Recently I built a new OCS 2007 R2 Enterprise Edition pool for a customer, consisting of 4 Front End servers deployed behind a F5 BIG-IP hardware load balancer to provide IM and Presence and Web Conferencing to a few thousand users. You’d think “no worries right, follow the Deployment Wizard, she’ll be apples”.

Not quite in this case. From this, I learnt a lot more about what it takes to get things off the ground in a large, highly regulated and distributed Active Directory and LCS/OCS environment.

So the objective of this post is to share a few tips with you to help mitigate delays in your deployments in the future.

Back End SQL Database

Make sure you have necessary permissions on the SQL Server (cluster) for the account you are using to create databases in the instance you’re going to use. Note that a SQL Server instance that currently hosts LCS databases cannot be used to deploy the databases for OCS 2007 R2.

Also check with your DBA to see if any minimum database size requirements are in place as part of an existing new database template.

Forest Level Universal Group Memberships

As well as having Domain Admins group membership in the domain you’re deploying the pool in, to create the Enterprise Edition Pool you’ll need either membership of the RTCUniversalServerAdmins group at forest level (the parent domain – created during Forest Prep) or be a member of a group that has had these effective permissions delegated to it (see John’s post for more details).

Service Accounts

Once you’ve created the Enterprise Pool and entered all the necessary FQDNs, specified the back end server and the file shares to use, you’ll want to started installing OCS 2007 R2 on your Front End Servers and adding them to the pool. A few things to watch for here service account wise that you may require change control/approval on.

• The RTCService you create (or utilise from an existing deployment – same name or not) during Front End Server activation must be a member of the RTCHSUniversalServices universal group in forest root.
• The RTCComponentService account must be a member of the RTCComponentsUniversalServices universal group in forest root.
• The RTCGuestUserAccess account you create during Front End Server activation must be a member of the RTCUniversalGuestAccessGroup universal group in forest root.

These are all things that are usually taken care of during the entire deployment process, but could snag you up in a more complicated environment. So when you submit that change request to get RTCUniversalServerAdmins group (or equivalent delegated) membership, send through the names of the service accounts you intend on using also.

Issuing certificates to servers when using the Certificate Wizard isn’t an option

Generally once each Front End Server is installed, added to the pool and activated, we kick on with assigning certificates to these servers. We do this using the Certificate Wizard included with the OCS 2007 R2 Admin Tools.

If you don’t have the necessary rights to wanton request certificates from the CA (e.g. you might only have rights to issue certificates from one particular template) or you can’t request using the Web Server template that the OCS Certificate Wizard uses, you’ll need to either submit CSR files or get your certs from the CA’s web enrolment page. During this deployment, I opted for the later.

Because we generally need to specify a SAN (Subject Alternative Name) or two for things like pool FQDN, machine FQDN and External Web Farm FQDN, we need to make sure these get on the cert. This works a bit differently than in the OCS 2007 R2 Certificate Wizard.

Navigate to the Web Enrolment page of your CA (generally https://serverhostname/certsrv) and click through (in order) the Request a Certificate, Advanced certificate request and Create and submit a request to this CA pages.

Specify the certificate template (Web Server ideally, but if you can only use a certificate template that grants the equivalent or greater specs than this, select that). Fill in all the usual details like you would in the OCS 2007 R2 Certificate Wizard.

Now, here’s the cool part. In the Attributes box at the bottom of the page, you can specify the additional SANs you need. Your string should take the following format:

(san:dns=SN FQDN&dns=SAN FQDN) e.g. san:dns=hostname.domain.com&dns=poolname.domain.com&dns=abs.domain.com

Note that each SAN FQDN is separated by a & (ampersand) sign.

Once you’ve specified your SANs, click Submit.
If the CA is not configured to issue certificates automatically; a Certificate Pending page appears and requests that you wait for the CA administrator to issue the certificate that you requested.
Otherwise, the Certificate Issued Web page appears and you can click Install this Certificate to install the certificate.

