Mino – The UC Guy

Microsoft Unified Communications Blog

Archive for the ‘OCS & Exchange07’ Category

Single certificate for OCS/Exchange/ISA usage

Posted by Mino on July 7, 2009

Any post starting with this disclaimer was not written by me; however, I liked it and added it to my blog. I am also including the link to the original or a similar post to give credit to the original author.

http://www.unifysquare.com/blog/post/Single-certificate-for-OCSExchange-firewall-usage.aspx

Internal certificates work wonders for your Active Directory Domain Services members. For Unified Communications, where OCS and Exchange are going to use the same ISA 2006 server as the firewall, using a Subject Alternative Name (SAN) certificate for your edge configuration and your ISA configuration can save you time and management hassle, and possibly money as well. For internal servers an internal PKI is just fine, but for the public interface of your system you should most likely use a certificate from a public provider such as GoDaddy, Thawte, DigiCert, etc. OCS Federation, remote users, and Public Instant Messaging Connectivity (PIC) demand public certificates.

The following table shows the SAN names needed on a certificate to support the base OCS and Exchange functions on ISA 2006 – and I imagine that this certificate construction will work just fine on many other firewalls as well. The table comes from my test domain; you should replace my test domain with your own domain name.

Obtain a public SAN (UCC) certificate from your favorite provider, import the certificate into your OCS Edge server and your ISA server computer account Trusted Root Certificate store and then you can use one certificate for all these uses. This approach leaves you with only the one certificate to manage and renew, or, if life treats you badly, move to a new server.

 

 

| # | SAN Name | Usage | Notes |
| --- | --- | --- | --- |
| 1 | SIP.domain.com | OCS Edge Server | IM, Presence, Federation, PIC |
| 2 | webconf.domain.com | OCS Edge Server | Web Conferencing |
| 3 | AV.domain.com | OCS Edge Server | A/V |
| 4 | revproxy.domain.com | ISA Reverse Proxy | Web Components |
| 5 | CWA.domain.com | ISA Web Listener | Communicator Web Access |
| 6 | DOWNLOAD.CWA.domain.com | ISA Web Listener | CNAME for CWA desktop sharing |
| 7 | AS.CWA.domain.com | ISA Web Listener | CNAME for CWA desktop sharing |
| 8 | MAIL.domain.com | ISA publisher | Outlook Anywhere, OWA, POP, IMAP |
| 9 | AUTODISCOVER.domain.com | ISA Web Listener | Autodiscover for Outlook and OCS |
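Before importing the certificate, it is worth confirming that its SAN list really covers all nine names. The following is an added example, not part of the original post: the function names and the sample SAN list are hypothetical, and the wildcard handling goes beyond the table to show why a wildcard entry does not cover the two-level CWA names.

```powershell
# Added example. Function names and sample data are illustrative assumptions.

# The nine names from the table (replace domain.com with your own domain).
$RequiredNames = @(
    'SIP.domain.com', 'webconf.domain.com', 'AV.domain.com',
    'revproxy.domain.com', 'CWA.domain.com', 'DOWNLOAD.CWA.domain.com',
    'AS.CWA.domain.com', 'MAIL.domain.com', 'AUTODISCOVER.domain.com'
)

function Test-SanMatch {
    # True when one SAN dNSName entry covers the host name (case-insensitive).
    param([string]$HostName, [string]$SanEntry)
    $h = $HostName.Trim().TrimEnd('.').ToLowerInvariant()
    $s = $SanEntry.Trim().TrimEnd('.').ToLowerInvariant()
    if ($s.StartsWith('*.')) {
        # A wildcard replaces exactly one left-most label, so *.domain.com
        # covers cwa.domain.com but not as.cwa.domain.com.
        $dot = $h.IndexOf('.')
        if ($dot -lt 1) { return $false }
        return ($h.Substring($dot) -eq $s.Substring(1))
    }
    return ($h -eq $s)
}

function Get-UncoveredName {
    # Returns the required names that no SAN entry covers.
    param([string[]]$RequiredName, [string[]]$SanEntry)
    foreach ($name in $RequiredName) {
        $hit = $SanEntry | Where-Object { Test-SanMatch -HostName $name -SanEntry $_ }
        if (-not $hit) { $name }
    }
}

function Get-CertificateSanEntry {
    # Reads dNSName entries from a certificate's SAN extension (OID 2.5.29.17).
    # Assumes the English "DNS Name=" label Windows uses when formatting it.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($false), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value }
}

# Constructed SAN list: three explicit names plus a wildcard.
$sampleSan = @('sip.domain.com', 'webconf.domain.com', 'av.domain.com', '*.domain.com')
Get-UncoveredName -RequiredName $RequiredNames -SanEntry $sampleSan

# Against a real certificate (thumbprint is a placeholder):
# $cert = Get-Item Cert:\LocalMachine\My\<THUMBPRINT>
# Get-UncoveredName -RequiredName $RequiredNames -SanEntry (Get-CertificateSanEntry $cert)
```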


Posted in A/V Edge Server, Certificates, Communicator Web Access, Consolidated Edge, Edge Server, Good Articles take from Other Blogs, OCS & Exchange07, OCS 2007 R2 | 10 Comments

How to Fix Exchange UM Certificate errors when Integrating with OCS 2007

Posted by Mino on May 19, 2009

Typically, when Exchange 2007 is installed, it generates a self-issued certificate for use with IIS, SMTP, and SIP (if you’re using UM). This certificate generally isn’t ideal for Outlook and OWA clients because it’s not trusted by any machine except the Exchange server, so one of the first tasks is to replace it with a certificate that is trusted by the users’ machines.

So typically you would buy a public certificate for Exchange, and usually people don’t include the internal FQDNs of the servers in this request.

On the other hand, when you deploy OCS 2007 you need a certificate for each OCS server to secure the internal OCS-to-OCS and OCS-to-client communication. So you deploy an internal Enterprise CA in your domain to issue the certificates for OCS, and since it is an Enterprise CA it is published in Active Directory and trusted by default by all internal domain user computers.

However, when you try to integrate OCS 2007 with Exchange UM in this design, the first thing you will notice is that voice mail is not accessible from the Communicator client: it gives you a Communicator error whenever you click on voice mail, and you will find lots of certificate events and OCS protocol stack errors in the event logs on both the OCS Front End and the Exchange UM server.

The reason is that the Exchange UM server is still using the Exchange self-signed certificate for its internal name when it communicates with OCS, and since OCS doesn’t know anything about this issuer, it drops the connection.

To solve this problem we have to replace the Exchange UM self-signed certificate with one from the same CA that OCS 2007 is using. To do this, run the command below in the Exchange Management Shell.

New-ExchangeCertificate -GenerateRequest -Path c:\UMrequest.req -SubjectName "c=US, o=Contoso, cn=umsrv.mydomain.local" -DomainName mydomain.local -PrivateKeyExportable $true

This generates a request file named UMrequest.req on the C: drive for the UM server’s internal FQDN, umsrv.mydomain.local. Open it with Notepad, copy the content, then go to the PKI auto-enrolment page https://pkisrv.mydomain.local/certsrv to issue the certificate, and save it locally.

Then we need to import the certificate into Exchange and enable it for the UM service. My certificate is saved on the C: drive with the name UMCertificate.cer.

Import-ExchangeCertificate -Path c:\UMCertificate.cer

The last step is to enable this certificate for UM usage. First copy the thumbprint of the certificate, which is shown in the command shell, then run the command below.

Enable-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e -Services UM

Restart the UM service and restart the OCS Front End server. UM will now work with OCS and you will no longer see the protocol stack errors.
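To confirm the fix, list the certificates enabled for UM and flag any that are still self-signed or that come from a CA other than the one OCS uses. This is an added example, not from the original post: the function name, the issuer string and the sample objects are hypothetical, and it relies only on the Subject, Issuer, Services and Thumbprint properties of the objects Get-ExchangeCertificate returns.

```powershell
# Added example. Find-UmCertificateProblem, the issuer name and the sample
# objects are illustrative assumptions; requires PowerShell 2.0 or later.

function Find-UmCertificateProblem {
    param(
        [Parameter(ValueFromPipeline = $true)] $Certificate,
        # Issuer distinguished name of the CA that issued the OCS certificates.
        [Parameter(Mandatory = $true)] [string] $OcsIssuer
    )
    process {
        # Skip certificates that are not enabled for the UM service.
        if ("$($Certificate.Services)" -notmatch '\bUM\b') { return }

        $problem = 'None'
        if ($Certificate.Subject -eq $Certificate.Issuer) {
            # Subject equals issuer: the self-signed case described above.
            $problem = 'Self-signed: the issuer is unknown to OCS'
        }
        elseif ($Certificate.Issuer -ne $OcsIssuer) {
            $problem = 'Issued by a different CA than the OCS certificates'
        }

        New-Object PSObject -Property @{
            Thumbprint = $Certificate.Thumbprint
            Subject    = $Certificate.Subject
            Problem    = $problem
        }
    }
}

# Constructed sample objects (not real certificates).
$ocsCa = 'CN=Example-Enterprise-CA, DC=mydomain, DC=local'
$sample = @(
    (New-Object PSObject -Property @{
        Thumbprint = 'SAMPLE-THUMBPRINT-1'
        Services   = 'IIS, SMTP, UM'
        Subject    = 'CN=umsrv'
        Issuer     = 'CN=umsrv'
    }),
    (New-Object PSObject -Property @{
        Thumbprint = 'SAMPLE-THUMBPRINT-2'
        Services   = 'UM'
        Subject    = 'CN=umsrv.mydomain.local, O=Contoso, C=US'
        Issuer     = $ocsCa
    }),
    (New-Object PSObject -Property @{
        Thumbprint = 'SAMPLE-THUMBPRINT-3'
        Services   = 'IIS'
        Subject    = 'CN=mail.mydomain.com'
        Issuer     = 'CN=Example Public CA'
    })
)
$sample | Find-UmCertificateProblem -OcsIssuer $ocsCa

# On the UM server, in the Exchange Management Shell:
# Get-ExchangeCertificate | Find-UmCertificateProblem -OcsIssuer $ocsCa
```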

Posted in Certificates, Common Errors, communicator client, Front End Server, Mediation Server, OCS & Exchange07, OCS 2007 R2, Phone Edition, Unified Messaging | 3 Comments

How to Integrate Exchange UM Voicemail into Cisco IP Phones

Posted by Mino on March 27, 2009

I am working with a client who is using Cisco CUCM with Cisco phones, along with Microsoft Exchange 2007 voice mail on UM, but when you divert the phone to voicemail you are not prompted with the user’s voicemail prompt; you are prompted with the subscriber access greeting (“Welcome, you are connected to Microsoft Exchange…”, etc.).

Usually when you call someone and there is no answer, you are transferred to the pilot number, and the extension of the person you are calling is also sent in the request so that you are transferred directly to the user’s voice mail rather than to the welcome greeting.

This problem happens when diverted calls are not accepted because both sides cannot agree on DTMF handling. The MTP is important because it deals with differences in how DTMF is signaled between the phones, the gateways and the SIP trunk.

Just make sure of the following on the Cisco SIP trunk:

  1. Accept Out-of-Dialog REFER
  2. Accept unsolicited Notification
  3. Accept Replaces Header
  4. Have the SIP trunk configured to use MTP, once I’d configured MTP and MRG/MRGL

The changes detailed below are based on a new installation of Call Manager 5. As this environment has been created for the purpose of testing the integration between platforms, it contains only a minimum configuration. The required changes are to:

· Media Termination Point (MTP)

· Changes to security profile

Media Termination Point: The Cisco Call Manager installation builds the default media termination point.

Media Resource Group: Create a media resource group “MRG_CCM5” and add the media resource (MTP) to the group. Multicast is not required.

Media Resource Group List: Create a media resource group list “MRGL_CCM5” and add the media resource group “MRG_CCM5” to the list.

Device Pools: By default Cisco Call Manager creates the “default” device pool. Open the device pool “default” and select the new media resource group list “MRGL_CCM5”.

SIP Trunk Security Profiles: Copy the “Non Secure SIP Trunk Profile” to “E2K7 Non Secure SIP Trunk Profile” and enable “Accept Unsolicited Notifications”.

Partition Configuration: Create a Class of Control Partition “Local”.

Calling Search Space: Create a Class of Control Calling Search Space “CCS_Local” and add the Partition “Local” to the calling search space.

Trunk Configuration:

| Trunk Configuration: General | Setting |
| --- | --- |
| Device Name | E2K7 |
| Description | Exchange UM |
| Device Pool | Default |
| Call Classification | Use System Default |
| Media Resource Group List | <None> |
| Location | Hub_None |
| AAR Group | <None> |
| Packet Capture Mode | None |
| Packet Capture Duration | 0 |
| Media Termination Point Required | Enabled |
| Retry Video Calls as Audio | Disabled |
| Transmit UTF-8 for Calling Party Name | Disabled |
| Unattended Port | Disabled |
| MLPP Domain Information | <None> |

   

| Trunk Configuration: Call Routing Information | Setting |
| --- | --- |
| Inbound Calls | |
| Significant Digits | All |
| Connected Line ID Presentation | Default |
| Connected Name Presentation | Default |
| Calling Search Space | CCS_Local |
| AAR Calling Search Space | <None> |
| Prefix DN | <Blank> |
| Redirecting Diversion Header Delivery | Disabled |
| Outbound Calls | |
| Calling Party Selection | First Redirect Number |
| Connected Line ID Presentation | Default |
| Connected Name Presentation | Default |
| Caller ID DN | <Blank> |
| Caller Name | <Blank> |
| Redirecting Diversion Header Delivery | Enabled |

| Trunk Configuration: SIP Information | Setting |
| --- | --- |
| Destination Address | <IP Address of E2K7 Server> |
| Destination Address is an SRV | Disabled |
| Destination Port | 5060 |
| MTP Preferred Originating Codec | 711alaw |
| Presence Group | Standard Presence Group |
| SIP Trunk Security Profile | E2K7 Non Secure SIP Trunk Profile |
| Rerouting Calling Search Space | <None> |
| Out-of-Dialog Refer Calling Search Space | <None> |
| SUBSCRIBE Calling Search Space | Default |
| SIP Profile | Standard SIP Profile |
| DTMF Signalling Method | No Preference |

Posted in Cisco 4.x Integration, Cisco 5.x Integration, Cisco 6.x Integration, Cisco 7.x Integration, Good Articles take from Other Blogs, OCS & Exchange07, Unified Messaging | 8 Comments

Customizing Exchange UM Auto Attendant

Posted by Mino on March 24, 2009

When you configure your Exchange UM auto attendant, this is the normal greeting that you will hear:

“Welcome to the Exchange Auto Attendant. Use the key pad to spell the name of the person you are calling, last name first, or to spell their e-mail alias, press the # key twice. If you know the extension, press the # key.”

One of our clients asked us to change the Auto Attendant so that callers end up with the experience below:

“Welcome to Company ABC, please dial the extension of person you are calling”

This means that we need to remove the following parts from the greeting:

· Name lookup

· The # key

In the end this was done with the command below from the Exchange Management Shell, and of course we used a custom greeting for the first custom welcome part.

Set-UMAutoAttendant -Identity "test" -NameLookupEnabled $false

Replace "test" with the name of your Auto Attendant.

The client also asked whether that greeting can be interrupted. We tested that, and it appeared that it can only be interrupted after the first WAV file, “Welcome to the Exchange Auto Attendant”, ends.

If you try to interrupt before this greeting ends you will hear a sorry message; however, you can enter any digits and interrupt the greeting right after that 3-second part.

Posted in OCS & Exchange07, Uncategorized | 1 Comment

OCS 2007 and Outlook 2007 Smart Tags

Posted by Mino on March 21, 2009

I have been asked whether it is possible to see the presence of a person from inside the body of an e-mail, or to call a phone number from inside the e-mail body.

To do this, go to the settings below inside Outlook 2007:

Tools – Options – Spelling – Spelling and Auto Correction – Auto Correct Options – Smart Tags

Make sure to tick both Person Name (English) & (Outlook email), and Telephone Number.


Posted in communicator client, OCS & Exchange07, OCS 2007 R2 | 3 Comments

How to enable inbound fax for OCS 2007 Enterprise Voice and Exchange 2007 UM enabled users?

Posted by Mino on March 9, 2009

Any post starting with this disclaimer was not written by me; however, I liked it and added it to my blog. I will also include the link to the original or a similar post to give credit to the original author.

http://blogs.technet.com/jenstr/archive/2007/11/13/how-to-enable-inbound-fax-for-enterprise-voice-and-exchange-2007-um-enabled-ocs-2007-users.aspx

Exchange 2007 SP1 UM supports both voice mail and incoming fax to a given extension. However, if the user is both UM-enabled and enabled for Enterprise Voice using OCS 2007, incoming fax is not supported using the same extension. The reason being that OCS 2007 Mediation Server does not currently support T.38.

How is it possible to provide incoming fax support for Enterprise Voice enabled users? The answer is to use a separate extension for fax and route fax calls to this extension directly to Exchange 2007 SP1 UM outside of OCS 2007.

Let’s assume we have a company called Contoso with the environment shown below, and we will use that company to explain the issue and the solution.

The OCS 2007 environment is connected to the PBX via a SIP/PSTN gateway called PSTNOCSGWY. The PBX routes all calls to the DID range +131255xxxxx to OCS 2007. OCS 2007 is integrated with the Exchange 2007 SP1 UM server called UMSRV1. It hosts a UM Dial Plan called OcsUmDialPlan of UriType = SipName (required for OCS 2007 integration). There is a UM Mailbox Policy associated with this UM dial plan called OcsUm. Exchange 2007 SP1 UM is connected to the PBX via OCS 2007.

The Contoso user Test User is enabled for Enterprise Voice with the DID +13125510001 and SIP URI TestUser@contoso.com. His extension is 10001. His Enterprise Voice configuration is shown below.

 

 

To be enabled for Exchange 2007 SP1 UM the administrator would issue the following Exchange Management Shell command:

Enable-UmMailbox -id TestUser -UmMailboxPolicy OcsUmPolicy -Extensions 10001 -SIPResourceIdentifier TestUser@contoso.com -Pin 1234

Test User is now enabled for Exchange 2007 SP1 UM, but will not be able to receive incoming fax on extension 10001 or DID +13125510001.

As indicated above the solution is to give Test User a separate extension for fax and the extension needs to be routed to Exchange 2007 SP1 UM directly without going through OCS 2007. Contoso will therefore have to create a configuration as shown below. There is a dedicated SIP/PSTN gateway for connectivity to Exchange 2007 SP1 UM. The PBX routes the DID range +131266xxxxx to this SIP/PSTN gateway. There is a new UM Dial Plan called UmDialPlan with UriType=TelExtn. There is a UM Mailbox Policy associated with this UM dial plan called Um. The UM server UMSRV1 hosts both UM Dial Plans.

The administrator now decides that Test User should have the extra extension 11001 and DID +13126611001 as the fax number.

To enable Test User to receive fax, the administrator needs to issue the following Exchange Management Shell command:

Set-Mailbox -id TestUser -SecondaryAddress 11001 -SecondaryDialPlan UmDialPlan

With the above configuration Test User is now able to receive fax on DID +13126611001.


Posted in AVAYA, Cisco 4.x Integration, Cisco 5.x Integration, Cisco 6.x Integration, Cisco 7.x Integration, Mediation Server, Nortel CS1000, OCS & Exchange07, OCS 2007 R2, PBX Integration, Quintum's gateways, Unified Messaging | 13 Comments

Call unsuccessful – The Requested type of content encryption is not supported

Posted by Mino on November 17, 2008

You might get the above error message when you try to call your voice mail hosted on Exchange 2007 SP1 UM from your Office Communicator Phone Edition (OCPE) powered device. The likely cause of the issue is a mismatch between the VoIPSecurity setting of your SIP URI UM dial plan and the Security – Encryption level setting on the A/V Conferencing properties on your OCS 2007 pool.

The OCPE device uses the Security – Encryption level setting to determine whether media should be encrypted. The default setting is Require encryption, and OCPE will then send media using SRTP. If the UM dial plan VoIPSecurity parameter is set to SIPSecured, Exchange 2007 SP1 UM will not accept the SRTP-based media and you get the error message above on OCPE. Changing your UM dial plan to have the VoIPSecurity parameter set to Secured will fix the issue. This is the recommended setting, since it ensures that media is sent in a secure way.

Posted in Common Errors, OCS & Exchange07, Phone Edition | Leave a Comment

Communicator error “Cannot Synchronize Address Book”

Posted by Mino on November 17, 2008

A common issue we see is clients getting an error stating “Cannot Synchronize Address Book”.  It looks like this:


 

This is an action that the OCS installation doesn’t take care of automatically, so it happens pretty regularly. To resolve it, select the Directory Security tab and click on the Server Certificate button.

After you click on the Server Certificate button, follow the Wizard, select Assign an Existing Certificate and assign the certificate used by your OCS Server for client logins. Once you’ve assigned the certificate, the SSL port on the Web Site tab should be filled in with port 443.

Sign your clients out of Communicator and then back in, and the Address Book should be downloaded successfully.

PS: if you are using the Exchange 2007 self-signed certificate, you will still receive this error, because the Exchange self-signed certificate is not trusted by OCS 2007. You should either replace the Exchange 2007 self-signed certificate with a certificate from the same CA as OCS 2007, or import the Exchange self-signed certificate into the Trust Certificate store on the OCS 2007 servers.

Posted in Common Errors, communicator client, Miscellaneous, OCS & Exchange07 | 1 Comment

How to provide Exchange 2007 SP1 UM fault-tolerance as seen from OCS 2007?

Posted by Mino on October 12, 2008

Exchange 2007 SP1 UM provides voice mail functionality for OCS 2007 users when they are Enterprise Voice enabled. How is it possible to provide Exchange 2007 SP1 UM fault-tolerance for these users?

Exchange 2007 SP1 UM and OCS 2007 are integrated at the UM dial plan level. A given UM dial plan can be served/hosted by multiple UM servers. To provide fault-tolerance you implement two or more UM servers and assign the OCS integrated UM dial plan to all of them.

How can OCS 2007 use these UM servers in a fault-tolerant way?

OCS 2007 discovers UM users, UM servers and UM dial plans from Active Directory. It finds the UM dial plan of a user by looking at the EUM proxy address of the user, i.e. the user with the SIP URI tu@contoso.com has as one of his proxy addresses EUM:tu@contoso.com;phone-context=Hellerup.contoso.com. The value of phone-context is the name of the UM dial plan. By looking at the UM dial plan attribute msExchUMServerDialPlanBL, OCS 2007 gets the list of the UM servers servicing the dial plan. Let’s call that list the “working set”.

OCS will randomly contact one of the UM servers in the “working set”. If that fails it will try a second one. If that also fails it will give up and the call can’t be completed. A failed UM server will be removed from the “working set”. OCS will incrementally throttle traffic to the failed UM server, and when it replies positively it will be included in the “working set” again.
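The lookup and retry behaviour described above, sketched as an added example (not code from OCS or from the original post). The function names, the server names and the reachability stub are hypothetical, and the working set is passed in rather than read from msExchUMServerDialPlanBL.

```powershell
# Added example. All names and sample data below are illustrative assumptions.

function Get-UmDialPlanName {
    # Extracts the phone-context value from the user's EUM proxy address.
    param([string[]]$ProxyAddress)
    foreach ($address in $ProxyAddress) {
        if ($address -match '^EUM:[^;]+;phone-context=(?<plan>[^;]+)$') {
            return $Matches['plan']
        }
    }
    return $null
}

function Select-UmServer {
    # Picks a random server from the working set, tries a second one if the
    # first fails, then gives up. Returns the server that answered (or $null)
    # together with the servers that failed on the way.
    param([string[]]$WorkingSet, [scriptblock]$TestServer)
    $failed = @()
    $attempts = [Math]::Min(2, @($WorkingSet).Count)
    if ($attempts -gt 0) {
        foreach ($server in @($WorkingSet | Get-Random -Count $attempts)) {
            if (& $TestServer $server) {
                return New-Object PSObject -Property @{ Server = $server; Failed = $failed }
            }
            $failed += $server
        }
    }
    New-Object PSObject -Property @{ Server = $null; Failed = $failed }
}

# Constructed sample data: the proxy address from the post, made-up servers.
$proxy = @(
    'SMTP:tu@contoso.com',
    'EUM:tu@contoso.com;phone-context=Hellerup.contoso.com'
)
$workingSet = @('um1.contoso.com', 'um2.contoso.com', 'um3.contoso.com')
$down = @('um2.contoso.com')   # stub: this server does not answer

$plan   = Get-UmDialPlanName -ProxyAddress $proxy
$result = Select-UmServer -WorkingSet $workingSet -TestServer {
    param($name) $down -notcontains $name
}

# A failed server leaves the working set until it answers again.
$workingSet = @($workingSet | Where-Object { $result.Failed -notcontains $_ })

"Dial plan: $plan"
"Call routed to: $($result.Server)"
"Working set now: $($workingSet -join ', ')"
```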

Posted in OCS & Exchange07 | Leave a Comment

How to enable inbound fax for Enterprise Voice and Exchange 2007 UM enabled OCS 2007 users?

Posted by Mino on October 7, 2008

OCS 2007 users enabled for Enterprise Voice will use Exchange 2007 SP1 Unified Messaging (UM) as the voice mail system. In such a configuration the users’ Direct Inward Dialing (DID) numbers are homed on OCS 2007, and OCS 2007 is connected to the PSTN or PBX system via an OCS 2007 Mediation Server and a SIP-PSTN gateway. How to configure integration between OCS 2007 and Exchange 2007 SP1 UM is described here.

Exchange 2007 SP1 UM supports both voice mail and incoming fax to a given extension. However, if the user is both UM-enabled and enabled for Enterprise Voice using OCS 2007, incoming fax is not supported using the same extension. The reason being that OCS 2007 Mediation Server does not currently support T.38.

How is it possible to provide incoming fax support for Enterprise Voice enabled users? The answer is to use a separate extension for fax and route fax calls to this extension directly to Exchange 2007 SP1 UM outside of OCS 2007.

Let’s assume we have a company called Contoso with the environment shown below, and we will use that company to explain the issue and the solution.

The OCS 2007 environment is connected to the PBX via a SIP/PSTN gateway called PSTNOCSGWY. The PBX routes all calls to the DID range +131255xxxxx to OCS 2007. OCS 2007 is integrated with the Exchange 2007 SP1 UM server called UMSRV1. It hosts a UM Dial Plan called OcsUmDialPlan of UriType = SipName (required for OCS 2007 integration). There is a UM Mailbox Policy associated with this UM dial plan called OcsUm. Exchange 2007 SP1 UM is connected to the PBX via OCS 2007.

 

 

The Contoso user Test User is enabled for Enterprise Voice with the DID +13125510001 and SIP URI TestUser@contoso.com. His extension is 10001. His Enterprise Voice configuration is shown below.

To be enabled for Exchange 2007 SP1 UM the administrator would issue the following Exchange Management Shell command:

Enable-UmMailbox -id TestUser -UmMailboxPolicy OcsUmPolicy -Extensions 10001 -SIPResourceIdentifier TestUser@contoso.com -Pin 1234

 

Test User is now enabled for Exchange 2007 SP1 UM, but will not be able to receive incoming fax on extension 10001 or DID +13125510001.

As indicated above the solution is to give Test User a separate extension for fax and the extension needs to be routed to Exchange 2007 SP1 UM directly without going through OCS 2007. Contoso will therefore have to create a configuration as shown below.

There is a dedicated SIP/PSTN gateway for connectivity to Exchange 2007 SP1 UM. The PBX routes the DID range +131266xxxxx to this SIP/PSTN gateway. There is a new UM Dial Plan called UmDialPlan with UriType=TelExtn. There is a UM Mailbox Policy associated with this UM dial plan called Um.

The administrator now decides that Test User should have the extra extension 11001 and DID +13126611001 as the fax number.

To enable Test User to receive fax, the administrator needs to issue the following Exchange Management Shell command:

Set-Mailbox -id TestUser -SecondaryAddress 11001 -SecondaryDialPlan UmDialPlan

With the above configuration Test User is now able to receive fax on DID +13126611001.

Posted in OCS & Exchange07 | 1 Comment