Posts Tagged ‘OCS 2007 R2’
Posted by Ståle Hansen on 22/06/2010
I recently integrated Exchange 2010 RTM OWA with OCS 2007 R2 for chat and presence. Having read some blog posts about how to implement the feature I decided to blog how I got this feature working based on these blogs and my own findings. I will cover the steps for both the Exchange 2010 RTM and SP1 versions since the steps are different.
Prerequisites
- Download and install OCS 2007 R2 Web Trust Tool on the Exchange 2010 server
- http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=ca107ab1-63c8-4c6a-816d-17961393d2b8
- Locate and install the following files in elevated mode by running cmd.exe as administrator
- vc_redistx64
- UCMAredist.msi
- CWAOWASSP.msi
- If the Exchange 2010 server is running on Server 2008 R2 you also need to install the latest cumulative hotfix update for OCS 2007 R2 on the Exchange server
- http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=b3b02475-150c-41fa-844a-c10a517040f4
- Download and run ServerUpdateInstaller.exe
- Also download the latest update for UCMAredist that is not included in CU5
- Reboot the server
Configuring Exchange 2010 RTM
NOTE: The below steps need to be done on all Exchange 2010 CAS servers in you deployment
- Download and run the PowerShell Script found in the below link
- http://msunified.net/exchange-downloads/script-imexintegration-ps1/
- The script will not configure anything
- It takes backup of web.conf and generates the configuration you manually need to add the web.conf file
- The script makes it easy to generate the correct syntax for populating the below keys
- Navigate to the web.conf file
- C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\web.conf
- Edit the file and search for the string IMPoolName
- Replace the three “add key” strings with the ones provided with the script
- In Exchange Management Shell run the following command to configure OWA Virtual Directory
- Run IISreset in PowerShell
Configuring Exchange 2010 SP1
The Exchange 2010 SP1 guide is based on this great post written by Martin Sundström: http://msundis.wordpress.com/2010/06/21/integrate-ocs-2007-r2-with-exchange-server-2010-sp1-owa/ The configuration on Exchange is now moved from web.conf to the per server OWA Virtual Directory. I will definitely create a script automating the below process when I get more hands on :)
NOTE: The below steps need to be done on all Exchange 2010 CAS servers in you deployment
- Get the active Exchange 2010 certificate using this command in Exchange Management Shell
- Use the thumbprint and OCS pool FQDN in the command below
- Run iisreset
Configuring OCS 2007 R2
In order to allow the Exchange 2010 server to communicate with OCS using SIP containing presence and chat you need to add every Exchange 2010 CAS servers as authorized hosts on OCS.
- On your OCS R2 Pool server configure authorized host
- NOTE: Your user needs to be member of the RTCUniversalServerAdmins group
- Open Office Communications Server R2 under Administrative Tool
- Expand forest and Enterprise pool or Standard Edition Servers depending on you deployment
- Right click your pool and choose properties->Front End Properties
- On the Hosts Authorization tab
- You need to add the Client Access server FQDN and configure as the below image
- NOTE: This is the FQDN of your subject name (CN) on the certificate used on the CAS server
Troubleshooting the Installation (RTM)
Next are a few troubleshooting steps that can assist with some of the more common problems encountered with Exchange/OCS integration. I found these valid troubleshooting steps on Rand Morimoto’s post: http://www.networkworld.com/community/node/47348
Configuring the Firewall on the CAS Server
If the Client Access Server has the Windows Firewall enabled, it might need an exception to enable OCS 2007 R2 to communicate with it. To create the exception, perform the following steps:
- From the Control Panel, open Windows Firewall
- On the left side of the Windows Firewall window, click .“Allow a Program Through Windows Firewall.
- Click Add Program; then click Browse.
- Browse to C:\Windows\System32\inetsrv and select w3wp.exe.
- Click Open and then click OK twice to apply changes and close the window. Be sure to perform this step on all CAS servers with IM integration enabled.