This step installs the certificate to the User container in the Certificates MMC snap-in, so make sure to properly move it to the Machine container so you can assign it to your Front End servers.

Conclusion

You won’t come across a lot of these issues in every Enterprise Edition pool deployment you do, but it’s worth being aware of them for those peskier, more locked down environments.

If anyone has any questions regarding anything I’ve mentioned, feel free to post it in the comments section.

- Justin Morris, Modality Systems

The next meeting of the UCVUG will take place on Monday April 19th, 2010.

I would like to pass on details of the next UCVUG meeting.  Please support this great community by registering for the event and participating.

April 2010 Meeting Details

The Microsoft Unified Communications Virtual User Group (UCVUG) will be hosting its next quarterly meeting on April 19th, 2010 at 12:00 PM Eastern Time (-5 GMT). This event will be broadcast online via Microsoft Live Meeting. Please register if  you plan to attend so that we can get a count of how many attendees to plan for.

Agenda

• UCVUG Welcome – Dustin Hannifin
• Exchange 2010 UM and OCS 2007 R2 Integration – Alex Lewis
• Prize Drawing and Closing – This month we will be giving away copies of Windows 7

Speaker Bio

Alex Lewis is a senior Unified Communications consultant at Convergent Computing and author of many books in the “Unleashed” series. He has contributed to Exchange Server 2003 Unleashed, Exchange Server 2007 Unleashed and Exchange Server 2010 unleashed and is currently writing “Microsoft Communications Server W14 Unleashed”. You can follow Alex on Twitter and read more about his UC implementation experiences on his blog, Windows into Silicon Valley.

Registration

If you plan to attend this event, please register via the registration link here:

http://ucvugapril2010.eventbrite.com/

-John Lamb, Modality Systems

Gurdeep Singh Pall Delivers the Goods During Microsoft  Keynote at VoiceCon 2010 Orlando

Gurdeep is is the Corporate VP of the Unified Communications R&D group at Microsoft.  I had the distinct pleasure of working with Gurdeep when I was at Microsoft.  He’s not only an incredibly technical and passionate leader, but a great speaker as well.  I always make a point of taking extensive notes whenever he presents, because of the wealth of information and key talking points that he delivers.

Here are my notes from his VoiceCon Orlando keynote presentation.

On-Demand Presentation Recording:

You can watch the keynote here:  http://tv.voicecon.com/

• Register and go to Live TV. 
• In the video window, click Menu, and navigate to on-demand presentations for VoiceCon (March 2010, Orlando)

Statistics Presented in the Introduction Video:

• 1 in 6 US households don’t have fixed line phones
• US mobile phone users send 1.7x more texts than phone calls on average (I expect this is much higher in UK/Europe)
• The statistic rises to 10x among teenagers
• 70% of mobile phone calls originate from cars
• 4 million “millennials” enter the workforce each year
• The most popular online destination for the millennial demographic is social networks
• 300 million people use Windows Live Messenger to make voice calls
• In December 2009, AT&T asked the FCC to eliminate the regulatory requirement to provide landlines to households
• “The next generation is here”

Introduction:

“The only thing that is constant is change”

Computer and phone have been separate, and over the last decades, computers kept getting faster and faster, but phones have  the same

The average information worker only spends 40% of time at their desk.  (So most communications systems are designed for 40% of use?  What about the other 60%?)

Microsoft Has Just “One” Idea: 

If we had to design communications system, starting anew, without being tethered to the past, how would you go about designing that system? 

How do you take software to create a communications system like that?

Microsoft had a luxury:  They could be disruptive because there was no legacy business to protect.

OCS Today:

70% of "fortune X”( ? – didn’t catch the number) companies have OCS today

Microsoft and entire industry led the transformation from mainframes to PC’s.  The ethos was: don’t buy hardware, software and services and software from a single vendor, build an ecosystem

“Mainframe era economics plagues the PBX industry.”

New Wave 14 features Demo:

Jamie Stark did a great job showing new features of “Communications Server Wave 14”.  I was happy to see that they skipped past the typical “Presence is dialtone” explanation and embedded presence in Outlook.  This is a very powerful message, but one that this particular audience has all seen before.

