This posting is provided "AS IS" with no warranties, and confers no rights. The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way. Please use the Microsoft Forums for support requests.
First of all, don’t panic! Office Communications Server (OCS) 2007 R2 still has a nice graphical setup wizard that guides you through the installation process. But sometimes, for very specific tasks, the command line is your best friend.
This post is more a “note to self”, since I use these commands a lot, but I hope you find it useful too.
For OCS, the command-line utilities LCSCMD and RGSCOT are installed with the Office Communications Server 2007 R2 Administrative Tools. By default, they are located in %ProgramFiles%\Common Files\Microsoft Office Communications Server 2007 R2.
To request a Web Server certificate from an online CA for Communicator Web Access:
LcsCmd.exe /Cert /Action:Request /sn:im.contoso.com /san:im.contoso.com,download.im.contoso.com,as.im.contoso.com,cwa.contoso.com,cwa-server.contoso.com /ca:"ca-server.contoso.com\Contoso Root CA" /OU:IT /org:Contoso /country:PT /city:Lisbon /state:Lisbon /friendlyName:CWACertificate /exportable:TRUE
To generate the Web Server certificate request file for Communicator Web Access:
LcsCmd.exe /Cert /Action:Request /sn:im.contoso.com /san:im.contoso.com,download.im.contoso.com,as.im.contoso.com,cwa.contoso.com,cwa-server.contoso.com /filename:c:\certrequest.txt /OU:IT /org:Contoso /country:PT /city:Lisbon /state:Lisbon /friendlyName:CWACertificate /Online:FALSE /exportable:TRUE
To create contact objects for Response Group Service:
RGSCOT /Create /PoolFQDN:ocspool.contoso.com /DisplayName:"Information Desk" /DisplayNumber:+3515555555 /PrimaryUri:sip:InformationDesk@contoso.com /LineUri:tel:+3515555555
RGSCOT /Create /PoolFQDN:ocspool.contoso.com /DisplayName:"Help Desk" /DisplayNumber:+3519999999 /PrimaryUri:sip:HelpDesk@contoso.com /LineUri:tel:+3519999999
When integrating Exchange Unified Messaging with OCS, it might be necessary to generate a new certificate to replace the self-signed certificate generated automatically by Exchange. This time, instead of using command-line utilities, I’ll use some Exchange Management Shell cmdlets.
To generate the request for the UM certificate:
New-ExchangeCertificate -generaterequest -subjectname "dc=com,dc=contoso,o=Contoso,cn=um-server.contoso.com" -domainname UM-SERVER,um-server.contoso.com,autodiscover.contoso.com -PrivateKeyExportable $true -path c:\certrequest.txt
To import the issued certificate:
Import-ExchangeCertificate -Path c:\certnew.cer
To enable the certificate:
Enable-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e -Services "POP, IMAP, UM, IIS"
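The import and enable steps above can be combined with a check of the issued certificate before it is bound to any service. This is an added example, not part of the original post; it assumes the names requested with New-ExchangeCertificate above and the c:\certnew.cer path, and runs in the Exchange Management Shell on the UM server.

```powershell
# Added example: validate the issued certificate, then enable it.
# Names are the ones requested with New-ExchangeCertificate above.
$expectedNames = @('um-server', 'um-server.contoso.com', 'autodiscover.contoso.com')
$services      = 'POP, IMAP, UM, IIS'   # same services as the command above

# Import-ExchangeCertificate returns the certificate object, so the
# thumbprint does not have to be copied by hand.
$cert = Import-ExchangeCertificate -Path c:\certnew.cer

$problems = @()

# The issued certificate must pair with the private key created by the
# request; if it does not, the request was generated on another server.
if (-not $cert.HasPrivateKey) {
    $problems += 'no matching private key on this server'
}

# The goal is to replace the self-signed certificate, not add another one.
if ($cert.IsSelfSigned) {
    $problems += 'certificate is self-signed'
}

# Reject a certificate that is not yet valid or already expired.
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    $problems += "outside validity period ($($cert.NotBefore) - $($cert.NotAfter))"
}

# Every name that was requested must be present on the issued certificate.
$actualNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
foreach ($name in $expectedNames) {
    if ($actualNames -notcontains $name) {
        $problems += "missing name: $name"
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Certificate $($cert.Thumbprint) was imported but not enabled."
}

Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services $services
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter
```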
This is just a sample of some commands that I generally use when installing and configuring OCS 2007 R2. There are many, many more actions that can be performed using the command line, such as preparing Active Directory, installing server roles, creating pools, moving the backend database and so on, and so on.
BTW, before you ask, there are still no specific PowerShell cmdlets for OCS 2007 R2. Let’s wait for OCS Wave “14”!
– How many public certificates do I need, in order to configure external access to my OCS 2007 pool?
– 3. One for the HTTP Reverse Proxy, one for the OCS Access Edge and one for the OCS Web Conferencing Edge.
– Even if I'm using a consolidated Edge topology?
– Yes!
– But can't I just use a super-mega-jumbo SAN certificate with all the required alternative names?
– No!
– Why not?
– Because!
Well, to tell you the truth it's not "because", it is the official support policy written in the OCS 2007 Supportability Guide, the OCS 2007 Planning Guide and the OCS 2007 Edge Server Deployment Guide.
Here's a summary of the external certificate requirements:
– But why can't I just use my internal CA? – Well, to tell you the truth, it's technically possible, as long as you remember these guidelines:
It is very unlikely that these requirements will change with the release of Office Communications Server 2007 R2.
Recently, I was doing some tests with Exchange Unified Messaging, but when I tried to connect to Exchange Voice Mail using Communicator R2, I got the following error:
"Incompatible security setting. The call could not be completed because security levels do not match"
An Exchange UM dial-plan supports three different security levels: Unsecured, SIP Secured, and Secured. The following table shows the differences in terms of Mutual TLS and SRTP for the various security levels.
When integrating Exchange UM with Office Communications Server 2007, consider the following when selecting the dial plan security level:
The registry key PC2PCAVEncryption (REG_DWORD) can be used to specify whether encryption is supported, required, or not supported when making and receiving audio and video calls. The supported values are:
BTW, if you're playing around with this registry key (or any other), you may find it useful to know that Communicator uses the following precedence when applying settings:
Further investigation revealed the following error in the Communicator logs:
"SIP/2.0 415 Unsupported Media Type"
After this, it seemed quite obvious that the problem had to do with encryption, more specifically with the SRTP setting. The solution? There are 2 possible ones:
One final note: the problem didn't affect Office Communicator 2007, only the R2 client, so we can assume the R2 clients will be more secure than their predecessors.
I recently had to upgrade 2 LG-Nortel IP Phone 8540 (aka Tanjay or OCPE) to the latest firmware available: Microsoft Office Communicator 2007 Phone Edition v1.0.522.101.
The device was running version 1.0.199 (1.23) of the software which was still a Beta version and had, of course, some annoying bugs.
So, how do you upgrade one of these babies? You use Microsoft Office Communications Server 2007 Software Update Service, a kind of WSUS specific for UC devices. I'm not going into details about deploying this service; for that, please read the Microsoft Office Communications Server 2007 Software Update Service Deployment Guide.
After you set up the OCS Update Service, you just need to turn on the device and sign in, and hopefully the device will automatically upgrade (there are a couple of additional steps, like preparing the infrastructure and approving the update, but let's keep it simple for now).
To sign in, you must provide 3 things:
My problems started here. I couldn't even sign in, because the device didn't accept the certificate that was issued by my private Enterprise CA (BTW, using private certificates is 100% supported, as long as you publish the Root CA in Active Directory. I blogged about it recently and Jens Trier Rasmussen also has a great post about the subject).
The error message was "Cannot validate server certificate".
Let the troubleshooting begin:
What else could I do? I was about to send the devices to LG Nortel when I tried a different approach: changing the format of the user name at the sign-in window. Do you know what? IT WORKED!
If you have Beta Tanjay devices running version 1.0.199 of Communicator Phone Edition and don't seem to get it working, try to change the user name to one of these formats:
as opposed to using DOMAIN\user.
I'm now running version 1.0.522.101, which, besides some bug fixes, also supports R2!
Jens wrote a great article that could potentially be related to this issue: When do you need to use DHCP option 119 with OCPE powered devices?
After reviewing my environment, I confirmed that DHCP option 119 was in place, so the problems I had were probably due to some bug in the beta version.
Every OCS deployment needs the appropriate clients rolled out to the users. There are 3 client programs that almost every OCS solution must have:
Since there have been some upgrades and patches to the RTM versions of these programs, I thought I could provide the latest download links to them.
This program is not free, so first of all you should download it from Microsoft Volume Licensing Services site (assuming you have a volume license agreement).
Next, you should apply the October 2008 hotfix, which will fix some issues (this update is needed in order to interoperate with OCS 2007 R2).