About Me

My photo
TsooRad is a blog for John Weber. John is a Skype for Business MVP (2015-2016) - before that, a Lync Server MVP (2010-2014). My day job is titled "Technical Lead, MS UC" - I work with an awesome group of people at CDW, LLC. I’ve been at this gig in one fashion or another since 1988 - starting with desktops (remember Z-248’s?) and now I am in Portland, Oregon. I focus on collaboration and infrastructure. This means Exchange of all flavors, Skype, LCS/OCS/Lync, Windows, business process, and learning new stuff. I have a variety of interests - some of which may rear their ugly head in this forum. I have a variety of certifications dating back to Novell CNE and working up through the Microsoft MCP stack to MCITP multiple times. FWIW, I am on my third career - ex-USMC, retired US Army. I have a fancy MBA. One of these days, I intend to start teaching. The opinions expressed on this blog are mine and mine alone.


Server 2012 R2 KB2919355–WTF?

Last week, I innocently decided to build myself a new Server 2012 R2 image – and then sysprep it so I could easily spin up a new host for whatever I needed.

Yes, I know I could use Server 2016 – but the vast majority of my customers are using 2012 R2 – and what good is a lab exercise if it does not reflect what you will be doing in production?  So, off I go to build myself my squeaky clean image.

The install went so easy.  And the then update nightmare begins.  I have no idea why it has to be so &^%#$@! difficult.  It’s not like I am trying to do something that is way out there.  I just want to get all the operating system updates applicable up to and including today.

As we should know by now, Server 2012 R2 will go through multiple iterations of updates for a variety of reasons.  One of them being what some people called SP1 to R2 – specifically KB2919355.  Roughly 800MB of (eh?) goodness.  After that is another 190+ updates.

For my new image, KB2919355 refused to be seen, let alone install.  Dang.  Last time this happened I had to throw the server away.  Oddly, and why I am ranting today, is that the next server build, like 5 minutes later, went right through with zero issues.  This time, I resolved to figure it out rather than give in. 

Here is what I found.  This may or may not work for you.  It may or may not trip your trigger – you may just wish to throw things away and start the Server 2012 R2 Update Roulette game over again.

After doing some reading about the well-known issue that is KB2919355, I downloaded the components of the KB separately.  https://www.microsoft.com/en-us/download/details.aspx?id=42334. I also downloaded KB2919442 separately from here: https://www.microsoft.com/en-us/download/details.aspx?id=42162.

Then I installed/ran them in the following order:

  • kb2932046
  • kb2934018
  • kb2937592
  • kb2938439
  • kb2959977
  • kb2919442
  • clearcompressionflag.exe
  • Chant, light the candles, and spatter the chicken blood.  Reboot
  • kb2919355

Oh joy.  Only 190 more to go.





SfB Persistent Chat ChannelService.exe high CPU

Twice in the last two weeks, I have seen an SfB Persistent Chat server go bonkers over a topology publish action.  Specifically, it would seem that the topology publish action caused channelservice.exe to peg the CPU at 100% with the predictable result of a very sluggish server.

Tangential input and possibly related data points:

The fix was easy enough, in one case I did a stop-cswindowsservice followed by start-cswindowsservice.  In the other case I had to boot the box because PowerShell opened but never responded to any input.

Such is life.



SfB Online and AudioCodes handsets

As part of another process, I was browsing through the Skype OIP and Lync OIP sites…and noticed that only the AudioCodes 440HD was qualified for SfB Online.

Odd, says I.  My 450HD just worked.  So, I commenced to testing with the 405 and the 420HD that I happened to have handy.  Here is my firmware load per phone:


I then proceeded to use the web interface on each handset to modify the login to the UPN of an SfB online user.

SfBO login with each model shown was successful. Note the firmware version per handset. Test calls worked.  Transfer worked.  Holds worked.  All the basic features that I use worked just fine.

While the 405,420HD, and 450HD do not show on the SfBO OIP, they clearly function as expected.

Nice to know, eh?


