
Space Invaders hidden on ACSyslog!

Going to Help > About in the AudioCodes Syslog tool ACSyslog gives you a nice little show at first…

[Screenshot: the Help > About dialog in ACSyslog]

The little animation blew my mind, so I subconsciously clicked on it, and was blown away even more. BOOM!

[Screenshot: the Space Invaders game hidden in the About dialog]

Have fun using Keys 1, 5, Left, Right and Ctrl while debugging SIP messages!

Extending Lync Server certificate validity periods

X.509 certs are annoying. You need to get them issued with the right names, or reissued if you make a mistake or forget a SAN, and they need to be cared for from time to time otherwise they expire and make your world hell.

Wouldn’t it be great if you could make them last longer than the default of 2 years? Especially if you’ve installed them all over your Lync infrastructure, like:

  • Front End servers
  • Mediation servers
  • Edge server’s Inside NIC
  • Office Web App Server
  • Reverse Proxy or HLB
  • Voice Gateways
  • Exchange UM

Having to track and schedule downtime for cert renewal of all of the above components is quite the chore. So let's extend the validity to 5 years using Microsoft Windows Active Directory Certificate Services (AD CS).

To start, we’ll duplicate the Web Server template. Open your Certification Authority MMC, go on your CA, and right click on Certificate Templates, then click Manage.

[Screenshot: Certification Authority MMC, Certificate Templates > Manage]

Right click on Web Server, then go on Duplicate Template.

[Screenshot: Web Server template > Duplicate Template]

Under General, we will need to give it a name and Validity Period. I’ve chosen LyncServer but it can be anything. You will need the Template Name when getting certificates issued without auto-enrollment, like from an edge server, or from your voice gateway using a CSR.

[Screenshot: General tab, template name and validity period]

Under Request Handling, make sure to check Allow private key to be exported, review the other tabs and options to satisfy your curiosity, then click OK.

[Screenshot: Request Handling tab, Allow private key to be exported]

You can close the Certificate Templates Console and wait a bit for AD to replicate, or force it.

We will now enable the certificate so it can be issued. Right click on Certificate Templates again, then go on New, and Certificate Template to Issue. Look for your new LyncServer template, then click OK.

[Screenshot: Certificate Template to Issue, selecting the LyncServer template]

ONE LAST STEP!

On the CA server, you will need to extend the limit on the validity period, otherwise it will remain at 2 years regardless of what our template says. To do this, run:

certutil -setreg ca\ValidityPeriodUnits 5
certutil -setreg ca\ValidityPeriod years

Then restart the Active Directory Certificate Services service, and the CA is ready to start issuing longer certs!

When requesting certificates from Lync (or anything else), make sure to specify the template name when prompted. If you are using a CSR for your gateway or edge servers, you can force the template attribute, which is not included in the CSR but is required by Windows to issue you a cert. To do that, run:

certreq -attrib "CertificateTemplate:LyncServer"

Then pick the CSR, and then save the resulting signed certificate. BOOM!
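The following PowerShell script is an added example, not part of the original post: it pulls the whole procedure together on the CA side, checking the ValidityPeriod cap, confirming the template is published, submitting a CSR with the CertificateTemplate attribute forced, and then reading back the lifetime of the certificate that was actually issued. The CA config string, file paths and the expected lifetime in the param block are assumptions; replace them with your own values.

```powershell
# Added example, not from the original post. Verifies the CA-side validity cap,
# confirms the duplicated template is published, submits a CSR with the template
# attribute forced, and reports the lifetime of the issued certificate.
# All values in the param block are assumptions; replace them with your own.
param(
    [string]$CaConfig      = 'ca01.example.com\Example-Issuing-CA',  # assumed "<CA host>\<CA common name>" (see: certutil -dump)
    [string]$TemplateName  = 'LyncServer',                           # template name used in the post
    [string]$CsrPath       = 'C:\certs\gateway.csr',                 # assumed: CSR exported from the gateway or edge server
    [string]$CerPath       = 'C:\certs\gateway.cer',                 # assumed: where the signed cert is written
    [int]   $ExpectedYears = 5
)

# 1. The CA enforces its own cap; without the certutil -setreg change the template's 5 years is ignored.
Write-Host '== CA validity cap (should read 5 / Years) =='
certutil -getreg ca\ValidityPeriodUnits | Select-String 'ValidityPeriodUnits'
certutil -getreg ca\ValidityPeriod      | Select-String 'ValidityPeriod '

# 2. The template must be published on this CA ("Certificate Template to Issue"), or certreq is rejected.
$published = certutil -CATemplates -config $CaConfig | Select-String "\b$TemplateName\b"
if (-not $published) {
    throw "Template '$TemplateName' is not published on $CaConfig; add it under Certificate Templates > New > Certificate Template to Issue."
}

# 3. Submit the CSR. The CertificateTemplate attribute is not part of the CSR itself, so it is passed here.
certreq -submit -config $CaConfig -attrib "CertificateTemplate:$TemplateName" $CsrPath $CerPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# 4. Inspect what came back: lifetime and the Certificate Template Information extension (OID 1.3.6.1.4.1.311.21.7).
$cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
$years   = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays / 365.25, 2)
$tmplExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
Write-Host "Subject : $($cert.Subject)"
Write-Host "Valid   : $($cert.NotBefore) -> $($cert.NotAfter)  (~$years years)"
if ($tmplExt) { Write-Host "Template: $($tmplExt.Format($false))" }
if ($years -lt ($ExpectedYears - 0.1)) {
    Write-Warning "Issued lifetime is shorter than $ExpectedYears years; check ca\ValidityPeriodUnits and restart CertSvc (Restart-Service CertSvc)."
}
```

Step 4 is the part worth keeping around: the CA cap silently wins over the template, so the only reliable check that the registry change took effect (and that CertSvc was restarted afterwards) is the NotAfter date on a certificate issued after the change.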


Lync 2013 Shell “Stuck” on Server 2012 R2

The Lync 2013 Management Shell has a tendency of getting stuck or hung when running on Windows Server 2012 R2. Upon opening it, all you see is a black window, no prompt.

[Screenshot: blank Lync Server Management Shell window with no prompt]

To fix the problem, just install the latest Cumulative Update package (CU from January 2014 fixes the problem).

http://support.microsoft.com/kb/2809243

Testing NTP from Windows

During configuration of an AudioCodes gateway, a required setting for successful TLS negotiation is an NTP server, since certificate validity checks depend on a correct clock. If you're running an Active Directory domain in your network, your primary time source is the Domain Controller hosting the PDC Emulator operations master role.

To test that NTP is working correctly before hardcoding it into your appliances, run the following command:

w32tm /stripchart /computer:<yourNTPsource>

The /stripchart switch shows a strip chart of the offset between your computer and the NTP source you specified.

Also, for a future-proof NTP configuration, and to avoid broken services if you move the PDC role and demote your time source, you can create CNAME records such as ntp.yourdomain.com, or use SRV records like the standard _ntp._udp.yourdomain.com (and point them to _ldap._tcp.pdc._msdcs.yourdomain.com for no manual intervention!).
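As an added example (not from the original post), this PowerShell script combines the two ideas above: it discovers the time source through the _ntp._udp SRV record, falling back to the PDC emulator's _ldap._tcp.pdc._msdcs record, then runs w32tm /stripchart against each target with a fixed sample count and parses the offsets so a source that drifts beyond a tolerance is flagged before it is hardcoded into a gateway. The domain name and the one-second tolerance are assumptions.

```powershell
# Added example, not from the original post. Resolves the NTP source via DNS SRV
# records (falling back to the PDC emulator record), samples the clock offset with
# w32tm /stripchart, and flags sources whose offset exceeds a threshold.
# The domain name and threshold are assumptions for illustration.
param(
    [string]$Domain           = 'yourdomain.com',  # assumed
    [int]   $Samples          = 5,
    [double]$MaxOffsetSeconds = 1.0                 # assumed tolerance; well inside the skew TLS and Kerberos tolerate
)

function Get-NtpSources {
    param([string]$Domain)
    # Prefer the standard _ntp._udp SRV record; fall back to the PDC emulator's SRV record.
    foreach ($name in "_ntp._udp.$Domain", "_ldap._tcp.pdc._msdcs.$Domain") {
        $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }
        if ($srv) {
            Write-Host "Using $name"
            return $srv | Sort-Object Priority, Weight | Select-Object -ExpandProperty NameTarget
        }
    }
    throw "No SRV record found for NTP in $Domain"
}

function Measure-NtpOffset {
    param([string]$Server, [int]$Samples)
    # /samples stops the chart after N readings; /dataonly prints one "HH:mm:ss, +00.0012345s" line per sample.
    $out = w32tm /stripchart /computer:$Server /samples:$Samples /dataonly
    $offsets = foreach ($line in $out) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { throw "No samples from ${Server}; output was: $($out -join ' | ')" }
    $abs = $offsets | ForEach-Object { [math]::Abs($_) }
    [pscustomobject]@{
        Server  = $Server
        Samples = @($offsets).Count
        MeanAbs = [math]::Round(($abs | Measure-Object -Average).Average, 4)
        MaxAbs  = [math]::Round(($abs | Measure-Object -Maximum).Maximum, 4)
    }
}

foreach ($server in Get-NtpSources -Domain $Domain) {
    $r = Measure-NtpOffset -Server $server -Samples $Samples
    $r | Format-Table -AutoSize
    if ($r.MaxAbs -gt $MaxOffsetSeconds) {
        Write-Warning "$server is off by up to $($r.MaxAbs)s; fix the time source before hardcoding it into appliances."
    }
}
```

Because the script resolves the SRV record rather than a hostname, it keeps working after the PDC role is moved, which is exactly the failure the CNAME/SRV advice above is meant to avoid.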

Oops! when you forget to update Lync’s Back End DB

After applying Cumulative Update packages to Lync 2010 or 2013 topologies, there is a required step to update the back-end databases and the Central Management Store (CMS). If you forget because you’re either lazy or rushed, you’ll start noticing some things don’t work as expected, like the Call Park Service and the Response Group Service. Here’s an indication that your DB needs to be upgraded:

[Screenshot: Event ID 31059 from the LS Call Park Service]

Event ID 31059 from the LS Call Park Service clearly tells us to upgrade the database to CU1. See below for the cmdlets to run, but please refer to Microsoft's official upgrade documentation for some important considerations:

Lync 2013 Standard Edition:

  • Install-CsDatabase -ConfiguredDatabases -SqlServerFqdn SE.FQDN -Verbose
  • Install-CsDatabase -CentralManagementDatabase -SqlServerFqdn CMS.FQDN -SqlInstanceName DBInstanceName -Verbose
  • Enable-CsTopology
  • %ProgramFiles%\Microsoft Lync Server 2013\Deployment\Bootstrapper.exe

Lync 2013 Enterprise Edition:

  • Install-CsDatabase -ConfiguredDatabases -SqlServerFqdn FEBE.FQDN -Verbose
  • Install-CsDatabase -DatabaseType PersistentChat -SqlServerFqdn PChatBE.fqdn -SqlInstanceName DBInstance -Verbose
  • Install-CsDatabase -ConfiguredDatabases -SqlServerFqdn SQLServer.FQDN -Verbose
  • Enable-CsTopology
  • %ProgramFiles%\Microsoft Lync Server 2013\Deployment\Bootstrapper.exe


Apache and MySQL on different hosts with SELinux

Recently I upgraded my single "LAMP" setup to two Apache front-ends and two mirrored MySQL back-ends. When moving WordPress to the new web servers I came across an issue with MySQL connections. The /var/log/audit/audit.log shows:

type=AVC msg=audit(1401916568.434:533): avc: denied { name_connect } for pid=31254 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1401916568.434:533): arch=c000003e syscall=42 success=no exit=-13 a0=10 a1=7fffdda48c20 a2=10 a3=10 items=0 ppid=1685 pid=31254 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

The issue is SELinux blocking outbound MySQL connections from within Apache (httpd_t is denied name_connect to the mysqld_port_t port). Rather than taking the easy way out and disabling SELinux completely, the only command needed to get it working was:

setsebool -P httpd_can_network_connect_db 1

Home Server Room finished!

[Photo: the finished basement server room]

For a while now I've had a server rack hosting my lab environment, but it's always been exposed to bad temperature conditions. Since moving to our own house the rack has been sitting in the attached garage, where it gets up to 90F in the summer and as low as 20F in the winter. So far all equipment in the rack survived the abuse, but it was difficult to work on stuff during extreme weather; it meant either freezing or sweating depending on the season. And that's not all: the only electrical circuit that went to the garage also ran the outside lights and the kitchen and living room outlets, and would trip at least once a week.

So a couple of months ago I started a little project to build an insulated server room in the basement, with tempered dual-pane glass sliding doors, separate electrical circuits, and access to a window that could house an A/C unit during the summer, and just be open during the winter. You can see the end result in the picture, but for the whole process in building the room, you can visit THIS PAGE.

Lync Edge Replication broken

Recently I came across an issue where the Edge server would not replicate the topology. After spending some time looking through firewall ACLs, NAT exemptions, packet captures and the rest of the usual networking stuff, it turns out the problem was WAY more obscure than simple connectivity…

If your Edge server's Trusted Root CA store contains over 100 entries, the SChannel security package will truncate this list internally and, depending on where your internal Root CA sits in the alphabetical order, it could be cut off and affect the ability to replicate the Lync topology over HTTPS on port 4443.

To resolve this issue, there are two options:

1. Delete unnecessary certificates from the Trusted Root CA store of the Edge server. This could potentially affect federated partners depending on which Root CAs you delete, but is a quick and easy way to fix the problem.

2. Edit the registry on the Edge server to add a DWORD value, SendTrustedIssuerList, under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL key and assign it a value of 0. This will prevent schannel.dll from truncating the Root CA list sent from the edge server, and allow validation tests to pass.

This was taken from a thread on the TechNet Lync forums.
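As an added example (not from the original post or the forum thread), this PowerShell script turns the diagnosis above into a check you can run on the Edge server: it counts the Trusted Root CA store, works out where your internal root lands in alphabetical order relative to the 100-entry limit, reports the current SendTrustedIssuerList value, and applies option 2 only when asked to with -Fix. The internal root CA subject fragment is an assumption.

```powershell
# Added example, not from the original post. Counts the Trusted Root CA store on
# the Edge server, shows where the internal root sits in the alphabetical list
# Schannel would send, and checks/sets the SendTrustedIssuerList registry value.
# The internal root CA subject fragment is an assumption; replace it with yours.
param(
    [string]$InternalRootSubject = 'CN=Example-Root-CA',   # assumed: a distinguished-name fragment of your internal root
    [switch]$Fix                                            # when present, set SendTrustedIssuerList=0 (option 2 in the post)
)

$schannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$limit       = 100   # the truncation point described in the post

function Get-RootCaReport {
    param([string]$InternalRootSubject, [int]$Limit)
    # Sort by subject, matching the alphabetical truncation the post describes; position is 1-based.
    $roots = @(Get-ChildItem Cert:\LocalMachine\Root | Sort-Object Subject)
    $pos   = 0
    for ($i = 0; $i -lt $roots.Count; $i++) {
        if ($roots[$i].Subject -like "*$InternalRootSubject*") { $pos = $i + 1; break }
    }
    [pscustomobject]@{
        TotalRoots      = $roots.Count
        OverLimit       = $roots.Count -gt $Limit
        InternalRootPos = $pos                                 # 0 means the internal root was not found in the store
        AtRisk          = ($roots.Count -gt $Limit) -and ($pos -eq 0 -or $pos -gt $Limit)
    }
}

$report = Get-RootCaReport -InternalRootSubject $InternalRootSubject -Limit $limit
$report | Format-List

# Report the current registry state; an absent value means the OS default applies.
$current = (Get-ItemProperty -Path $schannelKey -Name SendTrustedIssuerList -ErrorAction SilentlyContinue).SendTrustedIssuerList
Write-Host "SendTrustedIssuerList: $(if ($null -eq $current) { '<not set>' } else { $current })"

if ($report.AtRisk -and $Fix) {
    # Option 2 from the post: stop Schannel from sending (and therefore truncating) the trusted issuer list.
    New-ItemProperty -Path $schannelKey -Name SendTrustedIssuerList -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Host 'SendTrustedIssuerList set to 0; re-run the Edge replication / validation test.'
} elseif ($report.AtRisk) {
    Write-Warning "Store has $($report.TotalRoots) roots (> $limit) and the internal root is at position $($report.InternalRootPos); re-run with -Fix or prune the store (option 1)."
}
```

Running the report before pruning anything (option 1) tells you whether the store is actually over the limit and how far past it your internal root sits, so you can remove as few third-party roots as possible and keep federation with partners that chain to them.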

Open-Source Alternatives

Just recently I’ve devoted my extra time to finding and implementing open-source alternatives for common proprietary business applications. So far I’ve had great success in getting the solutions up and running, and I’ve been nothing short of impressed on how much community support they receive.

I will start writing comparisons of the commercial vs. open-source solutions I've come across and tested, but for now I'll simply list a few that I've been very happy with:

Commercial                              | OSS Alternative
Microsoft Exchange or Lotus Notes       | Zimbra Collaboration Suite
Microsoft Live Communications Server    | Asterisk + Openfire
Microsoft SharePoint                    | Alfresco (not yet implemented)
Microsoft CRM                           | SugarCRM Community
Microsoft Office                        | OpenOffice or IBM's Symphony

There are still a few things I cannot go without, chiefly Active Directory. Samba 4 will come with DC emulation built in, but it's still not out. Until then I'll keep working on other OSS alternatives to see if I can completely eliminate Microsoft or otherwise commercial software in a small environment.