Posted by Mino on July 7, 2009
Any post starting with this disclaimer was not written by me; however, I liked it and added it to my blog. I am also including the link to the original (or a similar) post to give credit to the original author.
http://www.unifysquare.com/blog/post/Single-certificate-for-OCSExchange-firewall-usage.aspx
Internal certificates work wonders for your Active Directory Domain Services members. For Unified Communications, where OCS and Exchange are going to use the same ISA 2006 server as the firewall, using a Subject Alternative Name (SAN) certificate for both your Edge configuration and your ISA configuration can save you time and management hassle, and possibly money as well. For internal servers an internal PKI is just fine, but for the public interface of your system you should most likely be looking at a publicly trusted certificate from a provider such as GoDaddy, Thawte, DigiCert, etc. OCS Federation, remote users, and Public Instant Messaging Connectivity (PIC) demand public certificates.
The following table shows the SAN names needed on a certificate to support the base OCS and Exchange functions on ISA 2006, and I imagine that this certificate construction will work just fine on many other firewalls as well. The table comes from my test domain; replace my test domain with your own domain name.
Obtain a public SAN (UCC) certificate from your favorite provider, import it into your OCS Edge server and your ISA server computer account certificate store, and then you can use one certificate for all of these uses. This approach leaves you with only one certificate to manage and renew or, if life treats you badly, to move to a new server.
| # | SAN Name | Usage | Notes |
|---|----------|-------|-------|
| 1 | SIP.domain.com | OCS Edge Server | IM, Presence, Federation, PIC |
| 2 | webconf.domain.com | OCS Edge Server | Web Conferencing |
| 3 | AV.domain.com | OCS Edge Server | A/V |
| 4 | revproxy.domain.com | ISA Reverse Proxy | Web Components |
| 5 | CWA.domain.com | ISA Web Listener | Communicator Web Access |
| 6 | DOWNLOAD.CWA.domain.com | ISA Web Listener | CNAME for CWA desktop sharing |
| 7 | AS.CWA.domain.com | ISA Web Listener | CNAME for CWA desktop sharing |
| 8 | MAIL.domain.com | ISA publisher | Outlook Anywhere, OWA, POP, IMAP |
| 9 | AUTODISCOVER.domain.com | ISA Web Listener | Autodiscover for Outlook and OCS |
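The following PowerShell is an added example, not part of the original article: it builds a certreq.exe request that carries every name in the table as a SAN entry, accepts the issued certificate, and then checks that the certificate really covers all nine names. It assumes "domain.com" is the table's placeholder, that the O and C values in the subject are placeholders, and that certreq.exe runs on the server that will hold the private key (the Edge or ISA box), so the key is generated in the computer store. Note where things land: the certificate with its private key goes into the computer's Personal store (Cert:\LocalMachine\My); only the CA's root and intermediate certificates belong in the Trusted Root and Intermediate stores.

```powershell
# Added example (not from the original article). Assumptions: domain.com, O=Contoso, C=US
# are placeholders; the CSR is submitted to the public CA out of band.

$RequiredSans = @(
    'sip.domain.com', 'webconf.domain.com', 'av.domain.com',
    'revproxy.domain.com', 'cwa.domain.com', 'download.cwa.domain.com',
    'as.cwa.domain.com', 'mail.domain.com', 'autodiscover.domain.com'
)

function New-UcSanRequest {
    param(
        [Parameter(Mandatory=$true)][string[]]$Names,
        [string]$Subject = 'CN=sip.domain.com, O=Contoso, C=US',
        [string]$InfPath = 'C:\uc-san.inf',
        [string]$ReqPath = 'C:\uc-san.req'
    )
    $lines = @(
        '[NewRequest]',
        "Subject = `"$Subject`"",
        'KeyLength = 2048',
        'KeySpec = 1',                      # AT_KEYEXCHANGE, required for TLS
        'KeyUsage = 0xA0',                  # digitalSignature + keyEncipherment
        'Exportable = TRUE',                # so the same cert can be moved to the ISA server
        'MachineKeySet = TRUE',             # key lives in the computer store, not the user's
        'ProviderName = "Microsoft RSA SChannel Cryptographic Provider"',
        'RequestType = PKCS10',
        'HashAlgorithm = sha256',           # assumption: the CA accepts SHA-256 requests
        '',
        '[EnhancedKeyUsageExtension]',
        'OID = 1.3.6.1.5.5.7.3.1',          # Server Authentication
        '',
        '[Extensions]',
        '2.5.29.17 = "{text}"'              # Subject Alternative Name, one dns= entry per line
    )
    foreach ($n in $Names) { $lines += "_continue_ = `"dns=$n&`"" }
    $lines | Set-Content -Path $InfPath -Encoding Ascii
    & certreq.exe -new $InfPath $ReqPath | Out-Null
    Get-Content -Path $ReqPath | Out-String   # paste this CSR into the CA's order form
}

function Install-UcSanCertificate {
    param([Parameter(Mandatory=$true)][string]$CerPath)
    # Pairs the issued certificate with the pending request's private key and stores it in
    # Cert:\LocalMachine\My. The CA chain (not this certificate) goes to Trusted Root / Intermediate.
    & certreq.exe -accept $CerPath
}

function Test-UcSanCoverage {
    param(
        [Parameter(Mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory=$true)][string[]]$Required
    )
    $sanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $sanExt) { return $Required }  # no SAN extension at all: every name is missing
    $present = $sanExt.Format($false) -split ', ' |
               Where-Object { $_ -like 'DNS Name=*' } |
               ForEach-Object { ($_ -replace '^DNS Name=', '').ToLowerInvariant() }
    # Returns the required names the certificate does NOT carry; no output means full coverage
    $Required | Where-Object { $present -notcontains $_.ToLowerInvariant() }
}

New-UcSanRequest -Names $RequiredSans
# ...order the certificate with that CSR, save the response as C:\uc-san.cer, then:
# Install-UcSanCertificate -CerPath 'C:\uc-san.cer'
# $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like 'CN=sip.domain.com*' } | Select-Object -First 1
# Test-UcSanCoverage -Cert $cert -Required $RequiredSans
```

Run Test-UcSanCoverage before you bind the certificate to the Edge interfaces or the ISA web listeners: a provider that silently drops or rewrites a name (for example the two CWA CNAMEs) shows up as a non-empty result. To reuse the certificate on the ISA server, export it from the first machine as a PFX including the private key (which is why Exportable = TRUE is set) and import the PFX into that server's computer Personal store.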
Posted in A/V Edge Server, Certificates, Communicator Web Access, Consolidated Edge, Edge Server, Good Articles take from Other Blogs, OCS & Exchange07, OCS 2007 R2 | Tagged: autodiscover, av, certificate, Communicator web access certificate, cwa, digicert certificate, download.cwa, Entrust certificate, Exchange 2007 Certificate, OCS 2007 CWA Certificate, OCS Edge Certificate, office communications server 2007 Certificate, revproxy, SAN Certificate, sip, Subject Alternative Name certificate, UC Certificate, UCC certificate, webconf | 4 Comments »
Posted by Mino on July 6, 2009
This is a case I faced right after the MVP award; it proves one thing to me: you will always keep learning until the last minute of your life, whether you are a Ranger, an MVP, or even a member of the product team.
OK, here is the case: I have a pilot in an isolated environment where I deployed three machines (AD + CA + Exchange, OCS Front End, OCS Mediation). The users are in another, production environment, and they plan to test Office Communicator locally from their computers, which are joined to the production domain, not the pilot one.
I had everything configured fine: hosts files edited correctly, certificate chain imported, and Communicator able to log in with no problem. All of a sudden none of the Vista machines were able to download the address book or retrieve Outlook free/busy information, while the XP machines worked smoothly with no problem.
OK, then we think logically: what is common between the Address Book and Exchange free/busy? Both are web services retrieved over HTTPS, so it has to be an IE problem.
After some Googling I found the solution on the UC No Evil blog, where he describes the troubleshooting steps he went through; in the end it came down to the IE setting "Check for server certificate revocation", along with disabling Windows Vista User Account Control.
Below are the detailed steps as described on that blog:
1. Make sure the symptom is the same on all of your Vista clients.
2. Flush DNS by running ipconfig /flushdns on the client.
3. Verify within IE that "Check for server certificate revocation*" is disabled. To do this go to IE > Internet Options > Advanced > Security section > Check for server certificate revocation*, and clear the check box.
4. Now close Internet Explorer and close Communicator (completely: sign out and close the application).
5. Start Communicator and sign in.
6. If you are not presented with an error or a warning about accessing the Address Book, go to %userprofile%\Local Settings\Application Data\Microsoft\Communicator and verify that a GalContacts.db file exists. If it does exist, GREAT! You're done. If not, continue with the rest of the procedure.
7. Within IE add the Address Book URL from which users download the AB files: IE > Internet Options > Security > Trusted Sites > add the URL to Trusted Sites (e.g. https://ocsfrontend.company.com).
8. Repeat steps 4-6.
9. If you still cannot download the address book, move to step 10.
10. Verify that User Account Control is off, and then repeat steps 4-6.
Some good technical details on the issue are also available on the Microsoft Forums.
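As an added example (not from the original post or the UC No Evil article), the PowerShell below does what a practitioner should do before switching off "Check for server certificate revocation": it runs the same online revocation check IE performs against the OCS web components certificate and prints the CRL distribution points the client has to reach. Run it from an affected Vista client. The host name is the post's example URL and an assumption; my reading of the symptom, also an assumption, is that in this isolated pilot the clients could resolve the OCS names through their hosts file but could not reach the pilot CA's CRL distribution point, so the revocation check failed rather than the certificate being revoked.

```powershell
# Added example (not from the original post). Assumes the OCS web components host
# ocsfrontend.company.com from the post; replace it with your own.

function Get-ServerCertificate {
    param([Parameter(Mandatory=$true)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept whatever the server presents during the handshake; the chain is evaluated below.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Close()
        $tcp.Close()
    }
}

function Test-CertificateRevocation {
    param([Parameter(Mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Same policy IE applies with the revocation check on: fetch CRLs online for the whole chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $builds = $chain.Build($Cert)

    # CRL Distribution Points (OID 2.5.29.31): every client must be able to resolve and reach these
    $cdp = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $crlUrls = @()
    if ($cdp) {
        $crlUrls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
    }

    New-Object PSObject -Property @{
        Subject     = $Cert.Subject
        Issuer      = $Cert.Issuer
        ChainBuilds = $builds
        # RevocationStatusUnknown / OfflineRevocation here means "CRL unreachable", not "revoked"
        ChainStatus = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
        CrlUrls     = $crlUrls
    }
}

$cert = Get-ServerCertificate -HostName 'ocsfrontend.company.com'
Test-CertificateRevocation -Cert $cert | Format-List Subject, Issuer, ChainBuilds, ChainStatus, CrlUrls
```

If ChainStatus reports RevocationStatusUnknown or OfflineRevocation, fix the client's path to the URLs in CrlUrls (in an isolated pilot that usually means adding the CA host to the same hosts file, or publishing the CRL somewhere the clients can reach) instead of clearing the IE check box. Disabling the check makes the symptom go away, but it also stops the clients from noticing a genuinely revoked certificate.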
Posted in Certificates, Common Errors, Front End Server, Good Articles take from Other Blogs, Miscellaneous, OCS 2007 R2, communicator client | Tagged: address book download, cannot download address book, Check for sever certificate revocation, GalContacts.db, office communications server 2007 r2, Office Communicator 2007, Office communicator 2007 R2, outlook integration error, unable to retrieve free busy information, Unified Communications, User Access Control, vista can not download address book | 4 Comments »
Posted by Mino on July 2, 2009
First of all, I am Egyptian and proud to be.
We have the Pharaohs' beliefs in our blood: simply, nothing is impossible and the sky is always the limit.
Yesterday at 1 AM I received the congratulations e-mail for the 2009 MVP award in Unified Communications.
That really felt awesome, especially as I remembered that 10 years ago I had the dream of achieving an MCP certification and holding a Microsoft card in my hands; later I wished to have direct communication with the Microsoft guys; later still I wished to have my own blog and to actually have something useful to write in it.
The MVP dream came to my mind last year, and I thought about how far away it could be. Today I have achieved this dream and I am very happy with it. I owe it to God, who has always taken care of me and given me all the good things.
Thanks... Like Kaka says: I Belong To Jesus

Posted in About Me | Tagged: Egypt, Jesus, kaka, Link Development, linkdev, linkdotnet, Microsoft Most Valuable Professional, mina nagy, Mino, MVP, The UC Guy, UC Guy, Unified Communications | 1 Comment »
Posted by Mino on May 24, 2009
Open Registry Editor, locate the following key:
HKLM\Software\Policies\Microsoft\Communicator
and set SavePassword=1.
This enables a "Save password" check box in the MOC login dialog.
After the password is entered it is saved in the registry under
HKCU\Software\Microsoft\Communicator\AccountPassword
This registry value stores a hashed value; changing the hash requires re-entering the password.
Note: you may want to use this option if MOC users log in from workgroup machines, or if Kerberos authentication is not working.
Source: http://www.ocspedia.com/FE/How_to_Save_Password_MOC.htm
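The PowerShell below is an added example, not from the original post or ocspedia: it sets the SavePassword policy at the HKLM path above and audits which loaded user hives already hold a Communicator AccountPassword value. The audit treats any non-empty AccountPassword value as "credential saved" (an assumption about the value's format, which the post does not spell out). Whatever the encoding, the value lives in the user's registry hive, so anyone who can read that hive (a backup, an offline disk, another administrator) gets hold of the stored credential material; scope the policy to the workgroup machines that actually need it.

```powershell
# Added example (not from the original post). Requires an elevated shell for the HKLM write.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Communicator'

function Set-CommunicatorSavePassword {
    param([Parameter(Mandatory=$true)][bool]$Enabled)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # SavePassword=1 shows the "Save password" check box in the MOC login dialog; 0 hides it
    New-ItemProperty -Path $PolicyKey -Name SavePassword -PropertyType DWord `
                     -Value ([int]$Enabled) -Force | Out-Null
    (Get-ItemProperty -Path $PolicyKey -Name SavePassword).SavePassword
}

function Get-CommunicatorSavedPasswords {
    # Enumerate loaded user hives under HKEY_USERS (skipping *_Classes hives and the
    # SYSTEM / LOCAL SERVICE / NETWORK SERVICE SIDs) and report which profiles carry
    # Communicator's AccountPassword value, i.e. have a credential stored on disk.
    Get-ChildItem Registry::HKEY_USERS | Where-Object {
        $_.PSChildName -notlike '*_Classes' -and $_.PSChildName -notmatch '^S-1-5-(18|19|20)$'
    } | ForEach-Object {
        $sid   = $_.PSChildName
        $path  = "Registry::HKEY_USERS\$sid\Software\Microsoft\Communicator"
        $value = (Get-ItemProperty -Path $path -Name AccountPassword -ErrorAction SilentlyContinue).AccountPassword
        New-Object PSObject -Property @{
            Sid           = $sid
            PasswordSaved = (($null -ne $value) -and (@($value).Count -gt 0))
        }
    }
}

Set-CommunicatorSavePassword -Enabled $true        # policy on: MOC shows the check box
Get-CommunicatorSavedPasswords | Format-Table -AutoSize
# Set-CommunicatorSavePassword -Enabled $false     # hide the check box again
```

Only hives of users currently logged on (or otherwise loaded) appear under HKEY_USERS, so run the audit on a machine while its users are signed in, or load the NTUSER.DAT files of the profiles you care about first.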
Posted in OCS 2007 R2, communicator client | Tagged: MOC on workgroup, MOC password, MOC without authentication, Office communicator client, password, Save password | Leave a Comment »
Posted by Mino on May 19, 2009
Typically, when Exchange 2007 is installed it generates a self-signed certificate for use with IIS, SMTP and SIP (if you are using UM). This certificate generally isn't ideal for Outlook and OWA clients because it isn't trusted by any machine except the Exchange server itself, and one of the first tasks is to replace it with one that is trusted by the users' machines.
So typically you would buy a public certificate for Exchange, and usually people don't include the internal FQDNs of the servers in that request.
On the other hand, when you deploy OCS 2007 you need a certificate for each OCS server; it is required to secure the communication between OCS servers and between OCS and its clients. So you deploy an internal enterprise CA in your domain to issue the certificates for OCS, and since it is an enterprise CA its root certificate is published in Active Directory and trusted by default on all domain-joined computers.
However, when you try to integrate OCS 2007 with Exchange UM in this design, the first thing you notice is that voice mail is not accessible from the Communicator client: it shows a Communicator error whenever you click Voice Mail, and you find lots of certificate events and OCS protocol stack errors on both the OCS Front End and the Exchange UM server.
The reason is that the Exchange UM server is still presenting the Exchange self-signed certificate for its internal name when it talks to OCS, and since OCS knows nothing about that issuer it drops the connection.
To solve this, replace the Exchange UM self-signed certificate with one issued by the same CA that OCS 2007 uses. Run the following in the Exchange Management Shell (the -DomainName list becomes the certificate's Subject Alternative Name, so it must contain the UM server's FQDN, not just the domain):
New-ExchangeCertificate -GenerateRequest -Path c:\UMrequest.req -SubjectName "c=US, o=Contoso, cn=umsrv.mydomain.local" -DomainName umsrv.mydomain.local -PrivateKeyExportable $true
This generates a request on the C: drive named UMrequest.req for the UM server's internal FQDN umsrv.mydomain.local. Open it in Notepad, copy the content, go to the CA's web enrollment page (https://pkisrv.mydomain.local/certsrv) to have the certificate issued, and save the issued certificate locally.
Next, import the certificate into Exchange and enable it for the UM service. My certificate is saved on the C: drive as UMCertificate.cer:
Import-ExchangeCertificate -Path c:\UMCertificate.cer
The last step enables this certificate for UM. Copy the thumbprint that Import-ExchangeCertificate prints in the shell, then run:
Enable-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e -Services UM
Restart the Microsoft Exchange Unified Messaging service and the OCS Front End server; UM now works with OCS and the protocol stack errors no longer appear.
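Before running Enable-ExchangeCertificate, it is worth checking the properties that the OCS-to-UM TLS handshake actually depends on. The PowerShell below is an added example (not from the original post) to run on the UM server: it verifies that the certificate has a private key, carries the Server Authentication EKU, names the UM server's FQDN, and chains to a root that the machine trusts, and it prints that root's thumbprint so you can compare it with the root the OCS Front End certificates chain to. The thumbprint in the usage line is the post's placeholder and the FQDN umsrv.mydomain.local is the post's example; both are assumptions.

```powershell
# Added example (not from the original post). Run on the Exchange UM server.

function Test-UmCertificateForOcs {
    param(
        [Parameter(Mandatory=$true)][string]$Thumbprint,
        [string]$ExpectedFqdn = [System.Net.Dns]::GetHostEntry('').HostName
    )
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpper() } | Select-Object -First 1
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My" }

    # Names OCS will match against: SAN dNSName entries, or the CN when there is no SAN extension
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $names = if ($san) {
        $san.Format($false) -split ', ' | Where-Object { $_ -like 'DNS Name=*' } |
            ForEach-Object { $_ -replace '^DNS Name=', '' }
    } else {
        $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    }

    # Enhanced Key Usage must include Server Authentication (1.3.6.1.5.5.7.3.1)
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasServerAuth = ($null -ne $eku) -and
                     (@($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }).Count -gt 0)

    # The chain must end in a root this machine trusts. An enterprise CA root is auto-published
    # to domain members, so this fails for the Exchange self-signed certificate but not for the new one.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    New-Object PSObject -Property @{
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        SelfSigned     = ($cert.Subject -eq $cert.Issuer)
        HasPrivateKey  = $cert.HasPrivateKey
        NameMatches    = (@($names | Where-Object { $_ -ieq $ExpectedFqdn }).Count -gt 0)
        ServerAuthEku  = $hasServerAuth
        ChainTrusted   = $chainOk
        RootThumbprint = $root.Thumbprint   # compare with the root of the OCS Front End certificate
        ChainStatus    = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    }
}

Test-UmCertificateForOcs -Thumbprint '5113ae0233a72fccb75b1d0198628675333d010e' `
                         -ExpectedFqdn 'umsrv.mydomain.local' | Format-List
```

Every boolean in the output should be True (and SelfSigned False) before you enable the certificate for UM. If RootThumbprint differs from the root of the OCS Front End certificate, the UM server is chaining to a CA that OCS does not know about, which is exactly the condition that produces the protocol stack errors described above.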
Posted in Certificates, Common Errors, Front End Server, Mediation Server, OCS & Exchange07, OCS 2007 R2, Phone Edition, Unified Messaging, communicator client | Tagged: Communicator client voice mail error, Exchange UM integration, Exchange UM voice mail, Exchange Unified Messaging, OCS Certificate errors, OCS Protocol Stack errors, OCS Voice mail, Office communications Server 2007, UM Certificate errors, UM OCS integration, unable to access voice mail | Leave a Comment »
Posted by Mino on May 13, 2009
As strange as this might sound, this is the latest case I faced; in the end it turned out to be a known bug, which Microsoft Premier Support was able to solve after three weeks of investigation.
Setup
You have OCS 2007 R2 implemented on Windows Server 2008, with the back end on SQL Server 2008 running on Windows Server 2008. The following roles are all implemented on Windows Server 2008:
- Front End 1
- Front End 2
- Mediation
- Consolidated Edge not joined to the domain
Problem:
When you restart any OCS server you cannot remotely access it again; pings to the server are lost, and when you go and check the server you find the network is disconnected.
If you go through all of the OCS server services you find them all stuck in the Starting state; after about 10 minutes they fail to start.
If you set these OCS services to Manual start rather than Automatic and then reboot, you find that the server functions normally.
This is a really strange problem that I had never faced before, as I had already implemented OCS on Windows 2008, and up to this moment I still don't know what triggers it.
Solution:
- Set the startup type of wmiApSrv to Automatic
- Add a dependency on wmiApSrv to RtcSrv
- Set the startup type of RtcSrv to Automatic
- Reboot
- RtcSrv now starts and runs
- Set the startup type of all Rtc* services to Automatic
- Reboot
- All Rtc* services now start and run
To set the RtcSrv service dependency you can modify the registry: under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RtcSrv, edit the DependOnService value to include wmiApSrv.
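The PowerShell below is an added example, not from the original post, that applies the solution above in the order given and guards against the one mistake that is easy to make here: DependOnService is a REG_MULTI_SZ, and both `sc.exe config RtcSrv depend=` and a careless registry edit replace the whole list, so any dependency RtcSrv already has must be read first and wmiApSrv appended to it. Run it elevated on each OCS server (Front End, Mediation, Edge), then reboot as the steps describe.

```powershell
# Added example (not from the original post). Run in an elevated shell on each OCS server.

function Add-ServiceDependency {
    param(
        [Parameter(Mandatory=$true)][string]$Service,
        [Parameter(Mandatory=$true)][string]$DependsOn
    )
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Service"
    # DependOnService may be absent; treat that as an empty list
    $current = @((Get-ItemProperty -Path $key -Name DependOnService -ErrorAction SilentlyContinue).DependOnService |
                 Where-Object { $_ })
    if ($current -contains $DependsOn) { return $current }
    $new = $current + $DependsOn                       # append, never replace, the existing entries
    Set-ItemProperty -Path $key -Name DependOnService -Value ([string[]]$new) -Type MultiString
    (Get-ItemProperty -Path $key -Name DependOnService).DependOnService
}

function Set-RtcServicesStartup {
    # Without -AllRtc: first pass from the post (wmiApSrv + RtcSrv), followed by a reboot.
    # With -AllRtc: second pass, once RtcSrv has been seen running after the reboot.
    param([switch]$AllRtc)
    Set-Service -Name wmiApSrv -StartupType Automatic
    Add-ServiceDependency -Service RtcSrv -DependsOn wmiApSrv | Out-Null
    Set-Service -Name RtcSrv -StartupType Automatic
    if ($AllRtc) {
        Get-Service -Name 'Rtc*' | ForEach-Object { Set-Service -Name $_.Name -StartupType Automatic }
    }
}

function Get-RtcServiceState {
    # Startup type, current state and dependencies for every Rtc* service plus wmiApSrv
    Get-WmiObject Win32_Service -Filter "Name LIKE 'Rtc%' OR Name = 'wmiApSrv'" |
        ForEach-Object {
            $deps = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)" `
                        -Name DependOnService -ErrorAction SilentlyContinue).DependOnService
            New-Object PSObject -Property @{
                Name      = $_.Name
                StartMode = $_.StartMode
                State     = $_.State
                DependsOn = ($deps -join ', ')
            }
        }
}

Set-RtcServicesStartup                 # pass 1: wmiApSrv + RtcSrv, then reboot
# Set-RtcServicesStartup -AllRtc       # pass 2 after RtcSrv is confirmed running, then reboot
Get-RtcServiceState | Format-Table Name, StartMode, State, DependsOn -AutoSize
```

After the second reboot, Get-RtcServiceState should show every Rtc* service with StartMode Auto and State Running, and RtcSrv's DependsOn column should list wmiApSrv alongside whatever it depended on before.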
Posted in Consolidated Edge, Edge Server, Front End Server, Miscellaneous, OCS 2007 Components, OCS 2007 R2, Uncategorized | Tagged: OCS 2007 R2 server services fail to start, OCS 2007 R2 servers lose network connection, Rtc services, RtcSrv, Services are set to Automatic, wmiApSrv | 3 Comments »
Posted by Mino on May 13, 2009
If you have heard a lot about UC and are interested in implementing it in your organization, but you don't have the know-how and don't have the money to outsource it, then this is for you.
Microsoft is offering a fully paid UC pilot to get a UC solution implemented in your organization for 25 pilot users. All you have to do is ask your Microsoft account manager for a Voice Pilot; here is what you get, also for free.
A Voice Pilot is defined as an OCS 2007 deployment with the following characteristics for at least 25 users:
- User has been enabled for IM, Presence, and Enterprise Voice
- User is relying on Office Communicator 2007 or Office Communicator Phone Edition for their daily business telephony needs – OCS is managing incoming and outgoing call routing
- The OCS Voice Pilot implementation must be connected to the customer’s existing production PBX with the Pilot Users’ primary number managed by OCS
- The OCS deployment has to be on Physical servers and not virtualized ones
- Customer willing to become a public reference case in FY09 (e.g. press, analyst or customer reference, case study, etc.)
- Complete a validation questionnaire provided by Microsoft
Besides the free implementation and the business presentation, you also get for free the Voice Pilot kit box below, which includes the following gifts:

Posted in 1-What is UC, OCS 2007 R2 | Tagged: Microsoft UC, Microsoft Voice Pilot, UC for Free, Voice Pilot | Leave a Comment »
Posted by Mino on April 26, 2009
I have been on a deployment in the Gulf countries, where the language of the application is much more important than the application itself.
English is not commonly used, and the localized language was requested even at the OCS level.
Microsoft provides a localized MUI (Multilingual User Interface) for both the Communicator 2007 R2 client and Communicator Web Access. However, there is no MUI yet for Communicator Phone Edition.
The MUI package for Office Communicator 2007 R2 includes the following languages:
· Arabic
· Bulgarian
· Catalan
· Chinese – Simplified
· Chinese – Traditional
· Chinese Hong Kong
· Croatian
· Czech
· Danish
· Dutch
· English
· Estonian
· Finnish
· French
· German
· Greek
· Hebrew
· Hindi
· Hungarian
· Italian
· Japanese
· Korean
· Latvian
· Lithuanian
· Norwegian
· Polish
· Portuguese (Portugal)
· Portuguese (Brazil)
· Romanian
· Russian
· Serbian
· Slovak
· Slovenian
· Spanish
· Swedish
· Thai
· Turkish
· Ukrainian



Posted in Communicator Web Access, OCS 2007 R2, communicator client | Tagged: Multilingual User Interface Package, Office communicator 2007 R2, Office Communicator in Arabic, User Interface Package | Leave a Comment »
Posted by Mino on April 25, 2009
Microsoft Unified Communications Training and Adoption 2007/2007 R2 User Awareness and Training Materials
The Unified Communications 2007/2007 R2 User Awareness and Training Materials Kit provides resources for IT pros, administrators and corporate trainers to speed the usage and adoption of Unified Communications technologies in the enterprise. Materials in the kit can be customized to the needs of the company or organization. The kit provides the following materials: awareness materials (posters, web banners, door hangers and stickers) and training materials (quick reference cards, tips & tricks cards, and links to web-based training, Getting Started tours, and Office Online help and how-tos).
Posted in 1-What is UC | Tagged: Corporate Trainers, Getting Started Tours, How-to's, Training Materials, Training Materials Kit, Unified Communications, User Awareness | Leave a Comment »
Posted by Mino on April 12, 2009
Although I was really going nuts on this case, in the end I was really happy with what I learned on the security side. I spent about two nights until 4 AM trying to figure out just one thing:
"Why the hell is this phone not able to log in?"
OK, if you read my previous post on the Phone Edition update error "0x2ee7/0", you will notice I was able to successfully update the phone's firmware to the latest R2 version.
I have the below Environment:
· OCS 2007 R2 Front End on windows 2008
· OCS Backend on SQL 2008 running on windows 2008
· PKI running on windows 2008
Communicator clients are working just fine and everything is as it should be... everything except Communicator Phone Edition.
Whenever I try to log in, the phone runs through the following loop of actions:
· Locating Domain Controller
· Downloading Certificate
· Installing Certificate
· Connecting to office communications Server
And then the loop starts again...
1. I made sure that the certificate is properly published in Active Directory
2. I made sure of all the naming conventions on the OCS
3. I made sure of the security rights on the CA for downloading the certificate chain over the HTTP web enrollment page
In the end I made a trace with Wireshark to see exactly how it connects:
· The phone shows correct connections to the NTP, DNS and DHCP records
· It locates the right CA, communicates with it, and the CA signals Authorized back
· Then it tries to communicate with the OCS server
· Then all of a sudden the connection is dropped

I contacted Microsoft senior consultants Ty Ryan and Josh Jones; they both double-checked all the settings with me and had no clue why it was doing that, but what they were sure of is that the phone doesn't like the root CA for some reason.
So we went back to the Microsoft security architecture consultant Robin Wright, who built this PKI; he gave us a clue: we have a root CA and beneath it an issuing CA.
The design of this PKI is based on 4096-bit keys and the SHA256RSA signature algorithm. We asked the Microsoft development team whether Phone Edition supports these PKI settings, especially since it runs Windows CE, and it appeared that SHA-2 is only supported on XP SP3 or later and Windows 2003 SP1 or later. But no one from the development team had any confirmed information.

So I installed another PKI with 2048-bit keys and the SHA-1 algorithm instead of SHA-2, replaced all the certificates on the OCS server with ones from the new PKI and...
Voilà, the phone was working in no time.
Lesson learnt: too much security will kill you, if you can't make up your mind.
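The PowerShell below is an added example (not from the original post) that makes the incompatibility above visible before the phones are rolled out: it walks the chain of the OCS Front End certificate and reports key size and signature algorithm at every level, flagging anything a Windows CE-era client may not handle. The thumbprint-free lookup by the server's own FQDN and the "legacy" thresholds (not SHA-1, or more than 2048 bits) are assumptions; the post only establishes that the phone worked with a SHA-1/2048-bit PKI and failed with SHA256RSA/4096-bit CAs. One caveat that belongs with the lesson: the fix traded the PKI's strength down for compatibility, and SHA-1 has since been deprecated for certificate signatures, so in a current rollout the answer is firmware that supports SHA-2, not a weaker CA.

```powershell
# Added example (not from the original post). Run on an OCS server.

function Get-CertificateChainProfile {
    param([Parameter(Mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # algorithms are the question here, not revocation
    $null = $chain.Build($Cert)
    $level = 0
    foreach ($element in $chain.ChainElements) {
        $c   = $element.Certificate
        $sig = $c.SignatureAlgorithm.FriendlyName     # e.g. sha1RSA, sha256RSA
        $bits = $c.PublicKey.Key.KeySize
        New-Object PSObject -Property @{
            Level              = $level               # 0 = server cert, last = root CA
            Subject            = $c.Subject
            KeyBits            = $bits
            SignatureAlgorithm = $sig
            # Assumed thresholds for Windows CE-era clients: anything not SHA-1 or above 2048 bits
            LegacyClientRisk   = (($sig -notmatch '^sha1') -or ($bits -gt 2048))
        }
        $level++
    }
}

function Get-OcsServerCertificate {
    # Assumption: the OCS certificate wizard put the server's FQDN in the subject CN.
    param([string]$Fqdn = [System.Net.Dns]::GetHostEntry('').HostName)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -like "CN=$Fqdn*" } |
        Select-Object -First 1
}

$ocsCert = Get-OcsServerCertificate
if ($ocsCert) {
    Get-CertificateChainProfile -Cert $ocsCert | Sort-Object Level |
        Format-Table Level, KeyBits, SignatureAlgorithm, LegacyClientRisk, Subject -AutoSize
} else {
    Write-Warning "No certificate with a private key for this host's FQDN in Cert:\LocalMachine\My"
}
```

Run this against the existing PKI before buying or reflashing phones: any level with LegacyClientRisk True, including the root CA's own self-signature, is a level the phone has to verify and, as the case above shows, may refuse. Note that the root's signature algorithm matters even though roots are trusted by thumbprint, because the phone was observed to reject the chain rather than just one certificate.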
Posted in Certificates, OCS 2007 R2, Phone Edition | Tagged: Certificate Authority, Communicator phone edition is unable to login, OCPE, Office communications Server 2007, PKI, PKI SHA2, Polycom CX700, SHA256RSA, Tanjay errors, Tanjay unable to login | 1 Comment »