Jeff Schertz, Author at Perficient Blogs

Welcome Microsoft Lync Server 2010

Jeff Schertz — Mon, 13 Sep 2010 16:09:20 +0000

Due to Microsoft’s announcement this morning I have added one final update to this blog. Microsoft has released product information and Release Candidate software for Lync Server 2010.
More details can be found here: Presence Goes Green on Microsoft Lync 2010

What’s New in Communications Server ‘14’ – Voice Features

Jeff Schertz — Wed, 09 Jun 2010 15:25:00 +0000

In a follow-up to some of the features I briefly mentioned in a previous article here is a more in-depth look at some additional new features currently in the CS ‘14’ beta software which have been covered in various presentations throughout TechEd 2010 this week. I’ve just scratched the surface with most of these topics, but it should help explain what some of the buzz-words like SBV, CAC, and Registrar mean.
Enterprise Voice Features
Site Resiliency

With the addition of a ‘Site’ component in Communications Server user services can now be balanced and protected against device and site failures by associating users with more than one location. Data Center and main office locations with full CS server deployments are defined as a Central Site while small and medium remote offices where a Survivable Branch Appliance (SBA) is installed is deemed a Branch Site. Each Enterprise Voice enabled user is then associated with a primary site and secondary, backup site automatically by virtue or simply registering with the primary site under normal conditions.
One of the new server components found in the Front-End server role is the Registrar. I will cover that component and the core changes involved in a later article, but for now it’s important to understand the Registrar service handles Communicator end-point login and connections to CS. This component lives on both a Front-End server role (both Standard Edition and Enterprise Edition) and on an SBA. When CS end-points perform automatic SRV lookup they can now leverage multiple response, ordered by priority, which now gives clients the ability to look for services on another host in the event the primary host is unreachable. This feature offers the ability to provide highly-available services to users leveraging a secondary pool in the same site or disaster recovery protection by using yet another pool in a different site.
For clients located in a branch office with the SBA configured as their primary registrar those users can be serviced by another pool in a central site in the event that the SBA fails. In the case of a WAN outage or loss of connection to the primary pool in the central site the branch office users are still signed-in to their Communicator client, but only Enterprise Voice features are available along with peer-to-peer communications between users in that ‘orphaned’ office location.
It is important to understand that the SBA is simply a registrar and not a full pool, only limited services are provided by the SBA, mainly with the intention of handling user registration and voice dialing features via the PSTN in that branch location.

Call Admission Control

Call Admission Control (CAC) is basically a fancy name for bandwidth management of voice call routing, which determines whether or not an audio or video session can (and should) be established based on taking real-time measurements of the network conditions. It is applied to media flow traversing LAN/WAN network segments but does not extend out to communications across the Internet or PSTN. The egress point of Communications Server (the Edge Server or the media gateway) is where the boundaries lie for CAC functionality.
CAC policies can be defined by administrators to set maximum values for total bandwidth for audio and video (independently) as well as the maximum possible bandwidth allocated to a single audio or video call (again, separate settings). In the scenario of a highly congested WAN link between two remote sites video calls may be disabled by CAC in order to prevent any poor communications experiences and provide users with the option to select alternative methods before ever having a ‘bad call’. And in the same scenario audio calls would automatically be routed via the PSTN if both locations have their own PBX or some other form of PSTN connectivity. Audio quality changes may be noticed at that point as RTA would be changed to G.711 for PSTN call routing, but the switchover is otherwise transparent to the users.

Mediation Server Bypass

This feature (also referred to simply as media bypass) offers bandwidth savings and can help improve call quality by reducing latency, removing transcoding, and minimizing the potential for additional packet routing problems to impact the communications.

Multiple Gateway Support

Unlike previous in versions of OCS where a mediation server could only be configured to communicate with a single gateway the Mediation Server role can now configured to handle multiple routes so many media gateways can be configured to route calls to the same Mediation Server. This can greatly reduce the amount of on-site hardware required in some distributed deployment scenarios.

Caller ID Manipulation

The Caller ID information can be customized on outbound calls placed by all users or any number of specific users or groups.

E911

Support for enhanced emergency services dialing is now provided by a combination of location services solutions which can be defined both by administrators and Communicator users themselves to provide proper location information in the event that a 911 call is placed from Communications Server.

Private Telephone Lines

A user (typically an executive) can now be configured with a second private telephone number which would not be listed anywhere in the directory for other users to browse and identify it. A special ring is associated with incoming calls directed to the private line number, and none of the advanced features (call forwarding, team ring, RGS, etc) are available. Private calls also do not adhere to Do Not Disturb presence rules and will always ring through to the user if they are signed-in. Outbound calls from teh user will still appear from their primary number, the private number will only be used to route inbound calls and thus further protect the number from becoming known to undesired users.

Common Area Phones

Because the Polycom CX700 (Tanjay) device has always required a user to sign-in it has never been a good solution for open areas and shared workspaces to provide telephony services. With CS ‘14’ come a host of new telephony end-points from various partners including Polycom and Aastra. Some photos of the latest Polycom devices can be seen on fellow MVP Mike Stacy’s blog.
These devices can register directly to Communications Server using a dedicated AD object and provide for, at minimum, voice services at all times. Additionally CS Enterprise Voice enabled users can log into some devices using a PIN, brining their number and presence over to the device until they either sign-out or a time-out period is reached in which the phone reverts back to the standard number.

Call Management

The Response Group Service contains a host of new features. Anonymous Calling allows agents to accept and place calls without showing their identity. Attendant Routing Method offers a configuration setting in which all RGS agents will receive an incoming call simultaneously, regardless of their current presence. The RGS management controls have been brought into the same tools as the rest of the CS components, the CS Shell (PowerShell) and CS Control Panel (CSCP). Richer IVR configurations and prompts provide more options to customize Response Group attendants.
The Announcement service has been updated to handle unassigned number routing rules so that if inbound calls to valid, but unassigned DIDs are routed to Communications Server the routing and response to those calls can be handled as desired instead of just dropping the calls or forwarding them all to a single primary number.
A Call Park feature has been added to allow users to put a voice call on hold and then pick it up on another endpoint without having to forward the call.

Outbound Route Translation

And saving the best for last (IMO) is a topic near and dear to my heart, normalization. As it is still best practice to design numbering plans and normalization rules to fully conform to RFC3966 standard (E.164 with the ‘+’ prefix) there will still exist the scenarios where the connected telephony system cannot handle some digits (as in the ‘+’) or the device cannot (or the administrators will not) allow changes to the numbering plans or rules.
In previous versions only the ‘+’ could be stripped off by the Mediation server just prior to leaving OCS, but that was it. With CS ‘14’ multiple rules can be added to further manipulate URIs just prior to routing to the gateway. This mean digits can be added, stripped, or replaced using RegEx patterns. This is very advantageous when dealing with Direct SIP deployments where no media gateway is available to provide additional number manipulation.
This single feature addition alone should be the last nail in the coffin of any Communications Server deployments in which RFC3966 complaint numbers are not utilized.

