings window.
    Is this what I need to do?

    Hello everyone. This is long winded but the context is needed to explain what I'm looking for. Any help is appreciated.
    My customer has piloted IM&P for 1 year now and is looking to take it to the next level. They purchased Expressway Core & Edge and they are looking to enable Mobile Remote Access, B2B Video and XMPP Federation. One issue is that the Jabber domain that was selected 1 year ago for the pilot was a local domain. The reason for this is because the multidomain support was not available at the time. Internally there are 3 domains. example.ca, examplesales.ca, and examplebanannas.com. Their Jabber ID they use today is example.root.local. I am reading through the guides and it seems as though IM&P allows you to map a JABBER ID to an email address or a directory URI. This will allow multiple presence domains within one Presence cluster. The problem is that it appears as though federation will not work through expressway core / edge if you use this method. Can this be confirmed?
    I am providing you these URL's only for guidance, to show you how I arrived at my situation where I’m asking for help on a configuration change to my customers IM&P settings.
    note the section on page 41 of the following guide http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/X8-5/Mobile-Remote-Access-via-VCS-Deployment-Guide-X8-5-1.pdf
    One would presume that Multi-domain support is now supported with expressway core & edge. The caveat I found on page 4 of the following guide in relation to xmpp federation.
    http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/XMPP-Federation-with-Cisco-VCS-and-IM-and-Presence-Service.pdf
    and page 10 of the following guide
    http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/X8-5/XMPP-Federation-with-Cisco-VCS-and-IM-and-Presence-Service.pdf
    and this section
    http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/im_presence/interdomain_federation/10_5_1/CUP0_BK_I07B7052_00_integration-guide-interdomain-federation-105/CUP0_BK_I07B7052_00_integration-guide-interdomain-federation-105_chapter_01010.html#CUP0_RF_CAF8AEDD_00
    Expressway-E does not support XMPP address translation (of email addresses, for example). If you are using Expressway-E for XMPP federation, you must use native presence Jabber IDs from IM and Presence Service.
    This being said
    Based on my findings, I believe Cisco now supports multi-domain setup for IM&P with the "caveat" federation still doesn't work. My customer is not happy with this but still would like to proceed with the rest of the benefits that MRA brings to the table for their Jabber deployment. 
    To support the above scenario it is my understanding I need to make an adjustment to the configuration of IM&P. As I stated when I opened the case my customer’s current IM&P domain is “example.root.local” their JID is made up of [email protected]. It’s my understanding we cannot use this domain and activate MRA so we need to adjust everyone’s JID to be a Publicly routable DNS name. Since everyone that has a JABBER account also has an email account I was thinking we map the JID to the email. I’m trying to understand how to get from where we are to where we need to be. I found this guide but it doesn’t talk about the effects of doing this on a live system setup the way my customer is setup.
    http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/im_presence/interdomain_federation/10_5_1/CUP0_BK_I07B7052_00_integration-guide-interdomain-federation-105/CUP0_BK_I07B7052_00_integration-guide-interdomain-federation-105_chapter_01100.html
    I am also not certain this is the setting I’m looking for. I believe what I need to change is actually on the Presence server under the Domains section, where I found this:
    Domains Configuration
    Use the controls on this window to view and edit domains managed by the IM and Presence Service. Previously, the IM and Presence Service supported a single domain. With this release, you can specify multiple domains.
    Before You Begin
    To take advantage of multiple IM and Presence Service domains, you must choose Directory URI as the IM address scheme on the Advanced Presence Settings window. If the IM address scheme is set to UserID@domain, the default domain is used for the IM and Presence Service. The status of the IM Address Scheme setting is displayed at the top of the window in the Status box. The Status box contains a link to the Advanced Presence Settings window.
    Is this what I need to do?

  • Multiple additional SIP domains - certificate and DNS requirements

    We've setup Lync 2010 Enterprise in our organisation and have successfully enabled a couple of thousand users.
    This is working successfully internally, externally and through Lync Mobile.
    However, we've only enabled users who are using the main company domain for SMTP and SIP addresses aaaaa_group.com (so all nice and easy so far!)
    In other words, user A has a primary SMTP and SIP address of
    UserA@aaaaa_group.com
    However, due to numerous mergers and acquisitions over the years, we have quite a lot of users who have other primary SMTP addresses e.g. bbbbb_co.uk, ccccc_company.com, ddddd_ltd.co.uk, de.ccccc_company.com etc etc
    There must be in excess of 40 to 50 of these other domains in use as primary SMTP addresses.
    (Nearly all these users have secondary SMTP addresses of aaaaa_group.com).
    I have been told to approach this from a best practices point of view and give all users a SIP address that matches their primary SMTP address and calculate how much it will cost to buy certificates to cover enabling every user for Lync on all these domains.
    I know from reading that wildcard certificates are considered to be a bad thing generally with Lync, especially if using Lync Mobility as the phone Lync clients don't accept them. 
    Wildcard certificates aside, what are the names that I will need to add to my SAN certificates?  Presumably sip.domain.com, access.domain.com, meet.domain.com, dialin.domain.com, edge.domain.com, autodiscover.domain.com, lyncdiscover.domain.com
    The potential cost of all these names is frankly getting pretty scary considering we currently use Verisign for all our cert requirements, and they charge like a wounded bull.  However, I still need to report back with a cost of doing this, no matter what it is.
    Any thoughts/comments would be very welcome. :-)

    Actually the Mobility clients for mobile devices (cell phones, tablets) DO support wildcard entries in the certificates, it's the Lync Phone Edition client (desktop handset devices) which does not work with wildcards.  So you may be able to use wildcards, but do plenty of research on how to approach this.  Here are some articles to get started:
    http://blog.schertz.name/2011/02/wildcard-certificates-in-lync-server/
    http://blog.schertz.name/2011/02/lync-phone-edition-incompatible-wildcard-certificates/
    That said, if you decide to skip the wildcard approach then you do NOT need to add additional entries for ALL FQDN types, only some.
    For both the Edge Server external certificate and any internal Front End certificate you'll need to add the 'sip' FQDN for every domain to the SAN field.
    sip.domain1.com, sip.domain2.com, sip.domain3.com, etc
    The Front End certificate will also need the lyncdiscover and lyncdiscoverinternal FQDNs, and the Reverse Proxy certificate will require the lyncdiscover FQDNs.
    For Exchange Server you'll need an autodiscover.domainX.com record as well, although this can also be covered by the wildcard entry.  The remainder of names (web conferencing, external web services, dialin, meet, etc.) can all remain in the primary SIP domain only as these FQDNs will be passed in-band to the clients after they have successfully signed-in to Lync.  Unless you need users to all use their own domain names for the SimpleURLs (which it does not sound like in your scenario) then you'd have to add all those as well.
    So if you are not supporting any Lync Phone Edition devices I would try going with the wildcard route first to see how well things work.  And even if you do have some of those devices you could simply add the 40-50 sip.domain.com FQDNs to both the FE and Edge certificate but still use a wildcard entry for the mobility clients, SimpleURLs, etc.  Just make sure that the certificate's Common Name (e.g. Subject Name) is NOT the wildcard entry, use the primary domain name entry in the CN and then place the wildcard entries in the SAN field.  It is also best practice to duplicate the CN as a SAN field entry for the widest range of support by all clients.
    For example:
    Edge Server external certificate
    Common Name: sip.domain1.com
    Subject Alternative Name: sip.domain1.com, *.domain1.com, *.domain2.com, *.domain3.com, *.domain4.com, etc...
    Jeff Schertz | Microsoft Solutions Architect - Polycom | Lync MVP
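The SAN rules from the answer above, written as a planning check that can be run against a proposed certificate before it is ordered. This is an added example, not code from the thread; the domain names are constructed placeholders, and it assumes the sip, lyncdiscover and lyncdiscoverinternal names are needed once per SIP domain and that a wildcard entry covers exactly one label.

```python
# Added example: audit a planned certificate against the per-role SAN rules
# described in the answer above. All domain names are constructed placeholders.

# Host labels each role needs once per SIP domain (assumption: read from the answer).
ROLE_LABELS = {
    "edge_external": ["sip"],
    "front_end": ["sip", "lyncdiscover", "lyncdiscoverinternal"],
    "reverse_proxy": ["lyncdiscover"],
}


def required_names(role, sip_domains):
    """Return every FQDN the role's certificate must cover."""
    return [f"{label}.{d.lower()}" for d in sip_domains for label in ROLE_LABELS[role]]


def wildcard_covers(san, fqdn):
    """True if a '*.zone' SAN covers fqdn; the '*' stands for one label only."""
    if not san.startswith("*."):
        return False
    label, _, zone = fqdn.partition(".")
    return bool(label) and zone == san[2:]


def audit_certificate(role, common_name, sans, sip_domains, phone_edition=False):
    """Return a list of findings; an empty list means the plan follows the rules."""
    cn = common_name.lower()
    sans = [s.lower() for s in sans]
    findings = []
    if cn.startswith("*."):
        findings.append(f"CN {cn} is a wildcard; use the primary domain name")
    if cn not in sans:
        findings.append(f"CN {cn} is not duplicated in the SAN field")
    for fqdn in required_names(role, sip_domains):
        explicit = fqdn in sans
        by_wildcard = any(wildcard_covers(s, fqdn) for s in sans)
        if not explicit and not by_wildcard:
            findings.append(f"{fqdn} is not covered")
        elif not explicit and phone_edition and fqdn.startswith("sip."):
            # Lync Phone Edition handsets do not work with wildcard entries.
            findings.append(f"{fqdn} is wildcard-only; Lync Phone Edition needs it listed")
    return findings


# Constructed plan: one SIP domain is a subdomain, as with de.ccccc_company.com
# in the question, so the parent's wildcard does not reach its sip record.
DOMAINS = ["domain1.com", "domain2.com", "de.domain2.com"]
WILDCARD_PLAN = ["sip.domain1.com", "*.domain1.com", "*.domain2.com"]


def demo():
    """Audit the constructed Edge plan for a site that has Phone Edition handsets."""
    return audit_certificate("edge_external", "sip.domain1.com",
                             WILDCARD_PLAN, DOMAINS, phone_edition=True)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A SIP domain that is itself a subdomain needs its own wildcard or explicit sip entry, which is easy to miss when counting names for a quote.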

  • IOS AIR3.6  runtime error 3747 Multiple application domains are not supported on this operating syst

    3747
    Multiple application domains are not supported on this operating system.
    I'm getting this error from an IOS app compiled with air 3.6.
    No code has changed  from Air 3.5 which is error free. Web app / android versions of the same codebase do not error.
    See the stackTrace below ( well done Adobe for providing this since air 3.5 !! )
    I use swfloaders for loading embedded swf vector art graphics. This has not caused any issue until now. Should I load all art into the main app's application domain ?
    The error does not crash the app and I could suppress it easily but it could be the tip of the iceberg because application domains are scary stuff.
    Error: Error #3747
            at flash.display::Loader/loadBytes()
            at mx.core::MovieClipLoaderAsset()
            at mx.controls::SWFLoader/loadContent()
            at mx.controls::SWFLoader/load()
            at mx.controls::SWFLoader/initializeHandler()
            at flash.events::EventDispatcher/dispatchEvent()
            at mx.core::UIComponent/dispatchEvent()
            at mx.core::UIComponent/set processedDescriptors()
            at mx.core::UIComponent/initialize()
            at com.komodomath.app::ImageSWFloader/initialize()
            at mx.core::UIComponent/http://www.adobe.com/2006/flex/mx/internal::childAdded()
            at mx.core::UIComponent/addChildAt()
            at spark.components::Group/addDisplayObjectToDisplayList()
            at spark.components::Group/http://www.adobe.com/2006/flex/mx/internal::elementAdded()
            at spark.components::Group/setMXMLContent()
            at spark.components::Group/set mxmlContent()
            at spark.components::SkinnableContainer/set mxmlContent()
            at spark.components::SkinnableContainer/createDeferredContent()
            at spark.components::SkinnableContainer/createContentIfNeeded()
            at spark.components::SkinnableContainer/createChildren()
            at mx.core::UIComponent/initialize()
            at com.komodomath.lesson::SaveStatusCheck/initialize()
            at mx.core::UIComponent/http://www.adobe.com/2006/flex/mx/internal::childAdded()
            at mx.core::UIComponent/addChildAt()
            at spark.components::Group/addDisplayObjectToDisplayList()
            at spark.components::Group/http://www.adobe.com/2006/flex/mx/internal::elementAdded()
            at spark.components::Group/addElementAt()
            at mx.states::AddItems/addItemsToContentHolder()
            at mx.states::AddItems/apply()
            at mx.core::UIComponent/applyState()
            at mx.core::UIComponent/commitCurrentState()
            at mx.core::UIComponent/setCurrentState()
            at mx.core::UIComponent/set currentState()
            at com.komodomath.maingroups::LessonGroup/handleNewLessonClick()
            at com.komodomath.maingroups::LessonGroup/___LessonGroup_KButton1_click_lessonOver()

    same issue as http://forums.adobe.com/message/4736711

  • Multiple SIP Registrar changes Header Behaviour

    Hi all,
      I want to use multiple SIP registrars and my UC520 supports this:
    Cisco IOS Software, UC500 Software (UC500-ADVIPSERVICESK9-M), Version 15.1(2)T2, RELEASE SOFTWARE (fc1)
    all SIP UA config is consistent other than using a registrar number.
    When sending with the FQDN the call succeeds after a 401, with the IP address instant 403 and fails.
    Does anyone know a way to enforce a domain name in the From header?
    Single Registrar:
    sip-ua
    credentials username <username> password <password> realm iinetphone.iinet.net.au
    authentication username username <username> password <password> realm iinetphone.iinet.net.au
    no remote-party-id
    registrar dns:sip.vic.iinet.net.au expires 3600
    Sent:
    INVITE sip:[email protected]:5060 SIP/2.0
    Via: SIP/2.0/UDP 124.168.221.176:5060;branch=z9hG4bK14BD13DB
    From: "iiNetPhone" <sip:[email protected]>;tag=78DE21E4-196D
    To: <sip:[email protected]>
    Date: Tue, 26 Apr 2011 08:20:43 GMT
    Call-ID: [email protected]
    Supported: 100rel,timer,resource-priority,replaces,sdp-anat
    Min-SE:  1800
    Cisco-Guid: 0315016448-0000065536-0000000074-4027191562
    User-Agent: Cisco-SIPGateway/IOS-12.x
    Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
    CSeq: 101 INVITE
    Timestamp: 1303806043
    Contact: <sip:[email protected]:5060>
    Expires: 180
    Allow-Events: telephone-event
    Max-Forwards: 69
    Session-Expires:  1800
    Content-Type: application/sdp
    Content-Disposition: session;handling=required
    Content-Length: 256
    v=0
    o=CiscoSystemsSIP-GW-UserAgent 2333 1968 IN IP4 124.168.221.176
    s=SIP Call
    c=IN IP4 124.168.221.176
    t=0 0
    m=audio 18664 RTP/AVP 0 101
    c=IN IP4 124.168.221.176
    a=rtpmap:0 PCMU/8000
    a=rtpmap:101 telephone-event/8000
    a=fmtp:101 0-15
    a=ptime:20
    Received:
    SIP/2.0 401 Unauthorized
    Via: SIP/2.0/UDP 124.168.221.176:5060;branch=z9hG4bK14BD13DB
    From: "iiNetPhone" <sip:[email protected]>;tag=78DE21E4-196D
    To: <sip:[email protected]>;tag=SD52fjf99-952402136-1303806042870
    Call-ID: [email protected]
    CSeq: 101 INVITE
    Timestamp: 1303806043
    Multiple Registrar:
    sip-ua
    credentials username <username> password <password> realm iinetphone.iinet.net.au
    authentication username username <username> password <password> realm iinetphone.iinet.net.au
    no remote-party-id
    registrar 1 dns:sip.vic.iinet.net.au expires 3600
    Sent:
    INVITE sip:[email protected]:5060 SIP/2.0
    Via: SIP/2.0/UDP 124.168.221.176:5060;branch=z9hG4bK14B5FFFFBEBA
    From: "iiNetPhone" <sip:[email protected]>;tag=78DA6660-2A
    To: <sip:[email protected]>
    Date: Tue, 26 Apr 2011 08:16:39 GMT
    Call-ID: [email protected]
    Supported: 100rel,timer,resource-priority,replaces,sdp-anat
    Min-SE:  1800
    Cisco-Guid: 2169983744-0000065536-0000000071-4027191562
    User-Agent: Cisco-SIPGateway/IOS-12.x
    Allow: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
    CSeq: 101 INVITE
    Timestamp: 1303805799
    Contact: <sip:[email protected]:5060>
    Expires: 180
    Allow-Events: telephone-event
    Max-Forwards: 69
    Session-Expires:  1800
    Content-Type: application/sdp
    Content-Disposition: session;handling=required
    Content-Length: 256
    v=0
    o=CiscoSystemsSIP-GW-UserAgent 1309 2161 IN IP4 124.168.221.176
    s=SIP Call
    c=IN IP4 124.168.221.176
    t=0 0
    m=audio 18738 RTP/AVP 0 101
    c=IN IP4 124.168.221.176
    a=rtpmap:0 PCMU/8000
    a=rtpmap:101 telephone-event/8000
    a=fmtp:101 0-15
    a=ptime:20
    Received:
    SIP/2.0 403 Forbidden
    Via: SIP/2.0/UDP 124.168.221.176:5060;branch=z9hG4bK14B5FFFFBEBA
    From: "iiNetPhone" <sip:[email protected]>;tag=78DA6660-2A
    To: <sip:[email protected]>;tag=aprqngfrt-8jdjp610000a6
    Call-ID: [email protected]
    CSeq: 101 INVITE
    Timestamp: 1303805799

    I solved it using SIP Profiles:
    voice class sip-profiles 100
    request INVITE sip-header From modify "@.*>;" "@sip.vic.iinet.net.au>;"
    request INFO sip-header From modify "@.*>;" "@sip.vic.iinet.net.au>;"
    dial-peer voice 2000 voip
    voice-class sip profiles 100
    Adam

  • Supporting multiple companies with JES6

    I have been trying to find instructions to support multiple companies using email, calendar, and IM on a single installation of JES6 (messaging, calendar, IM, delegated admin, independent convergence, etc). I have had no luck.
    The sales pitch talks a great story about scalability, so I must be missing something. Sun Docs does not have Messaging Server 7.0 yet. The wiki that the product page sends you to is incomplete. I am not sure when Sun made the decision to not require complete documentation before a product is released, but I find that frustrating.
    I see that I can add multiple domains in Delegated Administrator, but this does not create separate partition areas in Messaging Server. I believe that you need to separate each company's email and calendar so that conflicts in names don't happen.
    Can someone direct me to a document or tell me how to do this? Please?

    workman99 wrote:
    > I have been trying to find instructions to support multiple companies using email, calendar, and IM on a single installation of JES6 (messaging, calendar, IM, delegated admin, independent convergence, etc). I have had no luck.
    Log into Delegated Administrator and create a new organisation for each of the companies you wish to support. This organisation will require a domain-name e.g. somecompany.com (hence the term "hosted domain"). The users in the company then log into Messaging/Calendar/Convergence with [email protected].
    > The sales pitch talks a great story about scalability, so I must be missing something.
    Hosted/Virtual domain functionality is in use by a number of companies to provide the very functionality you refer to.
    > Sun Docs does not have Messaging Server 7.0 yet.
    There is no intention to provide static PDF based docs for communication-suite-6 products (which include MS7.0) going forth.
    > The wiki that the product page sends you to is incomplete.
    How exactly is it incomplete? Where there are differences between MS6.3 and MS7.0 they are documented on the http://wikis.sun.com/display/CommSuite/ site.
    > I am not sure when Sun made the decision to not require complete documentation before a product is released, but I find that frustrating.
    Once again, what exactly is not complete? Sweeping statements aren't really constructive. The wiki format has provided the ability to provide much quicker updates and enhancements to the documentation than was previously possible with the publish-once PDF guide mechanism.
    > I see that I can add multiple domains in Delegated Administrator, but this does not create separate partition areas in Messaging Server. I believe that you need to separate each company's email and calendar so that conflicts in names don't happen.
    You don't require separate partitions as Messaging Server and Calendar Server both use the hosted domain information in their storage e.g.
    bash-3.00# ./mboxutil -lxp user/[email protected]/INBOX
      msgs  Kbytes last msg         partition   quotaroot mailbox path and acl
         3     240 2008/04/03 07:28 primary          5120 user/[email protected]/INBOX /opt/SUNWmsgsr/data/store/partition/primary/=user/b7/e4/=testuser@hosted%dsun%dcom [email protected] lrswipcda
    bash-3.00# ./mboxutil -lxp user/shjorth/INBOX
      msgs  Kbytes last msg         partition   quotaroot mailbox path and acl
         6      37 2008/09/12 13:08 primary          5120 user/shjorth/INBOX /opt/SUNWmsgsr/data/store/partition/primary/=user/c4/31/=shjorth shjorth   lrswipcda
    So in the above example "testuser" is in the hosted.sun.com hosted domain and "shjorth" is in the aus.sun.com default domain. The default domain does not have the domain information appended in the path and is treated as a special case.
    bash-3.00# ./cscal list [email protected]
    [email protected]: [email protected] status=enabled
    bash-3.00# ./cscal list [email protected]
    [email protected]: [email protected] status=enabled
    For calendar server, the domain of the user is appended to the UID thus providing for separate UID name-spaces for each hosted-domain organisation.
    Regards,
    Shane.