Demo highlights:

• Location awareness
• E911 services – powered by the location awareness (Location is carried in the SIP channel and sent to a public service providers in the cloud.)
• “Visual Voice Mail” type voice mail UI – directly accessible in Office Communicator
• Click to convert to Voice Mail to text via Exchange UM  (cool feature: each transcribed word is a hyperlink that will jump to the right place in the audio playback.)
• Contact Card & Skill Search  This is an interface directly into the SharePoint index of skillsets and information
• Call Admission Control

Case Studies

This section was followed by a great demo from Clarity Consulting around a hosted Call Centre solution they built on OCS 2007 R2.   

There was also a customer presentation from AT Kearney, a business consulting company with 3500 employees and 47 offices.

• Replaced legacy PBX with OCS R2, extended for mobile users
• Improved employee work/life balance and lowered TCO
• 300k IM / day
• 450 – 500 video calls / day
• Anecdote: OCS federation with clients like Best Buy enables secure & compliant communication (both data and voice) at no extra cost.

Gartner Magic Quadrants:

For four years in a row, Microsoft has been a leader in the Gartner magic quadrant for UC, and Microsoft is also a leader in the following MQ’s: 

• Enterprise Content Management
• Social Software
• Information Access Technology

Gurdeep’s Predictions

In next 3 years

• 50% of voice calls will be more than voice
• 75% of apps will be communications enabled

Quote: "The success of UC will be like salt in food.  It’s always there, an important ingredient, but you never see it."  (referring to the fact that it will be embedded into applications by default).

My Takeaways

I think the big takeaway is that Microsoft is leading in Enterprise Collaboration.  Voice is becoming an increasingly a smaller part of collaboration, and while still critically important, must fit seamlessly into the bigger picture of real-time (synchronous) and non-real-time (asynchronous) collaboration.  This, along with seamless mobility, are the most critical factors to consider when developing a UC strategy within an organization.

-John Lamb, Modality Systems 

Last year, I deployed a new set of Exchange Server 2007 servers (Client Access and Hub Transport on one server, Mailbox Server on another) into an Exchange Server 2003 environment for a customer as part of the build phase of the messaging migration component of a large infrastructure upgrade project. I went about testing mailbox access, mail routing etc and found that I had some weird behaviour occurring.

I couldn’t log on using OWA to mailboxes I created on the new Mailbox Server or mailboxes I migrated from the Exchange 2003 server because I was getting a "you do not have permission to access this mailbox" error (below).

I checked the mailbox permissions on the mailboxes and everything looked fine (NT AUTHORITY\SELF was specified).

I could however log onto mailboxes on the Exchange 2003 using the Exchange 2007 OWA, meaning OWA itself looked ok. No mail was traversing between the two environments nor was it getting to external recipients from Exchange 2007 mailboxes.

In addition to that, I was getting these warnings on the Mailbox Server:

Log Name: Application

Source: MSExchangeMailSubmission

Date: 24/06/2009 2:29:44 PM

Event ID: 1009

Task Category: MSExchangeMailSubmission

Level: Warning

Keywords: Classic

User: N/A

Computer: MBX.domain.local

Description:

The Microsoft Exchange Mail Submission Service is currently unable to contact any Hub Transport servers in the local Active Directory site. The servers may be too busy to accept new connections at this time.

And these on the Client Access/Hub Transport Server:

Log Name: Application

Source: MSExchangeTransport

Date: 24/06/2009 5:51:41 AM

Event ID: 1035

Task Category: SmtpReceive

Level: Warning

Keywords: Classic

User: N/A

Computer: CASHT.domain.local

Description:

Inbound authentication failed with error LogonDenied for Receive connector Default CASHT. The authentication mechanism is Gssapi. The source IP address of the client who tried to authenticate to Microsoft Exchange is [ipaddressofex2003machine].