OCS R2 XMPP Gateway Deployment for Gmail

Jeff Schertz — Mon, 17 May 2010 18:03:00 +0000

The purpose of this article is to serve as a lessons-learned addendum to the current primary resource for configuring OCS and GMail federation: the Communication Server team’s official blog post on the subject. Following the detailed steps in that article should get you to a working end-state, but if a specific deployment differs from the directions in any way, sometimes it is hard to tell which of the documented settings are recommendations and which are requirements. I will address each of the steps with additional details that should help explain the requirements and back-ends processes in a bit more detail.
Component Topology
Borrowing the diagram from Microsoft’s documentation, let us look at the different components:

Gmail
- The Gmail cloud consistent of a farm of (at last count) 5 different GoogleTalk hostnames overlapped among 3 unique IP addresses. It’s not clear if three of the servers are sharing some type of load-balanced DNS/IP configuration or if some of the hostnames are actually redundant hosts. As with all things ‘cloud’ there isn’t much know about what’s actually inside it, but that is not important when configuring the OCS XMPP server. It is helpful to know the source traffic’s hostnames and IP address when troubleshooting.
  - xmpp-server.l.google.com, 74.125.45.125
  - xmpp-server1.l.google.com, 74.125.155.125
  - xmpp-server2.l.google.com, 74.125.47.125
  - xmpp-server3.l.google.com, 74.125.45.125
  - xmpp-server4.l.google.com, 74.125.45.125
Edge Server
- The normal Edge Server requirements still apply here, so the best practice deployment in a perimeter network with two interfaces on different TCP/IP networks is recommended. Let’s not start cutting corners here; don’t make me write yet another Edge Server article
XMPP Gateway
- A single Windows Server with no requirement of multiple network interfaces. A single interface can be used to handle both external (Gmail) and internal (OCS Edge) communications. But if your perimeter network configuration requires two interfaces to properly route traffic in a specific scenario, then 2 separate interfaces can be used and is supported.
- Network Address Translation is supported, and will be used in this example deployment. But by all means, if a public IP address needs to be assigned directly to an XMPP gateway server interface then communications will work just as well.

Communications Topology
Now we can take a closer look at the actual communication paths utilized end-to-end:

Following the example above, the communications steps for a Gmail user attempting to send an instant message to someone in our contoso.com example OCS organization:

Any one server in the GoogleTalk farm will attempt to locate the contoso.com SIP domain services by looking for a specifically defined DNS Service Locator (SRV) record named _xmpp-server._tcp.contoso.com. This record would be configured to point to a DNS Host (A) record for the XMPP gateway’s public FQDN. This can be any name desired. It is recommended to use an A record in the same domain namespace as the SRV record, but this is not a requirement. (Apparently Strict DNS Naming is not required by the XMPP server.) The name xmpp.contoso.comis used in this example.
The GoogleTalk server will then attempt a standard TCP connection to xmpp.contoso.com over port 5269. This is not a secured connection, so there are no certificate requirements on this first leg of communications. This connection is typically handled by an external firewall which is performing Network Address Translation (NAT).
This request is routed by the firewall to the XMPP server’s single interface which is actively listening on 5269 on its only configured IP address (10.11.12.40). The connection continues to be unsecure.
Once the XMPP gateway handles the request it will look at its SIP Configuration to locate an appropriate next hop, which would be configured as the Access Edge FQDN (sip.contoso.com). Based on the DNS configuration of the XMPP server it may be appropriate to configure a local HOSTS entry on the XMPP Server for the Access Edge FQDN to connect directly to the perimeter IP (10.11.12.33). If the public IP is resolved then the communications may fail; this traffic should not be routed outside the firewall and back in, it should stay within the perimeter network.
The connection is established with the Access Edge server on it’s Federation listening port of 5061, over MTLS as a certificate is utilized for XMPP Server to Edge Server traffic. The XMPP server must connect to the Access Edge using the Federation port and NOT the internal Edge interface. This is one of the most common deployment mistakes: attempting to configure the XMPP server to communicate with the Edge server’s internal interface.
For outbound traffic to GoogleTalk, the Edge Server simply treats the gmail.com SIP domain as any other federated domain. The configuration would denotes that traffic to gmail.com should be xmpp.jds.local in this example. For this portion of communications to properly function there are a few very important aspects to cover:
- Most importantly a certificate needs to be installed and configured on the XMPP gateway.
  - This is only used for communications between the XMPP and Edge servers, NOT for any external communications with GoogleTalk servers. Thus an internal private CA can be used to request the certificate for the XMPP server, and any root/issuing CA certificates must be imported onto the XMPP server just as would have been done with the Edge server.
  - An easy way to get a certificate on the XMPP server is to use the OCS Certificate Wizard on the Edge server (as the XMPP server does not include the wizard) and then just export and import the certificate with the private key to the XMPP server.
- Secondly, the certificate must be issued to the XMPP server’s exact hostname.
  - The Microsoft configuration article linked at the top of this blog article discussed that the Primary DNS suffix of the XMPP gateway needs to be configured with something, as an FQDN is required here.
  - What the article does not clarify is that XMPP server’s FQDN must utilize the actual server hostname; you cannot just select any secondary name for the XMPP server and configure the certificate, DNS resolution, and the Edge server’s Allow list entry to just anything. More simply stated: the XMPP server’s configured FQDN, certificate CN (or SAN entry) and the Edge server’s Allow list entry for gmail.com must all be set to the actual server’s fully qualified hostname. Because the XMPP server hands this name out during communications it is a hard requirement
- Lastly, if a single XMPP server FQDN configuration is attempted, instead of using separate private and public as in this example, then:
  - Microsoft’s article states that the public FQDN could be used here instead, but the external firewall would need to be configured to allow outbound traffic from the Access Edge server to loop back into the firewall and then connect to the XMPP server over 5061. Normally only traffic destined to 5269 would be allowed in from the Internet.
  - This configuration is least desirable as it is best practice to keep all XMPP<>Edge communications internal, just as discussed above in step #4. But since the leg of the communications is encrypted then routing it out to the Internet temporarily does not impose any additional security threat.
The XMPP server uses the XMPP configuration to locate gmail.com services from it’s Allowed Domain List by resolving the known SRV record _xmpp-server._tcp.gmail.com. Currently the xmpp-server.l.google.comrecord is configured as the highest priority (set to the lowest value or 5 versus 20 for the other hosts). The XMPP server then connects to that host to complete the entire communication path.
Success!

Caveats
There are a few items in the current implementation of the XMPP services which should be understood:

Only a single SIP domain per OCS organization can be configured. This limitation comes from the fact that (1) the XMPP server configuration only has the ability to support a single OCS SIP domain for gateway services and (2) the Edge server Allow list can only point to a single next-hop for the gmail.comSIP domain. So even if multiple XMPP server instance were deployed to support each desired OCS SIP domain, the OCS organization’s single Access Edge server could only point to one of those XMPP servers. There is currently no workaround to this limitation, so typically only the primary SIP domain is configured XMPP services.
Originally only gmail.com addresses were supported, but in January 2010 Microsoft released a hotfix for the XMPP server which adds support for the googlemail.com SIP domain as well. No configuration changes are necessary on the XMPP server itself after applying the update as it will automatically use the defined route to gmail.com for any communications destined for googlemail.com contacts. But additional configuration is required on the Edge server, as an additional entry must be added to the Allow list properties tab for googlemail.com to point to the same XMPP internal FQDN that was used for the original gmail.com entry.