YADR–AudioCodes 450HD

AudioCodes has a new phone, the 450HD – complete with a touch color screen. I have been using the 450HD as my desk handset now for a few weeks, and I like it a lot.  Form, fit, function, the 450HD has it all.  I am not sure if you can actually lay YOUR hands on one of these gems, but I am sure you will be able to soon.  In the meantime, let me present my opinion, so you can start salivating.


What comes in the box?  I have an “optional” model number, because I got the AC adapter.  Other than that, this is what I got.


A wall mount?  Nice touch.  I did a project one time where the client had to go out and have all new wall mounts custom made for their new IP phones (different manufacturer).

Build Quality

As I have mentioned before, AudioCodes has great build quality.  The 450HD continues this tradition.  Very nice. The manual buttons feel good, and the touch screen responds well.  After I realized that I had to remove the screen protector thingy, the touch screen went from “responds well” to “most excellent.”

The Screen and Controls


Give it an extension + PIN or futz through getting your URI entered, and in you go. Once you are logged in you see this:


Notice the soft keys on the left.  There is four more available on the right side of the screen.  These soft keys are programmable via the web interface, the ini file for each phone, or right on the phone itself.  Using the phone itself also allows you to do a directory lookup and choose from that so no typing needed. choosing the BLF options gives you presence on the contact…


…works with SfBO users…Wiley Coyote is SfBO and offline, Martin Luther is SfBO and available, while Chicken Hawk is on-premises and has gone into away status.  Works with federated contacts also.


Oddly, or perhaps by design, the user cannot change the button assignments unless the admin gives them access to the web interface.  And if I was to logoff, give you the phone, and you login to your domain with your user, the soft key assignments are then available to you too.  That might be good, that might be bad.  Something to consider if you ever have to decommission one of these units. I have elevated this issue to AudioCodes as I feel that these soft-buttons should follow the user, not the phone itself.

Having said that, I like the soft keys.  One button dialing is right up my alley.

Skype Integration

We have to talk about Skype – that’s why we’re here!  SfB logins were totally painless.  Extension + PIN code flew right through. I already mentioned the programmable buttons that work so well – and clearly the 450HD is working in concert with SfB for presence, making calls, directory lookups, etc.

Login with username and PW forces using the keypad with multiple pushes of each number to scroll through letters and symbols, etc.  YUK.  Where is the QWERTY keyboard this unit is screaming for?  I am told that it is coming.  In the meantime, I suggest the web interface is mucho better if your organization does username login.  I always advise my customers to use ext= format in SfB/Lync for this very reason (Not workable if you are SfBO).

Other than that, the 450HD is ready for SfB right out of the box, logs right in, functions as expected in a totally flawless manner.  The 450HD picked up the DHCP options, discovered the environment, and asked for an extension and PIN.  And connected.  Perfect.

With the current firmware (, the 450HD will also log straight into an O365 account with zero squabbles.   Martin.Luther@tsoorad.net is a synced account to O365 enabled for mail and SfBO with a PSTN number assigned from Microsoft.  Logs in. Perfect.


Note that the phone did not get calendar connected.  I am assured that this will be resolved by EOM Jan 2017.

Also note that with a different user, the soft keys remain the same…

Calls out, calls in, audio quality with speaker or handset is most excellent.  I am about 1/2 deaf and I had no issues with volume or clarity. 

I just realized I used the word “perfect” twice in this section.  I was going to change that, but then I realized, it is the right word.  Live with it.


Download the BToE client from AudioCodes…extract and install..


…and then get your pairing code from the phone itself.


BToE integration went very smoothly, as expected.  In addition, I used a virtual machine that is guest on a VMware host that has no audio, but with BToE that VM cranked right up to using the 450HD as an audio source.  Mo’ perfect.


The 450HD web interface is standard, totally functional AudioCodes fare.  You can probably figure it all out by just ratting through it without reading a thing.  AudioCodes has not yet published 450HD specific admin or user guides, but I am told that they are mere weeks away from providing a lovely document telling you just how to configure each and every nuance of this new product.