And:

Log Name: Application

Source: MSExchangeSA

Date: 18/06/2009 8:37:22 AM

Event ID: 9186

Task Category: General

Level: Warning

Keywords: Classic

User: N/A

Computer: CASHT.domain.local

Description:

Microsoft Exchange System Attendant has detected that the local computer is not a member of group ‘/dc=local/dc=domain/ou=Microsoft Exchange Security Groups/cn=Exchange Servers’. System Attendant is going to add the local computer into the group.

The current members of the group are ‘CN=Exchange Install Domain Servers,CN=Microsoft Exchange System Objects,DC=domain,DC=local; CN=CASHT,OU=Servers,OU=IT,OU=Company,DC=domain,DC=local; CN=MBX,OU=Servers,OU=IT,OU=Company,DC=domain,DC=local; ‘.

Because this was a new install of Exchange Server 2007, I thought something was up with the install so redeployed the virtual machines from template and installed from scratch and reconfigured everything but alas, no dice. I’d never seen these kind of issues on other deployments so found it really weird.

I google’d everything I could to find a solution but nothing came up. I ran the Exchange BPA and Troubleshooting agents, ran Test-MAPIConnectivity and Test-OWAConnectivity but to no avail.

Quite perplexed, it was here that I called Microsoft Product Support Services to check out the problem with me.

We increased event logging levels on OWA, Information Store, Mail Submission on the relevant servers but still didn’t see anything compelling to determine the problem. I also tried removing the OWA virtual directory and recreating it but this didn’t help.

Finally, we checked the Local Security Policy on the Mailbox Server under

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies – User Rights Assignment and looked at the Access this computer from the network policy setting. It was here that I found that the Default Domain Policy was enforcing DOMAIN\Domain Users rather than not being defined at all as it should be.

Once I removed this setting and did a gpupdate /force on the two Exchange 2007 servers, everything lit up and worked as it should. I could log into an Exchange Server 2007 mailbox using OWA, mail started flowing between the two environments and to external recipients and all the warnings in the Application logs on both servers cleared up.

This is definitely not something you’ll come across regularly in your Exchange travels as it was a unique pre-existing issue with the customer environment, but worth checking out if you’re experiencing behaviour and warnings like this after you install Exchange Server 2007 into an Exchange Server 2003 environment.

A corporate version of the successful iDialog client is now available

Corporate Licensing

iDialogPro is the corporate version of the iDialog client (based on iDialog version 1.2), now available with volume licensing and controlled distribution to your users.  

How It Works

iDialogPro is available as a free (no cost) application in the Apple iTunes store.   This enables your users to download and install iDialogPro as they would any other iPhone or iPod Touch application.   Upon launching the application, the user will be asked to provide an authorization code in order to unlock and use the application beyond the initial trial period.   The code is tied to your company‘s OCS domain and is therefore automatically secure from unauthorized distribution outside of your company.   This enables the code to be distributed freely to your users, for example, via email.

What do I need?

In order to use iDialogPro, you will need the following:

• An Apple iPhone or iPod Touch device with a network connection (WiFi, 3G, EDGE, GPRS, etc)
• iDialogPro installed on the device.
• A Microsoft OCS 2007 or 2007 R2 server system that is properly configured
• An OCS Communicator Web Access (CWA) Server, preferably accessible via the Internet

Trial Capability

If you would like to try iDialogPro, download and install the application from the Apple iTunes store.  When you launch the application for the first time, use the activation code “CanIConnect”.   This code will enable use of the product for 3 days. 

If you have any questions or would like more information about licensing iDialogPro for your organization, please contact us: idialog@modalitysystems.com

-John

John Lamb, Modality Systems

Skype is getting serious about business voice

I posted recently on Skype hiring Jonathan Rosenberg.  Today, Skype announced that David Gurle has joined the team as GM and VP of Skype for Business.

Mr. Gurle was instrumental in laying the foundation for LCS/OCS at Microsoft, and more recently turned Thomson Reuters into a major collaboration player within the financial services market.

I don’t like making predictions, but is this the start of a 3 horse race in Enterprise UC?  Or will Skype simply fill an important gap in the small and mid-market businesses where the major Enterprise UC players require too much investment and heavy-lifting?