Troubleshooting
As with anything OCS-related, know where the firewalls are and what traffic they are allowing/blocking. Nearly every deployment I have been involved with almost always has some blocked port, misconfigured policy rules, fat-fingered port number, or some other issue which prevents servers from communicating over the desired ports. If at any point you are struggling it is never a bad idea to eyeball the firewall polices and network diagrams one more time. Occasionally even the smallest mistake can completely prevent communications. For example, I once ran into an issue where OCS was configured to use lm.domain.com (as in Live Meeting) for one of the FQDNs but the hosting provider read the request to create an external DNS record as im.domain.com (as in Instant Messaging) due to the font that was used. In many sans serif fonts an uppercase ‘I’ looks identical to a lowercase ‘l”. < See what I mean?
To test connectivity to various service when testing traffic filtering rules, start with the following:
Name Resolution
Verify that lookup of the GoogleTalk servers is functioning:

C:>nslookup -type=srv _xmpp-server._tcp.gmail.com
Non-authoritative answer:
_xmpp-server._tcp.gmail.com SRV service location:
priority = 20
weight = 0
port = 5269
svr hostname = xmpp-server2.l.google.com
_xmpp-server._tcp.gmail.com SRV service location:
priority = 20
weight = 0
port = 5269
svr hostname = xmpp-server1.l.google.com
_xmpp-server._tcp.gmail.com SRV service location:
priority = 20
weight = 0
port = 5269
svr hostname = xmpp-server3.l.google.com
_xmpp-server._tcp.gmail.com SRV service location:
priority = 5
weight = 0
port = 5269
svr hostname = xmpp-server.l.google.com
_xmpp-server._tcp.gmail.com SRV service location:
priority = 20
weight = 0
port = 5269
svr hostname = xmpp-server4.l.google.com

Verify that the XMPP server’s SRV and A records exist:

C:>nslookup -type=srv _xmpp-server._tcp.contoso.com

Non-authoritative answer:
_xmpp-server._tcp.contoso.com SRV service location:
priority = 0
weight = 0
port = 5269
svr hostname = xmpp.contoso.com
C:>nslookup xmpp.contoso.com

Non-authoritative answer:
Name: xmpp.contoso.com
Address: 12.34.56.78

Port Connectivity
Using telnet and netstat commands a number of test can be performed to validate end-to-end communications are correctly allowed. When using telnet to connect to specific ports if a blank window immediately appears that is an indication of a successful connection. A failed connection will be reported as ‘Connect failed’ after a few seconds. Be aware that return traffic needs to allowed for a successful connection, so often the return packets are accidently filtered by a firewall configuration causing this error.
From the XMPP server telnet to each of the GoogleTalk XMPP listenting ports to verify connectivity.

C:>telnet xmpp-server.l.google.com 5269
C:>telnet xmpp-server1.l.google.com 5269
C:>telnet xmpp-server2.l.google.com 5269
C:>telnet xmpp-server3.l.google.com 5269
C:>telnet xmpp-server4.l.google.com 5269

Perform a similar test from an external host to verify inbound communications to the XMPP server:

C:>telnet xmpp.contoso.com 5269

From the XMPP server test connectivity directly to the Access Edge service:

C:>telnet edge.jds.local 5061

From the Edge server test connectivity directly to the XMPP server:

C:>telnet xmpp.jds.local 5269

Active Connections
If all test appear to work but IM connections to or from gmail.com users is still not working, active connections can be searched for on the XMPP server to validate that the remote GoogleTalk servers are attempting to connect.
From the XMPP server search for active TCP connections to the XMPP listening port:

C:>netstat –ano | findstr 5269
TCP 10.11.12.40:5269 0.0.0.0:0 LISTENING 1780
TCP 10.11.12.40:5269 10.11.12.40:62325 CLOSE_WAIT 1780
TCP 10.11.12.40:5269 33.99.141.69:37617 ESTABLISHED 1768

And to look for connections from the Edge server:

C:>netstat –ano | findstr 5061
TCP 10.11.12.40:5061 0.0.0.0:0 LISTENING 1780
TCP 10.11.12.40:5061 10.10.10.50:3690 ESTABLISHED 3688
TCP 10.11.12.40:62329 10.11.12.40:5061 TIME_WAIT 0

Outlook Profile Configuration without the MSOL Client

Jeff Schertz — Sun, 07 Feb 2010 17:10:00 +0000

There are a few scenarios where you may want to use Outlook to access an Exchange Online mailbox but cannot use the Microsoft Online Services Sign-In client. This could be due to installation or operating requirements of the client (some OS versions are unsupported) or maybe users don’t have the required permissions to install software but can at least modify Outlook profiles.
Take note that this is a completely unsupported approach and might not even work on some platforms. The intent is for accessing the mailbox in temporary situations and not for long-term deployment solutions. Not using the sign-in client can impact more than just single-sign-in user experience. It is a ‘best practice’ approach to deploy the client to end-users on supported platforms.
Additionally it was pointed out by a Microsoft Support Engineer that not using the Services Sign-In client prevents certificate downloads from BPOS which is required to support AutoDiscover. Thus Outlook clients will not be able to download the Offline Address Book or see any Free/Busy and Out of Office information.
The instructions in this article are simply a reverse-engineered look at what it is required to configure an Outlook profile to work with a mailbox hosted on Exchange Online/BPOS. This approach was tested using Outlook 2003, 2007, and 2010 against a mailbox hosted in the North American datacenters. I assume the same process would also work for other regions of the world with the correct URLs (red002 for EMEA and red003 for APAC).
The two main issues that can prevent administrators from successfully configuring profiles are related to (a) the order in which the profile is configured and (b) the confusing nature of the Exchange mailbox server names. But using the correct approach to the first issue takes care of the second.
Create New Outlook Profile
Start by creating a new Outlook profile using the Mail control panel applet. (In Windows 7 this can be found by searching for ‘mail’ in the Control Panel window.)

Open the Mail(or “’Mail 32-bit’) Control Panel applet.
Click Show Profiles…
Click Add…
Enter a unique, descriptive name for the new profile (e.g. jeff@contoso.com)
Depending on the version of Outlook used select the available choice to create a new profile:
1. Outlook 2003: Add a new e-mail account
2. Outlook 2007/2010: Manually configure server settings or additional server types
Select Microsoft Exchange (Server).

Now the first important step has been reached, as a valid server name will need to be supplied, but the odd thing is that internal, non-resolvable FQDNs are used by for the Exchange Online mailbox servers. If you have ever looked at a profile configured automatically by the sign-in client you would have noticed that the server names were typically in a REDxxx.local domain. So clearly a normal connection cannot be made to that server over the Internet as .local is not a publically supported DNS suffix. But Outlook Anywhere (aka RPC over HTTP) can be configured for the initial connection to the mailbox. This approach also works for all on-premise Exchange clients as well when trying to configure a profile to use Outlook Anywhere when Autodiscover is either not configured or supported.
There is a long list of possible Exchange mailbox server names that may change at any point as since this is an unsupported process Microsoft could modify them at any point during server upgrades/replacements. The name used in this example the may not work so I would recommend looking at the profile setting of another mailbox (or even the same mailbox) which was configured properly through the normal client procedure. If that mailbox server name resolves but is not the server which actually hosts this specific mailbox account the profile will still work as Exchange will redirect Outlook to the correct mailbox server in the organization. This can be verified by seeing that the server name changes to a different value after the profile is initially setup.