IPP Manager

The 450HD is fully supported by the IPP Manager.  If it works in the IPP Express version, then it will work in the full IPP version also.  So nice.

What’s Missing

I have already pointed out the QWERTY keyboard and the calendar connection to the O365 tenant account. On the phone, select the “MENU” button, select “settings” and then scroll down a bit, and the LCD Contrast and Backlight Timeout are “not implemented” (yet) – but other than that, the 450HD I have is ready for prime time.

And considering that I was shipped a preview beta unit, gees, only three things?  And I am told both are coming before GA.


AudioCodes has a color phone – with some very nice features – ready to go with SfB on-premises and also with SfB online.  Clean, functional, well-built, great audio.  POE or wall power, pass through switch for your desktop. USB for headset or hockey puck.Did I mention the color screen?  Did I mention it worked OOBE with me doing nothing?  Works with SfB Online (yes, I mention that twice in one paragraph).

Considering that this unit is not in GA yet – what was that word up above?  Oh yes, it starts with a “P”.

You can get one here.



Server and Client OID with Skype (Lync 2013) Edge

The following is firmly in the “unsupported” range of topics. Follow this line of thinking at your own risk. Don’t blame me or anyone else should this go sideways on you. If this does not bother you, read on.


I am working a side project that involves connecting Jabber and Lync 2013 (SfB would work also I suspect) using a mix of the Cisco guidance and Lync 2013 documentation. The intent is to create an inter-domain federation using Lync 2013 Edge services on one side, with the Jabber organization presenting services via an ASA using an ASA feature that provides a TLS proxy. Interesting, yes? Notice that I did not invoke the phrase XMPP. As in the XMPP is not being used. And this is IM/P only.

Here is what we are doing:



Why are we here?

Without stepping too far out on the edge of the cliff, this article is going to concern itself with one element of this construction – namely the requirement to establish the TLS connection between the ASA doing TLS proxy, and the Lync 2013 Edge server (or servers). Basically, it works as you would expect, however, the ASA is looking for a certificate that has both client and server OID codes. And it needs to trust the issuing CA.

Using a certificate from a public authority – well from DigiCert at any rate – will fill this requirement for you (I don’t have a cert handy from another vendor)(oops, I spoke too soon. Entrust, GoDaddy, and Verisign all do it also, but you should check your vendor to make sure). If you are doing a one-off, then you might be using your internal Windows Certificate Authority, which does NOT issue this duality by default. Nor does the standard certificate request generated by the Lync (SfB) wizard prompt you for this requirement – basically because it has no clue as to what you are fixing on doing!

So, what to do? Well, If you have a Windows Enterprise CA, then you are in luck. If you have the standard version, some bright individual will have to figure out how to make a standard edition CA allow for templates. No, I am not that bright.

With your Windows Enterprise CA firmly in hand, open the template editor.


Then, copy the existing “Web Server” template…


Change things around as needed… I don’t know all the implications of making random changes – so tread carefully on some of these items….

But, on the General Tab, you will want to change the “Template display name”, and the “Template name” to something easy to remember. In the “Template name” I suggest using something with no spaces…maybe like this?


After that, head over to the “Extensions” tab…select the “Edit” button…


Select “Add”


Select Client Authentication, and click the obvious button marked “OK”


OK again…


And, one more time on the “OK” button…


So, close the template manager, then right click “Certificate Templates” and choose New | Certificate Template to Issue…


From the resulting list, choose whatever it is that you called your new template, and do the “OK” thing…


…and now we have our squeaky clean new template ready for you to use. Finally.



Let’s now turn to the real reason we are here, and use this new template to get a certificate for our Edge Server. Yes, usually we will do a public cert, and we have already proved that the major public CA issuers will give us what we want – but we do need to test this in lab first – or you may be doing a one-off, yes?

