Thursday, December 30, 2010

CCM 6 + CUPS + OCS 2007 integration notes:

Below are my latest notes on OCS/CUP integration for the above configuration:
  1. To have CCM/OCS integration you need a SIP trunk between the Mediation server's GW-facing NIC and the CCM; otherwise it will not work (calls will get "service unavailable" errors).
  2. To have voice-mail auto redirection (a missed phone call redirected directly to the extension’s voice mail) you have to enable caller ID on the SIP trunk; otherwise the user will get an auto-attendant.
  3. For the auto-attendant feature in Exchange, just create a new auto-attendant as voice enabled, assign an extension, and create an extension routing rule on the CCM to redirect the call to the Exchange feature, and it will work.
  4. To do presence integration you need CUPS in place; we didn’t have the time to test that.
  5. Features that have been tested successfully:
  • PC to phone calls
  • Phone to PC calls.
  • Dual forking (for calls coming from OC).
  • Multi-group conferencing (OC – Phone – phone).
  • Voice mail and missed call notification.
  • Call forwarding to phone, PC and VM.
  • OVA

Wednesday, December 29, 2010

Inbound/outbound faxing option with Cisco CM and OCS 2007

I have been asking a lot of MS and Cisco folks about the options for inbound and outbound faxing with Exchange 2007 UM and Cisco CM (also known as CCM). I didn’t get a clear answer, so I tried to figure it out; please keep in mind that the lines below don’t hold any official response from either MS or Cisco.

Let us summarize what we want to do:
  • Outbound faxing, meaning that the user sends an email to some server and it is then sent as a fax to its destination.
  • Inbound fax, meaning that a sender sends a fax to a user, and the user gets the fax in his mailbox and opens it using Outlook.
Pretty simple but hard to achieve. Why? Well, I believe that this problem occurs because Microsoft folks are not focusing on this part (“looks like the R2 will have something to bring”), and Cisco is not playing fair with MS since they don’t let their technology work with MS, especially in this part.

Let us lay out a simple design for inbound faxing:

The problem is that we want to deliver the fax to the user’s mailbox; we will have UM and typically OCS. To achieve that, 2 things have to be known:
  • Users’ external extension which must be unique.
  • Users’ email address.
The Exchange 2007 UM server can intercept the fax signal and deliver the message correctly to the user’s mailbox; the problem is that it doesn’t work well with CCM. Microsoft inbound faxing relies on T.38, and Cisco uses T.38 as well, but Cisco’s implementation relies on UDP while Microsoft relies on what… yes, TCP, and there is no way to change either of them to the other protocol.

So using T.38 while a Cisco voice GW is in place is not possible, and we will have to let the UM server intercept the fax signal and try to do the job by enabling EnableInbandFaxDetection. I tried it with CCM 4.3 but it didn’t work (I will upgrade mine to CCM 6 within 2 weeks, so I shall tell you what it does with CCM 6).

So what is the available option? I believe it is onramp (http://www.cisco.com/en/US/docs/voice_ip_comm/unity_exp/rel3_1/administration/guide/voicemail/fxgatewy.html), trying to deliver the fax either to a shared mailbox or specifically to the user.

Note: you can deliver the message directly to the user by configuring your DID distribution as follows, for example: suppose that you have xxxx5000 up to xxxx5100 as DIDs, so distribute odd numbers for users' direct phones and even numbers for direct fax.

Such a configuration poses a real challenge for organizations with a large number of employees, but configuring a single extension for everything in the world relies on CCM talking to the Exchange server nicely.

For outbound faxing, Exchange UM doesn’t support outbound faxing, but if you have a Cisco GW in place you can use offramp faxing. I didn’t go into designing it since I am waiting for my CCM6 boxes; once they are here I will post an update on whether anything makes any feature work, and about offramp design and implementation.

Restricted OCS Deployment ports requirements and firewall rules details

Here you can find a detailed table for ports requirements and firewall configuration for restricted OCS deployments.

The difference in this table is that we have detailed, as much as we can, the different communication ports and firewall requirements for all of the segments, including internet, internal and enterprise voice communications.

We also detailed the ports and communication paths so that it is reader-friendly for Security/Firewall engineers.

The wiki assumes that servers are deployed in the same VLAN and separated by a very restricted firewall configuration; the Edge is deployed in the DMZ, and again a restricted firewall configuration is required.

Currently the document is still being reviewed, but if you are interested in following it you will find it on the wiki here: http://social.technet.microsoft.com/wiki/contents/articles/ocs-2007-r2-firewall-port-settings.aspx

We will be publishing another one for Lync as well linked to the wiki and we will validate the wiki this week at a customer location and we will publish the updates later.

Reference: http://www.shudnow.net/2009/08/29/office-communications-server-2007-r2-audiomedia-negotiation/

Office Communicator cannot place calls to the Exchange UnifiedMessaging Auto Attendant

http://support.microsoft.com/kb/2431925

Over the past 1 minutes Office Communications Server has experienced TLS outgoing connection failures 1 time(s). The error code of the last failure is 0x80090322

In OCS 2007 R2 you might get the following error:

TLS outgoing connection failures.

Over the past 1 minute Office Communications Server has experienced TLS outgoing connection failures 1 time(s). The error code of the last failure is 0x80090322 (The target principal name is incorrect.) while trying to connect to the host “server FQDN”.

A wrong principal error can happen if the peer presents a certificate whose subject name does not match the peer name. A certificate root not trusted error can happen if the peer certificate was issued by a remote CA that is not trusted by the local machine.

Resolution:

For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the computer.

Cause:

This is mainly because of wrong certificate names; validate that the Edge and the OCS front end have the correct FQDN. (Recently I found that the FQDN configured in the OCS 2007 R2 administrative console on the Edge and on the front end is case sensitive and has to match the letter case of the server FQDN and the certificate FQDN, so make sure that the FQDN has the correct letter case: EDGE.domain.com is not the same as edge.domain.com.)
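
One way to check both failure causes described above (name mismatch, including letter case, and an untrusted issuing chain) from the server that logs the error. This is an added example, not part of the original post; the certificate path and FQDNs are placeholders, and the function names are hypothetical.

```powershell
# Added example, not part of the original post.
# Run on the server that logs the TLS failure, against the peer's certificate
# exported to a .cer file. Wildcard names are not expanded.

function Compare-FqdnToCertNames {
    param([string]$Fqdn, [string[]]$CertNames)
    # -ccontains compares case-sensitively; -contains ignores case.
    if ($CertNames -ccontains $Fqdn) { return 'Match' }
    if ($CertNames -contains  $Fqdn) { return 'CaseMismatch' }
    return 'NoMatch'
}

function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Subject common name first, then every DNS entry of the SAN extension.
    $names = @($Cert.GetNameInfo('SimpleName', $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # English-language Windows formats each entry as "DNS Name=host".
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match '^\s*DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    $names | Select-Object -Unique
}

function Test-OcsPeerCertificate {
    param([string]$CertPath, [string]$PeerFqdn)
    $file  = (Resolve-Path $CertPath).Path
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file
    $names = @(Get-CertDnsNames $cert)

    # Build the chain against this machine's trust stores; revocation is skipped
    # so the result reflects only whether the issuing chain is trusted locally.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)
    $status  = @($chain.ChainStatus | ForEach-Object { $_.Status })

    New-Object PSObject -Property @{
        PeerFqdn     = $PeerFqdn
        CertNames    = ($names -join ', ')
        NameCheck    = (Compare-FqdnToCertNames $PeerFqdn $names)
        ChainTrusted = $trusted
        ChainStatus  = ($status -join ', ')
    }
}

# Constructed sample for the letter-case finding described in the post:
Compare-FqdnToCertNames 'edge.domain.com' @('EDGE.domain.com', 'sip.domain.com')

# Against a real exported certificate (path and FQDN are placeholders):
# Test-OcsPeerCertificate 'C:\temp\edge.cer' 'edge.domain.com' | Format-List
```

A NameCheck other than Match corresponds to the wrong principal case; ChainTrusted being false with UntrustedRoot in ChainStatus corresponds to the untrusted root case.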

Poor OCS voice quality with Dell 760 onboard NIC

In case you didn’t know, this has been on the forums: some users complained of poor voice quality (OCS displays poor network quality). This has been reported with the onboard NIC; once the NIC was changed, the problem was solved.

This issue is with Windows XP, looks like something is wrong with the driver.

OCS DNS and Certificate Calculator

You can use the attached Excel sheet; the input is the following:

- Internal DNS name.

- External DNS name.

- Server names and external host records for individual services (such as the host record names that will be used for web conferencing, etc.).

The output is in 2 sheets: 1 sheet includes all of the external and internal DNS names, where they should be created and what their configuration is.

The other is the list of the certificates, whether they should be internal or external, and what their common name and SANs are.

OCS-DNS-Certificate-calculator

DNS and Certificate Calculator for Exchange 2007/2010 and OCS 2007 R2

This is the calculator you can use to create a single certificate that can be used by Exchange and OCS, including Edge, FE, CWA and CAS servers.

You can get it from here: OCS-DNS-Certificate-calculator-V1.4

Cannot login to CWA, clock synchronization error

If you cannot log in to CWA and you get an error that the clock is not synchronized, then you are probably using a SIP domain that is different from your internal domain name. Please make sure to add the http SPN to your CWA account in the form http://cwa.domain.com

Communicator cannot be used for groups with more than 100 members

You might receive this message in OCS 2007 Client when you try to expand a group in OC.

First, you have to know that the OCS client is hard coded with a maximum of 150 members to display. If you want users to display more than the default limit of 100, create the following client-side policy and restart the OCS client.

Open the registry, go to HKLM\Software\Policies\Microsoft\Communicator\, create a DWORD value named MaxDLExpansion, and type 150 as the value.

More KBs:

http://support.microsoft.com/kb/945542

http://social.technet.microsoft.com/Forums/en/ocsaddressbook/thread/09a20c42-0e04-4f64-9aa7-dc3f1f4a1cd4

Sunday, December 26, 2010

The call could not be completed because security levels do not match

The problem I will talk about here is that I couldn’t join a conference or do any one-to-one conference with any of my Tandberg video endpoints from the OCS client.

The problem started after a security review we did ourselves, in which we came up with several actions to take to enhance our security internally; after the review, OCS to CODIAN MCU communication got dropped.

The first problem stopped us from debugging it; last Thursday we solved the first problem, so we started to debug this one. Below are the symptoms of the issue:
  • When you make a call from the OCS client to the Codian MCU, the following error appears in the OCS client: “The call could not be completed because security levels do not match”.
  • In the MCU you will find the following error: Unable to provide video channel - possible bandwidth/codec issue.

Cause:

The cause was that the OCS 2007 server had been configured to require encryption for A/V conferencing; this causes the communication to drop, and configuring the module to support encryption fixes the problem.

Saturday, December 25, 2010

How to help OCS to not drop words, applying Voice QOS for OCS on WAN traffic

How to apply the correct QOS for OCS 2007 traffic over the WAN has been a hot topic (at least for me), as I believe that all voice traffic requires it over WAN links.

I will introduce some QOS terminology in this post, and later will tell you how to apply QOS for OCS traffic.

Quality of Service Models

There are 3 service models:
  • Best Effort: No QOS policies are implemented.
  • Integrated Services (IntServ): The Resource Reservation Protocol (RSVP) is used to reserve bandwidth per flow across all nodes in a path, reserving network resources in advance of the data actually traveling across the network. Once the end-to-end bandwidth reservation is in place, the data is transmitted.
  • Differentiated Services (DiffServ): Packets are individually classified and marked; policy decisions are made independently at each node in a path. DiffServ doesn't use RSVP, but instead uses per-hop behavior (PHB) to allow each router/hop across the network to examine the packet and decide what service level it should receive.

IP QOS Markings

We currently use 2 QOS marking methods:
  • Precedence: The first three bits of the IP TOS field are evaluated; compatible with Ethernet COS and MPLS EXP values.
  • DSCP: The first six bits of the IP TOS are evaluated to provide more granular classification; backward-compatible with IP Precedence.

The following table contains the Precedence Values:



The following table lists the DSCP marking Values:



How to reserve the Bandwidth:

You can use any of the following methods:
  • Policing: Creates an artificial ceiling on the amount of bandwidth that may be consumed; traffic exceeding the cap can be remarked or dropped.
  • Shaping: Similar to policing but buffers excess traffic for delayed transmission; makes more efficient use of bandwidth but introduces a delay.

Installing OCS 2007 R2 DB update utility

While I was trying to install the OCS 2007 DB update utility from the November update collection for OCS 2007 R2, the setup kept asking for SQL 2005 client tools. After so many tries, here is the solution:

Install the following SQL MSI; I am not familiar with SQL, so what matters is that it fixed my problem: http://download.microsoft.com/download/3/1/6/316FADB2-E703-4351-8E9C-E0B36D9D697E/SQLServer2005_XMO_x64.msi

You will need it only if you are running the Enterprise version with a separate SQL server and want to run the hotfix from the front-end server.

Exchange2007 and OCS on the same server

Well, to install OCS on x64 system you will need to run the following command in order to run CWA and enable OCS services to mount:

CSCRIPT %SYSTEMDRIVE%\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 1

Then restart IIS and maybe the OS. This is because the OCS CWA DLLs need to run in IIS x86 mode, so what I think happened is that someone ran the above script, which configured IIS on the x64 system to run in x86 mode. But if you do that on an E12 server that has the CAS role installed, this will blow its mind and you will get the error: 2274 W3SVC-WP ISAPI Filter ‘C:\Exchsrvr\ClientAccess\owa\auth\owaauth.dll’ could not be loaded due to a configuration problem. The current configuration only supports loading images built for a x86 processor architecture.

So you will have to set the flag back to 0 and then uninstall OCS, so I think that installing both of the applications on the same server does not work and is thus not supported.

The main problem when installing OCS 2007 along with Exchange 2007 is that IIS in Exchange 2007 requires 64-bit mode, while OCS does the opposite, because the OCS CWA DLLs need to run in IIS x86 mode. If you installed OCS with Exchange 2007 (for your labs or, worse, for your production environment), Exchange will collapse; here is how to fix it:
  • Uninstall OCS 2007
  • Run the following script CSCRIPT %SYSTEMDRIVE%\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 0
  • Restart IIS

Fast tip for controlling OCS bandwidth

Here is a fast one; you can use a client policy to control the total bandwidth of OCS and LiveMeeting traffic using the following registry keys:
  • HKLM\software\policies\Microsoft\LiveMeeting\MaxAudioVideoBitrate
  • HKLM\software\policies\Microsoft\Communicator\MaxAudioVideoBitrate

Using ASA and OCS video conferencing server

During my attendance of OCS ignite tour training and some other OCS events, we have been informed that OCS edge video servers cannot be located behind a NAT device e.g. firewall, this is due to the fact the Video conferencing doesn’t work correctly with NAT, so the design was saying give the Edge NIC a real IP and place it directly on the internet.

I have been working with ASA for a while and I have tested my configuration: you don’t need a NAT device in ASA (5520, 5540) V7 or V8 (this is my testing so results could be true). The edge server can have a real IP on its NIC and be placed in the DMZ, for example; in this case the ASA will only filter the packets as a firewall and will not do NAT. Creating a DMZ for the edge server might be a hassle, but this is not the case if you create sub-interfaces.

This might be a tricky discussion when talking to Microsoft partner or consultant since this is not the case of ISA 2006, but you can do the above configuration safely on your ASA.

I am thinking about creating routing rule between the DMZ in ISA server and the internal/external network but I didn’t have the chance to test it, so this might do the trick instead of placing your video edge server naked in the desert.

How many ports required for outbound telephony calls

Suppose that you have your PBX infrastructure and you have OCS 2007 as well, and you want to allow outbound/inbound calls from OCS to the external world. How many ports do you need?

Well, this depends on the configuration you have; here are the options:
  • For an E1/T1 connection you don’t need any extra configuration. Why? Because an E1 is an ISDN interface that has 30 channels, so you have 30 calls (outbound/inbound) in total; you might need to recalculate how many calls you make and whether you need extra E1s. The same applies for T1.
  • If you have analog lines, then each analog line can do 1 call at a time, so you might need to recalculate that.
  • If you have prima cells, same here as analog lines.
  • For faxing (in total), treat it as a normal phone call: if you do faxing using your E1, you have 30 channels; if analog lines, same as above.

Why CCM 4.3 support has been removed from OCS?

When OCS was released, CCM 4.3 was officially supported by MS for about 3 days, and then the support was removed and only V5 and V6 were supported. To tell you the truth, I have been testing OCS with V4.3 for a long period in my labs, and some of my customers went to a non-supported state for a period of time, but OCS/Exchange and V4.3 all work fine. So why is it not supported?

Tricky; no one knows. But based on my lab testing, I found that OCS is using additional SIP extensions and messages that are not supported by older SIP entities that use SIP standards. I have heard from a couple of my friends that MeetingPlace and Cisco video conferencing do not work as they are supposed to when 4.3 is in there.

So if you don’t want support from MS, you can go with V4.3; it is not supported, but you can go for it in lab testing and small piloting. Beware that V4.3 will be out of support soon.

LCS/OCS KBs

Communicator 2005

949280 Description of the Communicator 2005 hotfix rollup package: December 19, 2008

960244 After you install Live Meeting 2007 console or Live Meeting 2007 add-in, two new menu options that do not work are added to Office Communicator 2005 Action menu

960255 After you upgrade Live Meeting Service Conference center to Live Meeting 2007, you can no longer use the Meet Now button in Office Communicator 2005

960252 Office Communicator 2005 crashes when you try to accept an inbound phone call

Communicator 2007

957465 Description of the Communicator 2007 hotfix rollup package: December 19, 2008

960423 Office Communicator 2007 cannot display Chinese characters in URLs when the EnableURL registry value is enabled

960424 You cannot prevent Office Communicator 2007 from controlling the call forwarding settings

959385 Description of the update package for Communications Server 2007 Web Components November 2008

Access is denied when you click on the meet now

I pushed the LMaddin.msi to all of the clients in my network (about 1500 clients), and the add-in appeared in Outlook. Most of my clients tried to use the new plug-in, but they got either “access is denied” or “there was a problem launching the live meeting client”.

I tried to find out what was wrong, since I had it working on my PC. Finally I got it: I hadn’t installed lmconsole.msi on my clients. This will cause the problem since the console is not installed yet; install the console and it will work fine.

Note: installing the console after the add-in will fix it; you don’t need to remove the add-in before installing the console.

Tuesday, December 14, 2010

Install Office Communications Server 2007 R2 Standard Edition on Windows Server 2008

Prerequisites


Before you install Office Communications Server 2007 R2 Standard Edition, you must deploy Internet Information Services (IIS). On a computer running IIS 7.0 on Windows Server 2008, you need to configure IIS to run in IIS 6.0 compatibility mode. The following steps describe the installation process.



  1. Open Server Manager.
  2. Select Next.
  3. Select Web Server (IIS).
  4. Select Add Required Features.
  5. Select Next.
  6. Select Next.
  7. Select ASP.NET
  8. Select Windows Authentication
  9. Select IIS 6 Management Compatibility
  10. Select IIS 6 Metabase Compatibility
  11. Select IIS 6 WMI Compatibility
  12. Select IIS 6 Scripting Tools
  13. Select IIS 6 Management Console
  14. Select Close.

The Microsoft Visual C++ Redistributable Package must also be installed on the computer for Office Communications Server 2007 R2 to run correctly.

  1. Execute vcredist_x64.exe from OCS 2007 R2 installation media.
  2. Select Next.
  3. Select Install.
  4. Select Finish.

After setup remove temporary files that are erroneously generated by the installer into the system root directory. See knowledge base article http://support.microsoft.com/kb/950683.

Install Standard Edition Server


If you run the Deployment Tool, Setup automatically installs Microsoft SQL Server 2005 Express Edition with SP2 for the back-end database. You do not need to install this component separately.



  1. Execute setupse.exe.
  2. Select Yes.
  3. Select OK.
  4. Select OK.
  5. Select Next.
  6. Select Next.
  7. Select Next.
  8. Deselect all options and select Next.
  9. Select Next.
  10. Select Next.
  11. Select Next.
  12. Select Finish.



Configure Standard Edition Server


After you install Standard Edition server, use the Configure Server Wizard to configure it.



  1. Execute Configure Server.
  2. Select Next.
  3. Select Next.
  4. Select Next.
  5. Select Clients will be manually configured for logon. Select Next.
  6. Select Next.
  7. Select Next.
  8. Select Finish.



Configure Certificate


Office Communications Server requires certificates on each Server in order to use MTLS (TLS with mutual authentication). All Office Communications Servers use MTLS to communicate with one another. Each client will also need to trust the certificate that the server is using in order to connect to the server by using TLS.

Before requesting a certificate, it is necessary to create a request.inf file as described in the following figure.

From a command prompt create a new certificate request file using the following command:

certreq -new request.inf StandardOCS.req

To request the certificate use the following command or use the web interface from the issuing Certification Authority named XYZ.

certreq -submit -config XYZ.it.net\IssuingCA1 StandardOCS.req StandardOCS.cer
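
A request.inf of the kind the step above calls for, generated from PowerShell with a letter-case check of the subject against the machine FQDN. This is an added example, not the file from the original page; the server name ocs01.it.net, the SAN list, the WebServer template and the function name are assumptions.

```powershell
# Added example, not part of the original page. Server name, SAN list and
# template are assumptions; replace them with your own values.

function New-OcsRequestInf {
    param(
        [string]$SubjectFqdn,
        [string[]]$SanNames,
        [string]$Template = 'WebServer'   # assumption: template published by the CA
    )
    # One _continue_ line per SAN DNS entry (certreq INF syntax).
    $sanLines = @($SanNames | ForEach-Object { '_continue_ = "dns=' + $_ + '&"' })
    @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$SubjectFqdn"
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
$($sanLines -join "`r`n")

[RequestAttributes]
CertificateTemplate = $Template
"@
}

# The subject should match the server FQDN, including letter case.
$ip = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$machineFqdn = ('{0}.{1}' -f $ip.HostName, $ip.DomainName).TrimEnd('.')
$subject = 'ocs01.it.net'    # hypothetical Standard Edition server FQDN

if ($subject -cne $machineFqdn) {
    Write-Warning "Subject '$subject' differs from this machine's FQDN '$machineFqdn'"
}

# Exportable = FALSE keeps the private key from being exported off the server.
New-OcsRequestInf -SubjectFqdn $subject -SanNames @($subject) |
    Set-Content -Path .\request.inf -Encoding ASCII

# Then continue with the commands from the page:
#   certreq -new request.inf StandardOCS.req
#   certreq -submit -config XYZ.it.net\IssuingCA1 StandardOCS.req StandardOCS.cer
```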



  1. Select Configure Certificate.
  2. Select Next.
  3. Select Next.
  4. Select Next.
  5. Select Next.
  6. Select Next.



Configure Web Components Server


Log on to the server running the Web Components Server as a member of the Administrators group.

1. Click Start, click Administrative Tools, and then click the Internet Information Services (IIS) Manager.

2. In the Connections pane, expand the Web Components Server.

3. Expand Sites, and then click Default Web Site.



4. In the Default Web Site Home pane, under IIS click Authentication. In the Actions pane, click Bindings.

5. In the Site Bindings dialog box, click Add.

6. In the Add Site Bindings dialog box, in the Type drop-down, click https.

7. In the SSL certificate drop-down, click the certificate that you want to use for the Web Components Server.

8. Click OK.

9. Select Close.

10. Select Exit.

Start Services


The final step in OCS 2007 R2 setup is to start your Office Communications Server 2007 R2 services.

  1. Select Start Services.
  2. Select Next.
  3. Select Next.

Install Administrative Tools


The procedure for installing the administrative tools (not installed during OCS 2007 R2 Setup) is illustrated in the following steps.







The 32-bit version of the OCS R2 Administrative Tools is available in the “\Support\i386” directory on the 64-bit media.

The required pre-requisites are also located in this directory, and must be installed in the following order:

1. sqlncli.msi (SQL Server Native Client – contains the SQL OLE DB and SQL ODBC drivers in one native DLL)

2. vcredist_x86.exe (x86 VC++ 2008 redistributable)

3. .NET Framework 3.5 SP1 (download it here from Microsoft’s Web Site or use \Setup\amd64\dotnetfx35.exe)

4. OCSCore.msi (OCS 2007 R2 Core Components)

5. AdminTools.msi (Office Communications Server 2007 R2 Administrative Tools)

Appendix B – Address Book configuration


The users populated in the Address Book Server files can be controlled based on certain Active Directory Attributes listed in the AbAttribute table in rtc database.

To see in address book files only users enabled for Office Communications Server you need to change a value in msRTCSIP-PrimaryUserAddress attribute from default (hex: 8020800 dec: 134350848) to (hex: 8028000 dec: 134381568).



After you modify the AbAttribute table, you can refresh the data in the AbUserEntry table by running this command: abserver.exe -regenUR.



Then, you can update the file in the Address Book Server file store by starting a manual -syncNow operation.



Note: For advanced address book configurations refer to the following link.