The main point of this article was to clear up some confusion as to how connectivity to a PIC provider works with multiple SIP domains as PIC providers ignore Subject Alternative Name (SAN) names in a certificate. So if we have multiple SIP domains, how exactly do we achieve PIC federation with multiple SIP domains? Well, read on and I’ll tell you!
Public IM Connectivity takes advantage of federation to allow users to talk with Yahoo, MSN, and AOL. Allowing your users to communicate with these providers is not all or nothing. You can choose to allow users to communicate with one PIC provider, two PIC providers, or all three.
If you take a look at the OCS doumentation, it clearly states that for Federation, you need a DNS record of _sipfederationtls._tcp.<domain>, over port 5061. <domain> will be your SIP domain. When you install an Access Edge, you specify an External Access Edge FQDN. So let’s say our main SIP Domain is exchange.shudnow.net. We may specify our External Access Edge FQDN as sip.exchange.shudnow.net. So our Federation DNS record will be _sipfederationtls._tcp.shudnow.net that points to sip.exchange.shudnow.net. This is possible because both namespaces match up. You cannot have an SRV record point to an A record that belongs to a different namespace.
So, what do we do for all our other SIP domains? Well, when we install the Edge, we will specify that we have multiple SIP domains and those SIP domains get added to the Subject Alternative Name (SAN) of the certificate. This allows us to create different Federation DNS entries and point them to an A record that matches the FQDN specifed in one of the SAN entries of the certificate assigned to the Access Edge role.
But as stated earlier, PIC providers ignore SAN names. So how do we allow federation to multiple SIP domains? These SRV records are only used for open/enhanced federation where we want to allow domains to automatically federate with our OCS organization. PIC does not use open/enhanced federation. It uses something called Direct Federation which is where you specify what SIP domains belong to a specific Access Edge FQDN.
So let’s say in my organization, I have the following SIP domains:
- exchange.shudnow.net
- sales.shudnow.net
- marketing.shudnow.net
When setting up PIC on Microsoft’s Licensing Website, you would specify that for each of these SIP domains, that the PIC provider would use the Common Name of the External Access Edge FQDN. This may be sip.exchange.shudnow.net. So instead of PIC accessing the SRV records for each domain which wouldn’t work unless PIC starts to not ignore SANs, each time it needs to communicate with a specific domain, it will always use the Common Name of the External Access Edge FQDN.
Because of this, your SRV records are not needed unless you plan on doing Open/Enhanced Federation. You can read more about Federation and PIC from the Edge Server Deployment Guide here.
Thanks to Tom Laciano over at LCSKid for clearing up some of this for me.
What a great statement shared about public IM connectivity and multiple sip domains that is so amazing. I would like to say something about this allocation which is so valuable for me. I like it. Thanks a lot. Keep it up ! :)
Hi Elan,
For Federation do you really need to make use of SRV records ? Is there no fall back to A records ?
BR,
Ronald