Open the SfB Deployment Wizard… get yourself over to step three of “Install or Update Skype for Business Server System” and lean on the “Run Again” or “Run” option…


Select the external group, and do “request”…


Adjust the parameters to meet some common-sense items – like shorten up that friendly name – holy crap – but remember that you need the “Advanced” button down at the bottom…


Prepare request now, but…


Specify a file name…


Gees. Finally we are where all this has lead up to!

Specify your alternate template name now. And if you did not heed the advice to use a name with no spaces, my guess is going to be caps count, and don’t use the spaces. Cleverly, having run into this before, I know not to use long certificate template names and long CA names. Adelante! If you have been reading along (or not) you will see that my modified template name is WebServerAndClient…


…which plugs into the SfB Deployment Wizard thusly:


At this point, you can proceed normally. At last.


Clean it up

If you do use an internal certificate source for the outside of your edge server, you will need to provide a copy of the trusted root that issued your Edge certificate to anyone who is wanting to connect – hence the reason we use public certificates.  But, for our scenario, we placed the issuing root cert onto the ASA and wala!



For whatever reason, you want to get a certificate for your SfB/Lync Edge Server that has both server and client OID authentication. We can fairly certain that public CA providers provide certificates with both by default. Windows Enterprise Certificate Authorities do not provide both OID’s by default – you must create and publish a custom certificate template. And we showed how to use that custom template with the SfB deployment wizard.



Microsoft Teams goes Preview

For the past few months, I have had the privilege of participating in the testing of the Microsoft Teams offering that went public preview today.

I am not Mr. Persistent Chat. If nothing else, Persistent Chat was not going to make the jump to Office 365 – too many hurdles there.  Most of my projects have deployed Persistent Chat, and customers that need the feature set really get into it.  With that said, *I* don’t use it to any great extent – but I can see where the history of the conversation between many users can be very helpful – see IT projects, financial folks, etc.

So into the Office 365 breach steps the intrepid group responsible for Microsoft Teams.  IMHO, they have created a very nice application – one that I will use, if for nothing else, for each and every project I am on.  The meeting space alone is worth whatever the price of admission is.  I have tried the web app from IE, FireFox, and Chrome, and it works so well, it is almost scary.  Excellent work.  The desktop app is slick, and all content is homed in the cloud – so swapping between web-based and desktop is, as far as I can tell, seamless.


For those interested in some technical detail, here are the primary features:

  • Threaded, persistent chat organized by teams and channels (topics)
  • A team work space organized around tabs including conversation, files (integrated with SharePoint) and notes (integrated with OneNote), Office files, Power BI reports, and web sites
  • Private 1:1 and group messaging
  • Built-in voice, video and MeetUp capabilities
  • Emoji, stickers, giphys and custom memes
  • @mentions
  • Native integration to SharePoint, OneNote, and Office apps 
  • Over 65 out-of-the box 3rd party Connectors

Note the fourth item down.  Ooooh.  Aaaaah.  Nice beyond further comment.


Interested?  Here are some links to get you going.

Introduction to Microsoft Teams:  This session will explain why Microsoft Teams is the chat-based workspace in Office 365.  With Microsoft Teams, all your team conversations and context - all the related files, notes and content - are kept together in one place and easily accessible by everyone on the team, with everything tightly integrated with the other Office 365 apps you use.  Learn how Microsoft Teams will help your team to communicate more effectively http://aka.ms/microsoft-teams-introduction

Deploy and manage Microsoft Teams:  This session will go into detail what IT Pros need to consider when enabling Microsoft Teams for their users. We will go walk through the process for rolling out Microsoft Teams and configuring the infrastructure, as well as taking a closer look at the supporting technologies for Microsoft Teams. http://aka.ms/microsoft-teams-deployment



How do I get this in my tenant?

Well, as you might expect, login to your tenant portal… and then go to Settings | Services & add-ins.  Scroll down a bit to “Microsoft Teams”  click.


Turn Teams on!



Select the features you want.  You want all of them.


All set!  Watch the vids!