If Skype starts with adoption at smaller companies and and grows up-market through continuous innovation, they will be well-positioned for success. 

-John

John Lamb, Modality Systems

To provide a seamless experience for your staff working remotely outside the corporate LAN in addition to an Edge Server, OCS 2007 R2 (and R1) also requires a reverse proxy in your DMZ/perimeter network to publish your Web Components Server role (IIS) of the Front End Server. This is to provide a few things:

• Address book download (GAL search capabilities) in Office Communicator.
• Distribution group expansion within Office Communicator.
• Meeting content download during a web conference in Live Meeting and;
• Download of device firmware update for Office Communicator Phone Edition (OCPE – Tanjay) devices.

If the client applications (Office Communicator and Live Meeting) can’t retrieve these items, you will experience problems such as:

• The much maligned “Cannot synchronise corporate address book” error in Communicator.
• The inability to expand distribution groups in a users contact list in Communicator.
• PowerPoint presentations, whiteboards and any other uploaded content will not display in Live Meeting and;
• Any OCPE devices external to the corporate LAN won’t be able to get new firmware updates.

In addition to this, a reverse proxy would usually be required to publish other services such as Communicator Web Access, Outlook Web Access/App, SharePoint, etc. ISA Server 2006 is your best weapon of choice for this purpose, but the reverse proxy requirement for OCS can also be achieved using other firewall/web publishing devices you might have.

Today I’m going to focus on a neat trick you can utilise with ISA Server to use 1 less certificate, FQDN and IP address when publishing your OCS IIS directories by utilising an existing URL.

All the requirements and steps for setting up ISA Server are detailed in the Microsoft documentation. The focus of this post won’t be to go into the detail of how to configure rules and web listeners in ISA. I’ll assume you’re all cluey enough to get that bit sorted out.
I’ll use publishing SharePoint with OCS as an example, but this could be adapted to be used with the other resources as listed above, depending on your publishing method.

Because we are specifying explicit URL paths to forward web requests to OCS, we can layer this on top of a rule that already forwards requests to the /* of your URL and use its FQDN as well. The end product should look like this:

The only requirement for this scenario is that the underlying URL must be using a web listener that supports No Authentication in the Authentication tab of the web listener. You can’t use a URL that is being published using ISA Server forms-based authentication or another type of authenticaiton, because OCS requires No Authentication to work.

Today I’ll go through the process of completing the following tasks:

1. Changing your External Web Farm FQDN on your OCS pool to match the desired URL.
2. Configuring your OCS web publishing rule to respond to requests on the new URL.
3. Specifying explicit required paths on the new URL.

I recommend that you either test this configuration in a lab environment first or schedule an outage window to implement this as it may cause an interruption of service to the existing URL you’re utilising.

Changing your External Web Farm FQDN

Firstly, you’ll want to identify which FQDN you’re going to use for the OCS External Web Farm FQDN from your existing FQDNs published on ISA Server. Let’s say for example sharepoint.contoso.com.

1. Log on to the Standard Edition server or Enterprise Edition server in the pool with an account that is a member of RTCUniversalServerAdmins group or has equivalent permissions
2. Open a command-line prompt.
3. Navigate to the \Program Files\Common Files\Microsoft Office Communications Server 2007 directory.
4. To set the external URL for the Web farm, type the following command:

5. Lcscmd /web /action:updatepoolurls /externalwebfqdn:sharepoint.contoso.com /poolname:<poolname>

This will update the WMI parameters for the pool and allow OCS to respond to requests to the FQDN specified.

Configuring the OCS web publishing rule to respond to requests on the new URL

As you progress through the Web Publishing Rule Wizard as detailed in the documentation, you’ll need to configure the fields on the Public Name Details page with the FQDN of the existing service you’re going to utilise (SharePoint in our case).

Specify the path /Abs/* for now, we’ll specify more paths later.

Continue with configuration of the web publishing rule to the Select Web Listener page and select the web listener already configured for the FQDN you want to use.

