Exchange UM and SDP 180\183

So, had a pretty funny (well, it started funny…) discovery a couple of weeks back:

I have a pretty simple environment that looks pretty much like this:

UM design

  • There’s a Lync 2013 pool.
  • There’s an Exchange 2010 UM server.
  • There’s an old QSIG PBX.
  • There’s an AudioCodes M1000 SBC to connect the above.

Users on Lync can dial users on the old PBX and vice versa via the AudioCodes SBC, voicemail works for users on both platforms; Lync and Exchange communicate directly over TLS, the old PBX and Exchange are communicating via the AudioCodes SBC over TCP, messages can be heard on the Outlook clients for both platforms, but one (apparently) critical feature is missing:
When users on the old PBX hit the “Play on Phone” button on their Outlook client to play their voicemail on their handset, the call rings, but we can’t hear any audio.
It works perfectly for Lync users, but users on the PBX’s UM dial plan can’t play their messages on the phones.

I immediately blamed the SBC as there was no reason why any other call would connect, except for calls originating at the Exchange UM server.

Traces showed the following:

Trace

The gateway is doing everything you’d ask it to do, everything looks ok, but still, no audio could be heard.

Next I went to the Exchange UM server. Using Wireshark, I traced one of the calls from the Exchange UM server to the user’s handset.
Using Wireshark’s VoIP Calls player, I could actually hear myself speaking on the handset, but there was nothing playing on the Exchange side.

Took me some time and some assistance from the nice guys at Microsoft to discover the following:

There’s a UCMA design limitation, where SDP can only be sent in 183 and in 200 OK.
If the “180 Ringing” contains SDP, UCMA will freak out.
My SBC was sending two provisional responses with SDP – 183 with SDP and 180 with SDP, before sending the 200 OK with SDP.
Apparently, we could send only 183 with SDP or 180 with SDP.
Sending both would cause the UCMA to get stuck and not initiate the Audio channel.

Who would have thought!

Once we suppressed the 183 packet, Exchange UM immediately started playing audio.
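A check for this pattern in a SIP trace, as an added example that is not part of the original post: it groups responses by Call-ID and reports calls where more than one provisional response to an INVITE carries SDP. The sample messages, host names and function names are constructed for illustration.

```python
from collections import defaultdict

# RFC 3261 compact header names that this check needs to recognise.
COMPACT = {"i": "call-id", "c": "content-type", "l": "content-length"}

def parse_sip(raw):
    """Split one raw SIP message into (start_line, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers[COMPACT.get(name, name)] = value.strip()
    return lines[0], headers, body

def repeated_early_sdp(messages):
    """Map Call-ID -> status codes of provisional INVITE responses that carry
    SDP, keeping only calls where more than one of them does."""
    seen = defaultdict(list)
    for raw in messages:
        start, hdr, body = parse_sip(raw)
        parts = start.split(" ", 2)
        if parts[0] != "SIP/2.0" or len(parts) < 2 or not parts[1].isdigit():
            continue  # a request or a malformed line, not a response
        code = int(parts[1])
        is_invite = hdr.get("cseq", "").upper().endswith("INVITE")
        has_sdp = (hdr.get("content-type", "").lower().startswith("application/sdp")
                   and body.strip() != "")
        if 100 <= code < 200 and is_invite and has_sdp:
            seen[hdr.get("call-id", "?")].append(code)
    return {cid: codes for cid, codes in seen.items() if len(codes) > 1}

# Constructed sample trace: not taken from the capture described above.
SDP = "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\nm=audio 6000 RTP/AVP 8\r\n"

def reply(code, reason, call_id, sdp, compact=False):
    cid, ctype, clen = ("i", "c", "l") if compact else ("Call-ID", "Content-Type", "Content-Length")
    body = SDP if sdp else ""
    head = f"SIP/2.0 {code} {reason}\r\n{cid}: {call_id}\r\nCSeq: 1 INVITE\r\n"
    if sdp:
        head += f"{ctype}: application/sdp\r\n"
    return f"{head}{clen}: {len(body)}\r\n\r\n{body}"

SAMPLE = [
    "INVITE sip:1000@pbx.example SIP/2.0\r\nCall-ID: a@um.example\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n",
    reply(183, "Session Progress", "a@um.example", sdp=True),
    reply(180, "Ringing", "a@um.example", sdp=True, compact=True),
    reply(200, "OK", "a@um.example", sdp=True),
    reply(180, "Ringing", "b@um.example", sdp=True),
    reply(200, "OK", "b@um.example", sdp=True),
]

print(repeated_early_sdp(SAMPLE))  # calls with SDP in more than one 1xx
```

The parser does not unfold multi-line headers, so normalise folded headers before feeding it messages exported from a real capture.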


Skype for Business Response Groups Diagrams

This is something I was looking for every time I had a deployment with multiple Response Groups.

Customers and management would usually like to see a graphic chart of how the Response Groups’ workflows work, what the timeout and overflow options are, what the chosen routing method for each group is, and who the users in each group are.

Looking at Matt Landis’ great Get-csRgsWorkflowDiagram script, I was inspired (and in need) to do something similar.

Took a while to get it where I wanted, but the version published here now is one I’m very happy about and it actually gives me everything I was looking for.

It’s actually two files;

  • One file is the script that you should run from your PC.
  • The second file is a custom Visio stencil (.vss file) that will be downloaded to your “My Shapes” folder (That’s always in your “My Documents” folder after you install Visio) and will provide the Visio images for the script. You can find it here if you wish to download it to your machine beforehand.
    The script will detect proxy\download issues and will prompt you to download the VSS file manually if required.

Prerequisites

  • Run this script from your workstation – not from the server. It doesn’t matter if your workstation is in the domain or not.
  • You’ll need an installation of Visio on that machine.
  • PowerShell 3.0 is a must.
  • ADDS RSAT is required if you’re using Active Directory Distribution Groups for some of your Response Groups’ groups. We’re using the AD PowerShell Module to expand these groups and list their users.
  • Your Lync\S4B pool’s FQDN and administrator credentials.
  • Your Execution policy set to Bypass, at least until I start signing my scripts…

Running the script

From PowerShell, run the file, it will immediately prompt you for your Pool’s FQDN:

Pool Name

Enter your pool’s name and you’ll be prompted for credentials:

Creds

The script will generate a list of all your Response Groups. Pick a Response Group number from the list, or hit 0 for all Response Groups. Each workflow will be drawn in a new page:

WF List

If required, it will download the Visio stencil and place it in your “My Shapes” folder:

VSS

The script will start drawing the diagram in the background:

Drawings

Upon completion, the script will auto-save the file to your My Documents folder:

Path

The file is saved with the workflow’s name and the creation date:

File

And is ready to be opened:

Visio Window

For multiple Response Groups you’ll have multiple pages, each with the Workflow’s name.

Diagrams are scaled to fit the pages, but might be larger due to large number of agents in a group.

Known Issues

  • This script was tested in English, you might experience some issues if you’re running Visio under a different language.
  • Windows 10 OS build 10565 can’t install ADDS RSAT – the script will not expand Distribution Groups.

Download

Please download the script here.

Skype for Business Online updates

Announced today, Microsoft is expanding some Skype for Business Online services and offering new ones;

PSTN Conferencing preview will now be available to customers in the following countries:

  • Belgium
  • Canada
  • Denmark
  • France
  • Germany
  • Italy
  • Netherlands
  • Spain
  • Sweden
  • Switzerland
  • United Kingdom

Finland, Norway and South Africa will be able to use this feature in November.

Cloud PBX Preview now available worldwide, allowing customers to get rid of separate PBXs globally and still break out locally. This option still requires an on-premises S4B server installation.

Polycom CX is not dead yet – Skype for Business customers can use Polycom CX600 and CX3000, HP 4120, and Mitel Mivoice 6725 to connect to the cloud directly. Polycom VVX series can be used as well.

Source and more details: Microsoft.

MS15-104 Security update breaks Lync Server 2013 web services

Microsoft released a KB article describing issues with the Web Components Server on Lync Server 2013 after installing the latest security update.
It affects the following:

  • Users can’t sign in to your dial-in page.
  • Lync Mobile clients can’t sign in.
  • External clients can’t sign in.
  • Address book web queries fail.
  • Users are prompted for credentials for some web services after they sign in internally to Lync desktop clients.

To resolve this problem, uninstall security update 3080353, install the July 2015 cumulative update, and then reinstall security update 3080353.

Source and additional information: Microsoft.

Skype for Business Users’ pictures from URLs

This first came out in the November 2013 update for Lync Server 2013, where Microsoft brought back the (not so) loved Lync 2010 feature of allowing users to set their Lync pictures to internet accessible photos.
Soon, all users in the organization were superheroes and Sports Illustrated models.

Users that were not enabled for this feature will only see the following when trying to change their photo:

No photo option

A short command will add this feature to any policy that you had at the time, and you could later control this with Set-CsClientPolicy -DisplayPhoto, specifying “NoPhoto”, “PhotosFromADOnly”, or “AllPhotos”.

Now, what happens if you have a new client policy that requires this feature? (Or you never enabled it before?)

First, find out which policies are enabled with this feature by running the following:

Get-CsClientPolicy | ft Identity,PolicyEntry

The result should be similar to this:

Before

If this was never enabled in your environment, all of the above will be empty, showing only “{}”.

Now choose the policy you want to assign this feature to and run the following command:

$NPE=New-CsClientPolicyEntry -Name EnablePresencePhotoOptions -Value True

$Policy=Get-CsClientPolicy -Identity <PolicyName>

$Policy.PolicyEntry.Add($NPE)

Set-CsClientPolicy -Instance $Policy

Make sure you replaced “<PolicyName>” with your actual policy and then run the “Get-CsClientPolicy | ft Identity,PolicyEntry” command again.
The output will now show you have that set for the policy you chose:

After

And the Client can now change their profile photo:

New Photo

Remember there’s still a restriction on picture sizes (30 KB Max) and they must be publicly available.

Client

September 2015 Update for Skype for Business Server 2015

Following the release of the MS15-104 security update, Microsoft released the first CU for Skype for Business Server 2015, as described in KB3061064.

The CU includes the following patches:

  • KB 3090687 September 2015 update for Skype for Business Server 2015, Core Components
  • KB 3080355 MS15-104: Description of the security update for Skype for Business Server 2015 (Web Components Server): September 8, 2015
  • KB 3080352 MS15-104: Description of the security update for Skype for Business Server 2015 (Enterprise Web App): September 8, 2015
  • KB 3063353 June 2015 cumulative update 6.0.9319.55 for Skype for Business Server 2015 and Unified Communications Managed API 5.0 Runtime
  • KB 3063352 June 2015 cumulative update 6.0.9319.55 for Skype for Business Server 2015, Response Group Service
  • KB 3061059 June 2015 cumulative update 6.0.9319.55 for Skype for Business Server 2015 (Front End server and Edge server)

The link to the CU installer and some of the updates is currently broken but the download is available here.

Skype for Business Server Response Groups Migration Gotcha

Noticed something weird during a recent upgrade from Lync Server 2013 to a new Skype for Business Server pool.

I was double-checking myself against Greig Sheridan’s very detailed guide and as expected, everything worked just fine.
We tested and confirmed that calls are coming through and the response groups are all working as expected – that was easy.

The next week I’m getting a phone call saying the Response Groups’ managers can’t change some of the settings they used to be able to.
Checking AD permissions – OK.
Opening the Workflow – I can’t see the managers and the workflow is set to “Unmanaged”.

I thought it was just a misconfiguration but then I checked the “Get-CsRgsWorkflow” export we did earlier (Never underestimate documenting!) and all workflows that were set to “Managed: True” are now set to “Managed: False”.

I thought it was a bug, but no – it’s by design. I couldn’t see it in the migration documents (nor thought I should look for it!) but the Microsoft planning document for Skype for Business Server 2015 states very clearly vaguely that “When you migrate response groups from a prior version to Skype for Business Server, the type is set to Unmanaged.”
Here, check for yourself.

I’m not sure if this is the behaviour when performing an in-place upgrade to Skype for Business, but I’m assuming it is.

Reset \ Fix Skype for Business and Lync accounts …And a bonus!

Every now and then I run into one account that has something weird about it. Usually it would display an old phone number even when you changed the phone number in AD, ran Update-CsAddressBook and deleted all old records you had.
However, when looking at the user’s contact card you’ll still see the old number AND the new number, resulting in users dialling the wrong number, resulting in call failures, resulting in service desk calls, do I need to go further…?

I read various workarounds involving running various scripts against the RTC database, and to be honest – there are some things I’d rather not touch.

Workaround for the “corrupted” users would normally be disabling them and then re-enabling them for Skype for Business \ Lync.
This will do the trick, BUT has a huge downside: if you didn’t export the users’ data they’ll lose all of their groups, favourites, contacts, etc. Also, you’ll have to re-apply the user’s policies, line URI, private numbers, etc.
This is both time consuming and would require scheduling a maintenance window as the user is going to be kicked out.

So, came up with the following script:

Window

  1. You’ll provide the user’s sip address.
  2. The system will confirm the user’s name so you’re happy to move on.
  3. The user’s data will be exported to a folder on your local C drive (Path is always C:\y0av\users\<username>)
  4. The user’s Get-CsUser data will be exported to a text file in the same folder so you can compare the settings once you’re done.
  5. The user will be disabled, and the script will run Update-CsUserDatabase and pause for 15 seconds.
  6. The user will then be enabled and the script will pause for another 15 seconds. The purpose of the pauses is to allow for the changes to set in. I tested various environments and 30 seconds seems like enough time. I’ll add the option to change the pause in future versions.
  7. The user’s policies will be re-applied.
  8. The system will run Update-CsUserDatabase and Update-CsAddressBook to reflect the changes.
  9. The user’s data dump is saved in the C:\y0av\users folder, and you can manually delete it if you feel you no longer need it.

Folder

What’s missing?

  • If the user is configured with a Private Line you’ll have to use the script with the -PrivateLine switch.
  • PIN must be reset for the user after the account is recreated.
  • Conference ID will change – any recurring Skype for Business \ Lync meetings must be re-sent.

What’s the bonus?

All the tests I made show that the script runs fast enough to not interfere with the user’s activity; I ran this against a user during a call, the script completed and the call never disconnected.
Try this on a test account before killing someone’s call in your organization… 🙂

______________________________________________________________________________

Policies this script will save and re-apply:

Hosted Voicemail (True or False)
Archiving Policy
CallViaWork Policy
Client Policy
ClientVersion Policy
Conferencing Policy
External Access Policy
Hosted Voicemail Policy
Location Policy
Mobility Policy
Persistent Chat Policy
Pin Policy
Presence Policy
Third Party Video System Policy
User Services Policy
Voice Policy
Voice Routing Policy

To run the script for a user with a private line, run:

S4BUserRepair.ps1 -PrivateLine

Download the script here.

Request and Enroll Multi-SAN certificates on Windows Server 2012

In one of my recent deployments, the customer asked to keep the existing naming convention of his domain, keeping it as “SRV_SVC_01.domain.local”. If you’ve been around long enough, you know that names that contain underscores ( _ ) are a little frowned upon. Windows will ask you if you really want to use this name when you change the machine’s name, but will let you go through with it.

The bigger issue started when I tried configuring an IIS ARR web farm to publish an Office Web Apps Server for this one. IIS will not accept underscores in names so that presented an issue. Also, the Office Web Apps server was already configured and published in the topology so changing the name now wasn’t really an option. Usually I’ll just create some random name and add that to the host file on the IIS ARR box, but since we’re using HTTPS here, the published name (the name the IIS ARR machine is accessing) must match the name on the certificate. The only solution I thought of was to use a multi SAN certificate.

By default, requesting a domain certificate using the IIS wizard will generate a certificate with the server’s CN and you’ll be able to bind this to the HTTPS port of the server. Unfortunately, there’s no way to add additional names to this request.

The workaround – Manually submit a Web Server certificate request.

Let’s cover these steps:

Open the local machine’s certificate console and request a new certificate:

Request

Run through the next screens until you reach the certificate template choice. Odds are you’ll see this:

Computer

Hit “Show all templates” and scroll down to “Web Server”, you won’t be happy to see the following:

WebServer

Well, how do we do that now…

Log on to your CA and open the Certification Authority management console, scroll down to “Certificate Templates”, right-click it and choose “Manage”:

Manage

On the new “Certificate Template Console”, locate your Web Server template, right-click it and choose “Properties”:

Properties

On the Web Server window, click the Security tab. Add the Computer you’re trying to enroll the certificate for (user accounts can’t be used here since we’re enrolling on behalf of the machine), then tick the “Enroll” box:

Security

Now go back to the machine and try to re-enroll the certificate; you’ll see that you now have the Web Server certificate template available:

WebOK

Tick the Web Server certificate box and click on the “More information required….” link.
In the new window, do the following:
For the Subject Name – choose “Common name” for “Type” and enter your server’s FQDN in the value field, then click “Add”.
For Alternative names – choose DNS and enter the FQDN (or FQDNs) you’d like to use in the value field and click “Add”:

CertProperties

When done, click OK and then “Enroll” on the next window. This will initiate the certificate request. When enrolled, you’ll see the following:

Success

You’ll now see the certificate in the Personal certificate store of the machine:

Certificate