User Configuration
- Before the user community can utilize the IM features, they must be “provisioned” for Office Communications Server R2 and must be enabled for Enhance Presence. When the user is initially enabled on OCS 2007 R2, he will automatically be enabled for Enhanced Presence.
- Users must also have a valid SIP proxy address for the OWA IM integration component to enable the IM Integration UI.
- When attempting to view the Instant Messaging contact list, a user might receive a notification that states
- Instant Messaging Isn’t Available Right Now. The Contact List Will Appear When the Service Becomes Available.
- If this occurs, perform the following steps:
- Using the same user account, confirm that you can access the IM services using the Office Communicator 2007 R2 client.
- If functional, confirm that the OCS Server name is properly entered in the Web.Config file of the CAS server.
- Also confirm the configuration of the Authorized Hosts option on the OCS pool contains all IM Integrated Client Access Servers.
OWA Certificate Error
If OWA cannot locate the certificate, an error stating The Local Certificate Specified Was Not Found in the Store for the Local Computer appears.
In this case, confirm that the value of the OCSCertificateIssuer and OCSCertificateSerialNumber fields in the Web.Config file are correct. Also ensure that there are blank spaces between every two characters in the serial number to separate octets in the string.
References
TechNet: http://technet.microsoft.com/en-us/library/ee633458%28EXCHG.140%29.aspx
Chris and Robin’s Technology blog: http://chrislehr.com/2009/11/implementing-integrated-ocs-in-owa-2010.htm
Martin Sundström: http://msundis.wordpress.com/2010/06/21/integrate-ocs-2007-r2-with-exchange-server-2010-sp1-owa/
Rand Morimoto: http://www.networkworld.com/community/node/47348
Posted in Exchange 2010, OCS 2007 | Tagged: Exchange 2010, PowerShell, OCS 2007 R2, owa, OWA OCS Integration | 9 Comments »
Posted by Ståle Hansen on 28/04/2010
I had a mind boggling troubleshooting session the other day where the problem was audio and video through consolidated OCS EDGE server behind NAT’ed in interfaces. After running Network Monitor and analyzing the SIPlogs on all involved machines:
- Inside Client
- Customer OCS Front End
- Customer OCS EDGE
- Outside Federated Client
- Firewall
The Symptoms
- SIP, Presence and IM working fine
- The call gets connected but fails with no media connectivity after just a few seconds
- No RTP traffic on any machine in Network Monitor
- In the SIP log we could see that the client used NAT AV EDGE IP, not public IP
- Therefore no media connectivity because the external client and external EDGE cant reach that IP
- When Internal Client and Federated Client was on the same subnet audio and video worked fine
The Solution
Read Rick Varvel’s blog post up and down and studied all the fine print and found that the Internal Client has to be able to resolve the Public IP of the AV EDGE server. This is an issue when the internal DNS is authoritative for the external domain without all external entries.