Continue configuration as detailed in the documentation.

Specifying explicit required paths on the new URL

After you’ve created the web publishing rule for OCS, open the Properties dialog and select the Paths tab.

In addition to the /Abs/* path you added during creation, add the following additional paths for this web publishing rule:

/RequestHandler/*

/GroupExpansion/*

/DeviceUpdateFiles_Ext/*

/etc/*

Your paths should look like this (they might be in a different order, this is ok):

And the rule you have created for publishing SharePoint should look like this:

This rule then effectively becomes a “catch-all”, and must be ordered after the OCS publishing rule in your ISA Server firewall policy (as illustrated in the first image in this post).

By creating these two rules in ISA Server, we ensure that only requests from Office Communicator and Live Meeting to the explicit paths we have specified for OCS are proxied to your OCS 2007 R1/R2 pool/front end server, and all other requests are proxied to your SharePoint server (or whatever other service you choose).

This results in only utilising the one IP address, SSL certificate and FQDN, thus cutting down on costs and management.

Feel free to post any questions to the comments section.

- Justin

Jonathan Rosenberg Joins Skype

I was warming up to write a blog post on Cisco’s UC announcement today (Cisco Unified Communications system 8.0), but the video on their web site nearly put me to sleep.   Based on the look of the new Cisco phones, they didn’t get the memo about the importance of user experience.

Instead, the big news today comes from Skype:  They hired Jonathan Rosenberg, a key author of the SIP protocol:

http://gigaom.com/2009/11/09/skype-names-sip-guru-as-chief-technology-strategist/

Rosenberg is well-regarded in SIP circles and his hiring means that Skype is making a stronger push into the enterprise… When I last spoke to Skype CEO Josh Silverman, he was pretty clear about his desire to turn Skype into a major enterprise voice and collaboration player.

The recent legal tussling over Skype’s core technology has finally been put to rest and now they have Rosenberg.  Given that he was instrumental in the development of SIP, founded DynamicSoft (which was acquired by Cisco) and was then key to Cisco’s voice strategy over the last 5 years, this could be a very interesting twist for Enterprise UC.

-John

John Lamb, Modality Systems. 

iDialog v1.1.1 release

The first update to iDialog is now available.  The update is a free download if you have already purchased iDialog v1.0.

This update includes the following features and fixes:

Features:

• Support for Enterprise certificates. If your OCS CWA is configured with an internal certificate, the user is warned about the untrusted certificate and can choose to “accept” the certificate in order to proceed.  This is the same behavior that is available in all major web browsers today.  This will greatly improve the out of box experience for users at companies that have used an internal CA to issue their CWA certificate (or certain Public CA’s that have proved to be problematic for the iPhone platform).
• Support for OCS CWA 2007 and 2007 R2 servers that are published behind an ISA Server using Single-Sign On (SSO) authentication.   If you have deployed CWA using ISA SSO, the connection will now be seamless.
• Support for Distribution Groups (This feature is available only if your company has deployed OCS 2007 R2).
• Robust connection status information and error messages

Fixes:

• Improved speed and responsiveness.
• Support for passwords with certain special characters.
• Fix for intermittent app crashes when signed in to multiple OCS endpoints.

   

  As always, feel free to email us at idialog@modalitysystems.com if you have any comments, suggestions or inquiries.

-John

Pictorial Representations of Presence Status

Wortell, a Microsoft Certified Gold Partner in The Netherlands, has developed very cool and clever use of OCS on their company’s web site.

Link: http://www.wortell.nl/nl-nl/OurPeople/Pages/onze-mensen.aspx

The company profile page contains pictures of Wortell employees.  Each person’s picture changes based on the person’s OCS presence.   If you hover over a picture, you see the person’s name and their presence icon.

This is a great example of OCS as a platform technology and the power of contextual presence. 

I think this example is so impressive because it’s a very creative idea that was very well executed with high-quality photography and a clean and simple layout.  Nice job!

-John Lamb, Modality Systems