Enter VA3DIAXVS101.RED001.local in the Microsoft Exchange server field. Verify that Use Cached Exchange Modeis selected.
Enter the username of the desired mailbox, e.g. jeff@contoso.com or jeff@contoso.microsoftonline.com, whichever format is the configured username of the online account.
Click More Settings…
An error message will appear stating “The action cannot be completed. The connection to Microsoft Exchange in unavailable. Outlook must be online or connected to complete this action.” Click OK.
Another settings window labeled Microsoft Exchange will appear. Click OK again.

Note: If you attempt to use the Check Name button in the previous window the process will always fail as the .local server name is not yet resolvable. Ignore that button.

At this point the profile settings window should be displayed as seen in the image below, allowing the remainder of the configuration to be completed manually. This allows for the RPC over HTTP settings to be configured so that the once unresolvable .local server name will now be valid.

Configure Profile Settings

Enter and confirm the following settings across the various properties tabs. All steps beginning with ‘Verify’ or ‘Confirm’ indicate that the default value is the desired setting. Steps labeled as ‘Select’ or ‘Enable’ indicate a change in the default profile setting.

General Tab

Enter a descriptive account name (e.g. Exchange Online).
Select Automatically detect connection state.

Advanced Tab

Verify that Used Cached Exchange Mode and Download shared folders are enabled.

Security Tab

Verify that Encrypt data between Microsoft Office Outlook and Microsoft Exchange is enabled.
Verify that Negotiate authentication is the selected Logon network security setting.

Connection Tab

Enable Connect to Microsoft Exchange using HTTP.
Click Exchange Proxy Settings…

Exchange Proxy Settings

In the Use this URL to connect to my proxy server for Exchange field, enter red001.mail.microsoftonline.com for mailboxes stored in North America datacenters. Substitute red002 or red003 for other regions.
Enable the Only connect… or Mutually authenticate… setting (depending on the version of Outlook).
Enter the proxy server value of msstd:*.mail.microsoftonline.comin the field below.
Enable the setting On fast networks connect using HTTP first, then connect using TCP/IP.
Verify the setting is enabled for On fast networks connect using HTTP first, then connect using TCP/IP.
Verify that NTLM Authentication is the selected Proxy authentication setting.

Once completed with the steps above click OK to close and save the profile window, returning back to the original account creation wizard.

Click the Check Name button next to the User Name field and an authentication prompt should appear. Enter the password for the online account.

After a few seconds the Microsoft Exchange settings page on the wizard should have updated the information by updating the correct home mailbox server name as well as converting the username to the Display Name value. The underlined text format in both fields indicates a successful connection to the online mailbox, and thus the profile configuration is complete.

Click Next and Finish to complete the wizard.

Back at the original Mail applet window make sure that the Prompt for a profile to be used setting is enabled if there are now multiple Outlook Profiles configured on the same Windows user profile.

Understanding Contact Objects in Exchange Online

Jeff Schertz — Fri, 08 Jan 2010 14:15:00 +0000

When planning a migration up to Exchange Online, or even when working with a current customer that has already noticed this, there is one important distinction to be aware of regarding how Contact Objects are handled in the BPOS-Shared realm. Whether or not Directory Synchronization is (or will be) used with an on-premise Active Directory domain is also important.
Created in the Cloud
First off, an administrator can simply create a contact directly in the Exchange Online environment using the Microsoft Online Services Administration Center (commonly referred to as MOAC). The primary purpose of a contact object in Exchange is to include a single managed object which appears in the global address book to all users for sending email to an external SMTP address. A contact can not use an internal SMTP address in any domain, meaning that any domain which is currently verified in BPOS as Authoritative and configured for Inbound Messaging should not exist in a contact. Otherwise a Non-Delivery Report (NDR) would be created if any internal users attempt to send a message to it. Any foreign domains and any BPOS-verified domains still configured for External Relay would still be allowed.
Assuming we have a BPOS-Shared site of schertz1.microsoftonline.com let us create a new contact for my PointBridge email address. Using MOAC, the following contact was created directly in the cloud; no Directory Synchronization was used in this process (more on that later).

Once the contact is created it appears in the Contacts list with the SMTP address I added above:

But here where things get a little different. With a standard On-Premise Exchange deployment that exact address would appear in the address book in Exchange, but due to the fact that BPOS-Shared uses a single multitenant directory for separate clients there needs to be a way to store the address in a globally unique format. Otherwise if another BPOS-S client had already created a contact for the same SMTP address in their directory then we would have received an error when attempting to add this contact.
A quick peak at the Address Book in Outlook shows the actual format that the SMTP alias is stored in the directory:

By using this shadowed format the same SMTP alias can be stored in multiple tenant directories without conflict as the site’s specific (and unique) default domain name is used as the suffix. Regardless of how the SMTP alias appears in the address book to users the functionality is still the same and all messages sent to the contact are delivered to the correct address.
Directory Synchronization
The main difference here is when a contact object is created in BPOS by Directory Synchronization instead then the displayed E-mail alias will not look the same as what was shown above. When viewing the proxy address from either the administrative console or an Outlook client a different format appears, which upon first glance appears to be completely incorrect.
In this example there is a contact stored in an on-premise AD domain for Matt McGillen which contains his PointBridge SMTP address:

But when this object is created in BPOS via Directory Synchronization it appears to be stamped with a different address of mmcgillen@schertz1.microsoftonline.com which uses the default mail routing domain name in this BPOS site. This address appears the same anywhere it can be viewing in Exchange.

From the Contacts list in the Microsoft Online Service Administration Center:

From the E-Mail Address tab of a user in the Outlook Address Book:

From the online Address Book view in Outlook Web Access:

Obviously if this was the real address stamped on the contact it would no longer work as a mail forwarder as that domain is (by default) configured as an internal relay domain in BPOS and clearly wouldn’t send messages to the proper mailbox. But the contact will, and does work as expected. What happens is although the same shadowed proxy address format as described earlier in this article is used on the contact object itself to allow for unique address across the multi-tenant domain, the actually displayed format of that address does not reflect that.

The functionality is the same whether the contact was created manually in MOAC or automatically via Directory Synchronization, but the addresses are displayed to the administrators and end-users differently. I was told by Microsoft this caveat was necessary in order to get the proper functionality, but unfortunately the shadowed proxy address is not displayed for the synchronized contacts.

So, in a smaller environment it can sometimes be a better solution to leave the contacts out of AD (if possible) and simply create and manage them in MOAC. This will allow end-users to see the proper SMTP aliases and be less-confusing to them. Otherwise simply make sure that at least your administrators are aware of the display issue in the case any migrated end-users start to notice it and question the validity of the contacts. It is still undetermined if this behavior will be changed in the future to display the correct address for synchronized object.