Below are the complete steps to set up OCS 2007 R2 EDGE when behind NAT
- Implement OCS 2007 R2 EDGE with at least two NIC’s
- One Internal
- One or more External
- When you have more than one external NIC beware of the Strong Host Model feature in Server 2008 where NIC’s don’t share gateways and media flow works different
- Configure the firewall to perform DNAT inbound and SNAT outbound for the A/V Edge external interface
- Configure the Internal NIC with an IP address and FQDN that is resolvable from you internal subnets
- Configure the External NIC’s with NAT’ed IP addresses, not the public ones because you are behind NAT
- Make sure that the OCS 2007 R2 EDGE server can resolve all the external FQDN’s with the public IP addresses
- Add them in the external DNS
- Or add them in the local hosts file
- Make sure that the A/V EDGE public IP and FQDN is resolvable from the Internal Client subnets
- Make sure that the OCS 2007 R2 EDGE server knows it is behind NAT
- On your edge server goto: start->run-> type in compmgmt.msc
- Expand Services And Applications
- Expand Office Communications Server
- Right-click the OCS EDGE entry and choose properties
- Under A/V EDGE server make sure that the “External IP address is translated by NAT” check mark is checked
- Press apply and exit
- Restart the OCS EDGE services
Resources
Rick Varvel: http://blogs.technet.com/rickva/archive/2009/04/03/Configuring-A_2F00_V-Edge-Service-for-NAT.aspx
Mino – The UC Guy: http://theucguy.wordpress.com/2009/03/04/the-ocs-2007-r2-edge-and-nat/
Elan Shudnow – Audio/Media Negotiation: http://msunified.net/2009/08/30/office-communications-server-2007-r2-audiomedia-negotiation/
Inside OCS – Ports required for OCS 2007 R2 EDGE: http://blog.insideocs.com/2008/08/20/what-ports-do-i-need-to-open-on-my-firewall/
msunified.net – Single consolidated EDGE server clarified: http://msunified.net/2009/07/01/single-consolidated-edge-server-clarified/
Posted in OCS 2007 | Tagged: OCS 2007 R2, AV EDGE, No Media Connectivity, Ports required for OCS 2007 R2 EDGE | Leave a Comment »
Posted by Ståle Hansen on 09/04/2010
Server 2008 R2 is now supported by OCS 2007 R2. As a follow-up to my post on
Installing OCS 2007 R2 Prerequisites on Windows Server 2008 I will in this post describe how you can install OCS 2007 R2 prerequisites on Server 2008 R2. While you need to install the same prerequisites on both OS’ there is a change in what commands you use and you also need to prepare the server in a different way when you are installing on Server 2008 R2
Part one – Before you install OCS 2007 R2 binaries
- Open powershell as administrator and run the following commands
- Import-Module ServerManager
- Add-WindowsFeature as-net-framework,desktop-experience,telnet-client
- This installs the following features
- [As-Net-Framework] – .Net Framework 3.5 SP1
- [Desktop-Experience] – Desktop Experience
- [Telnet-Client] – Telnet Client (recommended not required)
- Request the Hotfix that is described in KB975858 for Windows Server 2008 R2
- You need to request it, then you recieve a link by email, from there you can download and install it
- Install the prerequisites for the specific role as described in part three
- Run Windows Update untill everything is updated
- Install the OCS 2007 binaries for the role you are installing
Part two – After you install OCS 2007 R2 binaries
- When you try to activate OCS 2007 R2 Standard Edition, Enterprise Edition or Edge Server role when all windows updates are installed it fails
- Download and install the latest cumulative updates for OCS 2007 R2
- I recommend downloading ServerUpdateInstaller.exe that features all the updates and will install the ones necessary for the specific role
- You need to manually update the Pool DB
- After installing the latest cumulative updates I have experienced that some services can’t start when you reboot the server, the symptoms are
- If you have XP or Vista clients in your enterprise change the default NTLM security settings from 128-bit encryption to “no minimum”
- Start secpol.msc on a Windows Server 2008 R2 operating system server.
- Click to select Local Policies and then click Security Options node.
- Make sure that the following values of the policies are set to “No Minimum.”
Part three – Commands to install the necessary prerequisites for OCS 2007 R2 on Windows Server 2008 R2
Front End on Windows Server 2008 R2
- Import-Module ServerManager
- Add-WindowsFeature web-windows-auth,web-mgmt-compat,web-mgmt-console,web-http-logging,msmq-server,msmq-directory,was-process-model,was-config-apis,rsat-adds
Installs the following components:
- [Web-Windows-Auth] – Windows Authentication
- [Web-Mgmt-Compat] – IIS 6 Management Compatibility
- [MSMQ-Server] – Message Queuing Server
- [MSMQ-Directory] – Directory Service Integration
- [RSAT-ADDS] – Active Directory Domain Services Tools
- [WAS-Process-Model] – Process Model
- [WAS-Config-APIs] – Configuration APIs
- [Web-Mgmt-Console] – IIS Management Console
- [Web-Http-Logging] – HTTP Logging
- [PowerShell] – Windows PowerShell
The last 3 in the list are not required, but they are highly recommended. IIS 7.0 Management Console is IMHO much easier to use than the IIS 6.0 version. The logging tools often come in handy when troubleshooting OCS IIS issues.
