By Girija Bhagavatula, Senior Program Manager, Lync Server Team
If you are a Lync Mobile user on Windows Phone or iOS then you should be aware that starting June 1st it is possible that some of you might see errors in receiving push notifications to your device. The most likely reason for that may be your system administrator has not updated the required certificates for enabling the federation between your on-premise Lync Server deployment and the Lync Push Notifications Clearing House service in Office 365. The certificate update itself is a very easy process and you can refer your system administrator to the next section titled “Certificate Update” for more details. Most of you will not even see this issue since your system administrator would likely have updated these certificates as part of a Windows Update.
As part of our ongoing commitment to security, the Lync team is making a change to the SSL certificate chain that will require our customers and partners to take action before June 1st, 2013. Lync Servers currently use the GTE CyberTrust Global Root and beginning on June 1st, 2013 will migrate to the Baltimore CyberTrust Root. The new root certificate uses a stronger key length and hashing algorithm, which ensures we remain consistent with industry-wide security best practices. If your service does not accept certificates chained to both the GTE CyberTrust Global Root and the Baltimore CyberTrust Root, please take action prior to June 1st, 2013 to avoid certificate validation errors. While we seek to minimize the need for customers to take specific action based on changes we make to Lync Server, we believe this is an important security improvement. The Baltimore CyberTrust Root can be downloaded from https://cacert.omniroot.com/bc2025.crt.
The migration of Lync Online Service to use the new Baltimore trusted root Certificate Authority is planned during May 2013. As of June 1st 2013, all of our servers including the Lync Push Notifications Clearing House Service will be on Baltimore certs only. So please ensure that your Lync Server deployments have been updated to trust the Baltimore Root before that.
As an IT Admin, if you perform Windows Updates regularly:
· All you would have to do is validate that the new Baltimore Root cert is already present in the “(Local Computer) Trusted Root Certification Authorities” cert store on each Microsoft-facing server.
If you do not perform Windows Updates regularly and/or the new Baltimore Root cert is not appearing in the Trusted Root cert store:
· You can perform a Windows Update for this requirement or import the Baltimore Root into the store on each Microsoft-facing server. You can download the Baltimore Root cert from https://cacert.omniroot.com/bc2025.crt.
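The two checks above, written out as a script an admin could run on each Microsoft-facing server. This is an added example and not part of the original post or a Microsoft-supplied tool. It assumes the .crt from the URL above has already been downloaded to the path in $CrtPath, that the script runs in an elevated PowerShell session, and that the thumbprint constant below matches the value the CA publishes for the Baltimore CyberTrust Root (confirm it against the CA's own publication before relying on it). The import is gated on that thumbprint so that a wrong or altered download cannot be added to the machine trust store.

```powershell
# Added example (not from the original post): verify that the Baltimore CyberTrust
# Root is in the (Local Computer) Trusted Root store on this server and, if it is
# missing, import it from a downloaded .crt. Run elevated on each Microsoft-facing server.
param(
    # Assumption: the root cert was downloaded from the URL given in the post to this path.
    [string]$CrtPath = "$env:TEMP\bc2025.crt"
)

# SHA-1 thumbprint of the Baltimore CyberTrust Root as published by the CA.
# Assumption: confirm this value against the CA's own publication before use.
$ExpectedThumbprint = 'D4DE20D05E66FC53FE1A50882C78DB2852CAE474'

function Test-BaltimoreRootTrusted {
    # Returns $true when a certificate with the expected thumbprint is present in
    # Cert:\LocalMachine\Root, i.e. "(Local Computer) Trusted Root Certification Authorities".
    $match = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $ExpectedThumbprint }
    return [bool]$match
}

function Import-BaltimoreRoot {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) {
        throw "Root certificate file not found: $Path (download it from https://cacert.omniroot.com/bc2025.crt)"
    }
    # Parse the file first and refuse to import anything other than the expected root.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    if ($cert.Thumbprint -ne $ExpectedThumbprint) {
        throw "Thumbprint mismatch: got $($cert.Thumbprint), expected $ExpectedThumbprint. Not importing."
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')
    try     { $store.Add($cert) }
    finally { $store.Close() }
}

if (Test-BaltimoreRootTrusted) {
    Write-Host "$($env:COMPUTERNAME): Baltimore CyberTrust Root already trusted. No action needed."
} else {
    Write-Host "$($env:COMPUTERNAME): Baltimore CyberTrust Root missing; importing from $CrtPath"
    Import-BaltimoreRoot -Path $CrtPath
    if (Test-BaltimoreRootTrusted) { Write-Host "Import succeeded." } else { Write-Error "Import failed." }
}

# Sanity check: the newly trusted root should build as a trusted, self-signed chain.
$root = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $ExpectedThumbprint }
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # a self-signed root has no CRL to consult
Write-Host ("Chain builds to a trusted root: {0}" -f $chain.Build($root))
```

Because the first function only reads the store, you can run it alone (without the import branch) from a non-elevated prompt on every server to inventory which ones still need the update before June 1st.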
If you are wondering about all the jargon around push notifications, and have often wondered how incoming notifications are delivered to you on your mobile device, let me take this opportunity to give you an overview. The mechanism used to deliver incoming notifications to your device differs based on which version of the Lync mobile client you are currently using.
In this blog, I’ll cover Push Notifications, which is the primary mechanism to deliver notifications on Windows Phone (both Lync Mobile 2013 and 2010) and iPhone/iPad (Lync Mobile 2010 only). If you are a Lync Mobile 2010 user then Windows Phone and iPhone/iPad use the Microsoft Push Notification Service (MPNS) and the Apple Push Notification Service (APNS) respectively. However, if you have recently upgraded your client to Lync Mobile 2013 on iPhone and iPad then you no longer have any dependency on the Apple Push Notification server and instead the notifications are delivered directly to the Lync mobile client using background VoIP sockets. I’ll leave the VoIP socket discussion for a future topic.
The following table captures the different mechanisms used based on your Lync Mobile client and Lync Server versions.
N/A*: you cannot use a Lync Mobile 2013 client against a Lync Server 2010 deployment.
At a very high level, most mobile systems don’t allow applications to run in the background, to save battery and bandwidth costs. So when you press the home button your Lync app goes into a suspended state and hence can no longer communicate with the corresponding web service, in our case the Lync Server. This poses a challenge: Lync, being a real-time communication application, needs to receive asynchronous updates from the server for any incoming call or IM. The Push Notification services allow Lync Server to send notifications to the Windows Phone and iPhone/iPad even when the Lync mobile application is in the background and hence not running.
Given that Lync is an Enterprise application with deployments across multiple enterprises and locations, it made sense to centralize the push notification delivery from the various on-premise Lync Server deployments to MPNS and APNS. The Lync Push Notifications Clearing House service, which is hosted in Office 365, centralizes the notification delivery and isolates on-premise deployments of Lync Server from direct communication with MPNS and APNS. Because Lync uses a secure connection to MPNS and APNS, Microsoft can maintain the certificates needed to authenticate with MPNS and APNS on behalf of all on-premise Lync Servers. The communication between the on-premise deployments of Lync Server and the Lync Push Notifications Clearing House is handled through SIP federation. This federation is the same as the one you experience when you communicate with your Lync buddies in a different enterprise or in Lync Online, or when connecting to your friends on Windows Live. Starting June 1st, if you see errors in receiving push notifications on your device, or fail to contact your federated buddies in Lync Online, then it is possible that your admin has not updated the required certificates for enabling this SIP federation between your on-premise Lync Server deployment and the Lync Push Notifications Clearing House service in Office 365, as I discussed earlier in the blog. See the section titled “Certificate update” for more details.
As an example, in the case of a Windows Phone user receiving an IM, the invite would flow from the on-premise Lync Server 2010 or 2013 deployment to the Lync Push Notification Clearing House service in Office 365, from where it would be forwarded to the Microsoft Push Notification Service. From the Microsoft Push Notification Service the invite is delivered to the Windows Phone device and a notification is displayed to the user.
If you are a Lync Mobile 2013 user the following diagram illustrates how the Push Notification Service fits within a Lync Server 2013 topology running UC Web API and Lync 2013 Mobile clients.
If you are a Lync Mobile 2010 user the following diagram illustrates the Push Notification Service as it applies to a Lync Server 2010 topology running the Mobility Service and Lync 2010 Mobile clients.
For more information you can refer to the Lync Server blog on Push notifications.