Archive for the ‘Good Articles take from Other Blogs’ Category
Posted by Mino on July 7, 2009
Any post starting with this disclaimer means that this post was not written by me; however, I liked it and added it to my blog. I am also including the link to the original or a similar post to provide credit to the original author.
http://www.unifysquare.com/blog/post/Single-certificate-for-OCSExchange-firewall-usage.aspx
Internal certificates work wonders for your Active Directory Domain Services members. For Unified Communications, where OCS and Exchange are going to be using the same ISA 2006 server as the firewall, utilizing a Subject Alternative Name (SAN) certificate for your edge configuration and your ISA configuration can save you time, management hassles, and possibly provide cost savings as well. For internal servers, an internal PKI is just fine, but for the public interface of your system, you should most likely be looking at using a public-sourced key such as Go-Daddy, Thawte, DigiCert, etc. OCS Federation, remote users, and Public Instant Messaging Connectivity (PIC) demand public certificates.
The following table shows the SAN names needed on a certificate to support the base OCS and Exchange functions on ISA 2006 – and I imagine that this certificate construction will work just fine on many other firewalls as well. The table comes from my test domain; you should replace my test domain with your own domain name.
Obtain a public SAN (UCC) certificate from your favorite provider, import the certificate into your OCS Edge server and your ISA server computer account Trusted Root Certificate store and then you can use one certificate for all these uses. This approach leaves you with only the one certificate to manage and renew, or, if life treats you badly, move to a new server.
| # | SAN Name | Usage | Notes |
|---|---|---|---|
| 1 | SIP.domain.com | OCS Edge Server | IM, Presence, Federation, PIC |
| 2 | webconf.domain.com | OCS Edge Server | Web Conferencing |
| 3 | AV.domain.com | OCS Edge Server | A/V |
| 4 | revproxy.domain.com | ISA Reverse Proxy | Web Components |
| 5 | CWA.domain.com | ISA Web Listener | Communicator Web Access |
| 6 | DOWNLOAD.CWA.domain.com | ISA Web Listener | CNAME for CWA desktop sharing |
| 7 | AS.CWA.domain.com | ISA Web Listener | CNAME for CWA desktop sharing |
| 8 | MAIL.domain.com | ISA publisher | Outlook Anywhere, OWA, POP, IMAP |
| 9 | AUTODISCOVER.domain.com | ISA Web Listener | Autodiscover for Outlook and OCS |
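To check a certificate against the table before installing it, the following added example (not part of the original post) parses a SAN line in the `DNS:name, DNS:name` form printed by `openssl x509 -text` and reports which of the nine names are not covered. It goes beyond the table by also handling wildcard entries, which match only a single leftmost label; the sample SAN lines are constructed, and `domain.com` is the post's placeholder domain.

```python
# Names from the table above; replace domain.com with your own domain.
REQUIRED = [
    "SIP.domain.com", "webconf.domain.com", "AV.domain.com",
    "revproxy.domain.com", "CWA.domain.com", "DOWNLOAD.CWA.domain.com",
    "AS.CWA.domain.com", "MAIL.domain.com", "AUTODISCOVER.domain.com",
]

def parse_san_line(line):
    """Return the dNSName entries of a 'DNS:a, DNS:b, IP Address:x' line, lowercased."""
    names = []
    for item in line.split(","):
        kind, _, value = item.strip().partition(":")
        if kind == "DNS" and value.strip():
            names.append(value.strip().lower().rstrip("."))
    return names

def san_matches(pattern, host):
    """DNS names compare case-insensitively; '*' stands for exactly one leftmost label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h

def missing_names(san_line, required=REQUIRED):
    """Return the required names that no SAN entry in san_line covers."""
    sans = parse_san_line(san_line)
    return [r for r in required if not any(san_matches(s, r) for s in sans)]

# Constructed sample SAN lines (not taken from a real certificate).
WILDCARD_ONLY = "DNS:domain.com, DNS:*.domain.com"
FULL_LIST = ", ".join("DNS:" + n.lower() for n in REQUIRED)

if __name__ == "__main__":
    # The two-level CWA names fall outside a single-label wildcard.
    print("wildcard only, missing:", missing_names(WILDCARD_ONLY))
    print("full SAN list, missing:", missing_names(FULL_LIST))
```
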
Posted by Mino on July 6, 2009
This is a case I have faced right after the MVP award thing; it proves one thing to me. You will always learn till the last minute of your life whether you are a Ranger or MVP or even one of the product team themselves.
OK, here is the case: I have a pilot in an isolated environment where I have deployed 3 machines (AD + CA + Exchange, OCS Front End, OCS Mediation), and the users are in another production environment; they are planning to test OC locally from their computers, which are joined to the production domain, not the pilot one.
I have everything configured fine: hosts file edited correctly, certificate chain imported, and Communicator is able to log in correctly with no problem. All of a sudden, all Vista machines are not able to download the address book or to retrieve Outlook free/busy information. However, XP machines are working smoothly with no problem.
OK, then we think logically: what is common between Address Book and Exchange free/busy? Both are web services retrieved through HTTPS, so it has to be an IE problem.
After some Googling I found the solution on the UC No Evil blog, where he describes the details of the troubleshooting steps he did; in the end it appeared to be the IE setting "Check for server certificate revocation" along with disabling Windows Vista User Access Control.
Below are the detailed steps as described on the blog:
1. Make sure this symptom is the same on all of your Vista clients.
2. Flush DNS by using ipconfig /flushdns on the client.
3. Verify within IE that ‘Check for server certificate revocation*’ is disabled. To do this go to IE > Advanced > Security section > Check for server certificate revocation*. Deselect the check box.
4. Now close Internet Explorer and close Communicator (completely: sign out and close the application).
5. Start Communicator and sign in.
6. If you’re not presented with an error or the warning stating an issue accessing the Address Book, go to %userprofile%\Local Settings\Application data\Microsoft\Communicator and verify that a GalContacts.db file exists. If it does exist, GREAT! You’re done. If not, then continue with the rest of the procedure.
7. Within IE, add the Address Book URL from which users will download the AB files: IE > Internet Options > Security > Trusted Sites > Add the URL to trusted sites (ex. https://ocsfrontend.company.com).
8. Repeat steps 4-6.
9. If you still cannot download the address book, move to step 10.
10. Verify that User Access Control is off and then repeat steps 4-6.
Also some good technical details for the issue are available here on Microsoft Forums
Posted by Mino on March 27, 2009
Apparently there is a bug with CWA and Windows 2008 where the Service Principal Name (SPN) isn’t created for the FQDN of your CWA site. The result is the following error when you attempt to sign in with integrated Windows authentication:
Cannot sign in because your computer clock is not set correctly or your
account is invalid (error code: 0-1-492)
The Windows authentication site will fail with this error if your site is running on Windows 2008 Server.

HOW TO FIX IT:
· You need to add an SPN matching the FQDN of your internal site (cwa.contoso.com) to the user account you assigned in AD for CWA.
· Open ADSIEDIT and navigate to the OU where your CWA service account is stored.
· Locate the CWA service account (mine is called ‘CWAService’) and right-click then choose Properties.
· Turn on the checkbox to ‘Show only attributes that have values’ and scroll down to an entry called ‘servicePrincipalName’.
· Click the Edit button.
· Type in the SPN using the following format (http/). For example, if your site is called “cwa.contoso.com” then type in “http/cwa.contoso.com”.
NOTE: Do NOT type http://.
· Click OK and you’re done!
Thanks to the following blogs :
http://jasonshave.blogspot.com/2009/01/communcator-web-access-error-0-1-492.html
http://www.confusedamused.com/notebook/cwa-2007-r2-login-fails/
Posted by Mino on March 27, 2009
I am working with a client who is using Cisco CUCM with Cisco phones, along with Microsoft Exchange 2007 voice mail on UM, but when you divert the phone to voicemail you are not prompted with the user’s voicemail prompt; you are prompted with the subscriber access greeting (“Welcome, you are connected to Microsoft Exchange…”, etc.).
Usually when you call someone and there is no answer, you are transferred to the pilot number; the extension of the person you are calling is also sent in the request so that you are transferred directly to the user’s voice mail, not to the welcome greeting.
This problem happens when diverted calls are not accepted because both sides cannot agree on DTMF handling. The MTP is important because it deals with differences in how DTMF is signaled between the phones, the gateways and the SIP trunk.
Just make sure the following on the Cisco SIP trunk:
- Accept Out-of-Dialog REFER
- Accept unsolicited Notification
- Accept Replaces Header
- Have the SIP trunk configured to use MTP, once I’d configured MTP and MRG/MRGL
The changes detailed below are based on a new installation of Call Manager 5. As this environment has been created for the purpose of testing the integration between platforms, it contains only a minimum configuration. The required changes are to:
· Media Termination Point (MTP)
· Changes to security profile
Media Termination Point: The Cisco Call Manager installation builds the default media termination point.
Media Resource Group: Create a media resource group “MRG_CCM5” and add the media resource (MTP) to the group. Multicast is not required.
Media Resource Group List: Create a media resource group list “MRGL_CCM5” and add the media resource group “MRG_CCM5” to the list.
Device Pools: By default Cisco Call Manager creates the “default” device pool. Open the device pool “default” and select the new media resource group list “MRGL_CCM5”.
SIP Trunk Security Profiles: Copy the “Non Secure SIP Trunk Profile” to “E2K7 Non Secure SIP Trunk Profile” and enable “Accept Unsolicited Notifications”.
Partition Configuration: Create a Class of Control Partition “Local”.
Calling Search Space: Create a Class of Control Calling Search Space “CCS_Local” and add the Partition “Local” to the calling search space.
Trunk Configuration:
| Trunk Configuration: General | Setting |
|---|---|
| Device Name | E2K7 |
| Description | Exchange UM |
| Device Pool | Default |
| Call Classification | Use System Default |
| Media Resource Group List | <None> |
| Location | Hub_None |
| AAR Group | <None> |
| Packet Capture Mode | None |
| Packet Capture Duration | 0 |
| Media Termination Point Required | Enabled |
| Retry Video Calls as Audio | Disabled |
| Transmit UTF-8 for Calling Party Name | Disabled |
| Unattended Port | Disabled |
| MLPP Domain Information | <None> |

| Trunk Configuration: Call Routing Information | Setting |
|---|---|
| Inbound Calls | |
| Significant Digits | All |
| Connected Line ID Presentation | Default |
| Connected Name Presentation | Default |
| Calling Search Space | CCS_Local |
| AAR Calling Search Space | <None> |
| Prefix DN | <Blank> |
| Redirecting Diversion Header Delivery | Disabled |
| Outbound Calls | |
| Calling Party Selection | First Redirect Number |
| Connected Line ID Presentation | Default |
| Connected Name Presentation | Default |
| Caller ID DN | <Blank> |
| Caller Name | <Blank> |
| Redirecting Diversion Header Delivery | Enabled |

| Trunk Configuration: SIP Information | Setting |
|---|---|
| Destination Address | <IP Address of E2K7 Server> |
| Destination Address is an SRV | Disabled |
| Destination Port | 5060 |
| MTP Preferred Originating Codec | 711alaw |
| Presence Group | Standard Presence Group |
| SIP Trunk Security Profile | E2K7 Non Secure SIP Trunk Profile |
| Rerouting Calling Search Space | <None> |
| Out-of-Dialog Refer Calling Search Space | <None> |
| SUBSCRIBE Calling Search Space | Default |
| SIP Profile | Standard SIP Profile |
| DTMF Signalling Method | No Preference |
Posted by Mino on March 15, 2009
Any post starting with this disclaimer means that this post was not written by me; however, I liked it and added it to my blog. I will also include the link to the original or a similar post to provide credit to the original author.
http://blogs.technet.com/jkruse/archive/2009/02/25/jabra-dial-520.aspx
I’ve received a demo unit of the JABRA Dial 520 under the UC Voice program and I have been showing it to our client to get their feedback.
Everyone is very happy with its cool look and the plug-and-play thing: you don’t need to configure anything, and once you plug it in, Communicator will automatically choose it as the default device. You will be able to enter any number and click dial, and it will open the Communicator client and place the call.
The voice quality is good, but when you receive a call on your Communicator client the JABRA 520 will just blink a white light without telling you the number of the caller, which is quite disappointing to me :-(
But overall I like it, and I will really love it if the screen shows me the number or the name of the caller.


Posted by Mino on February 28, 2009
Any post starting with this disclaimer means that this post was not written by me; however, I liked it and added it to my blog. I will also include the link to the original or a similar post to provide credit to the original author.
http://blogs.technet.com/toml/archive/2007/11/30/oc-custom-presence-states.aspx
Office Communicator 2007 offers a few user-defined areas: the Note, your location and Custom Presence.
Please note something important: there is no defined custom presence that includes the Yellow (away) status. The reason is that it is not supported, as it was deemed to be a value that you wouldn’t set yourself but that would be set based on your activity. I would agree with that for Away, but Be Right Back I can set; still, it is what it is. What happens if you set one of the states to the Yellow (away) state: none of the custom presence items show.
Another item to note that can be a bit annoying: you can’t sign in with the custom presence; you have to sign in with a standard state and then change. My approach is to pick the state that matches what I will eventually select with my custom text.
Here is the syntax for my presence.xml used for what you see, and I also included a reg file. Please note that you can put the xml anywhere; just update the reg file syntax for the correct path.
<customStates>
  <customState ID="1" availability="online">
    <activity LCID="1033">Out and about – use mobile</activity>
  </customState>
  <customState ID="2" availability="Busy">
    <activity LCID="1033">Down in the lab – use mobile</activity>
  </customState>
  <customState ID="3" availability="busy">
    <activity LCID="1033">Reviewing program documents</activity>
  </customState>
  <customState ID="4" availability="do-not-disturb">
    <activity LCID="1033">Executive Briefing with Customer</activity>
  </customState>
</customStates>
and here is the syntax of my presence.reg file
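Windows Registry Editor Version 5.00

; Points Communicator at the custom presence file; adjust the path to where presence.xml is stored.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Communicator]
@=""
"CustomStateURL"="file:///C:/Users/toml/Documents/presence.xml"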