NOTE: If you are to run the create pool wizard from the Front End server against SQL 2008, you also need the MS SQL Native Client: X64 Package (sqlncli.msi) – 7963 KB
Also check out this post of mine whether to run create pool on OCS Front End or Back End SQL server: http://msunified.net/2009/08/11/create-pool-%e2%80%93-run-on-ocs-or-sql-server/
Office Communicator Phone Edition deployment on Windows Server 2008
- Import-Module ServerManager
- Add-WindowsFeature Web-Static-Content
Installs the following components in addition to Front End prerequisites:
[Web-Static-Content] – Static Content
NOTE: It exists default MIME types for both the .xml and the .cat extensions that is used by the updater. There is however no default for the .nbt extension and you need to configure it manually. See this post on how to do it http://www.codesalot.com/2010/communicator-phone-edition-update-issues/
Monitoring Server on Windows Server 2008
- Import-Module ServerManager
- Add-WindowsFeature msmq-server,msmq-directory
Installs the following components:
- [MSMQ-Server] – Message Queuing Server
- [MSMQ-Directory] – Directory Service Integration
CWA Server on Windows Server 2008
- Import-Module ServerManager
- Add-WindowsFeature web-windows-auth,web-digest-auth,web-basic-auth,web-mgmt-compat,web-mgmt-console,web-common-http,web-ISAPI-ext,web-ISAPI-filter,web-request-monitor,web-http-redirect,web-http-logging
Installs the following components:
- [Web-Windows-Auth] – Windows Authentication
- [Web-Digest-Auth] – Digest Authentication
- [Web-Basic-Auth] – Basic Authentication
- [Web-Mgmt-Compat] – IIS 6 Management Compatibility
- [Web-Mgmt-Console] – IIS Management Console
- [Web-Common-Http] – Common-http-features
- [Web-ISAPI-Ext] – ISAPI Extensions
- [Web-ISAPI-Filter] – ISAPI Filters
- [Web-Request-Monitor] – Request Monitor
- [Web-Http-Redirect] – HTTP Redirection
- [Web-Http-Logging] – HTTP Logging
Mediation Server on Windows Server 2008
- Import-Module ServerManager
- Add-WindowsFeature rsat-adds
Installs the following components:
- [RSAT-ADDS] – Active Directory Domain Services Tools
References:
For base OS prerequisites: http://support.microsoft.com/kb/982021
For supporting OCS 2007 R2 after raising the domain functional level: http://support.microsoft.com/kb/982020
Posted in OCS 2007 | Tagged: OCS 2007 R2, Prerequisites, Server 2008 R2 | 6 Comments »
Posted by Ståle Hansen on 18/03/2010
March first 2010
Telenor TSOC discovered that a new worm was on the loose on Windows Live Messenger. This time it is in your native language and therefor the probability of users actually clicking on the link is much greater. The worm sends a link from one of your contacts in MSN and if you click it a trojan will be downloaded to your PC and install itself. This is a huge risk for businesses that allow users to use Windows Live Messenger in their company network. If one PC get compromised in the internal network the possibility for it infecting other PC’s is even greater. This is one of the main reasons to implement OCS 2007 R2 as the only business solution for chat. Some arguments are:
- Encrypted internal chat solution
- All traffic stay inside you organization
- Can federate and chat with other organizations in a secure manner
- Can add global rules for blocking links, file transfers and unpatched clients
- Can add MSN contacts and be sure that messages with links is blocked server-side
In addition to secure chat OCS gives the businesses the ability to implement Unified Communications and is therefore way more than just a chat client.