BPOS Sign-In Client Breaks iPhone USB Synchronization

Jeff Schertz — Thu, 07 Jan 2010 22:18:46 +0000

So, I just ran into this issue and thought it would be worth documenting. During countless pilot migrations of users from various mail platforms to the Exchange Online portion of BPOS I’m surprised I’m just seeing this for the first time.
The Scenario
Where this appears is with a standard end-user scenario of a single Microsoft Outlook profile configured for POP or IMAP access to some hosted mailbox. Also iTunes is installed on the same computer and the iPhone is configured to synchronize Contacts, Calendar items, Email messages, etc over a USB connection.
If the Microsoft Online Services Sign-In client is installed and configured on the computer, one of the things the application configuration for Outlook does is create a new Outlook Profile for the online mailbox, leaving the existing profile alone. But it also deselects a default profile and configures Outlook to prompt for a profile when launched. This prompt is later hidden from BPOS users when they launch the application from within the Services Sign-In client itself, but is visible when Outlook is launched directly from Windows via a desktop shortcut or any other application shortcut outside of the Services Sign-In client.
Here is how the Mail control panel would be configured before the installation of the Service Sign-In client:

And this is what the configuration would look like after the Services Sign-In client configures Outlook:

What I discovered is that iTunes is not compatible with multiple Outlook profiles and will only synchronize with the profile configured as the default. So in this scenario where there is no longer a default profile chosen the next device synchronization would actually remove all Outlook content from the phone! Whoops.
The Workaround
This scenario typically would only happen during pilot or testing phases were a user might be logging into both the source and target mailboxes at different times on the same computer. Once the user is migrated over to Exchange Online then the iPhone would be reconfigured to use Exchange ActiveSync and no longer could iTunes be used to synchronize mailbox content to the device.
But until the user is migrated, if they need to restore the source mailbox data to the iPhone then the following steps can be used:
Select a Default Profile

Close Outlook, iTunes, and disconnect the phone.
Open the the Mail control panel applet, also called Mail (32-bit)in 64-bit operating systems.
In the Mail – Setup window click on the Show Profiles…button.
Change the When starting Microsoft Outlook, use the profile setting to Always use this profile and then select the original profile, which is typically named ‘Outlook’. Do not select the profile named after your BPOS account’s email address.

Resynchronize the iPhone

Launch iTunes with the iPhone not connected to the computer.
Go to the Edit menu, select Preferences… and then select the Devicestab.
Click the Reset Sync Historybutton, then click OK to close the Preferences window.
Connect the iPhone via USB and sync the device and all of the mailbox content should begin to copy to the device.
Disconnect the iPhone and verify that all missing mailbox data has been restored to the device.

From this point, one of two choices are left. The supported answer would be to revert Outlook back to no default profile and then not synchronize the device again until the mailbox migration is complete. On the other hand, the changes could be left as-is and although the Services Sign-In client will appear to function correctly it is possible that be having that unsupported configuration other problems could arise over time.

OCS Communicator Web Access Listening Port

Jeff Schertz — Thu, 24 Sep 2009 13:26:14 +0000

During the deployment of an OCS Communicator Web Access Server there is a setting that is not covered in much detail in the documentation: the Communication Server Listening Port. No default or suggested value is given, as shown by this screenshot of the virtual server creation wizard:

This port is used by the Communicator Web Access Server to listen for inbound communications from other OCS servers. When an additional Virtual Web Server is added to the same host, as is common when both Internal and External types are setup on the same server, the new virtual site’s listening port must be on a different port then what the initial site is configured for, otherwise the following error will appear:

This is also a common error when attempting to use a standard OCS port (like 5061) when CWA has been installed on an OCS Front-End server (such collocation is unsupported) . Since the Front-End services already occupy that port then an unused port must be specified. If CWA is installed on a separate server (as it should be) and the first, internal virtual site activation accepts 5061 as a value but the second virtual site activation does not, then it can be a bit confusing since one might think that there should not be a port conflict if the second site is configured on it’s own IP address.

Even though both virtual sites should be setup on different IP addresses, so that the default TCP 443 value can be used for the IIS site, all back-end OCS server communications still happen on the host’s primary IP address, which is what is resolved by DNS for the server’s FQDN. It’s common practice to set the first virtual site configured during the initial CWA deployment to 5061, and additional sites can be set for values of 5062, 5063, etc. There is no requirement on what port is used, except that it can’t already be in use on the host server.

For example, assume a CWA Server is configured with both an Internal and External virtual site, using the following configuration:

Description	FQDN	IP Address	Port	Listen Port
Communicator Web Access Host Server	ocs02.schertz.local	192.168.207.14
Virtual Web Server 1 – Internal	https://im.schertz.lab	192.168.207.14	443	5061
Virtual Web Server 2 – External	https://im.schertz.lab	192.168.207.15	443	5062

The way that the settings are displayed in the Communicator Web Access management console, it almost appears as if those listening ports are associated with the same IP address that the virtual web site is:

But that is not the case. There are a couple ways to verify exactly which IP address each Listening Port is actually listening on by using either simple netstat command or by capturing traffic on the server. The following diagram shows the basic traffic flow of two separate conversations, one between Workstations 1 and 2, and another IM session between Workstations A and B. The workstations on the left-hand side are typical Office Communicator users while those on the right-hand side are using Communicator Web Access with a web browser. Workstation B is located outside the corporate network and is directed through the firewall to the External CWA site running on the second IP address.

Below is a screenshot of a Network Monitor session with captured traffic from the two separate IM conversations:

Instant messages sent from Workstation 1 to Workstation 2 appeared on the CWA server as coming from the OCS Front-End server (OCS01) and were directed toward the CWA server (192.168.207.14) to port 5061.
Instant messages sent from Workstation A to Workstation B also came from the same Front-End server and were directed to the CWA server on the same primary host IP address (192.168.207.14), but were sent to port 5062, and not to the external virtual site’s IP address of 192.168.207.15.

Additionally, a netstat command can be issued at the same time to validate that the listening ports (5061 & 5062) are only established on the same, primary IP address. (This only displays active connections so if no users are currently using CWA then the ports won’t be listed.)

Changing the Listening Port

Unfortunately the Communicator Web Access management tool does not offer the ability to change the configured listening port after the virtual site has been created. The only port values which can be modified in the virtual server’s properties are: the client-connection port (which appears on the Connectivity tab and is typically set to 443) and the next-hop connection port (shown on the Next Hop tab, usually 5061). The latter is actually the remote listening port on the Front-End server that CWA will attempt to connect to. Nothing here about listening port that CWA itself is using for each virtual site.

The only way to change this setting is to manually update the TrustedServiceListeningPort WMI property.