Usually, I end with YMMV… but seriously, you are going to love this.


Call Flow Manager

I think that RGS is a wonderful thing, and something that every SfB deployment should evaluate for applicability.  Do you detest the SfB Response Group Service?  Then you might not want to read any further.  However, should you recognize the utility of said service, then this review might be just the thing you need to read.

SfB Response Groups allow the creation of simple hunt group or IVR-type grouping of agents to handle calls to a common DID.  They can work to the outside world, or be simply internal; but either way, the RGS is a great tool for those situations to which the RGS talents are applied.  I won’t go into what those talents are, or how to put the entire thing together in this article; rather this is a review of a spiffy tool from New Zealand Skype (well, Office Server and Services) MVP Andrew Morpeth.  What he and his team have done is create a nice GUI interface to the entire RGS management problem.  Let’s take a look at Call Flow Manager (CFM), shall we?

Before we start, you may wish to review the official documentation for RGS.


If you have issues un-zipping a distribution and placing it a server that has met the prerequisites then you have larger issues than I can help with.  Dirt simple.  Just leave things in one folder, and put that folder on the drive.  Execute CallFlowManager.UI.exe and away you go.  You might want to make sure you know the license information before you start, as that will be the first question asked when the tool starts up. And oh yes, run this tool as administrator.

What are those prerequisites you might ask?  Simple: 

  • Supported for Lync 2013 or Skype for Business 2015
  • Microsoft .Net Framework 4.5
  • Lync/SfB Administrative Tools
  • Install the “Local Configuration Store” – this is step 1 of the Lync/SfB deployment wizard. Querying Response Group information requires this component to be installed
  • Outbound internet access on port 443 to https://theucguys.com
  • Minimum screen resolution of 1024×768
  • You may need to Run as administrator to ensure all feature work as expected

As you might ascertain, you will have best results doing CFM on an SfB Front End server.  I put mine on the Tsoorad.Net Test Lab SE.  Truly an awesome piece of gear; used and abused on a regular basis.


OOBE RGS requires three separate interfaces – an admin headache at the very least.  CFM puts all of that into one GUI.  I had a little challenge getting my head around the interface, but that was me – in the end, I like it quite a bit.  Especially the creation and assignment of business and holiday hours – a PowerShell goat rope for OOBE RGS management.

CFM also offers 10 IVR options rather than four.  And you can flip an RGS workflow between hunt and IVR.   Phone number visibility rounds out the technical offering. 


I had zero issues using CFM on my SfB SE.  In fact, one of the nicer things that I always forget is to run things as admin.  C’mon Microsoft.  I am logged in as an administrator, why make me right-click and runas?  CFM checks for you, and rather than barfing in your face, flips up this nice little notice and offers to fix it for you.


If like me, you forget your brain at times, CFM has a nice search feature.  Here I have searched for RGS1 and discovered those elements that pertain to anything in my SfB that hints at RGS1…


Very nice.  You might also notice that I carefully name my RGS components to include the workflow name…makes things stick out later when you discover that your documentation is not as up-to-date as you claim in your work reviews. You can search on almost anything.  You have no idea how stupid I can get while creating RGS workflows – I forget what I called what, and who belongs to what all the time. This feature alone is worth giving CFM a test drive.  Here I have quick search for TWO letters…


Interface Walkthrough

Let’s take a look at the overall GUI. CFM opens to this screen.  I have exercised the upper-left pull down to select an RGS workflow.  Here you can see pretty much the basics of the workflow.  You can change/edit anything on the display, and then save it before moving to something else.  I like this much better than the native tool.


Across the top, Call Flow Designer, Queues, Groups, Business Hours (oh yes), Holidays (oh yes #2), Numbers (oh yes #3, and Logs.

Queues allows you to create and manage RGS Queues.  About the same as the CSCP, but with CFM, you get everything you need in one interface.  IMHO, clearly much better.


Groups does the same as Queues, and my comment above holds true here also.


