Month: June 2014

Extending Lync Server certificate validity periods

X.509 certs are annoying. You need to get them issued with the right names, or reissued if you make a mistake or forget a SAN, and they need to be cared for from time to time otherwise they expire and make your world hell.

Wouldn’t it be great if you could make them last longer than the default of 2 years? Especially if you’ve installed them all over your Lync infrastructure, like:

  • Front End servers
  • Mediation servers
  • Edge server’s Inside NIC
  • Office Web App Server
  • Reverse Proxy or HLB
  • Voice Gateways
  • Exchange UM

Having to track and schedule downtime for certificate renewal on every one of the above components is quite the chore, so let’s extend it to 5 years using Microsoft Windows Active Directory Certificate Services (AD CS).

To start, we’ll duplicate the Web Server template. Open your Certification Authority MMC, go on your CA, and right click on Certificate Templates, then click Manage.


Right click on Web Server, then go on Duplicate Template.


Under General, we will need to give it a name and Validity Period. I’ve chosen LyncServer but it can be anything. You will need the Template Name when getting certificates issued without auto-enrollment, like from an edge server, or from your voice gateway using a CSR.


Under Request Handling, make sure to check Allow private key to be exported, review the other tabs and options to satisfy your curiosity, then click OK.


You can close the Certificate Templates Console and wait a bit for AD to replicate, or force it.

We will now enable the certificate so it can be issued. Right click on Certificate Templates again, then go on New, and Certificate Template to Issue. Look for your new LyncServer template, then click OK.


ONE LAST STEP!

On the CA server, you will also need to raise the limit on the validity period; otherwise it stays at 2 years regardless of what the template says. To do this, run:

certutil -setreg ca\ValidityPeriodUnits 5
certutil -setreg ca\ValidityPeriod years

Then restart the Active Directory Certificate Services service, and the CA is ready to start issuing longer certs!

When requesting certificates from Lync (or anything else), make sure to specify the template name when prompted. And if you are using a CSR for your gateway or edge servers, you can supply the template attribute yourself, since it is not included in the CSR but is required by Windows before it will issue you a cert. To do that, run:

certreq -attrib "CertificateTemplate:LyncServer"

Then pick the CSR, and then save the resulting signed certificate. BOOM!
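Once certs from the new template are spread across the roles listed above, it helps to know where they are, how long each has left, and whether its private key is exportable (the template above allows export, so a 5-year cert with an exportable key is worth keeping an eye on). The following PowerShell inventory is an added example, not part of the original post; the host names are placeholders and it assumes PowerShell remoting is enabled on the Lync servers.

```powershell
# Added example, not part of the original post. Host names are placeholders.
# Lists every cert in each server's machine store with its template name,
# days to expiry and whether the private key can be exported.
$lyncHosts = 'fe01.example.local', 'med01.example.local', 'owa01.example.local'

$inventory = {
    # Both template extensions: v1 "Certificate Template Name" (1.3.6.1.4.1.311.20.2)
    # and v2 "Certificate Template Information" (1.3.6.1.4.1.311.21.7).
    $templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'

    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        $ext = $cert.Extensions |
            Where-Object { $templateOids -contains $_.Oid.Value } |
            Select-Object -First 1
        # v2 formats as "Template=Name(oid), Major Version Number=..."; keep just the name.
        $template = if ($ext) { $ext.Format($false) -replace '^Template=([^(,]+).*$', '$1' }
                    else      { '(no template extension)' }

        # CAPI keys expose the exportable flag; CNG keys throw or return nothing here,
        # in which case the column stays empty (unknown).
        $exportable = $null
        try {
            if ($cert.HasPrivateKey) {
                $exportable = $cert.PrivateKey.CspKeyContainerInfo.Exportable
            }
        } catch { }

        [pscustomobject]@{
            Host       = $env:COMPUTERNAME
            Subject    = $cert.Subject
            Template   = $template
            NotAfter   = $cert.NotAfter
            DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
            Exportable = $exportable
        }
    }
}

Invoke-Command -ComputerName $lyncHosts -ScriptBlock $inventory |
    Sort-Object DaysLeft |
    Format-Table Host, Subject, Template, DaysLeft, Exportable -AutoSize
```

Run it from a management host with the same credentials you use for the servers; the rows with the fewest days left are the ones to schedule first.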


Lync 2013 Shell “Stuck” on Server 2012 R2

The Lync 2013 Management Shell has a tendency of getting stuck or hung when running on Windows Server 2012 R2. Upon opening it, all you see is a black window, no prompt.


To fix the problem, just install the latest Cumulative Update package (CU from January 2014 fixes the problem).

http://support.microsoft.com/kb/2809243

Testing NTP from Windows

While configuring an AudioCodes gateway, one requirement for successful TLS negotiation is the use of an NTP server. If you’re running an Active Directory domain on your network, your primary time source is the Domain Controller holding the PDC Emulator operations master role.

To test that NTP is working correctly before hardcoding it into your appliances, you can run the following command:

w32tm /stripchart /computer:<yourNTPsource>

The /stripchart switch displays a strip chart of the time offset between your computer and the NTP source you specified.

Also, for a future-proof NTP configuration, and to avoid breaking services if you move the PDC role and demote your time source, you can create CNAME records such as ntp.yourdomain.com, or use SRV records like the standard _ntp._udp.yourdomain.com (and point them at _ldap._tcp.pdc._msdcs.yourdomain.com so no manual intervention is needed!).
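The reason the gateway cares about NTP is that TLS certificate validation depends on the clock, so the useful check is not just "does the source answer" but "how far off is it". The script below is an added example, not part of the original post: it resolves the _ntp._udp SRV record (falling back to the PDC emulator record mentioned above), samples each target with w32tm /stripchart /dataonly, and flags any source whose worst offset exceeds a threshold. The domain name and threshold are assumptions; the offset parsing assumes the en-US decimal point that w32tm prints on an English system.

```powershell
# Added example, not part of the original post. Domain and threshold are placeholders.
$domain         = 'yourdomain.com'
$samples        = 5
$maxSkewSeconds = 1.0   # anything larger deserves a look before trusting it for TLS

function Get-NtpOffsetSeconds {
    param([string]$Server, [int]$Count)
    # /dataonly prints lines like "15:16:12, +00.0012345s" (or ", error: 0x..." on failure);
    # emit only the signed seconds of successful samples.
    $lines = & w32tm.exe /stripchart /computer:$Server /samples:$Count /dataonly 2>&1
    foreach ($line in $lines) {
        if ($line -match ',\s*([+-]\d+(?:\.\d+)?)s\s*$') { [double]$Matches[1] }
    }
}

# Prefer the published _ntp._udp SRV record; otherwise fall back to the PDC emulator's SRV record.
$srv = Resolve-DnsName -Name "_ntp._udp.$domain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) {
    $srv = Resolve-DnsName -Name "_ldap._tcp.pdc._msdcs.$domain" -Type SRV |
           Where-Object { $_.Type -eq 'SRV' }
}

foreach ($record in $srv) {
    $offsets = @(Get-NtpOffsetSeconds -Server $record.NameTarget -Count $samples)
    if ($offsets.Count -eq 0) {
        Write-Warning "$($record.NameTarget): no usable samples (UDP/123 blocked, or w32time not serving?)"
        continue
    }
    $worst  = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    $status = if ($worst -le $maxSkewSeconds) { 'OK' } else { 'SKEW TOO LARGE' }
    '{0,-40} worst offset {1,9:N3}s  {2}' -f $record.NameTarget, $worst, $status
}
```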

Network details from Windows 8/8.1 Task Manager

Right-clicking on the Task Manager’s network throughput graph can give you some nice details on your traffic. This will work on Windows 8, 8.1 and the equivalent Server editions 2012 and 2012 R2. Note that the statistics are only gathered while the Task Manager process is running and are not cumulative. For cumulative results, you can use the Get-NetAdapterStatistics | fl cmdlet.



Out of date sources for an up-to-date template?

Say you’re trying to speed up your VM deployments by creating a template with Windows Server 2012 or 2012 R2, and in the process, to free up some valuable disk space, you run something like the following:

Get-WindowsFeature | Where-Object -FilterScript { $_.Installed -Eq $FALSE } | Uninstall-WindowsFeature -Remove

What that does is remove the binaries of every uninstalled feature and save you a few gigs… BUT you will then need the media, or the sources on a share, any time you want to install a feature. That is fine as long as your template never gets updated. The moment you run Windows Update and go through the motions, your media will no longer work for adding features, and installations will fail with something like this:

Error: 0x800f081f

The source files could not be found.
Use the “Source” option to specify the location of the files that are required to restore the feature. For more information
on specifying a source location, see http://go.microsoft.com/fwlink/?LinkId=243077.

To update your sources so that you can use them when installing features, you can use the install.wim file on your media and grab the latest patches using WSUS Offline Updater (http://www.wsusoffline.net/), then merge the updates with the sources. Here’s how:

  • Copy the Sources\install.wim file from your Windows Server 2012 or 2012 R2 DVD media to somewhere in your hard drive.
  • Create a temporary folder, let’s call it C:\Win2012R2
  • Remove the read-only attribute from your local install.wim file, because we will be modifying it
  • Run dism.exe /get-wiminfo /wimfile:C:\install.wim and take note of the Index of the edition you’re using
  • Run dism.exe /mount-wim /WimFile:C:\install.wim /index:4 /mountDir:C:\Win2012R2. Note I’m using Index 4, which is Datacenter (non-core)
  • Run WSUS Offline and download all patches for the edition you’re using, and create an ISO from them
  • Mount the ISO with the updates, then run dism.exe /image:C:\Win2012R2 /Add-Package /PackagePath:F:\w63-x64\glb. In my case, the ISO was mounted on drive F:
  • Run the previous command at least twice. There are times where updates won’t slipstream into the sources unless they are at the right version. This is the case with Update 1 for Server 2012 R2.
  • Once all updates are injected, run dism.exe /Unmount-Wim /MountDir:C:\Win2012R2 /commit which will write the install.wim file back with changes and is ready for use.

When it comes time to install features, just use Add-WindowsFeature with -source:wim:\\server\share\install.wim:4 (note the Index number at the end).

For more detail, you can check out this TechNet article in combination with WSUS Offline to help you with the patch downloads.

Thanks for reading!

Oops! when you forget to update Lync’s Back End DB

After applying Cumulative Update packages to Lync 2010 or 2013 topologies, there is a required step to update the back-end databases and the Central Management Store (CMS). If you forget because you’re either lazy or rushed, you’ll start noticing some things don’t work as expected, like the Call Park Service and the Response Group Service. Here’s an indication that your DB needs to be upgraded:


Event ID 31059 from the LS Call Park Service clearly tells us to upgrade the database to CU1. See below for the cmdlets to run, but please refer to Microsoft’s official upgrade documentation for some important considerations:

Lync 2013 Standard Edition:

  • Install-CsDatabase -ConfiguredDatabases -SqlServerFqdn SE.FQDN -Verbose
  • Install-CsDatabase -CentralManagementDatabase -SqlServerFqdn CMS.FQDN -SqlInstanceName DBInstanceName -Verbose
  • Enable-CsTopology
  • %ProgramFiles%\Microsoft Lync Server 2013\Deployment\Bootstrapper.exe

Lync 2013 Enterprise Edition:

  • Install-CsDatabase -ConfiguredDatabases -SqlServerFqdn FEBE.FQDN -Verbose
  • Install-CsDatabase -DatabaseType PersistentChat -SqlServerFqdn PChatBE.fqdn -SqlInstanceName DBInstance -Verbose
  • Install-CsDatabase -ConfiguredDatabases -SqlServerFqdn SQLServer.FQDN -Verbose
  • Enable-CsTopology
  • %ProgramFiles%\Microsoft Lync Server 2013\Deployment\Bootstrapper.exe


Review: Plantronics Voyager Legend UC

In the days of work anywhere, at any time, from any device, having a reliable Bluetooth headset that integrates with Microsoft Lync and pairs with a multitude of devices is a must. The Plantronics Voyager Legend UC is now part of my mobile office and is always in my backpack. Here are the things I love about it:

  • It integrates beautifully into Lync. You can pick up and hang up calls with a single press of a button on the headset. Also, if you press the “mute” button on your headset, it mutes your Lync client so people are aware of your status when in conferences. This integration requires the use of the BT dongle (and of course it is included).
  • Voice and build quality is outstanding for a bluetooth headset, and can play A2DP audio so you can listen to podcasts or music while in between calls. The noise cancelling is excellent and removes most background noise.
  • Tested battery life is about 5 hours if you’re constantly talking (or listening over A2DP), and the headset can charge all the way to 100% in about 30 minutes.
  • Zero effort in PC pairing. Plug in the dongle and you’re set. I have never had a problem with pairing to either cell phone or BT dongle.
  • Can pair with a PC (dongle) and two other Bluetooth devices at the same time. You can pair your Lync client on your laptop and have your smartphone and tablet also paired, simultaneously, with the ability to seamlessly pick up and switch calls.
  • Voice commands to “answer”, “ignore” or “call John Doe” built into the headset make it easy to handle calls without touching the headset, and sensors within enable you to automatically answer calls simply by putting the headset on your ear. The sensors are accurate enough to not trigger if you have the headset in your pocket.

The UC edition of the headset comes with a few accessories that the regular non-UC edition lacks, like a nice little docking station for your desk, a portable charge cable which doubles as a micro-USB cable, and probably best of all, a case that holds the BT dongle and the headset with a built-in battery that can give you up to 14 hours of additional talk time!

Also, as a software value-add, the Plantronics Spokes software can be installed on your computer so the Lync client changes your presence to “In a Call” even when you’re on your cell phone. This unifies your presence across any voice device using the common headset, and makes Lync aware of your status.

My only complaints about the headset are that there is no way to turn off the “Mute On” and “Mute Off” prompts, even after making changes through the Spokes software or through the MyHeadset Updater settings. Also, while it offers excellent noise cancelling, the wind resistance is not that great. If you use this headset outdoors, the voice quality might disappoint, but I feel it’s designed more for home/office and road warriors anyway, so this is not a big deal at all for me.

As part of my testing I’ve recorded a short clip with audio direct from the headset.

In summary, the Plantronics Voyager Legend UC is probably the best Bluetooth headset I have ever used, and is now one of those gadgets I can’t live without. It retails for about $199 with all the accessories (headset, dongle, charging cable, battery case and desk cradle), or about $119 for the headset, dongle and charging cable. With its outstanding build and audio quality, a large number of accessories that can be included, and complete Lync integration, this headset will not disappoint those who are looking to break away from the desk phone forever.

Do you use the Legend UC? What do you think?

Non-E.164 voice gateway trunk into Lync 2013

While doing an integration with a Cisco CallManager cluster that was on version 6.1, I realized why Microsoft only supports CUCM 7.0 and above. Earlier versions do not handle E.164 and so calls through the SIP trunk into the Lync mediation pool would not have the nice “+” on the SIP Invites. Fortunately, Lync 2013 lets you do inbound and outbound translations to overcome these situations, although you’d still be running on an unsupported Voice gateway.

To handle Inbound SIP without E.164 prefix, you can create a Pool Dial Plan for the SIP trunks (PstnGateway) you’ll need to handle, and then create normalization rules to prefix a + and remove any other numbers. You can also do it at a Global level, but I like to keep things separate, and in my case CUCM integration is only temporary until all sites are on Lync.

Inbound: [screenshot of the PstnGateway dial plan normalization rules]

To handle Outbound SIP, you can use Calling and Called Number Rules under Trunk Configuration, and add/remove prefixes to be passed over to the voice gateway. In my case, I’m removing the + and prefixing a 7 to test outbound PSTN calling.

Outbound: [screenshot of the Trunk Configuration Calling and Called Number rules]
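The same inbound and outbound translations, built from the Lync Server Management Shell instead of the Control Panel, as an added example that is not from the original post. The gateway FQDN and the NANP digit patterns are assumptions (the trunk is assumed to already exist in the topology); adjust them to whatever your CUCM cluster actually sends.

```powershell
# Added example, not part of the original post. Gateway FQDN and patterns are placeholders.
$gateway = 'Service:PstnGateway:cucm-gw.example.local'

# Inbound: a dial plan scoped to this trunk only, so the legacy CUCM quirks stay
# out of the global plan. 10-digit and 1+10-digit NANP numbers become E.164.
New-CsDialPlan -Identity $gateway -SimpleName 'CUCMInbound' `
    -Description 'Legacy CUCM 6.1 trunk, non-E.164 (temporary)'
New-CsVoiceNormalizationRule -Parent $gateway -Name 'TenDigitToE164' `
    -Pattern '^(\d{10})$' -Translation '+1$1'
New-CsVoiceNormalizationRule -Parent $gateway -Name 'ElevenDigitToE164' `
    -Pattern '^1(\d{10})$' -Translation '+1$1'

# Verify the inbound rule before pointing real calls at it.
$rule = Get-CsVoiceNormalizationRule -Identity "$gateway/TenDigitToE164"
Test-CsVoiceNormalizationRule -DialedNumber '4255551234' -NormalizationRule $rule

# Outbound: trunk-scoped configuration that strips the + and prefixes a 7,
# on both the called number and the calling number handed to the gateway.
New-CsTrunkConfiguration -Identity $gateway -Description 'CUCM 6.1 trunk translations'
New-CsOutboundTranslationRule -Parent $gateway -Name 'CalledStripPlusPrefix7' `
    -Pattern '^\+(\d+)$' -Translation '7$1'
New-CsOutboundCallingNumberTranslationRule -Parent $gateway -Name 'CallingStripPlusPrefix7' `
    -Pattern '^\+(\d+)$' -Translation '7$1'

# Review what ended up on the trunk.
Get-CsTrunkConfiguration -Identity $gateway |
    Select-Object Identity, OutboundTranslationRulesList, OutboundCallingNumberTranslationRulesList
```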

Lync Comfort Noise with Cisco router or AudioCodes

Lync uses a feature called Comfort Noise that reduces network traffic in moments of silence, but still allows the voice gateways to generate some white noise to avoid the “hello? are you still there?” conversations. If your gateway is not configured to support Comfort Noise, then Lync will throw Event ID 25073 on your calls, saying The Mediation Server service has received a call that does not support comfort noise […] The Trunk does not support comfort noise.


If you’re using a Cisco router as your voice gateway, you can enable Comfort Noise support by using the following command under your voip dial-peer connecting into Lync:

rtp payload-type comfort-noise 13

Or if you’re using an AudioCodes gateway, you can find the options under VoIP > Media > RTP/RTCP Settings, but make sure you’re using the Full menu set.


After enabling Comfort Noise support, you can run a packet capture and see the RTP packets advertising comfort noise support.


Apache and MySQL on different hosts with SELinux

Recently I upgraded my single “LAMP” box to two Apache front-ends and two mirrored MySQL back-ends. When moving WordPress to the new web servers I came across an issue with MySQL connections. The /var/log/audit/audit.log shows:

type=AVC msg=audit(1401916568.434:533): avc: denied { name_connect } for pid=31254 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1401916568.434:533): arch=c000003e syscall=42 success=no exit=-13 a0=10 a1=7fffdda48c20 a2=10 a3=10 items=0 ppid=1685 pid=31254 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

The issue is SELinux blocking the MySQL connections from within Apache (the httpd_t domain is denied name_connect to the mysqld_port_t port), and instead of taking the easy way out and disabling SELinux completely, the only command needed to get it working was:

setsebool -P httpd_can_network_connect_db 1