On the CWA server run wbemtest.exe to access the Windows Management Instrumentation Tester application.
Click Connect.
Clear the ‘Namespace’ field and enter rootdefaultrtccwa_repository and then click Connect.
Under ‘IWbem Services’ click on Open Class.
In the ‘Get Class Name’ window enter MSFT_CWASiteSetting for the Target Class Name.
Click Hide System Properties to help filter the list a bit.
Click on Instances to see a list of installed CWA Virtual Servers.
Double-click on the desired instance to view the properties. To identify the instances compare the ‘Description’ property value with the description name shown in the CWA administrative tool, as shown below:
Highlight the property TrustedServiceListentingPort and click Edit Property.
The configured value is stored in both decimal and hexadecimal so be careful changing the value to insure that the format is not altered incorrectly. Simply update both values (use the Calculator in Programmer mode to validate both formats are equal).
For example, change the port from 5062 to 1975 (7B7 in hex) and click Save Property.
Click Save Object. at the ‘Object Editor for MSFT_CWASetting.Name’ window.
Click Close, Close, Exit.
Refresh the CWA Management console window and the new port setting should be displayed.
Issue a Restart on the specific virtual site in the CWA management console to complete the change.

OCS Edge on Server 2008 – The Strong Host Model

Jeff Schertz — Thu, 17 Sep 2009 14:18:00 +0000

The typical OCS deployment these days is using Windows Server 2008 instead of Server 2003 for the host OS now since R2 and Server 2008 have been out for some time, so a certain issue has begun to pop up in some deployments. Basically, if an R2 Edge server is deployed on Server 2008 and three separate NICs are used for the three external Edge roles then some routing problems can typically be seen. Previously on Server 2003 this was not a problem, but something has appeared to change in the behavior of Server 2008.

Well here is the story. (Do not miss the final paragraph as there is an important point that might make the rest of this article moot!)

OCS Edge on Windows Server 2003

Let us first revisit a proper configuration of an Edge Server when using multiple external interfaces.

Although this example is using private IP addresses with a single consolidated R2 Edge (with a static NAT compatible firewall) the scenario still holds true if publicly routable IP addresses are used instead.

Interface Role	IP Address	Subnet Mask	Default Gateway
Internal Edge	10.1.1.30	255.0.0.0
Access Edge	172.16.1.31	255.255.255.0	172.16.1.1
Web Conferencing Edge	172.16.1.32	255.255.255.0
A/V Conferencing Edge	172.16.1.33	255.255.255.0

Because internal networks are ‘known’ and external clients could be coming from anywhere in the public Internet IP address space (assuming Public IPs are used like in this example) then the single default gateway for the server should NOT be defined on the internal interface, but on an external interface.

Additionally, a static route would be defined to route traffic to/from the internal subnet(s). Not only do the Front-End and other OCS servers need to communicate directly with the Edge internal interface, so do any internal client workstations. For example, A/V sessions between internal and external clients travel from the internal workstation to the Edge internal interface, and out the external interface to the external client. This is why it’s important to make sure that the Edge internal FQDN is published in the internal DNS zone and not just setup on the Front-End server as a HOSTS file entry.

Since static route needs to include more than just the Front-End server, it should be define the entire, routable internal network. If multiple subnets are used internally then either a larger mask would need to be used (if all networks are configured in the same IP numbering scheme) or multiple static route will need to be added to include any and all networks where OCS servers, clients, and devices may reside.

route add –p 10.1.1.0 mask 255.255.255.0 10.1.1.1

Also we must not forget to go into the all of the external interface’s TCP/IP Advanced Properties and disable the option for Register this connection’s addresses in DNS.

The above configuration works on Server 2003 because the operating system adheres to what is called the Weak Host Model in networking. This means that all outbound traffic leaves the server on a loosely defined ‘primary’ external interface. In our scenario the Access Edge interface would hold this title as it has the default gateway defined on it, while the other externally-facing interfaces do not have a default route defined. This means that inbound traffic from external clients which hits the Edge server on any of the different interfaces would complete it’s return trip out of the single primary interface, as shown in the diagram below:

OCS Edge on Windows Server 2008

Windows Server 2008 by default now uses the Strong Host Model which no longer contains the premise of a ‘primary’ interface role among the multiple NICs. (For an excellent article on how all of this works, take a look at The Cable Guy’s article Strong and Weak Host Models.)

This now means that traffic which enters a specific interface will always be sent back out the same source interface, as shown in this diagram:

Clearly the initial benefit that can be seen is that traffic is now segregated and bandwidth more efficiently utilized than before with the Weak Host Model. External Office Communicator clients will be able to sign in and federation will function, but external Live Meeting won’t connect and no A/V and desktop Sharing features will work. This behavior also makes it easier to design routing and firewall policies as return traffic can be predicted correctly and like-communication rules can be bound together in the same firewall policies.

But using the same configuration as on Server 2003 does not work for Server 2008. (For now ignore the Default Gateway icons in the diagram above on the Webconf and AV Edge interfaces. This would then represent the typical configuration based on previous rules, but as we cover a potential resolution in the next section then those icons will come into play.)

This is because when the Web Conferencing and A/V return traffic leaves the server it will exit on the same interface it originally came in on. And since the Default Gateway is blank on those two interfaces, that traffic will not find the router and simply fail. It’s easy to confirm that behavior by watching traffic on the external firewall and by capturing packets on the server, as return traffic is lost when no usable outbound route can be found for the outgoing interface.

So there are actually two ways to resolve this in Server 2008. I’ve struggled with being able to get a ‘best practice’ recommendation from anyone on this problem, and Microsoft has yet to update any TechNet articles addressing this. The main reason is there really is not a single solution. In my opinion and from the feedback of other MVPs and SMEs in the product area it really depends on the network configuration and how the Edge Server should be configured to handle and route traffic.

Use Multiple Default Routes

One approach is to simply set the same Default Gateway on each of the external interfaces. Now normally you wouldn’t want multiple default routes defined on the same server. When multi-homing a Windows Server to different IP subnetworks (as we have here with the separate internal and external NICs on the Edge server) then factors like Dead Gateway Detection come into play, and following that general practice is correct.

But with multiple interfaces connected to the same IP subnetwork and be used to segregate traffic and not simply load balance traffic, then each adapter needs to have a valid next-hop route defined in order for the Strong Host Model to be used.

Interface Role	IP Address	Subnet Mask	Default Gateway
Internal Edge	10.1.1.30	255.0.0.0
Access Edge	172.16.1.31	255.255.255.0	172.16.1.1
Web Conferencing Edge	172.16.1.32	255.255.255.0	172.16.1.1
A/V Conferencing Edge	172.16.1.33	255.255.255.0	172.16.1.1

The potential pitfalls with this solution is that any of the three interfaces could be used for initiating outbound communications. Checking the route table afterwards will show that all three defined routes have the same metric value. For responses to inbound traffic this is not a problem as the Strong Host model will dictate that the response leaves the interface it entered on and external firewalls will see the return traffic from the same IP and routing should be fine. But for initiating an outbound connection, as can happen when an internal users tries to start an IM conversation with a Federated or PIC user, needs to travel out of the Access Edge interface to match the traffic profile that firewalls would be configured for (TCP 5061 outbound). Typically this works usually since the Access Edge was the first configured external interface, but because the Strong Host Model does not officially assign a primary interface then it seems to be a little luck or black-magic.