About this trojan
First you get a message from one of you contacts saying, seen this?? :D and it links to hxxp://www.facebook-c.com/image.php?Photo023girl.JPG. The trojan adapts to the language on the computer and will display the text in you native language. In norwegian it will be se på dette bildet :D with the link following. The link points to a site at Yahoo and so the links was live for a day or two. It still was a huge security risk. The trojan is written in Visual Basic and executes a C++ program. It installed itself as c:\windows\winmbu.exe and granted itself access through the local firewall. The program gave the owner of the trojan access to
- Communication with C&C over the IRC protocol
- Sending of messages over MSN and Yahoo messenger
- Download and run files on the infected computer
At release date only 13 of 41 antivirus products detected this file. So even with an updated antivirus on the local computer 69% of the antivirus solutions would not have detected it.
Link to official article in norwegian: http://telenorsoc.blogspot.com/2010/03/trojaner-spres-via-msn-messenger.html
Link to the antivirus protection overview: http://www.virustotal.com/analisis/89c677bc0044864d80244aee8201661e79f431f33c3b164aa778f363fe1cf9da-1267474859
Posted in UCC | Tagged: OCS 2007 R2, Windows Live Messenger, MSN, trojan, worm, Telenor TSOC | 1 Comment »
Posted by Ståle Hansen on 23/02/2010
I had a problem at a customer site with Live Meeting that external users could not join the meetings. External and anonymous users got the same message. Internal Live Meeting was working just fine and so did Communicator externally.
The EDGE server gave the following Event ID:
- Source: OCS Web Conferencing Edge Server
- Event ID: 41993
- Level: Error
- Description: Failed to process data received from the client
That did not tell me much so I checked the Front End server. It had the following Event ID:
- Source: OCS Data MCU
- Event ID: 41059
- Level: Error
- Description: Failed to connect external users because the download URL is invalid.
It was now clear to me that the external web farm FQDN had to be wrong so I checked the Meeting Settings at pool level. The “External URL for meeting content download” was empty. Also the addressbook URL was empty. I decided to set the external web farm FQDN and found a way using lcscmd. After using lcscmd as described below external Live Meeting users could connect just fine. With the below steps I was able to set the external webfarm FQDN.
NOTE: PoolName in an Enterprise Edition deployment is the full FQDN name like ocspool01.domain.local. In a Standard Edition deployment you only need the Front End Server name like ocs-server and do not use FQDN
Step 1. Check current settings
To check the current URLs configured for these services, you can use LCSCMD.exe, and run the following:
Lcscmd /web /action:ListWMISettings /poolname:poolName
To retrieve the settings, check out the created html in the location provided after the command
Step 2. Update External URL
To update the external URL, you need to run the following command:
Lcscmd /web /action:updatepoolurls /externalwebfqdn:WebfarmFQDN /poolname:poolname
Step 3. Check the settings again
Rerun the line stated in Step 1 to check your settings again, and check the created html file:
Lcscmd /web /action:ListWMISettings /poolname:poolName
To clear the external URL in one step, just run the following:
Lcscmd /web /action:clearpoolexternalurls /poolname:poolName
For more information, check the following link: http://support.microsoft.com/kb/938288
Thanks to: http://www.pro-exchange.eu/modules.php?$1&name=News&file=article&sid=971
Posted in OCS 2007 | Tagged: OCS 2007 R2, Event ID 41993, Event ID 41059, external web farm fqdn | Leave a Comment »
Posted by Ståle Hansen on 08/11/2009
On several OCS 2007 Enterprise installations this patch was not that easy to install when you are using SQL 2008 backend database. Here’s what I had to do to install this patch
To apply the hotifx, you must have the following software installed.
- OCS administration tools
- MS SQL Native Client
- If you decide to install SQL 2008 Client Tools, SQL 2005 Service Pack 2 (SP2) Backward Compatibility must also be installed.