And now to the “good stuff” – Business Hours (and Holidays).  In the CSCP, webpage, PowerShell combination of native tools, business hours and holidays are, again IMHO, a royal PITA.  El Yucko to paraphrase my second child.  In CFM, you are given a nice GUI to create, edit, and play with both of these options that allow the final customization of the RGS in terms of open hours and closed hours.  The business hours selection comes with pre-worked up day selections, so that you don’t even have to think too much.  Pretty nice for those of use with both brain cells that are already full.


The Holiday hours works pretty much the same.


The Numbers page will show you all the DIDs that available so that you don’t do the John thing and try to assign a number to an RGS that is already assigned.


…and finally, Logs.  This little nifty detail will show you all the PowerShell that is going on under the hood as you create or modify various elements of the RGS structure.  I think it would be even nicer if the entire PowerShell command string was shown rather than a brief “hey, we did this general command.”


Nit Picks

I have always disliked the CSCP view of the RGS with the workflow, queue, and group arrangement.  My brain operates on the group, then queue, then create workflow concept, and the tool could be rearranged to reflect that.  However, having observed that, there is nothing WRONG with what is here.  I will reiterate my comment about the logs, and then that is that.  For something like this to have only TWO nitpicks is remarkable all by itself.


Without reworking all the screen caps already shown, here is the same workflow as above, but seen from the native web tool.


Note that the queues and groups are not here, and to put together the business and holiday sets, you will need PowerShell. Clearly, CFM does a much better job of presenting options, creating answers, working up the solution, etc. 

And the final Bit of Goodness

CFM can take a workflow that is “hunt group” and transform it to an “IVR” – something that the native tools cannot do (to the best of my knowledge).  If you choose to take this action, be warned that it appears to be a one-way street.  Once an IVR, always an IVR.


And when you get to the IVR slice of life, the native tools only gives you four levels, CFM blows past that as mentioned above.  So nice.

Where to get this piece of greatness

Simple.  Just go to TheUCGuys.com


I like it. A lot. I won’t say more.



SfB & Jabber via XMPP & Cisco Express

Much thanks and deep appreciation to Justin O’Sullivan, Cisco dood extraordinaire. (http://www.syferstrategies.com/blog)


Microsoft Skype for Business and Cisco Jabber are, by far, the two most popular IM/P applications for the general business community.  Yes, there are some fringe applications that offer some really good features, and they work well, but for the mainstream business community, it really boils down to either Microsoft SfB or Cisco Jabber.

This is empirically proved by my blog tracking. Since its’ original posting in May of 2013, my #2 most viewed article, month after month, has been http://tsoorad.blogspot.com/2013/05/connecting-lync-2013-and-cisco-jabber.html.

Seeing as how both applications have had several years to mature and evolve, I thought this would be a good time to revisit the entire scenario of connecting the two most popular suites so your business can connect to another to streamline process and communication.

To achieve this lofty goal, I leveraged my SfB lab, which is currently running SfB update to the June 2016 Cumulative Update.  I also leveraged one of my awesome Cisco-centric co-workers, Justin O’Sullivan.  Justin runs a full Cisco lab in the course of his job, and he graciously agreed to burn up his off hours helping create the SfB <-> Jabber federation.

Initial Environment Layout

As stated, my lab is SfB, running a full edge on three IP’s. All SfB components are updated to 6.0.9319.259. (and yes, I know that not all components update to that version, but they are all 6.0.9319, and Microsoft does not update components that have no need to update).

Justin’s Cisco lab is an alphanumeric soup of Expressway C/E Version: 8.8.0, Cisco IM & Presence Version:, Cisco UCM Version:, & Cisco Jabber Version: 11.7.1.  Whew!

As in the previous Lync-Jabber article, the SfB side is extremely simple, but we’ll step through all the necessary configurations and considerations (with pictures so that Amanda sitting in the back of the class will understand), and then we’ll do the same with the Jabber side.

Skype for Business XMPP setup.