A way to force the Access Edge interface to act as a primary default route interface would be to leave the Default Gateway set on the interface properties, and then perform a route print to identify the Metric value of that route. Then instead of adding the same Default Gateway value on the other two interfaces simply create a static route from the command line and assign a metric of higher value to each of the other interfaces. This will insure that the Access Edge interface is used for initial outbound connections but when Strong Host attempts to reply to traffic from any of the 3 interfaces there is a defined route on each interface.

Configuring Multiple Default Gateways

Start by verifying that the Access Edge interface is the only external interface configured with a Default Gateway.

Issue a ROUTE PRINT command to identify the assigned metric for the Access Edge interface’s default route entry, as well as the defined indexes for each external NIC. In the example below the Index values are 14, 15, 16 for the external NICs and the default route’s Metric is 276.

C:>route print
===========================================================================
Interface List
16 …00 15 5d 67 a2 0f …… Microsoft VM Adapter #4 (AV Edge)
15 …00 15 5d 67 a2 0e …… Microsoft VM Adapter #3 (Webconf Edge)
14 …00 15 5d 67 a2 0d …… Microsoft VM Adapter #2 (Access Edge)
12 …00 15 5d 67 a2 0b …… Microsoft VM Adapter (Internal Edge)
1 ……………………… Software Loopback Interface 1
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.16.1.1 172.16.1.31 276
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
10.0.0.0 255.0.0.0 10.1.1.1 10.1.1.30 11

Alternatively the NETSH command can be used to identify the interface indexes.

C:>netsh interface ipv4 show interface

Idx Met MTU State Name
— — —– ———– ——————————-
1 50 429467 connected Loopback Pseudo-Interface 1
12 5 1500 connected Internal Edge
14 5 1500 connected Access Edge
15 5 1500 connected Webconf Edge
16 5 1500 connected AV Edge

Issue the following persistent ROUTE commands to set higher metric values for the other interfaces.

route add –p 0.0.0.0 mask 0.0.0.0 172.16.1.1 metric 277 IF 15
route add –p 0.0.0.0 mask 0.0.0.0 172.16.1.1 metric 278 IF 16

Disable the Strong Host Behavior

An alternative approach would be to disable that default functionality and configure Server 2008 to use the Weak Host Model. This would allow the same single-external Default Gateway definition, but has some inherent drawbacks. Especially now with R2 a consolidated Edge Server can more easily host all external roles on the same physical interface (since NAT restrictions have been loosened). This being the case, a benefit to using multiple physical interfaces for each external role is to increase bandwidth and segregate traffic. Thus reverting the server back to a Weak Host Model could inherently negate those benefits. But on the flip side with an Edge server that handles a lot of AV communications (which require more bandwidth than others) then using Weak Host would effectively offer dedicated NIC for internal AV with outbound AV travelling over the ‘primary’ Access Edge interface, thus balancing A/V traffic across 2 interfaces. Keep in mind that the actual benefits may vary here depending on the duplex mode of the interface and switches since the two streams are in opposite directions.

Enabling Weak Host Send/Receive

Use the ROUTE PRINT or NETSH commands shown in the section above to identify each interface’s index value.

Verify each adapter’s current Weak Host settings

C:>netsh interface ipv4 show interface 14

Issue a set of commands for each interface to enable Weak Host sending and receiving.

netsh interface ipv4 set interface 14 weakhostsend=enabled
netsh interface ipv4 set interface 14 weakhostreceive=enabled

netsh interface ipv4 set interface 15 weakhostsend=enabled
netsh interface ipv4 set interface 15 weakhostreceive=enabled

netsh interface ipv4 set interface 16 weakhostsend=enabled
netsh interface ipv4 set interface 16 weakhostreceive=enabled

Verify the setting changes on each adapter with the NETSH command again.

C:>netsh interface ipv4 show interface 14

Summary

Although it’s a bit more complicated, attempt the first option as clients have typically configured their firewall rules to flow traffic in/out on the same interfaces. And in some instances I’ve seen clients simply set the default gateway values on each interface’s properties without mucking around with metrics and command line strings, and everything just worked fine. Go figure!

But if internal routing issues seem to prevent that approach from working, then disabling Strong Host will also get the job done and is an easier configuration on the server side. Changes may need to be performed on the firewall to handle inbound and outbound traffic of the same type to/from different IPs, but being armed with this information ahead of time though can make this an easier process.

So all this stuff leads me to one important point that can save a ton of work and headaches up front. Simply ask the question: “Why are there 3 externally-facing physical interfaces in the Edge server?”

With NAT support for consolidated Edge in R2 there are now even less deployments with separate physical external interfaces (due to different subnetworks connected to AE/LM and AV roles, but even that scenario is slightly different because the of the unique networks which don’t share the same default route anyways). Physical traffic segregation and bandwidth are the only real arguments for having multiple external interfaces, and with gigabit interfaces in servers being the norm these days bandwidth limitations might be perceived more than actual. Besides, once that level of traffic flow is reached it is typically a better approach to deploy a second Edge server and expand into a pool than simply add multiple interfaces to a box that still has to flow all of that data back into a single NIC to connect to the internal OCS servers after all. So if any single recommendation were to come out of this article it would be to make sure that 3 external interfaces are really needed in the first place!

A/V Edge Authentication Connection Errors

Jeff Schertz — Mon, 22 Jun 2009 13:11:31 +0000

Just a quick note regarding an error I recently ran across. A client was experiencing problems with Dial-In Conferencing after a recent deployment and during troubleshooting the issues I ran across this pair of errors in the Front-End server’s OCS event log:

OCS Audio-Video Conferencing Server
Event ID 32018
“The Audio-Video Conferencing Server encountered an error when requesting credentials from the A/V Edge Authentication Service.”

OCS Protocol Stack
Event ID 14502
”A significant number of connection failures have occurred with remote server…”
8007274D
80072746

The IP address of the the ‘remote server’ described in ID 14502 was actually the IP address on the Edge server’s internal interface. So after checking the the common reasons for server-to-server communications issues (filtered ports on firewalls, incorrect or missing DNS entries, or invalid certificates) everything appeared to check out. All other features were working, as internal to external audio and video communications were tested multiple times in addition to Live Meeting and Desktop Sharing.

The A/V Authentication service was correctly configured on the Edge Server’s Interfaces tab on the default port of 5062, and from the Front-End server I was able to telnet directly to that port. Hmmmm…

Next step was to check the internal configuration and make sure that the Front-End services were attempting to go to the right place.

Bingo! The A/V Edge Servers entry under the Global Properties > Edge Servers tab had the correct FQDN but was mistakenly configured to use 443 instead of 5062, where the A/V Auth service was actually listening on the Edge’s internal IP.

Simple enough, just change it, right? That would be too easy. You can’t edit the current entry. And attempts to directly resolve it will be thwarted by one of two errors messages depending on if you attempt to delete the current entry and replace it with a new one, or simply try to add a second entry for the same FQDN with a different port value.

“The A/V Edge Server internal FQDN and A/V authentication port is currently assigned to a pool or server. Please check the Status Pane. Removing this entry may result in the failure of users to exchange media.”