- To install the SQL 2005 Service Pack 2 (SP2) Backward Compatibility you need to download and install
- Microsoft SQL Server 2005 Management Objects Collection
- Microsoft SQL Server 2005 Backward Compatibility Components
- Finally run the patch with the following command when on a OCS Enterprise deployment
- OCS2009-DBUpgrade.msi POOLNAME=poolname
If the installation failes check Scott Oseychik’s post about SQL won’t allow update here: http://blogs.msdn.com/scottos/archive/2009/08/21/installation-of-ocs-2007-r2-hotfix-package-969834-may-fail-if-sql-settings-have-been-changed.aspx
View the full technical article here: http://support.microsoft.com/kb/969834
Posted in OCS 2007 | Tagged: OCS 2007 R2, OCS2009-DBUpgrade.msi, SQL 2008 backend, SQL 2005 Service Pack 2 (SP2) Backward Compatibility | 3 Comments »
Posted by Ståle Hansen on 08/11/2009
MVP Lee Desmond posted a great post about the November updates for Office Communications Server 2007 R2. Check it out here: http://www.leedesmond.com/weblog/?p=607
Check out the latest Nov 2009 updates released for the different Office Communications Server 2007 R2 server roles as described in KB968802. This applies to both the Standard and Enterprise Editions.
A very important and welcome addition to assist the patch management process is the “Cumulative Server Update Installer” (ServerUpdateInstaller.exe) delivered as part of this release. Instead of having to determine and manually applying the relevant patches to the various R2 server roles, this tool relieves the administrator from those tedious chores by applying all updates for the appropriate server role in just one click. You can also use this tool on the command line with the switches /silent, /forcereboot and /extractall.
If not already present, you shoud also apply the update* for the Office Communications Server 2007 R2 Back-end Database (KB969834).
Download for the updates (.msp), executable (.exe) and installer (.msi) can be obtained here.
Here is a good guide on how to install the updates: http://blogs.technet.com/ucspotting/archive/2009/11/26/3296447.aspx
Posted in OCS 2007 | Tagged: OCS 2007 R2, MOC, patch, hotfix, update, rollup package, lcs | Leave a Comment »
Posted by Ståle Hansen on 28/10/2009
Doug over at DMTF has written an excellent article about what do for OCS single sign on when internal domain and sip domain does not match. When split brain DNS is no option you can create two dns zones for the SRV records only. Here is an excerpt from his blog. View the full blog post here: http://blogs.technet.com/dougl/archive/2009/06/12/communicator-automatic-configuration-and-split-brain-dns.aspx
To implement this for Contoso, we would create a zone “_sipinternaltls._tcp.contoso.com” and zone “sip.contoso.com.” Notice that these are two zones – not two records in one “contoso.com” zone. A zone is a name resolution boundary in the hierarchical DNS namespace. By configuring the internal DNS server to be authoritative only for these two names, clients will continue resolving other names in the contoso.com domain as they always have.
Coincidentally, over on his blog, Geoff Clark has just suggested the same thing. He describes the problem and suggests the same solution but shows a method of creating the zone on a Windows DNS server via the DNS management console. Unfortunately, there is a limitation in the management console that is not present in the underlying Windows DNS implementation. This limitation required Geoff to create the zone as “_tcp.contoso.com” when what we would really like is a zone named “_sipinternaltls._tcp.contoso.com.”
This limitation in the user interface can be resolved by creating the zones and the records using the Dnscmd command line tool. For Contoso, here are the required commands:
dnscmd . /zoneadd _sipinternaltls._tcp.contoso.com. /dsprimary
dnscmd . /recordadd _sipinternaltls._tcp.contoso.com. @ SRV 0 0 5061 sip.contoso.com.
dnscmd . /zoneadd sip.contoso.com. /dsprimary
dnscmd . /recordadd sip.contoso.com. @ A 172.16.45.12
Of course, you’ll need to make the appropriate changes for your environment. If you are not running the command on your Windows DNS server, you will need to replace the first dot with your server name. You may also prefer a different zone type than “dsprimary.” If so, change the zoneadd commands appropriately. I doubt that your pool’s IP address is the same as my example but, if you have followed me this far, you already know what to change there.
Posted in OCS 2007 | Tagged: OCS 2007 R2, Split Brain DNS | Leave a Comment »