First, make sure that XMPP is enabled in your environment. At the site level and at the Edge Pool level:


Personally, I always light up every possible configuration on initial install, so I don’t have to go back and do it again later.  You can just turn things off later, but if you waited until now, you will need to publish the topology when you get done with this step, and then either run step 2 of the deployment wizard on the appropriate servers, or bootstrap the appropriate servers so that the necessary bits are turned on to make this work.

Next, you need to head off for your Control Panel.  I suppose you could also do this next piece from PowerShell, but I like GUI when I can GUI.

Inside CSCP (yes, still called that) go to your Federation and External Access tab on the left, and check your External Access Policy.  Make sure the “Enable communications with XMPP federated users is checked.


Now go to the XMPP Federated Partners and setup a partner as shown.


Get yourself an admin PowerShell window open on your server and do get-csxmppallowedpartner so you can double-check your work (read your spelling).


You might also want to have your dialbackpassphrase set.  Just set it to something easy-peasy.  If I am not too mistaken, I set this example to “xmppdialback” – if you need a primer on just what this part does, see this.


Now, go to your external DNS provider, and get yourself a squeaky clean SRV record:

_xmpp-server._tcp.domain.com or in my case, _xmpp-server._tcp.tsoorad.net.  Port 5269.  In DNS parlance, you want to submit, if you need to, _xmpp-server._tcp.domain.com 0 0 300 5269 sip.domain.com, where the numbers mean 0 weight, 0 priority, TTL 300, port 5269, and a target of sip.domain.com.  An NSLOOKUP from the world should reveal something that looks a lot like this:


Set your firewall to allow port 5269 inbound and outbound from your Edge server (or servers).  At this point, I can expect things to work from the SfB side of life.

And now the fun (?) begins

As a preface, Justin worked through this one time, but it took a few server restarts before he could convince his system to operate as expected.  Neither of us could figure that out but, what the heck, eh?

Reference Material Used:


Expressway C/E Version: 8.8.0

Cisco IM & Presence Version:

Cisco UCM Version:

Cisco Jabber Version: 11.7.1

JabberID = sAMAccountName@domain.com

In this example, we will be configuring external XMPP federation using the Cisco Expressway solution as opposed to the IM&P based XMPP federation option. When deploying external XMPP federation, you must choose one or the other and not both. Verify the service is correctly enabled on the selected option (Expressway) and disabled on the other (IM&P).

Service disabled on CUPS/IM&P



Follow the certificate requirements as per Cisco documentation.

Add the local domains to the Expressway-C server and verify XMPP Federation is set to “On”:

Navigate to Configuration > Domains



On the Expressway-E, further enable the XMPP federation settings as below:

Navigate to Configuration > Unified Communications > Configuration



1. In our example, we are not using TLS as depicted above

2. If in use, the Dialback Secret must be the same on other Expressways in the domain

XMPP DNS Records

For foreign systems to resolve/authenticate your domain correctly, set up the below SRV record for XMPP services:

_xmpp-server._tcp.{domain} (priority) (weight) (port 5269) (Target Host)

(e.g. _xmpp-server._tcp.syferstrategies.com 0 0 5269 expe.syferstrategies.com)

Group Chat Records

For group chat node DNS resolution to work properly with federated domains, configure the below external SRV records:

_xmpp-server._tcp.{chatnode}.{domain} (priority) (weight) (port 5269) (Target Host)

(e.g. _xmpp-server._tcp.chatnode1.syferstrategies.com 0 0 5269 expe.syferstrategies.com)


1. Alternatively, static routes can be used on the local Expressway if the remote system does not have these DNS records enabled

a. This can be added under Configuration > Unified Communications > Federated Static Routes

Checking XMPP Federation status

Navigate to Status > Unified Communications > XMPP Federation Connections


Jabber Experience


Add the external contact


Enter the IM address of the external contact


New federated contact seen below




Back to SfB to see how that looks!



We have demonstrated a SfB XMPP configuration then the Cisco Expressway/Jabber configuration. Works great, less filling.  Let the commo begin!