“Trusted entry breaks the FQDN, Port or Version uniqueness constraint.”

Resolution

At this point we’ll need to un-assign the current value from a couple places in the OCS configuration so that the invalid entry can be removed.

First go to the Pool Properties under the Pool object and change the A/V Authentication Service to (None).

And then from the Mediation Server Properties also change the A/V Edge Server setting to (None).

Give Active Directory some time to replicate these configuration changes around, and we can go back and remove the original entry and replace it with the correct port number.

Revisit the Global Properties on the OCS Forest object and delete the existing A/V Edge Server entry with the invalid port listed.
Create a new entry with the correct values. (Depending on the time elapsed between now and the previous steps you may receive another “Trusted entry breaks FQDN…constraint” warning but it can be ignored at this point.)

After restarting the Front-End services those two errors should stop appearing in the event log and Front-End to A/V Authentication communications should now be working.

UC Virtual User Group Kickoff Meeting

Jeff Schertz — Fri, 24 Apr 2009 13:50:14 +0000

The newly formed Unified Communications Virtual User Group (UCVUG) will be hosting it’s first meeting next month and we’ve already gotten over 100 participants registered. Hence the name, it will be a virtual Live Meeting

This open online community is neither affiliated with Microsoft or PointBridge and was started by Office Communications Server MVP Dustin Hannifin with help from some of the other MVPs. The initial meeting will include presentations by myself covering the new features in OCS 2007 R2 and by Mike Stacy on Evangelize Communications new SmartSIP application. We will have a number of attendees from Microsoft and may also have some representatives from partners like Polycom, Audiocodes and Plantronics.

Our goal with this group is to have some candid, real-world-based discussions and presentations with a variety of IT professionals through the industry and help push the UC story out there.

Event Details

Thursday, May 21, 2009
7:00 PM – 8:30 PM (ET)

Visit this page to register for the event: http://ucvuglaunch.eventbrite.com

Migrating Lotus Notes to Microsoft’s Business Productivity Online Suite

Jeff Schertz — Wed, 11 Mar 2009 20:36:00 +0000

I’ve been slacking on the OCS-related blog material recently, and that’s mainly due to the projects I’ve been working on, one of which is currently wrapping up. My main focus since October has been a couple of migration projects from customer’s previously running Lotus Notes into the shared BPOS cloud.

For a little background information on the BPOS offerings, basically with the help of a simple sign-in application running on a desktop a user can have full Outlook, Live Meeting, and SharePoint functionality with all of the backend systems being completely hosted and managed offsite by Microsoft. From a user-end standpoint they can’t tell that their Exchange services are hosted offsite and not integrated directly onsite. But on the back-end it takes a pretty fair amount of work to get everything connected and migrated over.

There are a few threads in the Microsoft Online Services discussion forums that briefly discuss the options for moving from a Lotus Notes platform up to BPOS, either directly or via an intermediary mail system. I’ve completed projects using both scenarios as BPOS has moved from a beta to full release service and third-party vendors have updated their toolsets to support the new environment.

Quest Notes Migrator for Exchange

The first migration approach I took was the only available path at the time: a two-hop migration of Notes to a new Exchange 2007 deployment located on-site, followed by a second migration up to BPOS. The first leg was accomplished by using Quest Software’s Notes Migrator for Exchange (NME) to perform a fairly standard Notes to Exchange migration on-site. Notice I said ‘fairly standard’ as usually you don’t have to stand up a completely new Active Directory forest and Exchange deployment and then tear it back down again afterwards.

This was a complicated procedure with much overhead, but it left us two benefits in terms of flexibility: freedom of change control procedures when modifying the interim forest and the ability to delete the entire forest upon completion of the migration without leaving irreversible schema changes in a production forest. That said, this approach added significant time to the deployment as almost everything had to be performed twice. Since mail coexistence was not used and a weekend ‘big-bang’ approach was chosen there was no need to use the Notes Transporter, but simple PowerShell scripts were used to bulk create mailbox-enabled user accounts in the interim forest. Mailbox data was brought over in multiple stages from Notes to Exchange using NME and then from Exchange to Exchange Online using the MSOL Migration Tools found under the migration section of the Administration Center.

Since then Quest started testing the ability to connect NME directly to mailboxes in BPOS to cut out that middle-man process of two migrations. Here’s a recent press-release stating the support for Direct-to_BPOS migrations using NME: http://www.quest.com/newsroom/news-releases-show.aspx?contentid=8503.

So, I just used this new process to perform a migration of nearly 10x the amount of data in less time than the previous project by using this single-step direct migration approach with NME. The time saved by not processing and moving mail data twice can drastically reduce the overall time frame in relation to the amount of mail data being migrated. In a green-field mailbox approach with possibly just moving contacts or small amounts of calendar data this can accomplished over a single weekend, but if there is 100MB of mailbox data across thousands of mailboxes each then a pretty significant amount of time will be required in advance to pre-load data into BPOS. Although you can use multiple migration consoles, load balanced Internet connections, etc there is still the very real impact of pushing gigabytes of data across a latency-happy public Internet.

The most recent version of the NME User Guide now has an additional section which outlines the order of migration steps. Among these steps there is one important caveat that has not yet made it into the documentation: the Outlook profile for the ‘migration’ account must have Offline Cached Mode disabled. Once the BPOS Services client configures the Outlook profile for the desired administrator account it cannot be left in cached mode. If initial connection attempts to BPOS from NME were made while in cached mode any changes to will not be properly picked up, including the important Receive-As rights which will be granted on the back-end via a submitted service request. The same error will appear before and after the change if still in cached mode:

To resolve this problem delete the Outlook profile and the .OST file. Then open up the Sign-In client and authenticate with the same administrator account and access the Options tab. Select the More Options button and then click the trouble shooting link for “Reconfigure desktop applications” which will allow you to reconfigure Outlook and recreate the missing profile.

Immediately close Outlook and open the Mail control panel to select the profile and disable cached mode. Make sure to delete the newly created .OST file again (which should be quite small if Outlook was closed as soon as it was configured).

Form this point NME should be able to connect to the BPOS directory without complaining about missing “Receive-As” permissions.

Converting Recorded Live Meetings into Portable Media Files

Jeff Schertz — Thu, 29 Jan 2009 05:44:27 +0000

Live Meeting 2007 has the ability to record meetings, capturing audio, video, and other shared content for archival and later viewing. When in a meeting the presenter can behind recording content and select where they want to save the output to.

The main disadvantage with the recorded content has been the portability (or lack thereof) of the captured content. Live Meeting will save the recording across literally hundreds of files scattered through multiple folders. The Live Meeting Recording Manager can then be used to view recent recordings which is played back in Internet Explorer.

Well now there is a new tool called the Recording Converter which was just released by Microsoft that will take the saved content and convert it into a single .WMV file

Using the converter is as simple as pointing the source folder location to the My Meeting subfolder containing the recording you want to convert, and then selecting the resolution and what type of video is used, if applicable. Converting a 3 minute presentation containing video, audio and a shared slide deck took only about 30 seconds to process. I did notice the total recording size did grow from 3.3MB for all folder contents to 8MB for the individual Windows media file.