
How PIN expiration status is calculated in Microsoft Exchange Unified Messaging


Recently, one of my customers asked me how PIN expiration is determined in Unified Messaging.  He claimed that after adding his CEO to a non-expiring UM Mailbox Policy, the CEO was prompted to change his PIN after 45 days.  Having never experienced this behavior with any other customer since the release of Exchange 2007, I was admittedly skeptical of the story I was being told over the phone.  So, I decided to dig in, to see whether we had a problem with our code.


There are a number of configuration objects that provide core functionality for a user who is enabled for Unified Messaging:  the Dial Plan, the UM Mailbox Policy, the UM IP Gateway, and the UM Server.  While the UM IP Gateway, the UM Dial Plan, and the UM server are involved in routing a call to Subscriber Access, the PIN authentication settings for the call are controlled by the user’s UM Mailbox Policy.  Found under the PIN Policies tab of the UM Mailbox Policy, the PIN Lifetime option and its value determine how long the PIN can be used for authentication before a new PIN value is required.


You might be wondering, “Okay, but how does Unified Messaging enforce PIN expiration on a user-by-user basis?”  To answer that question, we first need to understand the Subscriber Access authentication process, and we need to perform some basic calculations involving Windows DateTime values.


Subscriber Access Authentication


When a UM enabled user calls the Subscriber Access number associated with a Dial Plan, the Unified Messaging server will first extract the Caller ID data from the call and attempt to find the extension in Active Directory.  If the UM server is unable to resolve the extension to a known EUM proxy address, the caller will be prompted to enter their extension.  With the caller now known to Unified Messaging, the UM server will then retrieve the PIN authentication settings from the user’s UM Mailbox Policy, including the number of days defined in the PIN Lifetime value if enabled. 


Next, the caller will be prompted to enter their PIN.  The UM server will use a MAPI call to read the salted hash of the user’s PIN from their mailbox, and it will use an LDAP call to read the PIN checksum stored in the properties of the user account from Active Directory.  If the PIN value was entered correctly by the caller, the UM server will retrieve the PasswordSetTime from the user’s mailbox and calculate whether the PIN is expired.  If the PIN is not expired, the user is granted access to the mailbox.


PIN Expiry Calculation


PIN expiration calculations are based on the Windows DateTime structure.  The DateTime value type can be described as the number of 100 nanosecond intervals (or ticks) which have occurred since 00:00 January 1 0001 A.D. (Anno Domini) in the Gregorian calendar.  A second contains 10,000,000 ticks, and there are 864,000,000,000 ticks in a given 24 hour period.  With this in mind, there are three time values that are used by Unified Messaging when calculating PIN expiration during a Subscriber Access logon attempt.


msExchUMPinPolicyExpiryDays

If the PIN Lifetime option is enabled in the properties of the UM Mailbox Policy, you must specify the number of days that the PIN will be considered valid, with a valid range of 1 – 999 days.  If the PIN Lifetime option is disabled in the properties of the UM Mailbox Policy, a default value of 36,500 days (100 x 365 days) is used to represent an unlimited expiration value.  The PIN Lifetime option in the Exchange Management Console maps to Active Directory attribute msExchUMPinPolicyExpiryDays, where its value is stored in seconds.  If your PIN Lifetime on your UM Mailbox Policy is configured with a value of 45 days, the corresponding msExchUMPinPolicyExpiryDays value in Active Directory will be set to 3,888,000 seconds.

PasswordSetTime

When a PIN for a UM enabled user is either set or reset, the PasswordSetTime value in their mailbox is set to the current GMT time in binary.  This value is stored in an XML blob within the IPM.Configuration.Um.Password message found in the Associated Contents table of the mailbox (MAPI property 0x7C070102).

SystemTimeUTC

At the time of the Subscriber Access logon attempt, the UM server will use the current GMT time in ticks as a base from which to calculate the expiry status of the PIN.


Upon retrieving these three values, the Exchange Unified Messaging server performs the following calculation to determine whether a PIN is expired:


PINExpiryStatus = SystemTimeUTC - (PasswordSetTime + msExchUMPinPolicyExpiryDays)


A negative PINExpiryStatus result value is indicative of a valid PIN. 
A positive PINExpiryStatus result value is indicative of an expired PIN.

For example, let’s assume that a Unified Messaging server discovered the following tick values while attempting to authenticate a Subscriber Access caller:


PasswordSetTime – 633873957184350657    ( Tuesday, September 01, 2009 9:55:18 AM )
PIN Lifetime/msExchUMPinPolicyExpiryDays – 38880000000000     ( 45 Days )
SystemTimeUTC – 633876609141336861      ( Friday, September 04, 2009 11:35:14 AM )

-36228043013796 = 633876609141336861 - (633873957184350657 + 38880000000000)

With a negative tick result value, we at least know that the PIN is still valid.  But for how much longer?


41.93 days = 36228043013796 (remaining ticks) / 864000000000 (ticks per day)


After presenting the results of this research and testing to my customer, we were able to conclude that PIN expiry calculations performed by Unified Messaging were occurring within specification.  While we were unable to determine why the CEO was prompted to reset his PIN, I suspect that human error was likely involved. 



As always, I hope this helps…



-- Dave




If you’d like to try calculating the PIN expiration value for a given mailbox, you can follow these steps.  We will use a slightly less complicated method than the Unified Messaging server.

 


Step 1 – Get PIN Lifetime value from UM Mailbox Policy


Open the Exchange Management Console and locate UM Mailbox Policy associated with your user account.  Open the properties of the UM Mailbox Policy, and select the PIN Policies tab.  If the PIN Lifetime option is enabled, note the number of days as configured in the GUI.  If the PIN Lifetime for your UM Mailbox Policy is disabled (i.e. unlimited), use a value of 36,500 days (100 x 365 days).

In my environment, my UM Mailbox Policy is configured with a PIN Lifetime value of 45 days



Step 2 – Get PasswordSetTime from User’s Mailbox


You can find the PasswordSetTime for a given UM enabled user account by using the MFCMAPI utility (http://www.codeplex.com/MFCMAPI). 


  1. Create a mail profile for the user’s mailbox.
  2. Launch MFCMAPI.
  3. Click Session, then choose Log On and Display Store Table.
  4. Select the profile for the user’s mailbox.
  5. Click MDB, then choose Open Default Message Store.
  6. If prompted, enter the logon credentials for the user account.
  7. Verify that the CreateStoreEntryID flags value is 0x00000000 and click OK.
  8. Highlight the Root Container from the Navigation column.
  9. From the Actions menu, choose Open Associated Contents Table.
  10. Check the PR_MESSAGE_CLASS (MAPI property 0x001A001E) from each listed message until you find the message containing the IPM.Configuration.Um.Password message class.
  11. From the details of the IPM.Configuration.Um.Password message, double-click on PR_ROAMING_DICTIONARY (MAPI property 0x7C070102)
  12. Within the XML data from MAPI tag 0x7C070102, locate the PasswordSetTime value (as highlighted in the screenshot below)
    [Screenshot: XML data from MAPI tag 0x7C070102 with the PasswordSetTime value highlighted]
  13. Open the Exchange Management Shell and enter the following commands to convert the binary value from PasswordSetTime to Coordinated Universal Time (UTC), based on Greenwich Mean Time (GMT).

    $PasswordSetTime = [DateTime]::FromBinary(5245559975611738561)
    $PasswordSetTime


  14. The Exchange Management Shell will return the value Tuesday, September 01, 2009 9:55:18 AM and store it in the variable $PasswordSetTime

Step 3 – Calculate the PIN Expiration


With these two values in hand, you can now calculate the PIN expiration status for the UM enabled user account using the Exchange Management Shell.


$PasswordSetTime.AddDays(45)


The PIN for this UM enabled user will expire on Friday, October 16, 2009 9:55:18 AM (GMT).
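The tick arithmetic from the PIN Expiry Calculation section and the [DateTime]::FromBinary decoding from Step 2 above, reimplemented in Python as an added example (this is not code from the original post or from Exchange). It assumes the stored PasswordSetTime has DateTimeKind Utc, as the post describes it as GMT in binary, and treats a PINExpiryStatus of exactly zero as expired, which the post does not define.

```python
from datetime import datetime, timedelta
from typing import Optional

# Windows DateTime constants as described in the post: 100 ns ticks since 00:00 on 1 January 0001
TICKS_PER_SECOND = 10_000_000
TICKS_PER_DAY = 864_000_000_000
SECONDS_PER_DAY = 86_400
DOTNET_EPOCH = datetime(1, 1, 1)            # DateTime.MinValue
TICKS_MASK = (1 << 62) - 1                  # low 62 bits of a DateTime.ToBinary() value
UNLIMITED_LIFETIME_DAYS = 36_500            # 100 x 365 days, used when PIN Lifetime is disabled
DATETIME_KIND = {0: "Unspecified", 1: "Utc", 2: "Local"}


def decode_binary(value: int):
    """Undo DateTime.ToBinary(): the low 62 bits are ticks, the top two bits are DateTimeKind.

    Assumption: the stored Kind is Utc (the post calls PasswordSetTime "the current GMT time
    in binary"). A Local value would also need the local-offset adjustment that
    [DateTime]::FromBinary applies, which is deliberately not modelled here.
    """
    ticks = value & TICKS_MASK
    kind = DATETIME_KIND[(value >> 62) & 0x3]
    return ticks, kind


def ticks_to_datetime(ticks: int) -> datetime:
    """Convert a tick count to a naive UTC datetime (sub-microsecond precision is truncated)."""
    days, remainder = divmod(ticks, TICKS_PER_DAY)
    return DOTNET_EPOCH + timedelta(days=days, microseconds=remainder // 10)


def expiry_days_to_ad_seconds(lifetime_days: Optional[int]) -> int:
    """Map the PIN Lifetime setting (days, or None when disabled) to the
    msExchUMPinPolicyExpiryDays value, which Active Directory stores in seconds."""
    if lifetime_days is None:
        days = UNLIMITED_LIFETIME_DAYS
    elif 1 <= lifetime_days <= 999:           # valid range of the PIN Lifetime option
        days = lifetime_days
    else:
        raise ValueError("PIN Lifetime must be 1-999 days or None (disabled)")
    return days * SECONDS_PER_DAY


def pin_expiry_status(system_time_utc: int, password_set_time: int, expiry_seconds: int) -> int:
    """PINExpiryStatus = SystemTimeUTC - (PasswordSetTime + msExchUMPinPolicyExpiryDays), in ticks.

    The AD value is in seconds, so it is scaled to ticks before being added to PasswordSetTime.
    Negative result: PIN still valid. Positive result: PIN expired.
    """
    return system_time_utc - (password_set_time + expiry_seconds * TICKS_PER_SECOND)


def describe_pin(system_time_utc: int, password_set_time: int, expiry_seconds: int) -> dict:
    """Summarise expiry state, remaining lifetime in days and the absolute expiry time."""
    status = pin_expiry_status(system_time_utc, password_set_time, expiry_seconds)
    expires_at = ticks_to_datetime(password_set_time + expiry_seconds * TICKS_PER_SECOND)
    return {
        "status_ticks": status,
        "expired": status >= 0,               # assumption: a status of exactly zero counts as expired
        "days_remaining": -status / TICKS_PER_DAY,
        "expires_at": expires_at,
    }


if __name__ == "__main__":
    # Values taken from the post's worked example
    PASSWORD_SET_TIME_BINARY = 5245559975611738561   # PasswordSetTime as stored in the 0x7C070102 XML
    SYSTEM_TIME_UTC = 633876609141336861             # Friday, September 04, 2009 11:35:14 AM

    set_ticks, kind = decode_binary(PASSWORD_SET_TIME_BINARY)
    print(f"PasswordSetTime ticks={set_ticks} kind={kind} -> {ticks_to_datetime(set_ticks):%A, %B %d, %Y %I:%M:%S %p}")

    info = describe_pin(SYSTEM_TIME_UTC, set_ticks, expiry_days_to_ad_seconds(45))
    print(f"PINExpiryStatus={info['status_ticks']} expired={info['expired']} "
          f"days_remaining={info['days_remaining']:.2f} expires_at={info['expires_at']:%A, %B %d, %Y %I:%M:%S %p}")
```

Running it reproduces the post's figures: 633873957184350657 ticks (Tuesday, September 01, 2009 9:55:18 AM), a status of -36228043013796 ticks, 41.93 days remaining and an expiry of Friday, October 16, 2009 9:55:18 AM.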

Posted by DaveH | 0 Comments

(Part 3 of 3) The complete step-by-step setup guide for deploying Microsoft Unified Communications products with Enterprise Voice in a lab environment using a single Windows Server 2008 Hyper-V computer and a single Internet IP address

 

Configuring OCS 2007 R2 Communicator Web Access


Now we will install the OCS 2007 R2 CWA role.  Although the Communicator Web Access setup program only allows you to create a single virtual server instance (internal or external), a CWA server can be configured to host both types of virtual servers on the same computer.  Since I really don’t use CWA internally that much in my lab, I opted to install a single external virtual server instance on my CWA server.  Both external and internal users will access the same CWA virtual server instance using https://cwa.contoso.com.

 

Step 1 – Connect to the Virtual Machine that will host the OCS 2007 R2 CWA role


To configure one of the virtual machines to host the OCS 2007 R2 CWA server role, we’ll need to connect to the Windows 2008 host computer and launch the Server Manager console.  Expand the Hyper-V role and verify that the virtual machine for Communicator Web Access was created with the following specifications: 


Role:        OCS 2007 R2 Communicator Web Access
Memory:      512MB
Network:     One (1) Virtual NIC
Hard Disk:   16GB Virtual Hard Disk
OS Version:  Windows Server 2003 SP2 (x64)
FQDN:        CWA-R2.contoso.com (domain-joined)
IP Address:  192.168.1.12

To configure the server, double-click on the Communicator Web Access virtual server within the Hyper-V section of the Server Manager console.

 

Step 2 – Configure OCS 2007 R2 CWA Network Settings


Next, we need to configure the network settings for the Communicator Web Access virtual machine.  Since we will be using only an external CWA virtual server, only one NIC is required.  If you’re wondering why I suggest using an external CWA virtual directory rather than an internal one, it is because the Remote Desktop Sharing functionality is offered by the external CWA virtual directory.


A.  To configure OCS 2007 R2 CWA network settings


  1. Log on to the OCS 2007 R2 CWA Server virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Click Start, then click Run.  Type ncpa.cpl and press Enter to launch Network Connections.
  3. Right click on the Local Area Network network interface and select Properties.
  4. Highlight Internet Protocol (TCP/IP) and click on the Properties button.
  5. Under the General tab of TCP/IP Properties, configure the network adapter as follows:

    Choose Use the following IP address.

         IP Address:  192.168.1.12  
         Subnet Mask:  255.255.255.0
         Default Gateway:  192.168.1.1  (our Linksys Router)

    Choose Use the following DNS servers.
     
         Primary DNS Server:  192.168.1.10  (our internal DNS server)
         Alternate DNS Server:  None


  6. Click OK to commit your changes.  Close the Network Connections dialog box, and restart the CWA virtual machine.

 

Step 3 – Generate a TLS certificate for Communicator Web Access


Our next step for deploying Communicator Web Access will be to request a certificate from our Enterprise CA.  Although CWA will host an external virtual server that will be accessed by both internal and external clients, we will use an internally generated certificate for the CWA server.  Later, we’ll request a third party PKI certificate which will be assigned to the ISA Listener that will be used to proxy all inbound SSL requests – including CWA.  The easiest way to request a certificate for CWA is to use the Certificate Wizard from our Front End server.

 

A.  To use the Certificate Wizard to request a new certificate


  1. Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Click Start, then Programs, then Administrative Tools.  Click Office Communications Server 2007 R2 to launch the OCS 2007 R2 administration console.
  3. Within the administration console, expand the contoso.com Forest level entry, then expand Standard Edition Servers
  4. Expand the OCS-R2.contoso.com pool level entry, then right click on the OCS-R2.contoso.com server object.  Select  Certificates
  5. On the Welcome to the Certificate Wizard page, click Next.
  6. On the Available Certificate Tasks page, click Create a new certificate, and then click Next. 
  7. On the Delayed or Immediate Request page, click Send the request immediately to an online certification authority, and then click Next.
  8. On the Name and Security Settings page, configure as follows:   

    a. Enter a meaningful name for the CWA server certificate (i.e., OCSR2CWACert).
    b. Under Bit length, select 1024 bit length.
    c. Enable the Mark cert as exportable check box.
    d. Enable the Include client EKU in the certificate request check box. 

    When you are finished, click Next.
  9. On the Organization Information page, type or select the name of your organization and organizational unit (enter contoso.com for both entries), and then click Next.
  10. On the Your Server’s Subject Name page, configure as follows:   

    a. In Subject Name, verify that the FQDN of the OCS CWA server is displayed (i.e., CWA-R2.contoso.com)
    b. In Subject Alternate Name, enter the values cwa.contoso.com,as.cwa.contoso.com,download.cwa.contoso.com.

    When you are finished, click Next.
  11. Since we are generating this certificate from the Front End server, you will receive a warning which states The Subject Name does not match the Computer FQDN.  Do you wish to continue? Choose Yes.
  12. On the Choose a Certification Authority page, the wizard attempts to automatically detect any CAs that are published in Active Directory.  Click Select a certificate authority from the list detected in your environment, and then select your certification authority (CA). Click Next. 
    On the Request Summary page, review the settings that you specified, and then click Next.
  13. At the Assign Certificate Task screen, click the View button and verify that the Subject Name and Subject Alternative Names values are correct, then click Assign Certificate Later.  
  14. A dialog box appears and informs you that the Certificate Wizard completed with warnings.  Click Finish.

At this point the certificate has been issued to the Front End server from the Certificate Authority.  We need to export it from the local computer’s certificate store to a PFX file.

 

B.  Export the new certificate from the OCS 2007 R2 Front End server


  1. Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Click Start, then Run.  Type mmc.exe and press Enter to launch the Microsoft Management Console.
  3. From within the Management Console, click File, then Add/Remove Snap-in…
  4. Within the Add/Remove Snap-in dialog box, click Add.
  5. Select the Certificates snap-in, then click Add.
  6. When prompted to choose for which account to manage certificates, choose the computer account.  Click Next.
  7. When prompted to choose which computer to manage, choose Local Computer, then click Finish.
  8. Close the Standalone Snap-in dialog box, then close the Add/Remove Snap-in dialog box.
  9. Expand Certificates (Local Computer), then expand the Personal certificate store.
  10. Click on Certificates, then locate and select the certificate that was issued to CWA-R2.contoso.com. 
  11. From the menu bar click Action, then All Tasks, then select Export.
  12. At the Welcome to the Certificate Export Wizard screen, click Next.
  13. At the Export with Private Key screen, choose Yes, export the private key.  Click Next.
  14. At the Export Format settings, choose Personal Information Exchange – PKCS #12 (.PFX), then click Next. 
  15. Enter a Password for the export file, then click Next.
  16. Enter an Export Filename (i.e., c:\CWACert.pfx) and click Next.
  17. Click Finish to complete the certificate export.
  18. Copy the CWACert.PFX export file to the CWA server so that it can be imported.

 

C.  Import the new certificate to the OCS 2007 R2 CWA server


  1. Log on to the OCS 2007 R2 CWA virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Click Start, then Run.  Type mmc.exe and press Enter to launch the Microsoft Management Console.
  3. From within the Management Console, click File, then Add/Remove Snap-in…
  4. Within the Add/Remove Snap-in dialog box, click Add.
  5. Select the Certificates snap-in, then click Add.
  6. When prompted to choose for which account to manage certificates, choose the computer account.  Click Next.
  7. When prompted to choose which computer to manage, choose Local Computer, then click Finish.
  8. Close the Standalone Snap-in dialog box, then close the Add/Remove Snap-in dialog box.
  9. Expand Certificates (Local Computer), then select the Personal certificate store.
  10. From the menu bar, click Actions, then All Tasks, then select Import.
  11. At the Welcome to the Certificate Import Wizard screen, click Next.
  12. Click Browse, change the Files of Type option to Personal Information Exchange (pfx), and select the CWACert.pfx file that you copied from the Front End server.  Click Next. 
  13. Enter the password that you used to export the private key, then click Next.
  14. When prompted where to place the certificate, choose the Personal certificate store.  Click Next.
  15. Click Finish to import the certificate.
  16. Close the Certificates management console.

 

Step 4 – Install Internet Information Services 6.0 for Windows 2003


Communicator Web Access requires Internet Information Services 6.0 when installed on Windows Server 2003.  Considering this, we need to install IIS 6.0 prior to installing the CWA server role.


A.  To install Internet Information Services 6.0


  1. Log on to the OCS 2007 CWA virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Open the Control Panel and launch Add/Remove Programs.
  3. Click Add/Remove Windows Components.
  4. In the Components list box, click Application Server.
  5. Click Details.
  6. Click Internet Information Services Manager.
  7. Click Details to select the World Wide Web Publishing Service, Active Server Pages, and Remote Administration (HTML) components to be installed.
  8. Click OK until you are returned to the Windows Component Wizard.
  9. Click Next and complete the Windows Component Wizard.

 

Step 5 – Install OCS 2007 R2 Communicator Web Access


After installing Internet Information Services, we are now ready to install the Communicator Web Access binaries.


A.  To install Communicator Web Access


  1. Log on to the OCS 2007 R2 CWA virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
  3. Double-click SetupSE.exe, the setup program for the Standard Edition version of OCS 2007 R2.
  4. When prompted to install the Microsoft Visual C++ 2008 Redistributable, choose Yes to install it.
  5. When prompted to install Microsoft .NET Framework 3.5 SP1, choose Yes to install it.
  6. On the Office Communications Server 2007 R2 Deployment Wizard page, click Deploy Other Server Roles.
  7. On the Deploy Other Server Roles page, click Deploy Communicator Web Access.
  8. On the Deploy Communicator Web Access page, at Step 1: Install Communicator Web Access, click Install.
  9. On the License Agreement page, click I accept the terms in the license agreement, and then click Next. If you do not accept the license terms, Setup cannot continue.
  10. On the Install location for Microsoft Office Communications Server 2007 R2, Communicator Web Access page, in the Location box, type a path where Communicator Web Access server should be installed, or accept the default location (C:\Program Files\Microsoft Office Communications Server R2\Communicator Web Access\). Click Next.
  11. Do not close the Deployment Wizard window. Instead, continue directly to the next procedure in order to activate Communicator Web Access.

 

Step 6 – Activate OCS 2007 R2 Communicator Web Access


Having successfully installed Communicator Web Access, we are now ready to activate the server.


A.  To activate Communicator Web Access


  1. Log on to the OCS 2007 R2 CWA virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
  3. Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2. 
  4. On the Office Communications Server 2007 R2 Deployment Wizard page, click Deploy Other Server Roles.
  5. On the Deploy Other Server Roles page, click Deploy Communicator Web Access.
  6. On the Deploy Communicator Web Access page, at Step 2: Activate Communicator Web Access, click Run.
  7. On the Welcome page, click Next.
  8. On the Select domain service account page, select Use an existing account.  Enter the name RTCComponentService in the Account name box, then type the account password in the Password box.  This account is already a member of the RTCComponentUniversalServices group, which is required for the CWA service to start.  Click Next.
  9. In the Select Certificate dialog box, click the certificate you installed before beginning Setup; this is the certificate you created and imported in Step 3 above.  Click OK.
  10. On the Select Server Certificate page, click Next.
  11. On the Confirm Installation page, click Next.
  12. After the server has been activated, click Close on the Activation Complete page to close the Activation Wizard.
  13. Do not close the Deployment Wizard window. Instead, continue directly to the next procedure in order to create a virtual server.

 

Step 7 – Create the CWA external virtual server


Once CWA has been activated, we are ready to create our external virtual server.  Again, I use an external virtual server for both internal and external users, primarily for the simplicity of connecting to CWA with a single DNS name. 


A.  To create an external virtual server for Communicator Web Access


  1. Log on to the OCS 2007 R2 CWA virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
  3. Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2. 
  4. On the Office Communications Server 2007 R2 Deployment Wizard page, click Deploy Other Server Roles.
  5. On the Deploy Other Server Roles page, click Deploy Communicator Web Access.
  6. At Step 3: Create Virtual Server of the Deploy Communicator Web Access page, click Run.
  7. On the Welcome page, click Next.
  8. On the Select Virtual Server Type page, click External then click Next.
  9. On the Select Authentication Type page, choose Use Built-in Authentication, then click Next. 
  10. On the Select Authentication Type page, the default value of Forms-based Authentication is already selected since this is an external virtual server.  Click Next.
  11. On the Select Connection Type page, select HTTPS then click the Select Certificate button.  Choose the certificate that we generated for Communicator Web Access, then click OK.  Click Next to continue. 
  12. On the Select IP Address and Port Settings page, select the IP address 192.168.1.12 or use the default value [All Unassigned]. In the Port box, type the port to be used by the virtual server, which should be 443 by default.
  13. On the Server Description page, type a name for the virtual server in the Description box (i.e., Communicator Web Access), then click Next.
  14. On the Select a listening port page, type 5061 as the port number that the Communicator Web Access server will use to listen for SIP messages in the Listening port box.  This value must be a unique port value that is not used by any other application on the server.  Click Next.
  15. On the Select a pool page, select the fully-qualified domain name of the Office Communications 2007 R2 server that will act as a “next hop” server for anonymous users. Here we will choose OCS-R2.contoso.com, which is our Standard Edition Front End server.  For the Port value, choose 5061.  Click Next. 
  16. On the Start Server Option page, select Start this virtual server after the Create Virtual Server Wizard finishes and then click Next. This ensures that the virtual server will start immediately after it is created. (Virtual servers must be started before they can be accessed.) If you do not start the virtual server immediately, you can start the server later by using either the Communicator Web Access Manager or the Internet Information Services Manager snap-in.
  17. On the Review Settings Before Virtual Server Creation page, verify that the virtual server has been configured correctly and then click Next.
  18. On the Create Virtual Server Complete page, click Close to close the Create Virtual Server wizard.

 

Step 8 – Install OCS 2007 R2 Administration Console


The next step of our Communicator Web Access installation involves installing the OCS Administration Console.


A.  Install the administration console

  1. Log on to the OCS 2007 R2 CWA virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
  3. Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2. 
  4. At the main deployment page, select Administrative Tools from the menu on the right.
  5. On the License Agreement page, click I accept the terms in the license agreement and then click Next.
  6. When the installation finishes, close the OCS 2007 R2 Deployment Tools.
  7. Click Start, then Programs, then Administrative Tools.  There you will find the Office Communications Server 2007 R2 administration console as well as the Microsoft Office Communications Server 2007 R2, Communicator Web Access CWA management console.

 

Step 9 – Configure Audio Conferencing for Communicator Web Access


Communicator Web Access offers support for audio conferences, or telephone calls between three or more people. (Peer-to-peer phone calls are not supported in the R2 version of CWA.) To conduct an audio conference, Communicator Web Access connects the user’s telephone to the public switched telephone network (PSTN) and then initiates calls to the other conference participants.

With a successfully deployed Mediation Server and a correctly configured media gateway, there is no additional configuration necessary for Communicator Web Access users to use the audio conferencing feature.  Otherwise, static routes must be configured before CWA users will be able to participate in audio conferences.  For the purposes of this lab, we will skip configuring audio conferencing for CWA.

If you need more information on Audio Conferencing in CWA, please visit http://technet.microsoft.com/en-us/library/dd425101(office.13).aspx.

 

Step 10 – Configure Desktop Sharing in Communicator Web Access


Communicator Web Access in OCS 2007 R2 supports desktop sharing between participants if the environment has been correctly configured to support it and if meeting policy has been configured to allow it.  In previous steps, we obtained certificates containing the same required host names to support desktop sharing in CWA, and we configured both internal and external DNS to support desktop sharing.  We also enabled desktop sharing in the default policy used by Live Meeting in a previous configuration step.  At this point, there is no further configuration necessary to support desktop sharing for our lab environment, but if you would like more information on desktop sharing in CWA, please visit http://technet.microsoft.com/en-us/library/dd425349(office.13).aspx

 

This completes the installation of the OCS 2007 R2 CWA server role.

 

  

Configuring ISA Server 2006


Our final server role to deploy in this lab environment is ISA Server 2006, which will be configured to act strictly as a reverse proxy for the various SSL web sites offered by Exchange 2007 and Office Communications Server 2007 R2.  Since we will not be using ISA Server 2006 as a firewall, we will use a single NIC configuration in this lab. 

 

Step 1 – Connect to the Virtual Machine that will host the ISA Server 2006 role


To configure one of the virtual machines to host the ISA Server 2006 server role, we’ll need to connect to the Windows 2008 host computer and launch the Server Manager console.  Expand the Hyper-V role and verify that the virtual machine for ISA 2006 was created with the following specifications: 


Role:        ISA Server 2006
Memory:      512MB
Network:     One (1) Virtual NIC
Hard Disk:   16GB Virtual Hard Disk
OS Version:  Windows Server 2003 SP2 (x64)
FQDN:        ISA.contoso.com (not domain-joined)
IP Address:  192.168.1.6

Although the DNS name of this server will be ISA.contoso.com, it will not be joined to the Contoso.com domain.  To configure the server, double-click on the ISA 2006 virtual server within the Hyper-V section of the Server Manager console.

 

Step 2 – Configure ISA Server 2006 Network Settings


Before installing the ISA Server binaries, we need to configure the network settings for the virtual machine.


A.  To configure ISA Server network settings


  1. Log on to the ISA Server virtual machine as the built-in Administrator account (ISA\Administrator).
  2. Click Start, then click Run.  Type ncpa.cpl and press Enter to launch Network Connections.
  3. Right click on the Local Area Network network interface and select Properties.
  4. Highlight Internet Protocol (TCP/IP) and click on the Properties button.
  5. Under the General tab of TCP/IP Properties, configure the network adapter as follows:

    Choose Use the following IP address.

         IP Address:  192.168.1.6 
         Subnet Mask:  255.255.255.0
         Default Gateway:  192.168.1.1  (our Linksys Router)

    Choose Use the following DNS servers.
     
         Primary DNS Server:  4.2.2.1  (Internet root server)
         Alternate DNS Server:  4.2.2.2 (Internet root server)


  6. While still within the TCP/IP properties of the Hyper-V External network adapter, click on the Advanced button.
  7. Within Advanced settings, click on the DNS tab.  Under Append these DNS suffixes (in order), click Add and enter the domain contoso.com.  Then, under DNS suffix for this connection, enter contoso.com.  Finally, deselect the option to Register this connection’s addresses in DNS.
  8. Click OK three times to complete the configuration of the Local Area Network network adapter.
  9. Close Network Connections.
  10. Click Start, then Run.  Type Notepad %windir%\system32\drivers\etc\hosts to open the hosts file for editing.
  11. After opening the hosts file in Notepad, add each of the following entries.  To minimize complexity, I use a single hosts file with identical entries on both my Edge server and my ISA server.

    192.168.1.5    edge-r2.contoso.com
    192.168.1.6    isa.contoso.com
    192.168.1.6    cwa.contoso.com
    192.168.1.6    as.cwa.contoso.com
    192.168.1.6    download.cwa.contoso.com
    192.168.1.6    mail.contoso.com
    192.168.1.6    autodiscover.contoso.com
    192.168.1.10   email.contoso.com
    192.168.1.11   ocs-r2.contoso.com
    192.168.1.12   cwa-r2.contoso.com
    192.168.1.13   mediation-r2.contoso.com



  12. Save your changes by clicking File then Save.  If you find that you are unable to save your changes and receive an Access Denied error message, then you will need to launch Notepad as the local Administrator account, create the various entries, then save the file.
  13. After successfully configuring the network settings for the virtual machine, restart the ISA 2006 server.

 

Step 3 – Copy UC Certificate and Internal CA Certificates to ISA 2006 server


Before we install the ISA Server binaries, we first need to copy our UC Certificate purchased from a publicly trusted Certification Authority and the certificate from our internal Certification Authority to the ISA server.   


A.  To copy certificates to the ISA 2006 server


  1. Log on to the ISA Server virtual machine as the built-in Administrator account (ISA\Administrator).
  2. Launch Windows Explorer, and navigate to the Certificates folder using the administrative share for the C:\ hard disk on the Exchange server (\\192.168.1.10\C$\Certificates).
  3. When prompted for authentication, enter the credentials of the built-in Domain Administrator account (Contoso\Administrator).
  4. Within the Certificates folder, select the file sip_contoso_com_exported.pfx and the file ContosoCA.cer.  After highlighting each file, choose Edit then Copy from the Windows Explorer menu bar at the top of the window, or simply press CTRL+C to copy the two certificates to the Windows clipboard.
  5. Again within Windows Explorer, navigate to the C:\ folder from the virtual hard disk on the ISA 2006 server.
  6. Choose Edit then Paste from the Windows Explorer menu bar at the top of the window, or simply press CTRL+V to paste the two certificates from the Windows clipboard into the root of drive C:\ on the ISA server.
  7. Verify that the two certificates were successfully copied to the ISA server, then close Windows Explorer.

 

Step 4 – Import the Certificates into the local Certificate store


Now that our certificates have been copied to the ISA server, we need to import them into the local computer certificate store.   


A.  To import the UCC Certificate into the local certificate store

  1. Log in to the ISA Server 2006 virtual machine using the built-in Administrator account (ISA\Administrator).
  2. Click Start, then Run.  Type mmc.exe and press Enter to launch the Microsoft Management Console.
  3. From within the Management Console, click File, then Add/Remove Snap-in…
  4. Within the Add/Remove Snap-in dialog box, click Add.
  5. Select the Certificates snap-in, then click Add.
  6. When prompted to choose for which account to manage certificates, choose the Computer account.  Click Next.
  7. When prompted to choose which computer to manage, choose Local Computer, then click Finish.
  8. Close the Standalone Snap-in dialog box, then close the Add/Remove Snap-in dialog box.
  9. Expand Certificates (Local Computer), then expand the Personal certificate store object. 
  10. Right click on the Certificates object, then highlight All Tasks within the context menu and select Import to launch the Certificate Import Wizard.
  11. At the Welcome page for the Certificate Import Wizard, click Next.
  12. At the File to Import page, enter C:\sip_contoso_com_exported.pfx or browse to the C:\ drive and select the file using the Windows object picker. Click Next.
  13. At the Password page, enter the password used to export the certificate from the Windows 2008 physical host computer (i.e. the Exchange server), then enable the option to Mark this key as exportable.  Click Next.
  14. At the Certificate Store page, select the option to Automatically select the certificate store based on the type of certificate.  Click Next.
  15. Click Finish to complete the certificate import.

B.  To import the Contoso Root CA certificate into the local certificate store

  1. Log in to the ISA Server 2006 virtual machine using the built-in Administrator account (ISA\Administrator).
  2. Click Start, then Run.  Type mmc.exe and press Enter to launch the Microsoft Management Console.
  3. From within the Management Console, click File, then Add/Remove Snap-in…
  4. Within the Add/Remove Snap-in dialog box, click Add.
  5. Select the Certificates snap-in, then click Add.
  6. When prompted to choose for which account to manage certificates, choose the Computer account.  Click Next.
  7. When prompted to choose which computer to manage, choose Local Computer, then click Finish.
  8. Close the Standalone Snap-in dialog box, then close the Add/Remove Snap-in dialog box.
  9. Expand Certificates (Local Computer), then expand the Trusted Root Certification Authorities certificate store object. 
  10. Right click on the Certificates object, then highlight All Tasks within the context menu and select Import to launch the Certificate Import Wizard.
  11. At the Welcome page for the Certificate Import Wizard, click Next.
  12. At the File to Import page, enter C:\ContosoCA.cer or browse to the C:\ drive and select the file using the Windows object picker. Click Next.
  13. At the Certificate Store page, select the option to Place all certificates in the following store.  Verify that the Trusted Root Certification Authorities certificate store is selected, then click Next.
  14. Click Finish to complete the certificate import, then Close the Microsoft Management Console.

 

Step 5 – Install ISA Server 2006


After configuring the virtual machine, we are now ready to install the ISA Server 2006 binaries.  Please verify that you have correctly configured the network settings for the virtual network adapter before proceeding with the installation of ISA.


A.  To install ISA Server 2006


  1. Log on to the ISA Server 2006 virtual machine as the built-in Administrator account (ISA\Administrator).
  2. Launch Windows Explorer, and navigate to the ISA CD or shared installation folder.
  3. Double-click ISAAutorun.exe, the setup launcher for ISA Server 2006. 
  4. At the Welcome page, click Next.
  5. At the License Agreement page, select I accept the terms in the license agreement.  
  6. At the Customer Information page, enter your User Name, your Organization Name, and your Product ID.
  7. At the Setup Type page, choose the Typical installation option.  This installs ISA Server, Advanced Logging, and ISA Server Management.  Click Next.
  8. On the Internal Network page, click the Add button.
  9. In the Addresses dialog box, click Add Adapter.
  10. In the Select Network Adapters dialog box, select the single virtual network adapter, then click OK.
  11. Back in the Addresses dialog box, click OK to return to the Internal Network page.  Note that the addresses shown here will have no meaning in a single NIC ISA configuration, as all network addresses in a single NIC configuration are considered internal.
  12. Back on the Internal Network page, click Next.
  13. On the Firewall Client Connections page, click Next.  Since our server will not be acting as a firewall, this setting will not matter.
  14. Click Next on the Services Warning page.
  15. Click Install to begin the installation.
  16. On the Installation Wizard Completed page, put a checkmark in the Invoke ISA Server Management when the wizard closes checkbox and click Finish.
  17. Close the Internet Explorer window entitled Protect the ISA Server Computer.

 

Step 6 – Configure ISA System Policy


Having successfully installed the ISA server binaries, we are now ready to configure the server. First we’ll configure the system policy to allow for remote management using terminal services client, and we’ll configure the system policy to respond to pings from computers on our local network.


A.  To configure ISA system policy


  1. Log on to the ISA Server 2006 virtual machine as the built-in Administrator account (ISA\Administrator).
  2. Click Start, then Programs, then Microsoft ISA Server, then choose ISA Server Management.
  3. Within the ISA Server Management console, expand the ISA server object in the navigation pane on the left.
  4. Right click on Firewall Policy and choose Edit System Policy from the context menu.
  5. Within the System Policy Editor, you will find a list of Configuration Groups.  Under the Remote Management configuration group, choose Terminal Server.
  6. Within the Terminal Server configuration group, select Enable this configuration group under the General tab.
  7. Click on the From tab.  Under This rule applies to traffic from these sources, select the Remote Management Computers group, then click Edit.
  8. In the Remote Management Computers Properties dialog box, click Add then select Computer.  Alternatively you may add an entire subnet or an entire range of IP addresses.
  9. Enter the Host Name of your computer which will be used to manage the ISA server remotely using the Terminal Services client, then enter the IP address.  Click OK.
  10. After adding each computer that will be used to manage your ISA server, click OK to commit your changes.
  11. Back at the System Policy Editor dialog box, under the Remote Management configuration group, click on the ICMP (Ping) configuration group.
  12. Within the ICMP (Ping) configuration group, select Enable this configuration group under the General tab.
  13. Next, click on the From tab.  Under This rule applies to traffic from these sources, verify that the Remote Management Computers group is listed, then click Add.
  14. Within the Add Network Entities dialog box, expand Networks, then select Local Host.  Click Add.
  15. Back within the System Policy Editor, click OK.
  16. Click Apply to commit your System Policy configuration changes.

Step 7 – Create Exchange OutlookAnywhere Firewall Rule


Our next step will be to create a firewall rule to handle almost all Exchange 2007 requests, including Outlook Web Access.


A.  To create the Exchange OutlookAnywhere firewall rule


  1. Log on to the ISA Server 2006 virtual machine as the built-in Administrator account (ISA\Administrator).
  2. Click Start, then Programs, then Microsoft ISA Server, then choose ISA Server Management.
  3. Within the ISA Server Management console, expand the ISA server object in the navigation pane on the left.
  4. Right click on Firewall Policy and highlight New.  Select Exchange Web Client Access Publishing Rule.
  5. At the Welcome to the New Exchange Publishing Rule Wizard page, enter a meaningful name for the rule (e.g. Exchange OutlookAnywhere).  Click Next.
  6. At the Select Services page, choose Exchange Server 2007 as the server version.  Choose the option Outlook Anywhere (RPC/HTTP(s)), and enable the option Publish additional folders on the Exchange Server for Outlook 2007 clients.  Click Next.
  7. At the Publishing Type page, choose Publish a single Web site or load balancer, then click Next.
  8. At the Server Connection Security page, choose Use SSL to connect to the published web server or server farm.  Click Next.
  9. At the Internal Publishing Details page, enter the internal site name mail.contoso.com.  Enable the option Use a computer name or IP address to connect to the published server, then either enter the IP address or Browse to the IP address of the Exchange server, 192.168.1.10.  Click Next.
  10. At the Public Name Details page, choose to Accept requests for This domain name (type below), then enter the Public Name mail.contoso.com.  Click Next.
  11. At the Select Web Listener page, click New.
  12. At the New Web Listener Definition Wizard welcome page, click Next.
  13. On the Web Listener Client Connection Security page, choose Require SSL secured connections with clients.  Click Next.
  14. At the Web Listener IP Addresses page, choose both the Internal and Local Host networks, and enable the option ISA Server will compress content sent to clients through this Web Listener if the clients requesting the content support compression.  Click Next.
  15. At the Web Listener SSL Certificates page, select Use a single certificate for the Web Listener, then click Select Certificate.  From the list of available certificates, choose the UC Certificate purchased from the publicly trusted Certification Authority, then click Select.  Click Next.
  16. At the Web Listener Authentication Settings page, choose No Authentication from the drop down box, then click Next.
  17. At the Web Listener Single Sign On Settings page, click Next.  Single Sign On is not a supported option in a single NIC ISA configuration.
  18. Click Finish to complete the configuration of the Web Listener.
  19. Back at the Select Web Listener page, verify that the HTTPS Listener web listener is selected, then click Next.
  20. At the Authentication Delegation page, choose No Delegation, but client may authenticate directly.  Click Next.
  21. At the User Sets page, choose All Users, then click Next.
  22. At the Completing the New Exchange Publishing Rule Wizard page, click Finish.
  23. Next, click Apply to commit your changes. 
  24. From the list of available firewall rules, right click on the new Exchange OutlookAnywhere rule, then choose Properties.
  25. Select the From tab.  Under the option This rule applies to traffic from these sources, select the Anywhere network set then click Remove.  Click Add, expand Networks, and Add the Internal and Local Host networks.
  26. Next, click the Traffic tab, and enable the option Require 128-bit encryption for HTTPS traffic.
  27. Next, click on the Paths tab, then click on the Add button to add a new path.  Enter the path value /owa/*, and under External Path, choose Same as published folder.  Click OK, then click Apply.
  28. Click Test Rule to simulate a connection request to each of the external paths listed under the Paths tab.
  29. Click OK to complete configuration of the Exchange OutlookAnywhere rule.

 

Step 8 – Create Exchange ActiveSync Firewall Rule


Next, we will create a firewall rule to handle Exchange 2007 ActiveSync requests.


A.  To create the Exchange ActiveSync firewall rule


  1. Log on to the ISA Server 2006 virtual machine as the built-in Administrator account (ISA\Administrator).
  2. Click Start, then Programs, then Microsoft ISA Server, then choose ISA Server Management.
  3. Within the ISA Server Management console, expand the ISA server object in the navigation pane on the left.
  4. Right click on Firewall Policy and highlight New.  Select Exchange Web Client Access Publishing Rule.
  5. At the Welcome to the New Exchange Publishing Rule Wizard page, enter a meaningful name for the rule (e.g. Exchange ActiveSync).  Click Next.
  6. At the Select Services page, choose Exchange Server 2007 as the server version.  Choose the option Exchange ActiveSync, and then Click Next.
  7. At the Publishing Type page, choose Publish a single Web site or load balancer, then click Next.
  8. At the Server Connection Security page, choose Use SSL to connect to the published web server or server farm.  Click Next. 
  9. At the Internal Publishing Details page, enter the internal site name mail.contoso.com.  Enable the option Use a computer name or IP address to connect to the published server, then either enter the IP address or Browse to the IP address of the Exchange server, 192.168.1.10.  Click Next.
  10. At the Public Name Details page, choose to Accept requests for This domain name (type below), then enter the Public Name mail.contoso.com.  Click Next.
  11. At the Select Web Listener page, choose the existing HTTPS Listener from the Web Listener drop-down list.  Click Next.
  12. At the Authentication Delegation page, choose No Delegation, but client may authenticate directly.  Click Next. 
  13. At the User Sets page, choose All Users, then click Next.
  14. At the Completing the New Exchange Publishing Rule Wizard page, click Finish.
  15. Next, click Apply to commit your changes.  
  16. From the list of available firewall rules, right click on the new Exchange ActiveSync rule, then choose Properties.
  17. Select the From tab.  Under the option This rule applies to traffic from these sources, select the Anywhere network set then click Remove.  Click Add, expand Networks, and Add the Internal and Local Host networks.
  18. Next, click the Traffic tab, and enable the option Require 128-bit encryption for HTTPS traffic. 
  19. Next, click on the Paths tab, then verify that /Microsoft-Server-ActiveSync/* is listed as the Internal Path.  Click Apply.
  20. Click Test Rule to simulate a connection request to the external ActiveSync path listed under the Paths tab. 
  21. Click OK to complete configuration of the Exchange ActiveSync rule.

 

Step 9 – Create Exchange Autodiscover Firewall Rule


Next, we will create a firewall rule to handle Exchange 2007 Autodiscover requests.


A.  To create the Exchange Autodiscover firewall rule


  1. Log on to the ISA Server 2006 virtual machine as the built-in Administrator account (ISA\Administrator).
  2. Click Start, then Programs, then Microsoft ISA Server, then choose ISA Server Management.
  3. Within the ISA Server Management console, expand the ISA server object in the navigation pane on the left.
  4. Right click on Firewall Policy and highlight New.  Select Exchange Web Client Access Publishing Rule.
  5. At the Welcome to the New Exchange Publishing Rule Wizard page, enter a meaningful name for the rule (e.g. Exchange Autodiscover).  Click Next.
  6. At the Select Services page, choose Exchange Server 2007 as the server version.  Choose the option Outlook Anywhere (RPC/HTTP(s)), and enable the option Publish additional folders on the Exchange Server for Outlook 2007 clients.  Click Next.
  7. At the Publishing Type page, choose Publish a single Web site or load balancer, then click Next.
  8. At the Server Connection Security page, choose Use SSL to connect to the published web server or server farm.  Click Next. 
  9. At the Internal Publishing Details page, enter the internal site name autodiscover.contoso.com.  Enable the option Use a computer name or IP address to connect to the published server, then either enter the IP address or Browse to the IP address of the Exchange server, 192.168.1.10.  Click Next.
  10. At the Public Name Details page, choose to Accept requests for This domain name (type below), then enter the Public Name autodiscover.contoso.com.  Click Next.
  11. At the Select Web Listener page, choose the existing HTTPS Listener from the Web Listener drop-down list.  Click Next.
  12. At the Authentication Delegation page, choose No Delegation, but client may authenticate directly.  Click Next. 
  13. At the User Sets page, choose All Users, then click Next.
  14. At the Completing the New Exchange Publishing Rule Wizard page, click Finish.
  15. Next, click Apply to commit your changes.  
  16. From the list of available firewall rules, right click on the new Exchange Autodiscover rule, then choose Properties.
  17. Select the From tab.  Under the option This rule applies to traffic from these sources, select the Anywhere network set then click Remove.  Click Add, expand Networks, and Add the Internal and Local Host networks.
  18. Next, click the Traffic tab, and enable the option Require 128-bit encryption for HTTPS traffic. 
  19. Next, click on the Paths tab.  Select each Internal Path entry, then click Remove.  After removing all values, click Add to add a new Internal Path value of /*.  Verify that the External Path is the Same as published folder.  Click OK, then click Apply.
  20. Click Test Rule to simulate a connection request to the external Autodiscover path listed under the Paths tab. 
  21. Click OK to complete configuration of the Exchange Autodiscover rule.

 

Step 10 – Create OCS 2007 R2 Web Components Firewall Rule


Next, we will create a firewall rule to handle OCS 2007 R2 Web Components requests. 


A.  To create the OCS 2007 R2 Web Components firewall rule


  1. Log on to the ISA Server 2006 virtual machine as the built-in Administrator account (ISA\Administrator).
  2. Click Start, then Programs, then Microsoft ISA Server, then choose ISA Server Management.
  3. Within the ISA Server Management console, expand the ISA server object in the navigation pane on the left.
  4. Right click on Firewall Policy and highlight New.  Select Web Site Publishing Rule.
  5. At the Welcome to the New Web Site Publishing Rule Wizard page, enter a meaningful name for the rule (e.g. OCS 2007 R2 Web Components).  Click Next.
  6. At the Specify Rule Action page, choose Allow then click Next.
  7. At the Publishing Type page, choose Publish a single Web site or load balancer, then click Next.
  8. At the Server Connection Security page, choose Use SSL to connect to the published web server or server farm.  Click Next. 
  9. At the Internal Publishing Details page, enter the site name sip.contoso.com.  Enable the option Use a computer name or IP address to connect to the published server, then either enter the IP address or Browse to the IP address of the OCS Front End server, 192.168.1.11.  Click Next.
  10. At the next Internal Publishing Details page, enter a path value of /*.  Enable the option Forward the original host header instead of the actual one provided in the Internal site name field on the previous page.  Click Next.
  11. At the Public Name Details page, choose the option Accept requests for this domain name (type below).  Enter the public site name sip.contoso.com and a path value of /*.  Click Next.
  12. At the Select Web Listener page, choose the existing HTTPS Listener from the Web Listener drop-down list.  Click Next.
  13. At the Authentication Delegation page, choose No Delegation, but client may authenticate directly.  Click Next. 
  14. At the User Sets page, choose All Users, then click Next.
  15. At the Completing the New Web Site Publishing Rule Wizard page, click Finish.
  16. Next, click Apply to commit your changes.  
  17. From the list of available firewall rules, right click on the new OCS 2007 R2 Web Components rule, then choose Properties.
  18. Select the From tab.  Under the option This rule applies to traffic from these sources, select the Anywhere network set then click Remove.  Click Add, expand Networks, and Add the Internal and Local Host networks.
  19. Next, click the Traffic tab, and enable the option Require 128-bit encryption for HTTPS traffic. 
  20. Next, click on the Paths tab.  Verify that /* is listed as the internal path value.  Click Apply. 
  21. Click Test Rule to simulate a connection request to the external Web Components path listed under the Paths tab.  
  22. Click OK to complete configuration of the OCS 2007 R2 Web Components rule.

 

Step 11 – Create OCS 2007 R2 CWA Firewall Rule


Finally, we will create a firewall rule to handle OCS 2007 R2 Communicator Web Access requests.  This will be the last rule that we need to create to support OCS and Exchange traffic for our lab environment.


A.  To create the OCS 2007 R2 CWA firewall rule


  1. Log on to the ISA Server 2006 virtual machine as the built-in Administrator account (ISA\Administrator).
  2. Click Start, then Programs, then Microsoft ISA Server, then choose ISA Server Management.
  3. Within the ISA Server Management console, expand the ISA server object in the navigation pane on the left.
  4. Right click on Firewall Policy and highlight New.  Select Web Site Publishing Rule.
  5. At the Welcome to the New Web Site Publishing Rule Wizard page, enter a meaningful name for the rule (e.g. OCS 2007 R2 CWA).  Click Next. 
  6. At the Specify Rule Action page, choose Allow then click Next.
  7. At the Publishing Type page, choose Publish a single Web site or load balancer, then click Next.
  8. At the Server Connection Security page, choose Use SSL to connect to the published web server or server farm.  Click Next. 
  9. At the Internal Publishing Details page, enter the site name cwa.contoso.com.  Enable the option Use a computer name or IP address to connect to the published server, then either enter the IP address or Browse to the IP address of the OCS CWA server (cwa-r2.contoso.com in the hosts file above), 192.168.1.12.  Click Next.
  10. At the next Internal Publishing Details page, enter a path value of /*.  Enable the option Forward the original host header instead of the actual one provided in the Internal site name field on the previous page.  Click Next.
  11. At the Public Name Details page, choose the option Accept requests for this domain name (type below).  Enter the public site name cwa.contoso.com and a path value of /*.  Click Next. 
  12. At the Select Web Listener page, choose the existing HTTPS Listener from the Web Listener drop-down list.  Click Next.
  13. At the Authentication Delegation page, choose No Delegation, but client may authenticate directly.  Click Next. 
  14. At the User Sets page, choose All Users, then click Next.
  15. At the Completing the New Web Site Publishing Rule Wizard page, click Finish.
  16. Next, click Apply to commit your changes.
  17. From the list of available firewall rules, right click on the new OCS 2007 R2 CWA rule, then choose Properties.
  18. Select the From tab.  Under the option This rule applies to traffic from these sources, select the Anywhere network set then click Remove.  Click Add, expand Networks, and Add the Internal and Local Host networks.
  19. Next, click the Traffic tab, and enable the option Require 128-bit encryption for HTTPS traffic. 
  20. Next, click on the Paths tab.  Verify that /* is listed as the internal path value.  Click Apply. 
  21. Click Test Rule to simulate a connection request to the external Communicator Web Access path listed under the Paths tab.   
  22. Click OK to complete configuration of the OCS 2007 R2 CWA rule.
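Steps 7 through 11 all follow the same pattern: connect to the back end by IP address rather than by name, restrict the From tab to Internal and Local Host, and require 128-bit encryption.  The following Python script is an added consistency check that is not part of the original post: it replays those settings together with the Step 2 hosts file and flags any rule that departs from the pattern.  The PublishingRule model, the check wording and the "Broken OWA" rule are constructions for this example, not ISA Server's own object model.

```python
import ipaddress
from dataclasses import dataclass

ISA_ADDRESSES = {"192.168.1.6"}  # the ISA server's own address (Step 2)
ALLOWED_SOURCES = {"Internal", "Local Host"}  # From tab after editing (Steps 7-11)

# Constructed copy of the hosts file entries from Step 2.
HOSTS_FILE = """\
192.168.1.5    edge-r2.contoso.com
192.168.1.6    isa.contoso.com
192.168.1.6    cwa.contoso.com
192.168.1.6    as.cwa.contoso.com
192.168.1.6    download.cwa.contoso.com
192.168.1.6    mail.contoso.com
192.168.1.6    autodiscover.contoso.com
192.168.1.10   email.contoso.com
192.168.1.11   ocs-r2.contoso.com
192.168.1.12   cwa-r2.contoso.com
192.168.1.13   mediation-r2.contoso.com
"""


def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text, ignoring blank and comment lines."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table[name.lower()] = ip
    return table


@dataclass(frozen=True)
class PublishingRule:
    """The fields of a web publishing rule this check uses (the example's own model, not ISA's)."""
    name: str
    public_name: str       # Public Name Details page
    connect_to: str        # Internal Publishing Details: IP literal or host name
    paths: tuple           # Paths tab, e.g. ("/owa/*",)
    from_networks: tuple   # From tab
    require_128bit: bool   # Traffic tab: Require 128-bit encryption for HTTPS traffic


def check_rule(rule, hosts, isa_addresses=ISA_ADDRESSES):
    """Return a list of findings for one rule; an empty list means it is consistent."""
    findings = []
    # Back-end target. The guide connects by IP address because on this ISA server
    # the public names (mail.contoso.com, cwa.contoso.com, ...) resolve to the ISA
    # server itself via the hosts file; connecting by such a name would loop back.
    try:
        target = str(ipaddress.ip_address(rule.connect_to))
    except ValueError:
        target = hosts.get(rule.connect_to.lower())
        if target is None:
            findings.append(f"{rule.name}: connect-to host '{rule.connect_to}' does not resolve in hosts")
    if target in isa_addresses:
        findings.append(f"{rule.name}: connect-to '{rule.connect_to}' resolves to the ISA server itself (loop)")
    # From tab: the wizard defaults to Anywhere; the guide removes it and keeps only
    # Internal and Local Host, leaving perimeter filtering to the Linksys router.
    extra = set(rule.from_networks) - ALLOWED_SOURCES
    if extra:
        findings.append(f"{rule.name}: accepts traffic from {sorted(extra)}; expected only {sorted(ALLOWED_SOURCES)}")
    # Traffic tab: every rule in Steps 7-11 requires 128-bit encryption.
    if not rule.require_128bit:
        findings.append(f"{rule.name}: 128-bit HTTPS encryption is not required")
    return findings


def check_all(rules, hosts_text=HOSTS_FILE):
    """Run check_rule over every rule; returns {rule name: [findings]}."""
    hosts = parse_hosts(hosts_text)
    return {r.name: check_rule(r, hosts) for r in rules}


# Constructed rule set mirroring the values entered in Steps 7-11.
LAB_RULES = (
    PublishingRule("Exchange OutlookAnywhere", "mail.contoso.com", "192.168.1.10",
                   ("/owa/*",), ("Internal", "Local Host"), True),
    PublishingRule("Exchange ActiveSync", "mail.contoso.com", "192.168.1.10",
                   ("/Microsoft-Server-ActiveSync/*",), ("Internal", "Local Host"), True),
    PublishingRule("Exchange Autodiscover", "autodiscover.contoso.com", "192.168.1.10",
                   ("/*",), ("Internal", "Local Host"), True),
    PublishingRule("OCS 2007 R2 Web Components", "sip.contoso.com", "192.168.1.11",
                   ("/*",), ("Internal", "Local Host"), True),
    PublishingRule("OCS 2007 R2 CWA", "cwa.contoso.com", "192.168.1.12",
                   ("/*",), ("Internal", "Local Host"), True),
)

# A deliberately misconfigured rule (constructed): it connects by a name that
# points back at ISA and still has the wizard's default Anywhere source.
BAD_RULE = PublishingRule("Broken OWA", "mail.contoso.com", "mail.contoso.com",
                          ("/owa/*",), ("Anywhere",), False)

if __name__ == "__main__":
    for name, findings in check_all(LAB_RULES + (BAD_RULE,)).items():
        print(name, findings or "OK")
```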

 

This completes the deployment of the ISA Server 2006 server role.

 

 

Conclusion


Please remember that much of this configuration is considered by Microsoft to be unsupported for production use.  While the configuration details provided in this series of blog entries have enabled me to achieve the goals I wanted for my own lab, your own mileage may vary.  Either way, I hope that you have found this series of blog entries to be helpful, and as always, all comments and/or corrections are greatly appreciated.

 

-- Dave

Posted by DaveH

(Part 1 of 3) The complete step-by-step setup guide for deploying Microsoft Unified Communications products with Enterprise Voice in a lab environment using a single Windows Server 2008 Hyper-V computer and a single Internet IP address

As a Senior Support Escalation Engineer with the Unified Communications team at Microsoft, I help a lot of customers install Microsoft Unified Communications products in either their production or lab environment.  I often find that for many smaller organizations, the task of deploying OCS 2007 R2 and/or Exchange Unified Messaging becomes that of the existing IT team or the network administrator. While Office Communications Server 2007 R2 is the coolest collaboration product that Microsoft has ever shipped and Unified Messaging is the perfect voice mail solution for it, the learning curve for each product isn’t just steep – it is nearly insurmountable.  Considering the seemingly endless list of available features within OCS 2007 R2 and their associated requirements, figuring out exactly what you need to accomplish what you want is often a frustrating experience – especially for those who are new to the technology. 


So, what do you want to do with Office Communications Server 2007 R2 and Microsoft Exchange Server 2007?

Do you want to enable instant messaging?

  • IM only between user accounts in your lab?
  • IM with federated contacts? (external IM with other labs/other companies)
  • IM with public providers like MSN/Yahoo/AOL?

Do you want to share meetings using Live Meeting?

  • Meetings only between user accounts in your lab?
  • Meetings that can be joined by remote users?
  • Meetings that can be joined remotely by anonymous users?
  • Meetings that offer Audio/Video capabilities?

Do you want to offer Exchange services to your OCS users?

  • Access to email via Outlook or Outlook Web Access?
  • Automatic configuration of Outlook using Outlook Anywhere?
  • Voice mail services using Unified Messaging?

Having recently moved to the Unified Communications team after supporting Exchange for the past eight years, I am also new to this technology – and I’ve experienced a similar degree of frustration when building out various lab environments.  Since I seem to learn a lot more about a product by installing and configuring it versus simply reading about it from a book, I wanted to deploy a fully working Unified Communications lab environment at home where I could learn at my own pace. 


While I am extremely fortunate to have unlimited access to a variety of high-end equipment at work, the equipment found in my own lab at home is a little embarrassing by comparison… :-)  So, in the spirit of making do, this step-by-step guide will attempt to offer all of the services listed above in a lab environment using a single Windows 2008 Hyper-V physical host computer and a single public IP address.

 

 

Disclaimer


This information is provided AS-IS with no warranties, and confers no rights.  In fact, many of the configuration steps provided in this documentation are considered UNSUPPORTED by the Microsoft RTC and Exchange product groups for production use.  Although Microsoft now officially supports many of the server roles for OCS 2007 R2 on Windows 2008 Hyper-V, the roles involving RTC media streams are not supported on virtualized platforms.  As such, please DO NOT use this documentation as prescriptive guidance for deploying these products in a production capacity.



Lab Overview


Using a single 64-bit computer running Windows Server 2008 and Hyper-V, you can deploy a fully functional OCS 2007 R2 / Exchange 2007 lab environment.  After completing setup of this lab, you’ll be able to do instant messaging and Live Meeting conferences with full audio and video for both internal and external users.  If you want to provide optional VoIP telephony services with PSTN integration, however, you’ll need to add a Mediation server and a VoIP Gateway device to your lab.


Since I chose to deploy this lab at home, there were a few constraints that I knew I had to work around.  For example, my house was not pre-wired for CAT5 when it was built, so I use wireless networking for just about everything – including my laptops, my Zune, and each of my X-Box 360s.  Instead of inconveniencing my family by taking the network offline while I figured out how to route everything through ISA Server 2006 running in a virtual machine, I chose instead to use ISA Server 2006 simply as an SSL proxy/redirect while leaving the firewall on my Linksys WRT54G wireless router to filter out unwanted network traffic.


Below you will find a diagram of the Unified Communications lab environment that I built at home and that we will attempt to build in the following documentation (click to enlarge).


[Diagram: Unified Communications lab environment]


Requirements


To build this lab environment, the following components are required:


  • One (1) 3.0 GHz Dual Core (or higher) 64-bit Hyper-V host computer, 8GB RAM, Gigabit NIC, two (2) 320GB SATA hard disks
    • One (1) Hyper-V guest, 512MB RAM, one virtual NIC, 16GB virtual hard disk (ISA 2006)
    • One (1) Hyper-V guest, 512MB RAM, one virtual NIC, 16GB virtual hard disk (OCS 2007 R2 CWA)
    • One (1) Hyper-V guest, 512MB RAM, one virtual NIC, 16GB virtual hard disk (OCS 2007 R2 Mediation)
    • One (1) Hyper-V guest, 1024MB RAM, two virtual NICs, 16GB virtual hard disk (OCS 2007 R2 Edge)
    • One (1) Hyper-V guest, 1024MB RAM, one virtual NIC, 16GB virtual hard disk (OCS 2007 R2 Front End)
  • One (1) Wireless or Wired Ethernet Router
  • One (1) Ethernet Cable Modem or DSL Modem
  • One (1) Public IP address, either static or DHCP assigned
  • One (1) publicly registered Internet domain
  • One (1) SSL SAN Certificate issued by a trusted PKI provider (optional)

To provide VoIP connectivity with PSTN integration, you will need the following optional component:


Unless you plan to provide Public IM Connectivity to your lab users, you will not need a UC Certificate from a trusted PKI provider.  This may be good news given that UC (SAN) Certificates can be very pricey, especially for a small lab environment.  You can accomplish much of the same functionality simply by using internally generated certificates; however, your external users will encounter certificate trust errors, at least initially, because internally generated certificates are not trusted by computers outside your organization.  You can work around this by having your external users import the certificate from your internal Certification Authority into their list of Trusted Root Certification Authorities.


With regards to Federation, you can establish direct federation with a partner organization without using a publicly trusted UC certificate.  As long as your federated partner agrees to import your internally generated CA certificate into the Trusted Root Certification Authorities list on each Edge server, you can participate in federated IM conversations and conferences. 


Now… let’s get started!


Registering a Public Domain


The first step in this process is to register a public domain from a trusted registrar.  The registrar you choose will ask you to provide various contact and technical information that makes up the registration, which is then stored in a central directory known as the "registry." You will also be required to enter a registration contract with the registrar, which sets forth the terms under which your registration is accepted and will be maintained.  A list of trusted registrars can be found at InterNIC.


While most domain registrars also offer to host the DNS records for purchased domains, you should look for a registrar that allows you to create and edit Service (SRV) records.  Office Communications Server 2007 R2 uses SRV records for Federation, Public IM Connectivity (PIC), and automatic client configuration for external users.  After checking SlickDeals.net for online coupon codes, I purchased the domain name for my Unified Communications lab from GoDaddy.com.  Not only did I get my domain for a fantastic price, I have been extremely pleased with their customer service – and they allow you to create DNS SRV records.


Creating Public DNS Records


Next, we will need to create several public DNS records for our Unified Communications environment.  While my ISP does offer static IP addresses to its customers for an extra fee, I still use a DHCP-assigned IP address.  I found that DHCP-assigned IP addresses from my ISP rarely change – maybe once every four or five months.  However, when it does happen, I have to manually update my DNS records to point to the new IP address.  As you can imagine, manually updating DNS records can be quite annoying.


For me, though, updating DNS to point to a new IP address isn't that big of a deal.  While Microsoft only officially supports using host (A) public DNS records for deploying OCS 2007 R2, I chose instead to use CNAME records for my own lab environment.  By using CNAME records, I found that I only have to update a single DNS record if my DHCP-assigned IP address changes for any reason.


The following step-by-step instructions describe how to create CNAME records with GoDaddy to support OCS 2007 R2; the exact steps will vary by provider.


A.  To create Public DNS records for your Unified Communications lab environment

  1. Log in to your DNS service provider.
  2. Select the appropriate option for managing DNS records for your domain.
    (For GoDaddy.com customers, this option is called Total DNS Control and MX Records.)
  3. Select the appropriate option for creating a new A record, then enter the following details:
    Host Name:  @
    Points to IP Address:  <Your IP Address>
    TTL:  One hour
  4. Select the appropriate option for creating a new CNAME record, then enter the following details:
    Enter an Alias Name:  sip
    Points to Host Name:  @
    TTL:  One hour

    Repeat this step, creating additional CNAME records for each of the following Alias names:

    Alias          Points to Host Name
    cwa            @
    mail           @
    www            @
    autodiscover   @
    as.cwa         @
    download.cwa   @

  5. Select the appropriate option for creating a new MX record, then enter the following details:
    Host Name:  @
    Goes To Address:  mail.contoso.com
    Priority:  0
    TTL:  One hour
  6. Select the appropriate option for creating a new SRV record, then enter the following details:
    Service:  _sipfederationtls
    Protocol:  _tcp
    Name:  Federation SRV Record
    Priority:  1
    Weight:  1
    Port:  5061
    Target:  sip.contoso.com
    TTL:  One hour

    Repeat this step, creating an additional SRV record with the following details:

    Service:  _sip
    Protocol:  _tls
    Name:  External User SRV Record
    Priority:  1
    Weight:  1
    Port:  5061
    Target:  sip.contoso.com
    TTL:  One hour  

This completes the configuration of the external DNS records.


Configuring the Router/Firewall


The third step in this process is to either configure port forwarding in the configuration of your router or to create rules to open ports on your firewall.  As mentioned previously, I use a Linksys WRT54G wireless router and a single private network (no DMZ) for all devices.  As such, I created the following port forwarding rules in the configuration of my router to accommodate network traffic for Exchange Server and Office Communications Server:


Protocol   Source IP   External Ports   Internal Ports   Internal IP    Description
Both       All         50000 – 59999    (same)           192.168.1.4    A/V Edge RTP Ports
TCP        All         5061             5061             192.168.1.2    Access Edge
UDP        All         3478             3478             192.168.1.4    A/V Edge (STUN/TURN)
TCP        All         443              443              192.168.1.6    ISA SSL Listener
TCP        All         442              442              192.168.1.3    Web Conferencing Edge
TCP        All         441              441              192.168.1.4    A/V Edge
TCP        All         80               80               192.168.1.10   Web Site
TCP        All         25               26               192.168.1.10   SMTP (Email)

After saving this configuration, restart your router or firewall.


Explanation of Routing


Although it is possible to deploy both OCS 2007 R2 and Exchange 2007 using a single public IP address, to do so introduces some very interesting challenges with regards to routing. The following summary explains how routing is accomplished in this lab for internal and external connectivity.


External Routing

Client                 Address                            Ext Port   Path                Int Port   Target
OCS Remote User        sip.contoso.com                    5061       OCS Access Edge     5061       OCS-R2.contoso.com
OCS Web Components     sip.contoso.com                    443        ISA Server Proxy    443        OCS-R2.contoso.com
OCS Web Conferencing   sip.contoso.com                    442        OCS Web Conf Edge   8057       OCS-R2.contoso.com
OCS A/V Conferencing   sip.contoso.com                    441        OCS A/V Edge        443        OCS-R2.contoso.com
OCS CWA                https://cwa.contoso.com            443        ISA Server Proxy    443        CWA-R2.contoso.com
Outlook Web Access     https://mail.contoso.com/owa       443        ISA Server Proxy    443        Email.contoso.com
Autodiscover           https://autodiscover.contoso.com   443        ISA Server Proxy    443        Email.contoso.com
SMTP                   mail.contoso.com                   25         Linksys Router      26         Email.contoso.com

Internal Routing

Client               Address                        Port   Path               Target
OCS Internal User    sip.contoso.com                5061   OCS Front End      OCS-R2.contoso.com
OCS Web Components   OCS-R2.contoso.com             443    OCS Front End      OCS-R2.contoso.com
OCS CWA              https://cwa.contoso.com        443    ISA Server Proxy   CWA-R2.contoso.com
Outlook Web Access   https://mail.contoso.com/owa   443    ISA Server Proxy   Email.contoso.com


Configuring the Domain Infrastructure


For the purposes of this lab, our physical host computer will run a number of services – including Active Directory, DNS, Enterprise Certification Authority, and Hyper-V virtualization.  The following steps will configure the domain infrastructure for the Unified Communications lab environment.


Step 1 - Install Windows Server 2008 Enterprise Edition


The first configuration step involves installing Windows Server 2008 Enterprise Edition as the operating system for the physical host computer.  Rather than reinvent the wheel here, Microsoft MVP Daniel Petri authored a fantastic step-by-step blog entry on installing Windows Server 2008.  Be sure to check it out if you have never done this before.  It may save you some time and effort… :-)


Step 2 - Install the Hyper-V Role


Once Windows Server 2008 Enterprise Edition has been installed on the host PC, our first configuration task will be to install the Hyper-V role which will host the four guest virtual machines that will run ISA Server 2006 and OCS 2007 R2.  It is important to install the Hyper-V role first because it allows us an opportunity to configure network settings for the computer before installing Active Directory.  For additional information on Windows virtualization using Hyper-V, check out the Hyper-V Getting Started Guide on Microsoft TechNet.


A.  To install Hyper-V on a full installation of Windows Server 2008

  1. Log in to the Windows 2008 computer using the built-in Administrator account.
  2. Click Start, and then click Server Manager.
  3. In the Roles Summary area of the Server Manager main window, click Add Roles.
  4. On the Select Server Roles page, click Hyper-V.
  5. On the Create Virtual Networks page, click one or more network adapters if you want to make their network connection available to virtual machines.
  6. On the Confirm Installation Selections page, click Install.
  7. The computer must be restarted to complete the installation. Click Close to finish the wizard, and then click Yes to restart the computer.
  8. After you restart the computer, log on with the same account you used to install the role. After the Resume Configuration Wizard completes the installation, click Close to finish the wizard.


Step 3 – Configure Network Settings


As mentioned previously, our Windows 2008 physical host computer will be configured to support a number of roles, including Active Directory, DNS, Certificate Services, and Exchange 2007.  The IP address for this computer will be 192.168.1.10, and since it will host Active Directory and DNS, the IP address should not be assigned by DHCP.  As such, we will need to complete several steps to configure our network settings.


A.  To verify that Windows Firewall is enabled


  1. Log in to the Windows 2008 computer using the built-in Administrator account.
  2. Click Start, then open the Control Panel.  Launch Windows Firewall.
  3. From the menu on the left, click the Turn Windows Firewall on or off link.
  4. Verify that Windows Firewall is enabled.


B.  To configure static TCP/IP settings for a Hyper-V virtual NIC in Windows Server 2008


  1. Log in to the Windows 2008 computer using the built-in Administrator account.
  2. Click Start, then open the Control Panel.  Launch the Network and Sharing Center applet.
  3. From the Tasks menu on the left, select Manage Network Connections.
  4. In the Network Connections window, click the Views option from the menu bar and select Details.
  5. After installing the Hyper-V role, you will notice that a new network adapter has been added to the system.  Open the properties of each adapter and locate the one that is bound only to the Microsoft Virtual Network Switch Protocol.  This adapter represents the physical (hardware) network adapter, while the other represents the Hyper-V virtual adapter.
  6. Right click on each network adapter and rename them as follows:

    HyperV Internal (Physical NIC) – network adapter bound only to Microsoft Virtual Network Switch Protocol.
    HyperV Internal (Virtual NIC) – network adapter bound to everything except the Microsoft Virtual Network Switch Protocol.
  7. After renaming the network adapters, open the properties of the HyperV Internal (Virtual NIC) adapter.
  8. Select the Internet Protocol Version 6 (TCP/IPv6) connection, then click Properties.
  9. Select Use the following IPv6 address, then enter the following:

    IP Address:  fe80:0:0:0:0:0:c0a8:010a
    Subnet prefix length:  64
    Default Gateway: fe80:0:0:0:0:0:c0a8:0101
    DNS Server: fe80:0:0:0:0:0:7f00:0001

    Click OK.
  10. Select the Internet Protocol Version 4 (TCP/IPv4) connection, then click Properties.
  11. Select Use the following IPv4 address, then enter the following:

    IP Address:  192.168.1.10
    Network Mask:  255.255.255.0
    Default Gateway: 192.168.1.1
    DNS Server:  127.0.0.1
  12. Click OK, then close the properties of the HyperV Internal (Virtual NIC) adapter.

After completing the network configuration steps, restart the Windows 2008 physical host computer.


Step 4 – Install Active Directory Domain Services / DNS


Having installed the Hyper-V role and configured our network settings, we’re now ready to install Active Directory Domain Services on the Windows 2008 physical host computer.  Since we have not yet installed the DNS server role, you will be prompted to install the DNS role during the setup of Active Directory.


A.  To install a new Active Directory forest by using the Windows interface

  1. Log in to the Windows 2008 computer using the built-in Administrator account.
  2. Open Server Manager by clicking Start, point to Administrative Tools, and then click Server Manager.
  3. In Roles Summary, click Add Roles.
  4. If necessary, review the information on the Before You Begin page and then click Next.
  5. On the Select Server Roles page, click the Active Directory Domain Services check box, and then click Next

    Note: If you installed Windows Server 2008 R2, you might have to click Add Required Features to install .NET Framework 3.5.1 features before you can click Next.

  6. If necessary, review the information on the Active Directory Domain Services page, and then click Next.
  7. On the Confirm Installation Selections page, click Install.
  8. On the Installation Results page, click Close this wizard and launch the Active Directory Domain Services Installation Wizard (dcpromo.exe).
  9. On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next.
  10. You can select the Use advanced mode installation check box to get additional installation options.
  11. On the Operating System Compatibility page, review the warning about the default security settings for Windows Server 2008 and Windows Server 2008 R2 domain controllers, and then click Next.
  12. On the Choose a Deployment Configuration page, click Create a new domain in a new forest, and then click Next.
  13. On the Name the Forest Root Domain page, type the full Domain Name System (DNS) name for the forest root domain (i.e. contoso.com), and then click Next.
  14. If you selected Use advanced mode installation on the Welcome page, the Domain NetBIOS Name page appears. On this page, type the NetBIOS name of the domain if necessary (i.e. contoso) or accept the default name, and then click Next.
  15. On the Set Forest Functional Level page, select the forest functional level that accommodates the domain controllers that you plan to install anywhere in the forest (Windows 2003 mode or higher is required), and then click Next.
  16. On the Set Domain Functional Level page, select the domain functional level that accommodates the domain controllers that you plan to install anywhere in the domain (Windows 2003 mode or higher is required), and then click Next.

    Note:  The Set Domain Functional Level page does not appear if you select the Windows Server 2008 forest functional level on a server that runs Windows Server 2008 or if you select the Windows Server 2008 R2 forest functional level on a server that runs Windows Server 2008 R2.

  17. On the Additional Domain Controller Options page, DNS server is selected by default so that your forest DNS infrastructure can be created during AD DS installation. If you plan to use Active Directory–integrated DNS, click Next. If you have an existing DNS infrastructure and you do not want this domain controller to be a DNS server, clear the DNS server check box, and then click Next.
  18. If the wizard cannot create a delegation for the DNS server, it displays a message to indicate that you can create the delegation manually. To continue, click Yes.
  19. On the Location for Database, Log Files, and SYSVOL page, browse to the volume and folder locations for the database file, the directory service log files, and the SYSVOL files, and then click Next.
  20. Windows Server Backup backs up the directory service by volume. For backup and recovery efficiency, store these files on separate volumes that do not contain applications or existing files.
  21. On the Directory Services Restore Mode Administrator Password page, type and confirm the restore mode password, and then click Next. This password must be used to start AD DS in Directory Service Restore Mode for tasks that must be performed offline.
  22. On the Summary page, review your selections. Click Back to change any selections, if necessary.
  23. To save the selected settings to an answer file that you can use to automate subsequent AD DS operations, click Export settings. Type the name for your answer file, and then click Save.
  24. When you are sure that your selections are accurate, click Next to install AD DS.
  25. You can either select the Reboot on completion check box to have the server restart automatically or you can restart the server to complete the AD DS installation when you are prompted to do so.

Upon restarting the server, log in using the credentials for the built-in Domain Administrator account (i.e. Contoso\Administrator).  It is important that you use the built-in Domain Administrator account because it is the only account that is exempt from User Account Control restrictions.  Once logged in, launch the Event Viewer and take a cursory glance at both the Application Log and System Logs from the server.  Be sure to address any serious errors before proceeding.


Step 5 – Configure Internal DNS Records


To support both OCS 2007 R2 and Exchange 2007, we will need to create several host (A) records and service (SRV) records in our internal DNS zone.


A.  Add internal DNS Records for OCS 2007 R2 and Exchange 2007

  1. Log on to the Windows 2008 computer as the built-in Domain Administrator account (Contoso\Administrator).
  2. Click Start, point to Administrative Tools, and then click DNS.
  3. In the DNS console, expand the Server object, expand the Forward Lookup Zones folder, and select the local Domain.
  4. From the menu bar at the top of the DNS console, choose Action, then click New Host (A or AAAA)…
  5. In the New Host dialog box, type the Host Name and IP Address for the new A record. 

    Name:  sip
    IP Address:  192.168.1.11

    Repeat this step, creating additional DNS A records for each of the following host names:

    Host Name      IP Address
    autodiscover   192.168.1.6
    mail           192.168.1.6
    www            192.168.1.10
    sip            192.168.1.11
    cwa            192.168.1.6
    Edge-R2        192.168.1.5
    ISA            192.168.1.6

  6. Next, select the local Domain again.
  7. From the menu bar at the top of the DNS console, choose Action, then click New Alias (CNAME)…
  8. In the New Resource dialog box, enter the following data, then click OK:

    Alias Name:  as.cwa
    Fully Qualified Domain Name:  as.cwa.contoso.com (automatically populated)
    Fully Qualified Domain Name for Target Host:  cwa.contoso.com
  9. Choose Action, then click New Alias (CNAME)… to create an additional CNAME record.
  10. In the New Resource dialog box, enter the following data, then click OK:

    Alias Name:  download.cwa
    Fully Qualified Domain Name:  download.cwa.contoso.com (automatically populated)
    Fully Qualified Domain Name for Target Host:  cwa.contoso.com
  11. Next, select the local Domain again.
  12. From the menu bar at the top of the DNS console, choose Action, then click Other New Records…
  13. In the Resource Record Type dialog box, scroll down the list of available record types and choose Service Location (SRV) option and click Create Record…
  14. In the New Resource Record dialog box, manually type in the following information (do not use the drop down list):

    Service:  _sipinternaltls
    Protocol:  _tcp
    Priority:  1
    Weight:  1
    Port Number:  5061
    Host Name:  sip.contoso.com
  15. Create a second DNS SRV record by manually typing in the following information (do not use the drop-down list):

    Service:  _sip
    Protocol:  _tls
    Priority:  1
    Weight:  1
    Port Number:  5061
    Host Name:  sip.contoso.com

  16. Close the DNS console after all records have been created.

This completes the configuration of the internal DNS records.
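Both the public records created at the registrar and the internal records created in this step carry SRV records whose targets have to resolve to an address record, and the public zone deliberately uses CNAME aliases even though, as noted earlier, Microsoft supports only host (A) records for OCS.  The script below is an added example, not part of the original post: both zones are constructed from the instructions (the public IP is the placeholder 203.0.113.10, and the host names are lower-cased), and the checks are mine.  It verifies that every SRV record OCS 2007 R2 looks for is present with port 5061, that each SRV and MX target resolves to an A record without passing through a CNAME (RFC 2782 for SRV and RFC 2181 section 10.3 for MX both forbid alias targets, which is consistent with the author's note about supportability), and that no CNAME owner also carries other record types.  Run as written, the internal zone passes and the external zone produces three alias findings.

```python
"""Offline check of the OCS 2007 R2 DNS records built in the steps above.
Added example, not from the original post: both zones are constructed from
the instructions; 203.0.113.10 stands in for <Your IP Address>."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

ZONE = "contoso.com"


@dataclass(frozen=True)
class Record:
    name: str   # fully qualified owner name
    rtype: str  # A, CNAME, MX or SRV
    data: str   # A: address; CNAME: target; MX: "pref host"; SRV: "prio weight port target"


def fq(label: str) -> str:
    """Expand a zone-relative label ('@', 'sip', 'as.cwa') to a fully qualified name."""
    return ZONE if label == "@" else f"{label}.{ZONE}"


# Public zone as created at the registrar: one A record at the apex, CNAME aliases for the rest.
EXTERNAL_ZONE = [
    Record(fq("@"), "A", "203.0.113.10"),
    *[Record(fq(a), "CNAME", fq("@"))
      for a in ("sip", "cwa", "mail", "www", "autodiscover", "as.cwa", "download.cwa")],
    Record(fq("@"), "MX", f"0 {fq('mail')}"),
    Record(f"_sipfederationtls._tcp.{ZONE}", "SRV", f"1 1 5061 {fq('sip')}"),
    Record(f"_sip._tls.{ZONE}", "SRV", f"1 1 5061 {fq('sip')}"),
]

# Internal zone on the Windows 2008 DNS server: host records plus two CNAMEs for CWA.
INTERNAL_ZONE = [
    *[Record(fq(h), "A", ip) for h, ip in (
        ("sip", "192.168.1.11"), ("autodiscover", "192.168.1.6"), ("mail", "192.168.1.6"),
        ("www", "192.168.1.10"), ("cwa", "192.168.1.6"), ("edge-r2", "192.168.1.5"),
        ("isa", "192.168.1.6"))],
    Record(fq("as.cwa"), "CNAME", fq("cwa")),
    Record(fq("download.cwa"), "CNAME", fq("cwa")),
    Record(f"_sipinternaltls._tcp.{ZONE}", "SRV", f"1 1 5061 {fq('sip')}"),
    Record(f"_sip._tls.{ZONE}", "SRV", f"1 1 5061 {fq('sip')}"),
]

# Service records OCS 2007 R2 looks up in each zone, with the port they must advertise.
REQUIRED_EXTERNAL_SRV = {"_sipfederationtls._tcp": 5061, "_sip._tls": 5061}
REQUIRED_INTERNAL_SRV = {"_sipinternaltls._tcp": 5061, "_sip._tls": 5061}


def index(records: List[Record]) -> Dict[str, Dict[str, List[str]]]:
    """Group record data by owner name, then by record type."""
    idx: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for r in records:
        idx[r.name.lower()][r.rtype.upper()].append(r.data)
    return idx


def resolve(idx, name: str) -> Tuple[List[str], bool]:
    """Follow CNAME chains to A records; also report whether an alias was crossed."""
    seen, via_alias = set(), False
    while name not in seen:                      # guards against CNAME loops
        seen.add(name)
        rrsets = idx.get(name.lower(), {})
        if rrsets.get("A"):
            return rrsets["A"], via_alias
        if rrsets.get("CNAME"):
            via_alias, name = True, rrsets["CNAME"][0]
            continue
        break
    return [], via_alias


def validate(records: List[Record], required_srv: Dict[str, int]) -> List[str]:
    """Return findings as text; an empty list means the zone passes every check."""
    idx, findings = index(records), []

    def check_target(kind: str, owner: str, target: str) -> None:
        ips, via_alias = resolve(idx, target)
        if not ips:
            findings.append(f"{kind} {owner}: target {target} has no A record")
        elif via_alias:  # RFC 2782 (SRV) and RFC 2181 s.10.3 (MX): target must not be an alias
            findings.append(f"{kind} {owner}: target {target} is a CNAME alias")

    for svc, port in required_srv.items():
        owner = f"{svc}.{ZONE}"
        srvs = idx.get(owner, {}).get("SRV", [])
        if not srvs:
            findings.append(f"SRV {owner}: missing")
        for data in srvs:
            _prio, _weight, srv_port, target = data.split()
            if int(srv_port) != port:
                findings.append(f"SRV {owner}: port {srv_port}, expected {port}")
            check_target("SRV", owner, target)

    for owner, rrsets in idx.items():
        for data in rrsets.get("MX", []):
            check_target("MX", owner, data.split()[1])
        if rrsets.get("CNAME") and len(rrsets) > 1:  # RFC 1034 s.3.6.2: a CNAME stands alone
            findings.append(f"CNAME {owner}: coexists with other record types")
    return findings


if __name__ == "__main__":
    for label, zone, req in (("external", EXTERNAL_ZONE, REQUIRED_EXTERNAL_SRV),
                             ("internal", INTERNAL_ZONE, REQUIRED_INTERNAL_SRV)):
        print(label, validate(zone, req) or "OK")
```

The alias findings on the external zone are the cost of the single-record-update convenience described earlier; if you later switch the public zone to host (A) records, rerunning the check with the edited zone should return an empty list.  Dropping a record from the list, or entering the wrong port, surfaces as a "missing" or "port" finding, which is the same kind of mistake that is easy to make in a registrar's web form.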


Step 6 - Install Certificate Services


Next, we need to install the Certificate Authority role on the Windows 2008 computer so that we can issue PKI certificates for the various Office Communications Server 2007 server roles. 


A.  To install Certificate Services and set up an Enterprise Root CA

  1. Log on to the Windows 2008 computer as the built-in Domain Administrator account (Contoso\Administrator).
  2. Click Start, point to Administrative Tools, and then click Server Manager.
  3. In the Roles Summary section, click Add roles.
  4. On the Select Server Roles page, select the Active Directory Certificate Services check box. Click Next two times.
  5. On the Select Role Services page, select the Certification Authority check box, and then click Next.
  6. On the Specify Setup Type page, click Enterprise, and then click Next.
  7. On the Specify CA Type page, click Root CA, and then click Next.
  8. On the Set Up Private Key and Configure Cryptography for CA pages, you can adjust optional settings such as the cryptographic service provider. However, for basic testing purposes, accept the default values by clicking Next twice.
  9. In the Common name for this CA box, type the common name of the CA, ContosoCA, and then click Next.
  10. On the Set the Certificate Validity Period page, accept the default validity duration for the root CA, and then click Next.
  11. On the Configure Certificate Database page, accept the default values or specify other storage locations for the certificate database and the certificate database log, and then click Next.
  12. After verifying the information on the Confirm Installation Options page, click Install.
  13. Review the information on the confirmation screen to verify that the installation was successful.


After installing Certificate Services, launch Internet Explorer on the Windows 2008 computer and browse to https://{ComputerName}/Certsrv.  SSL encryption should be automatically enabled for the CertSrv website, but you may need to enable it manually within the Internet Information Services (IIS) Manager console.  You may also need to add this website to either your Trusted Sites or your local Intranet zone. 


Step 7 – Create the Hyper-V Guest Virtual Machines


Following a successful installation of Hyper-V and a reboot of the system, the next step is to create the five virtual machines that will host ISA Server 2006 and the four OCS 2007 R2 server roles.  Again, here is the suggested configuration for each of the five virtual machines:

  • ISA Server 2006 - 512MB RAM, one (1) virtual NIC, 16GB virtual hard disk
  • OCS 2007 R2 CWA - 512MB RAM, one (1) virtual NIC, 16GB virtual hard disk
  • OCS 2007 R2 Mediation - 512MB RAM, one (1) virtual NIC, 16GB virtual hard disk
  • OCS 2007 R2 Edge - 1024MB RAM, two (2) virtual NICs, 16GB virtual hard disk
  • OCS 2007 R2 Front End - 1024MB RAM, one (1) virtual NIC, 16GB virtual hard disk

A.  To create and set up a Virtual Machine in Hyper-V

  1. Log on to the Windows 2008 computer as the built-in Domain Administrator account (Contoso\Administrator).
  2. Click Start, point to Administrative Tools, and then click Hyper-V Manager.
  3. From the Action pane, click New, and then click Virtual Machine.
  4. From the New Virtual Machine Wizard, click Next.
  5. On the Specify Name and Location page, specify the name of the virtual machine and where you want to store it.
  6. On the Memory page, specify enough memory to run the guest operating system you want to use on the virtual machine.
  7. On the Networking page, connect the network adapter to an existing virtual network if you want to establish network connectivity at this point.

    Note:  If you want to use a remote image server to install an operating system on your test virtual machine, select the external network.

  8. On the Connect Virtual Hard Disk page, specify a name, location, and size to create a virtual hard disk so you can install an operating system on it.
  9. On the Installation Options page, choose the method you want to use to install the operating system:
    • Install an operating system from a boot CD/DVD-ROM. You can use either physical media or an image file (.iso file).
    • Install an operating system from a boot floppy disk.
    • Install an operating system from a network-based installation server. To use this option, you must configure the virtual machine with a legacy network adapter connected to an external virtual network. The external virtual network must have access to the same network as the image server.
  10. Click Finish.

For best performance, place the paging file from your Windows 2008 Hyper-V host machine on one physical hard disk (C:\) and the configuration and virtual hard disk files from each of your Hyper-V guest machines on another physical hard disk (D:\).  Distributing workload across at least two SATA hard disks on the Windows 2008 host machine is critical for adequate system performance.


Step 8 – Install Windows OS on each Hyper-V Guest Virtual Machine


After creating each virtual machine, you will need to install a guest operating system. While it may be desirable to install Windows Server 2008 as the operating system for each guest virtual machine, I would instead suggest using Windows Server 2003 SP2 as it generally performs better in a virtual environment with limited resources.


Please be sure to install the correct version of the Windows operating system on each virtual machine.  While ISA Server 2006 is a 32-bit application that may run on a 64-bit operating system, OCS 2007 R2 is a 64-bit application that requires a 64-bit operating system.  Given this, the suggested OS configuration and fully qualified domain name (FQDN) for each virtual machine is as follows:

  • ISA Server 2006 / Windows Server 2003 SP2 (x86) / ISA.contoso.com / 192.168.1.6
  • OCS 2007 R2 CWA / Windows Server 2003 SP2 (x64) / CWA-R2.contoso.com / 192.168.1.12
  • OCS 2007 R2 Mediation / Windows Server 2003 SP2 (x64) / Mediation-R2.contoso.com / 192.168.1.13
  • OCS 2007 R2 Edge / Windows Server 2003 SP2 (x64) / Edge-R2.contoso.com / 192.168.1.2 - 192.168.1.5
  • OCS 2007 R2 Front End / Windows Server 2003 SP2 (x64) / OCS-R2.contoso.com / 192.168.1.11

After installing an operating system, you will need to install Hyper-V Integration Services on each guest Virtual Machine to provide the best management experience.  From the Action menu of Virtual Machine Connection, click Insert Integration Services Setup Disk (you must close the New Hardware Wizard to start the installation).  The setup program should launch automatically, however it can be run manually if necessary.  Within the virtual machine, simply navigate to the CD drive using Windows Explorer and launch the appropriate version of Setup.exe (x86/x64) to begin the installation.


We will configure each of the guest virtual machines later in this guide.


Configuring Exchange 2007 SP1


In addition to running Active Directory Domain Services and other domain infrastructure roles, the Windows 2008 physical host machine will host the Mailbox, Client Access, Hub Transport, and Unified Messaging server roles from Exchange 2007 SP1.  The following steps will configure Exchange 2007 SP1 for both internal and external user access. 


Step 1 – Install Exchange 2007 SP1 on Windows 2008 Physical Host


Since we are installing the Unified Messaging role (which can be very processor intensive), we need to install Exchange 2007 on physical hardware, which in this case also happens to be our domain controller.  Although many people believe that installing Exchange 2007 on a Windows domain controller is unsupported, it is in fact supported; it is simply not generally recommended, due to known DSAccess failover limitations in outage conditions.


A.  To install Exchange 2007 SP1 on the Windows 2008 host computer

  1. Log in to the Windows 2008 computer using the built-in Domain Administrator account (Contoso\Administrator).
  2. Install the Prerequisites for supporting all Exchange 2007 server roles on Windows Server 2008.
  3. Insert the Exchange 2007 SP1 installation media and double-click Setup.exe.
  4. Select the option to Install Microsoft Exchange Server 2007 SP1.

  5. Click Next at the Introduction screen, then click Accept at the EULA screen.  Click Next.
  6. At the Error Reporting screen, choose either Yes or No then click Next.
  7. Choose the Custom installation option and select an appropriate installation path.  Click Next.

  8. Select the Mailbox role, the Client Access role, the Hub Transport role, and the Unified Messaging role.  Click Next.

  9. On the Exchange Organization screen, enter the name of your Organization (or accept the default value).
  10. On the Client Settings screen, choose No (unless you want to support Outlook 2003 clients).  Click Next.
  11. Unless you already have Exchange 2000/2003 in your lab, click Next on the Mail Flow settings screen.
  12. After completing all installation prerequisite checks successfully, click Install to begin the installation.
  13. Once all roles have been installed successfully, click Finish to complete the installation.

  14. Download and install the Latest Hotfix RollUp for Exchange 2007 SP1.
  15. Restart the computer.

Upon restarting the server, log in using the credentials for the built-in Domain Administrator account (i.e. Contoso\Administrator).  Again, launch the Event Viewer and take a cursory glance at both the Application Log and System Log.  Be sure to address any serious errors before proceeding.  Also open the Services applet and verify that all Exchange services that are configured to start automatically have, in fact, started successfully.


Step 2 – Configure the Hub Transport role


After installing the Hub Transport (HT) role on an Exchange 2007 server, you will find that two SMTP Receive Connectors are created automatically during the installation process – Client and Default.  Although the Default Receive Connector (used for server connections) can be configured to allow Anonymous connections from the Internet, by default it advertises the FQDN of the local machine in the SMTP protocol banner when a connecting server issues either the EHLO or HELO command, as shown below:

smtpbanner

Advertising the FQDN of the local machine in the SMTP protocol banner is generally considered to be an unnecessary security risk.  As such, many customers elect to change this value to reflect the same FQDN that is registered in their public MX record.  The Default Receive Connector is a special case, however, as it is used by other Exchange servers or server roles (like Unified Messaging) for submitting email or voice mail for delivery.  The FQDN advertised in the SMTP protocol banner of the Default Receive Connector should NOT be changed, as this value is used to look up the SMTPSvc ServicePrincipalName (SPN) value of the Hub Transport server during Kerberos authentication. 


Additionally, for servers to successfully authenticate using X-AnonymousTLS, the SMTP service on the Hub Transport server must be bound to at least one certificate that contains the FQDN of the local machine.  During the installation of the Hub Transport role, a self-signed certificate is generated containing the FQDN of the local machine.  It is important to remember that even if you purchase a PKI certificate from a publicly trusted PKI provider like DigiCert or VeriSign, unless you plan to include the FQDN of the local machine in your certificate request, you should NOT remove the self-signed certificate that is enabled for SMTP.


Our next task will be to configure SMTP connectors for sending and receiving email.

 

A.  To create a new Send Connector to be used for routing email to the Internet

  1. Log in to the Windows 2008 computer using the built-in Domain Administrator account (Contoso\Administrator)
  2. Open the Exchange Management Console, then perform the following steps: 
       a. Under Organization Configuration, select Hub Transport 
       b. In the result pane, select the Send Connectors tab
  3. In the action pane, click New Send Connector. The New SMTP Send Connector wizard starts.
  4. On the Introduction page, configure the name and type of connector:
       a. In the Name field, type Internet Send Connector
       b. In the Select the intended use for this connector field, choose Internet. Click Next
  5. On the Address Space screen, click Add to add a new address space configured as follows: 
    a. The SMTP address type should already be selected by default.
    b. In the Address field, enter a single asterisk (*), the wildcard address space that matches every remote domain
    c. Enable the option to Include all subdomains
    d. Enter a Cost value of 1.  Click OK then click Next.
  6. On the Network Settings screen, choose the following options:
    a. Select the option to Use DNS MX Records to route mail automatically.
    b. Enable the option to Use External DNS lookup settings on the transport server.  Click Next.
  7. On the Source Server screen, click Add and select a Hub Transport server. 
  8. Click OK then click Next.
  9. Click New to create the send connector 

 

B.  To modify the settings of the existing Default Receive Connector

  1. Open the Exchange Management Console, then perform the following steps: 
       a. Under Server Configuration, select Hub Transport 
       b. In the result pane, select the Hub Transport server
       c. Click the Receive Connectors tab.
  2. Open the properties of the existing Default {ComputerName} Receive Connector
  3. Under the General tab, verify that the value in Specify the FQDN this connector will provide in response to HELO and EHLO contains the FQDN of the local machine.
  4. Click on the Network tab
  5. Under Use these local IP addresses to receive mail, do the following:
       a. Remove the existing value of All IPv4 Addresses listening on Port 25.
       b. Click Add to specify the IPv4 address value 192.168.1.10 and Port 25 to receive email requests.
       c. Remove the existing value of All IPv6 Addresses listening on Port 25.
       d. Click Add to specify the IPv6 address value fe80::c0a8:010a and Port 25 to receive email requests.
  6. Under Receive mail from remote servers that have these IP addresses, do the following:
       a. Verify that the specified IPv4 address range value is 0.0.0.0 – 255.255.255.255.
       b. Verify that the specified IPv6 address range value is :: to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

       DefaultRecConn
  7. Click on the Authentication tab and verify that Exchange Server Authentication is enabled
  8. Click OK to complete the configuration of the Default Receive Connector

 

C.  To create a new SMTP Receive Connector for receiving Internet email

  1. Open the Exchange Management Console, then perform the following steps: 
       a. Under Server Configuration, select Hub Transport 
       b. In the result pane, select the Hub Transport server
       c. Click the Receive Connectors tab.
  2. In the action pane, click New Receive Connector. The New SMTP Receive Connector wizard starts.
  3. On the Introduction page, configure the name and type of connector:
       a. In the Name field, type Internet {ComputerName} (for example Internet EMAIL)
       b. In the Select the intended use for this connector field, choose Internet. Click Next
  4. On the Local Network settings page, select the existing entry All IP addresses listening on Port 25 and click Remove.
  5. Click Add to specify the binding settings for the new Receive Connector:
       a. In the Add Receive Connector Binding dialog box, select Specify an IP address.
       b. Enter the IPv4 address of your server, 192.168.1.10.  (Do not specify an IPv6 address here.)
       c. Enter Port 26 as the port on which to receive email, then click OK.
       InternetRecConn

  6. On the Local network settings page, in the Specify the FQDN this connector will provide in response to HELO or EHLO field, type the FQDN value of your public MX record (for example: mail.contoso.com).  Click Next.
  7. Click New to create the new Receive Connector.
  8. Open the properties of the new Receive Connector.
  9. Click on the Authentication tab.
       a. Disable the option for TLS Authentication
       b. Enable the option for Basic Authentication
  10. Click OK to complete the configuration of the new Receive Connector

Once you have completed the configuration steps for handling SMTP mail flow, restart the following services:

  • Microsoft Exchange Mail Submission
  • Microsoft Exchange Transport
  • Microsoft Exchange Transport Log Search
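The three connector procedures above, scripted in the Exchange Management Shell as an added example (this is not code from the original post). It assumes the lab values used on this page: Hub Transport server EMAIL at 192.168.1.10 with the link-local IPv6 address fe80::c0a8:010a, and mail.contoso.com as the public MX name. It adds two checks the console steps do not show: that the Default connector still advertises the machine FQDN, and that a certificate enabled for SMTP actually contains that name, since both the Kerberos SPN lookup and X-AnonymousTLS depend on them. One caveat: as configured on this page, the Internet connector offers Basic authentication without TLS, so any credentials presented to it would cross the wire in cleartext; inbound Internet mail is accepted anonymously and needs neither, and the commented alternative keeps TLS instead.

```powershell
# Added example (not from the original post): EMS equivalent of Step 2 A-C.
# Assumed lab values: Hub Transport server EMAIL, IPv4 192.168.1.10,
# IPv6 fe80::c0a8:010a, public MX name mail.contoso.com.
$server    = "EMAIL"
$ipv4      = "192.168.1.10"
$ipv6      = "fe80::c0a8:010a"
$mxName    = "mail.contoso.com"
$localFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# A. Internet Send Connector: "*" address space at cost 1 (subdomains implied),
#    routed by MX lookup using the transport server's external DNS settings.
New-SendConnector -Name "Internet Send Connector" -Usage Internet `
    -AddressSpaces "SMTP:*;1" -DNSRoutingEnabled $true `
    -UseExternalDNSServersEnabled $true -SourceTransportServers $server

# B. Default Receive Connector: bind only to the server's own addresses and
#    leave the FQDN alone; it must stay equal to the machine name.
Set-ReceiveConnector -Identity "$server\Default $server" `
    -Bindings "$($ipv4):25", "[$ipv6]:25" `
    -RemoteIPRanges "0.0.0.0-255.255.255.255", "::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"

# C. Internet Receive Connector on port 26 (the reverse proxy publishes it as
#    25), advertising the MX name rather than the machine name.
New-ReceiveConnector -Name "Internet $server" -Usage Internet -Server $server `
    -Bindings "$($ipv4):26" -Fqdn $mxName
# Same setting as this page: Basic auth, TLS off. Inbound Internet mail is
# anonymous, so "-AuthMechanism Tls" (or BasicAuthRequireTLS if authenticated
# submission is really wanted) is the safer choice outside a lab.
Set-ReceiveConnector -Identity "$server\Internet $server" `
    -AuthMechanism BasicAuth -PermissionGroups AnonymousUsers

# Check 1: the Default connector must still present the machine FQDN.
$default = Get-ReceiveConnector -Identity "$server\Default $server"
if ($default.Fqdn.ToString().ToLower() -ne $localFqdn.ToLower()) {
    Write-Warning "Default connector FQDN '$($default.Fqdn)' differs from machine FQDN '$localFqdn'"
}

# Check 2: a certificate enabled for SMTP must contain the machine FQDN,
# otherwise Exchange Server authentication between roles fails.
$smtpCerts = Get-ExchangeCertificate | Where-Object { $_.Services.ToString() -match "SMTP" }
$covered = $smtpCerts | Where-Object {
    @($_.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }) -contains $localFqdn.ToLower()
}
if (-not $covered) {
    Write-Warning "No SMTP-enabled certificate contains '$localFqdn'; keep the self-signed certificate"
}

# Restart the transport services, as the page does after the connector changes.
Restart-Service MSExchangeMailSubmission, MSExchangeTransport, MSExchangeTransportLogSearch -Force
```

Run it once in the Exchange Management Shell on the Hub Transport server; the two warnings are the conditions that break server-to-server submission (including voice mail from the UM role), so they are worth re-running after any later certificate change.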

 

Step 3 – Configure the Client Access Server role


Our next few configuration steps will be to configure the Client Access Server (CAS) role.  First, we will enable RPC over HTTP so that we can use the Outlook Anywhere feature from the Internet.  We will also configure each of the internal and external virtual directory URL settings for Exchange Web Services, including Exchange ActiveSync.  To do all of this, we will use the Exchange Management Shell.

 

A.  To install the RPC over HTTP Proxy Windows feature in Windows Server 2008


  1. Log on to the Windows 2008 computer as the built-in Domain Administrator account (Contoso\Administrator)
  2. Click Start, and then click Control Panel.
  3. Double-click Programs and Features.
  4. Click Turn Windows features on or off. Server Manager opens.
  5. In the left pane of Server Manager, click Features.
  6. In the right pane, click Add Features.
  7. In the Add Features Wizard, click to select the RPC over HTTP Proxy check box.
  8. If the Add role services required for HTTP Proxy dialog box appears, click Add Required Role Services.
  9. Click Next.
  10. Read the information on the Web Server (IIS) page, and then click Next.
  11. On the Select Role Services page, click Next.
  12. On the Confirm Installation Selections page, click Install.
  13. When the features are installed, click Close.

B.  To enable Outlook Anywhere access from the Internet


  1. Log on to the Windows 2008 computer as the built-in Domain Administrator account (Contoso\Administrator).
  2. Click Start , then All Programs, then expand Microsoft Exchange Server 2007.
  3. Launch the Exchange Management Shell, then enter the following command:

enable-OutlookAnywhere -ExternalHostname "mail.contoso.com" -DefaultAuthenticationMethod "Basic" -SSLOffloading:$False


C.  To modify the virtual directory settings for Exchange Web Services


  1. Log on to the Windows 2008 computer as the built-in Domain Administrator account (Contoso\Administrator).
  2. Click Start , then All Programs, then expand Microsoft Exchange Server 2007.
  3. Launch the Exchange Management Shell, then enter each of the following commands:

get-ClientAccessServer -Identity {ComputerName} | set-ClientAccessServer -AutoDiscoverServiceInternalURI "https://mail.contoso.com/Autodiscover/Autodiscover.xml"

get-WebServicesVirtualDirectory -Server {ComputerName} | set-WebServicesVirtualDirectory -InternalURL "https://mail.contoso.com/EWS/Exchange.asmx" -ExternalURL "https://mail.contoso.com/EWS/Exchange.asmx" -BasicAuthentication:$true -WindowsAuthentication:$true -DigestAuthentication:$false

get-AutodiscoverVirtualDirectory -Server {ComputerName} | set-AutodiscoverVirtualDirectory -InternalURL "https://mail.contoso.com/Autodiscover/Autodiscover.xml" -ExternalURL "https://mail.contoso.com/Autodiscover/Autodiscover.xml" -BasicAuthentication:$true -WindowsAuthentication:$true -DigestAuthentication:$false

get-OWAVirtualDirectory -Server {ComputerName} | set-OWAVirtualDirectory -InternalURL "https://mail.contoso.com/owa" -ExternalURL "https://mail.contoso.com/owa" -BasicAuthentication:$true -WindowsAuthentication:$true -DigestAuthentication:$false -FormsAuthentication:$false

get-OABVirtualDirectory -Server {ComputerName} | set-OABVirtualDirectory -InternalURL "https://mail.contoso.com/OAB" -ExternalURL "https://mail.contoso.com/OAB" -WindowsAuthentication:$true -BasicAuthentication:$false -DigestAuthentication:$false -RequireSSL:$true

get-UMVirtualDirectory -Server {ComputerName} | set-UMVirtualDirectory -InternalURL "https://mail.contoso.com/UnifiedMessaging/Service.asmx" -ExternalURL "https://mail.contoso.com/UnifiedMessaging/Service.asmx" -BasicAuthentication:$true -WindowsAuthentication:$true -DigestAuthentication:$false

set-ActiveSyncVirtualDirectory -Identity "{ComputerName}\Microsoft-Server-ActiveSync (Default Web Site)" -InternalURL "https://mail.contoso.com/Microsoft-Server-ActiveSync" -ExternalURL "https://mail.contoso.com/Microsoft-Server-ActiveSync"


D.  To enable SSL on the Exchange ActiveSync virtual directory in IIS


  1. Log on to the Windows 2008 computer as the built-in Domain Administrator account (Contoso\Administrator).
  2. Click Start, point to Administrative Tools, and then select Internet Information Services (IIS) Manager.
  3. Within the Internet Information Services (IIS) Manager, expand the Server, then expand Sites.
  4. Expand the Default Web Site, then select the Microsoft-Server-ActiveSync virtual directory.
  5. From the Features View in the center window, double-click on SSL Settings.
  6. Enable the options for both Require SSL and Require 128-bit SSL
  7. From the Actions menu on the right, click Apply.
  8. Close the Internet Information Services (IIS) Manager console.

 

Step 4 – Configure the Unified Messaging role


Next, we will need to create the various configuration objects used by the Unified Messaging (UM) role, which is very likely the most complex role to set up.  The core configuration object for Unified Messaging is the Dial Plan, which defines the expected digit pattern for user extensions.  Since we will be integrating Unified Messaging with OCS 2007 R2, we will create a SIP URI Dial Plan whose users have 4 digits in their extensions.

Whenever I build a Unified Communications lab, I always configure it with the expectation that some day I may want to provide external telephone connectivity to the lab users.  Since these objects will eventually be Enterprise Voice enabled within OCS 2007 R2, each configuration object will be configured with a telephone number that is correctly formatted as an E.164 dial string.  With that in mind, I will use the following configuration details for each Enterprise Voice/UM enabled object in this lab:

 

  Name               SIP URI             UM Enabled Extension   Telephone Number   Tel URI
  Subscriber Access  OCSSA@contoso.com   N/A                    +19807760000       +19807760000
  Auto Attendant     OCSAA@contoso.com   N/A                    +19807769999       +19807769999
  User A             UserA@contoso.com   0001                   0001               +19807760001
  User B             UserB@contoso.com   0002                   0002               +19807760002

 

A.  To create and configure a UM Dial Plan


  1. Open the Exchange Management Console, then perform the following steps: 
       a. Under Organization Configuration, select Unified Messaging
       b. In the result pane, select the UM Dial Plans tab
       c. From the actions pane, click New UM Dial Plan.
  2. Complete the information necessary to create a SIP enabled UM Dial Plan, which is required by OCS 2007 R2:

    Name of Dial Plan : OCSDialPlan
    Digits in Extension : 4
    URI Type : SIP URI
    VoIP Security : Secured
  3. Click New to create the UM Dial Plan.

    NewUMDialPlan
  4. Within the Exchange Management Console, right click on the new UM Dial Plan and select Properties from the context menu.
  5. Click on the Subscriber Access tab. Settings in this area of Dial Plan configuration control the behavior of Outlook Voice Access.
  6. Add the Subscriber Access number +19807760000 to the UM Dial Plan.  This is typically the number that external users dial to reach voice mail by phone.
  7. Next, click on the Features tab, locate the option ‘Callers can contact’ and choose ‘Anyone in the Default Global Address List’. This allows UM enabled users to transfer or place calls to any internal 4 digit telephone number that appears within the Global Address List.
  8. Next, click on the Dial Rule Groups tab.  Under the In Country/Region Rule Groups section of the dialog box, click Add.

    In the Dialing Rule Entry dialog box, enter the following information:
    Name:  All
    Number Mask:  *
    Dialed Number:  *
    Comment:  <optional comment>

    DialingRuleEntry
  9. Click OK, then under the International Rule Group section, click Add to create another Dialing Rule.
  10. Complete the configuration of another Dialing Rule Entry with the same options as shown above.  Click OK, then click Apply. 
  11. Next, click on the Dialing Restrictions tab, then complete the following configuration:

    Allow calls to users in the same Dial Plan:  Enabled
    Allow calls to extensions:  Enabled
    Select In Country/Region Rule Groups from Dial Plan:  Click Add then choose the ‘All’ Rule
    Select International Rule Groups from Dial Plan:  Click Add then choose the ‘All’ Rule
  12. Click OK to complete the configuration of the UM Dial Plan.

 

B.  To link the Exchange 2007 server to the UM Dial Plan


  1. Open the Exchange Management Console, then perform the following steps: 
       a. Under Server Configuration, select Unified Messaging
       b. In the result pane, select the Exchange 2007 server  
       c. From the actions pane, click Properties.
  2. In the Properties of the Exchange 2007 server, click on the UM Settings tab.
  3. Click Add and select the OCSDialPlan.

    UMServerProperties
  4. Click OK to link the new OCSDialPlan to the Exchange 2007 server.

 

C.  To configure the UM Mailbox Policy for the OCSDialPlan


  1. Open the Exchange Management Console, then perform the following steps: 
       a. Under Organization Configuration, select Unified Messaging
       b. In the result pane, select the UM Mailbox Policies tab
       c. Select the OCSDialPlan, then from the actions pane, click Properties.
  2. To relax security restrictions, click on the PIN Settings tab within the properties of the UM Mailbox Policy, then configure the following options:

    Minimum PIN Length : 4
    PIN Lifetime (days) : Enabled/60
    Previous PINs disallowed : 1
    Allow common patterns : Enabled
    Missed PINs before reset : 5
    Missed PINs before lockout : 15

    UMMailboxPolicy
  3. Next, click on the Dialing Restrictions tab, then complete the following configuration:

    Allow calls to users in the same Dial Plan:  Enabled
    Allow calls to extensions:  Enabled
    Select In Country/Region Rule Groups from Dial Plan:  Click Add then choose the ‘All’ Rule
    Select International Rule Groups from Dial Plan:  Click Add then choose the ‘All’ Rule
  4. Click Apply then OK to complete the configuration of the UM Mailbox Policy.

 

D.  To create and configure a UM Auto Attendant for the OCSDialPlan


  1. Open the Exchange Management Console, then perform the following steps: 
       a. Under Organization Configuration, select Unified Messaging
       b. In the result pane, select the UM Auto Attendants tab 
       c. From the actions pane, click New UM Auto Attendant.
  2. Complete the information necessary to create a UM Auto Attendant for the OCSDialPlan:

    Name of Auto Attendant : OCSAA  (no spaces!)
    Associated Dial Plan : OCSDialPlan
    Extension Numbers : +19807769999
    Create as Enabled : Enabled
    Create as Speech Enabled : Enabled
  3. Click New to create the UM Auto Attendant.

    UMAutoAttendant
  4. Within the Exchange Management Console, right click on the new UM Auto Attendant and select Properties from the context menu.
  5. Click on the Features tab, locate the option ‘Callers can contact’ and choose ‘Anyone in the Default Global Address List’. This allows UM enabled users to transfer or place calls to any internal 4 digit telephone number that appears within the Global Address List.
  6. Next, click on the Dialing Restrictions tab, then complete the following configuration:

    Allow calls to users in the same Dial Plan:  Enabled
    Allow calls to extensions:  Enabled
    Select In Country/Region Rule Groups from Dial Plan:  Click Add then choose the ‘All’ Rule
    Select International Rule Groups from Dial Plan:  Click Add then choose the ‘All’ Rule
  7. Click Apply then OK to complete the configuration of the UM Auto Attendant.
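The four Unified Messaging procedures above (dial plan, server link, mailbox policy, auto attendant), scripted in the Exchange Management Shell as an added example that is not part of the original post. It uses the names and numbers from this page and assumes the UM role runs on a server named EMAIL and that New-UMDialPlan created the mailbox policy for the dial plan (its default behaviour). The PIN values are the page's deliberately relaxed lab settings; a production-strength set for the same policy is shown beside them but not applied. Two caveats a practitioner should keep in mind: the "All" dialing rule (number mask *, dialed number *) combined with allowing that rule for in-country and international calls removes every outbound dialing restriction, which is acceptable in a closed lab but an open door to toll fraud once real PSTN connectivity is attached; and a 4-digit PIN that may contain common patterns, with 15 attempts before lockout, is far weaker than the defaults.

```powershell
# Added example (not from the original post): EMS equivalent of Step 4 A-D.
# Assumed: UM server named EMAIL; values otherwise as listed on this page.
$dialPlan = "OCSDialPlan"
$umServer = "EMAIL"
# Dialing rule entry format: name,number mask,dialed number,comment
$allRule  = "All,*,*,AnyNumber"

# A. SIP URI dial plan: 4-digit extensions, secured signalling and media,
#    E.164 Subscriber Access number, GAL-wide contact scope.
New-UMDialPlan -Name $dialPlan -NumberOfDigitsInExtension 4 `
    -URIType SipName -VoIPSecurity Secured -AccessTelephoneNumbers "+19807760000"
Set-UMDialPlan -Identity $dialPlan -ContactScope GlobalAddressList `
    -ConfiguredInCountryOrRegionGroups $allRule -ConfiguredInternationalGroups $allRule `
    -AllowDialPlanSubscribers $true -AllowExtensions $true `
    -AllowedInCountryOrRegionGroups "All" -AllowedInternationalGroups "All"

# B. Link the UM server to the dial plan without dropping existing links.
$existing = @((Get-UMServer -Identity $umServer).DialPlans | ForEach-Object { $_.Name })
Set-UMServer -Identity $umServer -DialPlans ($existing + $dialPlan)

# C. The mailbox policy generated with the dial plan. Lab values from the page.
$policy = Get-UMMailboxPolicy | Where-Object { $_.UMDialPlan.Name -eq $dialPlan }
Set-UMMailboxPolicy -Identity $policy.Identity `
    -MinPINLength 4 -PINLifetime 60 -PINHistoryCount 1 -AllowCommonPatterns $true `
    -LogonFailuresBeforePINReset 5 -MaxLogonAttempts 15 `
    -AllowDialPlanSubscribers $true -AllowExtensions $true `
    -AllowedInCountryOrRegionGroups "All" -AllowedInternationalGroups "All"
# Production-strength alternative for the same policy (not applied here):
# Set-UMMailboxPolicy -Identity $policy.Identity -MinPINLength 6 -PINLifetime 60 `
#     -PINHistoryCount 5 -AllowCommonPatterns $false `
#     -LogonFailuresBeforePINReset 3 -MaxLogonAttempts 10

# D. Speech-enabled auto attendant on its own E.164 pilot number.
New-UMAutoAttendant -Name "OCSAA" -UMDialPlan $dialPlan `
    -PilotIdentifierList "+19807769999" -Status Enabled -SpeechEnabled $true
Set-UMAutoAttendant -Identity "OCSAA" -ContactScope GlobalAddressList `
    -AllowDialPlanSubscribers $true -AllowExtensions $true `
    -AllowedInCountryOrRegionGroups "All" -AllowedInternationalGroups "All"

# Read back the security-relevant settings so they can be reviewed in one place.
Get-UMDialPlan -Identity $dialPlan |
    Format-List Name, URIType, VoIPSecurity, AccessTelephoneNumbers,
                AllowedInCountryOrRegionGroups, AllowedInternationalGroups
Get-UMMailboxPolicy -Identity $policy.Identity |
    Format-List Name, MinPINLength, PINLifetime, PINHistoryCount,
                AllowCommonPatterns, LogonFailuresBeforePINReset, MaxLogonAttempts
```

When the lab later gains real PSTN access, replace the "All" rule with masks that cover only the numbers users are expected to dial and drop the international group entirely unless it is needed.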


Although there are a few more steps required to finalize the configuration of the Unified Messaging role, we first need to install and configure Office Communications Server 2007 R2.  As such, we will complete the configuration of Unified Messaging later in this documentation.

 

Step 5 – Request a TLS Certificate for Exchange services


Next, we will need to request a certificate from our Enterprise CA.  Since there are a number of services hosted  by the Windows 2008 host computer, we will need to request a certificate that contains Subject Alternative Name (SAN) values – one entry for each host name.  To do this, we will use the Exchange Management Shell.

 

A.  To create and assign a TLS certificate for Exchange services

  1. Log on to the Windows 2008 computer using the built-in domain Administrator account (Contoso\Administrator)
  2. Click Start, then All Programs, then Microsoft Exchange Server 2007, then open the Exchange Management Shell.
  3. Assuming that the fully qualified domain name (FQDN) of the Windows 2008 host computer is email.contoso.com, enter the following command within the Exchange Management Shell to generate a new certificate request:

    new-ExchangeCertificate -GenerateRequest -Path C:\ExchTLSCert.req -KeySize 1024 -SubjectName "cn=email.contoso.com" -DomainName email.contoso.com, mail.contoso.com, autodiscover.contoso.com, email -PrivateKeyExportable $true
  4. Next, within Internet Explorer, type the URL ‘https://email/certsrv’ on the address line and press Enter to connect to the Certificate Authority.
  5. Click Request a Certificate, then choose Advanced Certificate Request.
  6. Click Submit a certificate request by using a base-64 encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
  7. Using Windows Explorer, open the file ExchTLSCert.req using Notepad. Highlight and copy the data from ExchTLSCert.req.
  8. Within Internet Explorer, paste the data from ExchTLSCert.req into the Saved Request \ ‘Base-64-encoded certificate request (CMC or PKCS #10 or PKCS #7)’ field. Additionally, choose ‘Web Server’ from the drop-down list of available Certificate Templates. Click Submit.

    CertRequest 
  9. Upon being issued the certificate from the Certificate Authority, choose ‘DER encoded’ from the available encoding options, and choose ‘Download Certificate’. Save the certificate as ‘C:\ExchTLSCert.cer’.

    certDERencoded 
  10. After downloading the new certificate, open the Exchange Management Shell again and enter the following command to import the certificate and assign it to the SMTP, IIS, POP, IMAP and UM services:

    import-ExchangeCertificate -Path C:\ExchTLSCert.cer | enable-ExchangeCertificate -Services SMTP,IIS,POP,IMAP,UM

    Note:  If you are prompted to replace the current certificate assigned to any of the Exchange roles, choose [A] All to replace the current certificate for all roles.
  11. After assigning the certificate, enter the following command to dump a list of Exchange certificates, and verify that your new certificate is correctly assigned to all five Exchange services.

    Get-ExchangeCertificate | fl thumbprint,rootCAType,services,notbefore

    Thumbprint : 844D0CC6857F16E9FF7BC424895C97761390E6F2
    RootCAType : Enterprise
    Services : IMAP, POP, UM, IIS, SMTP
    NotBefore : 5/11/2009 8:35:58 PM

  12. Restart all Exchange services by entering the following command in the Exchange Management Shell:

    get-Service *exchange* | restart-service -Force
  13. Finally, verify that all Exchange services were restarted successfully by entering the following command in the Exchange Management Shell:

    test-servicehealth

After completing these steps, you should be able to browse https://mail.contoso.com/owa from a web browser and connect successfully to Outlook Web Access.  Since this FQDN appears in the list of Subject Alternative Name (SAN) values assigned to the Exchange certificate, you should not be prompted with a certificate name mismatch warning, although you may have to enter your credentials to access the web site.
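A check that ties Step 3 and Step 5 together, added here as an example (not code from the original post): it collects every host name used in the Client Access virtual directory URLs, the Autodiscover internal URI and the Outlook Anywhere external host name, and confirms each appears in the CertificateDomains of the certificate enabled for IIS. A host missing from that list is exactly what produces the certificate name mismatch warning mentioned above. It also flags a non-HTTPS URL, an expiring certificate, a certificate not issued by the enterprise CA, and a key shorter than 2048 bits; the 1024-bit key requested on this page was common in 2009 but is no longer accepted by public CAs or considered adequate, so the warning is deliberate. It assumes it is run in the Exchange Management Shell on the CAS itself.

```powershell
# Added example (not from the original post): verify that the IIS certificate
# covers every host name the CAS virtual directories advertise. Assumes it runs
# on the Client Access server in the Exchange Management Shell.
$server = $env:COMPUTERNAME

# Gather the virtual directories whose URLs were set in Step 3. Using += keeps
# the list flat even when a cmdlet returns several objects (OWA does).
$vdirs = @()
$vdirs += Get-WebServicesVirtualDirectory -Server $server
$vdirs += Get-AutodiscoverVirtualDirectory -Server $server
$vdirs += Get-OwaVirtualDirectory -Server $server
$vdirs += Get-OabVirtualDirectory -Server $server
$vdirs += Get-UMVirtualDirectory -Server $server
$vdirs += Get-ActiveSyncVirtualDirectory -Server $server

# Every host name a client will see in a URL, plus the two non-vdir names.
$hosts = @()
foreach ($vd in $vdirs) {
    foreach ($url in @($vd.InternalUrl, $vd.ExternalUrl)) {
        if ($url -ne $null) {
            if ($url.Scheme -ne "https") { Write-Warning "$($vd.Identity): $url is not https" }
            $hosts += $url.Host.ToLower()
        }
    }
}
$hosts += (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri.Host.ToLower()
$hosts += (Get-OutlookAnywhere -Server $server).ExternalHostname.ToString().ToLower()
$hosts = @($hosts | Sort-Object -Unique)

# The certificate IIS actually presents (the one with IIS in Services).
$iisCert = Get-ExchangeCertificate |
    Where-Object { $_.Services.ToString() -match "IIS" } | Select-Object -First 1
if ($iisCert -eq $null) { throw "No certificate is enabled for IIS" }
$sans = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

foreach ($h in $hosts) {
    if ($sans -notcontains $h) {
        Write-Warning "'$h' is used by a virtual directory but is not a name on certificate $($iisCert.Thumbprint)"
    }
}

# Lifetime, issuer type and key strength of that certificate.
if ($iisCert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "IIS certificate expires on $($iisCert.NotAfter)"
}
if ($iisCert.RootCAType.ToString() -ne "Enterprise") {
    Write-Warning "IIS certificate root type is $($iisCert.RootCAType), not the enterprise CA"
}
$keyBits = $iisCert.PublicKey.Key.KeySize
if ($keyBits -lt 2048) {
    Write-Warning "IIS certificate key is $keyBits bits; request 2048 or larger outside a lab"
}
"Checked $($hosts.Count) host names against $($sans.Count) certificate names on $($iisCert.Thumbprint)"
```

Re-run it after any Set-*VirtualDirectory or Enable-ExchangeCertificate change; the host list is built from live configuration, so it does not need editing when URLs move.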

 

 

Requesting a UC Certificate


Our next step will be to request a Unified Communications Certificate from a publicly trusted Certification Authority.  It is recommended to use a certificate from a publicly trusted CA if you plan to allow external connectivity for your lab; however, this is only technically required if you plan to enable Public IM Connectivity (PIC).  Although there are a number of publicly trusted CAs that can provide a UC Certificate (e.g. VeriSign, DigiCert, GoDaddy, Thawte), I chose DigiCert to issue the UC Certificate for my lab.

Before selecting a Certification Authority to issue a UC Certificate, you should consider the following questions:

  • How much does it cost to request a new UC Certificate?
  • If I make a mistake, can the certificate be reissued?
  • How many times can the certificate be reissued?
  • Is there any cost involved with reissuing the certificate?

The reason I chose DigiCert is because they offer a very nice web interface for creating a UC Certificate for Exchange 2007, and they allow unlimited corrections/modifications during the lifetime of the certificate.  As such, the following step-by-step instructions will describe how to request a UC Certificate from DigiCert. 

Please note that while Exchange Server 2007 supports the use of Wildcard Certificates, Office Communications Server 2007 R2 supports either Single Name certificates or Unified Communications/SAN Certificates – not wildcard certificates!  And even though you may choose to use an alternate provider, the DigiCert CSR Command Wizard can still be used to generate the certificate request (unless you’re a PowerShell ace and don’t need the help of a pretty interface).

 

Step 1 – Request a UC Certificate from a publicly trusted CA


 A.  To request a UC Certificate from a publicly trusted Certification Authority

  1. Log in to the Windows 2008 physical host computer using the built-in Domain Administrator account (Contoso\Administrator).
  2. Launch your web browser and navigate to https://www.digicert.com/easy-csr/exchange2007.htm.
  3. Complete the SSL CSR Command Wizard using the following certificate details:

    Common Name: sip.contoso.com
    Subject Alternative Names: sip.contoso.com
    mail.contoso.com
    autodiscover.contoso.com
    cwa.contoso.com
    as.cwa.contoso.com
    download.cwa.contoso.com
    Organization: <Legal Name of registered owner of the domain>
    Department: <blank>
    City: <Your City>
    State: <Your State>
    Country: <Your Country>
    Key Size: 1024

    CreateUCCert

  4. Click Generate to create the command that will be used to generate the request from your Exchange 2007 server.

    New-ExchangeCertificate -GenerateRequest -Path c:\sip_contoso_com.csr -KeySize 1024 -SubjectName "c=US, s=South Carolina, l=MyCity, o=David Howe, cn=sip.contoso.com" -DomainName sip.contoso.com, mail.contoso.com, autodiscover.contoso.com, cwa.contoso.com, as.cwa.contoso.com, download.cwa.contoso.com -PrivateKeyExportable $True
  5. Next click Start, then All Programs, then Microsoft Exchange Server 2007, then open the Exchange Management Shell.
  6. Copy the command generated by the SSL CSR Command Wizard, and paste it into the Exchange Management Shell:   
     CreateUCCert1
  7. After creating the certificate request, open your web browser and navigate to the web site of your chosen publicly trusted Certification Authority.  Choose the option to purchase a new Unified Communications (UC) or SAN Certificate. 
    CreateUCCert3
  8. Choose Unified Communications/SAN certificate, the lifetime (expiry) of the certificate, and your payment preference. 
    CreateUCCert4
  9. Next, complete the registration process for creating a new account with the provider. 
    CreateUCCert5
  10. Next, enter the company on behalf of whom you are requesting this certificate, or choose the default value (the name used to register the new account with the provider).  
    CreateUCCert6
  11. Next, click Start, then All Programs, then Accessories, then launch Notepad.  Open the certificate request file C:\sip_contoso_com.csr, and then highlight and copy the Base-64-encoded content. 
    CreateUCCert2
  12. Next, paste the Base-64-encoded data into the Certificate Signing Request field from your provider’s web page, and choose Microsoft Exchange Server as the server software. 
    CreateUCCert7
  13. From the information provided in the Base-64-encoded data from your certificate request, verify that the Organization information for the certificate is correct (highlighted in yellow below).  This value should be the legal name of the company or individual who appears as the registered owner of the domain in the WHOIS database.

    Note:  The CA provider will verify this information before issuing the certificate. 

    CreateUCCert8
  14. Next, verify your contact information, which will be used to contact you to verify your order and to request proof of ID. 
    CreateUCCert9
  15. Finally, verify your payment information and submit your order. 
    CreateUCCert10
  16. Upon verifying your legal identification as the owner of the registered domain, your certificate (as well as the certificate of the issuing CA) will be issued and emailed to you. 
    CreateUCCert11 

 

Step 2 – Import the issued UC Certificate into the certificate store of the Exchange server


Now that we have received our issued UC Certificate, our next step is to import it into the certificate store of our Windows 2008 physical host computer (Exchange server).  It is important to note that this certificate will not be used on this computer; rather, our UC Certificate will be assigned to both our ISA 2006 server and to each of the external interfaces of our OCS 2007 R2 Edge server.  Since the certificate was requested from this computer, however, it must first be imported on this computer before it can be used elsewhere.


A.  To import a UC Certificate from a publicly trusted Certification Authority

  1. Log in to the Windows 2008 physical host computer using the built-in Domain Administrator account (Contoso\Administrator).
  2. Extract the certificate package (zip file) as provided by your Certification Authority to C:\Certificates.
  3. Next click Start, then All Programs, then Microsoft Exchange Server 2007, then open the Exchange Management Shell.
  4. Within the Exchange Management Shell, type cd C:\Certificates and then press Enter.
  5. Again within the Exchange Management Shell, type import-exchangecertificate –path c:\certificates\sip_contoso_com.cer to import the certificate into the local computer’s certificate store. Note the thumbprint value of the certificate. 

    CreateUCCert12  
  6. To verify that the certificate was properly imported, type get-exchangecertificate –thumbprint F92984F6873C7726683BBC7E80F8BA090CA25E61 | fl within the Exchange Management Shell.  Note that there are no services assigned to this certificate (expected).  

     CreateUCCert13
     

Step 3 – Export the issued UC Certificate with Private Key


Now that our UC Certificate has been properly imported into the certificate store of the requesting computer, it can be exported to be used on other servers.  For the purposes of our lab, internal resources like our Exchange server and OCS Pool will be secured using internally issued certificates while external resources like OCS Edge services and web sites published by ISA server will be secured using our external issued certificate. 


A.  To export a certificate with Private Key from local certificate store

  1. Log in to the Windows 2008 physical host computer using the built-in Domain Administrator account (Contoso\Administrator).
  2. Click Start, then Run.  Type mmc.exe and press Enter to launch the Microsoft Management Console.
  3. From within the Management Console, click File, then Add/Remove Snap-in…
  4. Within the Add/Remove Snap-in dialog box, click Add.
  5. Select the Certificates snap-in, then click Add.
  6. When prompted to choose the account for which to manage certificates, choose the Computer account.  Click Next.
  7. When prompted to choose which computer to manage, choose Local Computer, then click Finish.
  8. Close the Standalone Snap-in dialog box, then close the Add/Remove Snap-in dialog box.
  9. Expand Certificates (Local Computer), then expand the Personal certificate store.
  10. Click on Certificates, then locate and select the UC Certificate that was issued by your public Certification Authority.  
    CreateUCCert14
  11. From the menu bar click Action, then All Tasks, then select Export.
  12. At the Welcome to the Certificate Export Wizard screen, click Next.
  13. At the Export with Private Key screen, choose Yes, export the private key.  Click Next.
  14. At the Export Format settings, choose Personal Information Exchange – PKCS #12 (.PFX).  Be sure to also select the option Include all certificates in the certification path if possible, then click Next.  
    CreateUCCert15
  15. Enter a Password for the export file, then click Next.
  16. Enter an Export Filename (i.e., c:\Certificates\sip_contoso_com_exported.pfx) and click Next.
  17. Click Finish to complete the certificate export.

 

Step 4 – Export a copy of the certificate from the internal Certification Authority


Since neither the ISA 2006 server nor the OCS 2007 R2 Edge server will be joined to the Contoso domain, neither server will trust certificates issued by our internal Certification Authority.  As such, we will need to export a copy of the certificate of our internal Certification Authority so that it can be imported on both the ISA 2006 server and the OCS 2007 R2 Edge server.   


A.  To export a copy of the certificate from the internal Certification Authority

  1. Log in to the Windows 2008 physical host computer using the built-in Domain Administrator account (Contoso\Administrator).
  2. Click Start, then Run.  Type mmc.exe and press Enter to launch the Microsoft Management Console.
  3. From within the Management Console, click File, then Add/Remove Snap-in…
  4. Within the Add/Remove Snap-in dialog box, click Add.
  5. Select the Certificates snap-in, then click Add.
  6. When prompted to choose which account to manage certificates for, choose the Computer account.  Click Next.
  7. When prompted to choose which computer to manage, choose Local Computer, then click Finish.
  8. Close the Standalone Snap-in dialog box, then close the Add/Remove Snap-in dialog box.
  9. Expand Certificates (Local Computer), then expand the Trusted Root Certification Authorities certificate store.
  10. Click on Certificates, then locate and select the certificate that was issued to your Enterprise CA (ContosoCA)
  11. From the menu bar click Action, then All Tasks, then select Export.
  12. At the Welcome to the Certificate Export Wizard screen, click Next.
  13. At the Export Format settings, choose DER encoded binary X.509 (.CER) then click Next. 
  14. Enter an export filename (e.g., c:\Certificates\ContosoCA.cer) and click Next.
  15. Click Finish to complete the certificate export.
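Both exports in Step 3 and Step 4 can also be scripted and verified. The following PowerShell is an added example, not from the original post: it exports the UC certificate with its private key and issuing chain as a PKCS #12 file and the ContosoCA certificate as a DER .cer, then reloads both files to confirm they are usable. It uses only the .NET X509 classes present on Windows Server 2008; the thumbprint, CA name and output paths are the ones used in the post, and it assumes the UC certificate's key was marked exportable when it was imported.

```powershell
# Added example, not part of the original post. Exports the UC certificate (PKCS #12 with
# private key and chain) and the internal CA certificate (DER) from the LocalMachine stores,
# then reloads both files to verify the export. Values below are taken from the post.
$ucThumbprint = 'F92984F6873C7726683BBC7E80F8BA090CA25E61'   # UC certificate thumbprint from the post
$caCommonName = 'ContosoCA'                                   # internal Enterprise CA name from the post
$pfxPath      = 'C:\Certificates\sip_contoso_com_exported.pfx'
$cerPath      = 'C:\Certificates\ContosoCA.cer'
$pfxPassword  = Read-Host 'Password for the PFX file'        # collection Export() only accepts a plain string
$ns           = 'System.Security.Cryptography.X509Certificates'

function Get-StoreCertificate([string]$StoreName, [scriptblock]$Match) {
    # Opens a LocalMachine store read-only and returns the first certificate matching $Match (or $null)
    $store = New-Object -TypeName "$ns.X509Store" -ArgumentList $StoreName, 'LocalMachine'
    $store.Open('ReadOnly')
    try     { return @($store.Certificates | Where-Object $Match)[0] }
    finally { $store.Close() }
}

New-Item -ItemType Directory -Path (Split-Path $pfxPath) -Force | Out-Null

# 1. UC certificate -> PKCS #12 with private key and the issuing chain
$uc = Get-StoreCertificate 'My' { $_.Thumbprint -eq $ucThumbprint }
if (-not $uc)                { throw "UC certificate $ucThumbprint not found in LocalMachine\My" }
if (-not $uc.HasPrivateKey)  { throw 'UC certificate has no private key in this store; nothing to export' }

$chain = New-Object -TypeName "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'     # lab host; we only want the trust path, not CRL lookups
if (-not $chain.Build($uc)) { Write-Warning 'Chain did not build to a trusted root; exporting the elements found' }
$bundle = New-Object -TypeName "$ns.X509Certificate2Collection"
foreach ($element in $chain.ChainElements) { [void]$bundle.Add($element.Certificate) }   # leaf first, then issuers
try {
    $pfxBytes = $bundle.Export('Pfx', $pfxPassword)   # throws if the private key is not exportable
} catch {
    throw "PFX export failed (was the key marked exportable when the certificate was imported?): $_"
}
[System.IO.File]::WriteAllBytes($pfxPath, $pfxBytes)
# The PFX now carries a private key: strip inherited ACEs and leave only Administrators on the file
& icacls $pfxPath /inheritance:r /grant:r 'BUILTIN\Administrators:F' | Out-Null

# 2. Internal CA certificate -> DER-encoded .cer (public certificate only, no key involved)
$ca = Get-StoreCertificate 'Root' { $_.Subject -like "CN=$caCommonName*" }
if (-not $ca) { throw "Certificate for CA '$caCommonName' not found in Trusted Root Certification Authorities" }
[System.IO.File]::WriteAllBytes($cerPath, $ca.Export('Cert'))

# 3. Verify: the PFX must reload with the UC certificate, its private key and the chain; the .cer must match
$check = New-Object -TypeName "$ns.X509Certificate2Collection"
$check.Import($pfxPath, $pfxPassword, 'DefaultKeySet')
$leaf = @($check | Where-Object { $_.Thumbprint -eq $ucThumbprint })[0]
if (-not $leaf -or -not $leaf.HasPrivateKey) { throw 'Reloaded PFX is missing the UC certificate or its private key' }
$reloadedCa = New-Object -TypeName "$ns.X509Certificate2" -ArgumentList $cerPath
if ($reloadedCa.Thumbprint -ne $ca.Thumbprint) { throw 'Reloaded .cer does not match the CA certificate in the store' }
"PFX: $($check.Count) certificate(s) including chain, private key present -> $pfxPath"
"CER: $($reloadedCa.Subject) -> $cerPath"
```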

 

Step 5 – Remove the UC Certificate from the Exchange server


Next, we will remove the certificate from our publicly trusted Certification Authority from the Exchange server.  Since OWA traffic will route inbound via ISA, and since inbound SMTP connections from the Internet will not be secured using TLS, this certificate is unneeded on the Exchange server.  Unless you have a specific reason for leaving it on the Exchange server (for example, if you plan to directly service inbound OWA requests without using a reverse proxy like ISA server), I suggest removing the certificate to reduce overall complexity.


A.  To remove the UC Certificate from the Exchange server

  1. Log in to the Windows 2008 physical host computer using the built-in Domain Administrator account (Contoso\Administrator).
  2. Click Start, then All Programs, then Microsoft Exchange Server 2007, then open the Exchange Management Shell.
  3. Within the Exchange Management Shell, type Remove-ExchangeCertificate -Thumbprint F92984F6873C7726683BBC7E80F8BA090CA25E61 and then press Enter.  Choose A to remove the certificate for all services. 
  4. Close the Exchange Management Shell.

 

 

Configuring OCS 2007 R2 Front End


Having completed the installation of Exchange 2007 SP1, we now need to focus on installing Office Communications Server 2007.  We will start by installing the Standard Edition Front End server role.

 

Step 1 – Connect to the Virtual Machine that will host the OCS 2007 R2 Front End server


Our first task will be to configure one of the virtual machines to host the OCS 2007 R2 Front End server role.  To do this, we will need to connect to the Windows 2008 host computer and launch the Server Manager console.  Expand the Hyper-V role, and verify that the virtual machine for the OCS Front End server was created with the following specifications: 


Role:        OCS 2007 R2 Front End
Memory:      1024MB
Network:     One (1) Virtual NIC
Hard Disk:   16GB Virtual Hard Disk
OS Version:  Windows Server 2003 SP2 (x64)
FQDN:        OCS-R2.contoso.com (domain-joined)
IP Address:  192.168.1.11

To configure the server, double-click on the Front End virtual server within the Hyper-V section of the Server Manager console.

 

Step 2 – Run Prep Schema for OCS 2007 R2


Our next task will be to prepare the Active Directory schema for Office Communications Server 2007 R2.


A.  Prepare the Active Directory schema

  1. Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
  3. Double-click SetupSE.exe, the setup program for the Standard Edition version of OCS 2007 R2. 
  4. The first time Setup runs on a machine, you will be prompted to install the Microsoft Visual C++ SP1 Redistributable and Microsoft .NET Framework 3.5 SP1.  Choose Yes.
  5. On the Deployment Wizard page, click Prepare Active Directory.
  6. On the Prepare Active Directory for Office Communications Server page, next to Step 1: Prep Schema, click Run.
  7. On the Welcome page, click Next.
  8. Note the Warning you receive concerning your data in the System container and the recommendation for using the Configuration container in Active Directory.  Unless you have a specific reason for using the System container, choose the Configuration naming context to store your Global Settings.
  9. Click OK on the Warning.
  10. On the Directory Location of Schema Files page, click Next.
  11. On the Ready to Prepare Schema page, click Next.
  12. On the Completion page, select the View the log when you click Finish check box, and then click Finish.
  13. Switch to the Deployment Log.
  14. On the far right, click Expand All.
  15. In the Execution Result column, to confirm that the Prep Schema operation completed successfully, verify that each task’s result is Success. Close the Deployment Log window.

 

Step 3 – Run Prep Forest for OCS 2007 R2


After successfully extending our schema, the next step is to prepare the Active Directory forest for Office Communications Server 2007 R2.


A.  Prepare the Active Directory forest


  1. Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
  3. Double-click SetupSE.exe, the setup program for the Standard Edition version of OCS 2007 R2. 
  4. On the Deployment Wizard page, next to Step 3: Prep Forest, click Run.
  5. On the Welcome page, click Next.
  6. On the Select Location to Store Global Settings page, click Next.
  7. On the Location of Universal Groups page, verify that contoso.com is selected in the Domain drop-down list, and then click Next.
  8. On the SIP domain used for default routing page, verify that contoso.com is selected in the Select SIP domain drop-down list, and then click Next.
  9. On the Ready to Prepare Forest page, click Next.
  10. On the Completion page, select the View the log when you click Finish check box, and then click Finish.
  11. Switch to the Deployment Log.
  12. On the far right, click Expand All.
  13. In the Execution Result column, to confirm that the Prep Forest operation completed successfully, verify that each task’s result is Success. Close the Deployment Log window.

B.  Modify membership of RTCUniversalServerAdmins group


  1. Log on to the Windows 2008 computer as the built-in Domain Administrator account (Contoso\Administrator).
  2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  3. Expand the domain contoso.com, then click on the Users container.
  4. Locate and open the properties of the RTCUniversalServerAdmins group.
  5. Click on the Members tab.
  6. Verify that the built-in Domain Administrator account (Contoso\Administrator) is a member of this group, otherwise Add it. 
  7. Click OK to complete the configuration of the RTCUniversalServerAdmins group.
  8. Close Active Directory Users and Computers.

 

Step 4 – Run Prep Domain for OCS 2007 R2


Next, we need to prepare the Active Directory domain for Office Communications Server 2007 R2.


A.  Prepare the Active Directory domain


  1. Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
  3. Double-click SetupSE.exe, the setup program for the Standard Edition version of OCS 2007 R2. 
  4. On the Prepare Active Directory page, next to Step 5: Prep Current Domain, click Run.
  5. On the Welcome screen, click Next to continue.
  6. On the next screen, which provides Domain Preparation Information, read the text provided and click Next to continue.
  7. You are now ready to prepare the domain.  Because we have only one domain and are running this step in contoso.com, our current settings will display as contoso.com. Click Next to Continue.
  8. On the Completion page, select the View the log when you click Finish check box, and then click Finish.
  9. Switch to the Deployment Log.
  10. On the far right, click Expand All.
  11. In the Execution Result column, to confirm that the Prep Domain operation completed successfully, verify that each task’s result is Success. Close the Deployment Log window.

 

Step 5 – Install Internet Information Services 6.0 for Windows 2003


In addition to hosting Web Components, the OCS 2007 R2 Standard Edition Front End server role now supports several telephony-related applications such as Dial-In Conferencing, Outside Voice Control, and Response Groups.  As such, we will need to install IIS 6.0 before installing the Front End server role.


A.  To install Internet Information Services 6.0


  1. Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Open the Control Panel and launch Add/Remove Programs.
  3. Click Add/Remove Windows Components.
  4. In the Components list box, click Application Server.
  5. Click Details.
  6. Click Internet Information Services Manager.
  7. Click Details to select the World Wide Web Publishing Service, Active Server Pages, and Remote Administration (HTML) components to be installed.
  8. Click OK until you are returned to the Windows Component Wizard.
  9. Click Next and complete the Windows Component Wizard.

 

Step 6 – Install the OCS 2007 R2 Front End server role


Having prepared Active Directory and installed IIS 6.0 on the Windows 2003 server, we are now ready to install the OCS 2007 R2 Standard Edition Front End server role.  This installation will create a single-server OCS Pool, and it will install SQL Express automatically to support the three OCS 2007 R2 databases.

 

A.  To install the OCS 2007 R2 Front End server role


  1. Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
  3. Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2. 
  4. In the Deployment Wizard, click Deploy Standard Edition Server.
  5. On the Deploy Standard Edition Server page, next to Step 1: Deploy Server click Run.
  6. Notice the Warning that states the Windows Media Format Runtime is required. This is necessary for the Dial-In Conferencing component. Click OK.
  7. On the Welcome page, click Next.
  8. On the License Agreement page, select I accept the terms in the license agreement and click Next.
  9. On the Location for Server Files page, click Next.
  10. On the Application Configuration page, take notice of the new applications for OCS 2007 R2. Make sure all four boxes are checked and click Next.
  11. On the Main Service Account for Standard Edition Server page, create a new service account called RTCService and enter a password for the account.  Click Next.
  12. On the Component Service Account for Standard Edition Server page, create a new service account called RTCComponentService and enter a password for the account.  Click Next.
  13. On the Web Farm FQDNs page, enter sip.contoso.com for the external FQDN value (the internal FQDN value will be automatically populated).  Click Next.
  14. On the Location for Database Files page, click Next.
  15. On the Ready to Deploy Standard Edition Server page, click Next.
  16. When installation has finished, select the View the log when you click Finish check box, and then click Finish.
  17. Switch to the Deployment Log that has opened.
  18. In the Action column, expand Execute Action.
  19. In the Execution Result column, to verify that Office Communications Server 2007 R2 was successfully installed, verify that each task’s result is Success. There may be warnings associated with the Activation.
  20. Investigate the individual Activation Logs and verify they report Success.
  21. Close the Deployment Log window.

 

Step 7 – Configure the OCS 2007 R2 Front End server role


Now that the OCS 2007 R2 Front End server role is installed, we need to configure it.  This involves defining the various SIP domains that will be hosted by your environment and whether automatic client logon configuration will be supported.


A.  To configure OCS 2007 R2 Front End server


  1. Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
  3. Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2. 
  4. In the Deployment Wizard, click Deploy Standard Edition Server.
  5. At Configure Server, click Run.
  6. On the Welcome to the Configure Pool/Server Wizard page, click Next.
  7. On the Server or Pool to Configure page, select the server from the list, and then click Next.
  8. On the SIP domains page, verify that contoso.com appears in the list. If it does not, click the SIP domains in your environment box, type your SIP domain, and then click Add. Repeat these steps for all other SIP domains that the Standard Edition server will support. When you are finished, click Next.
  9. On the Client Logon Settings page, select the option Some or all clients will use DNS SRV records for automatic logon then click Next.
  10. Select the check box for the domain that will be supported by the server for automatic sign-in (contoso.com), and then click Next.
  11. On the External User Access Configuration page, select Do not configure for external user access now.
  12. When you are finished, click Next.
  13. On the Ready to Configure Server or Pool page, review the settings that you specified, and then click Next to configure the Standard Edition server.
  14. When the files have been installed and the wizard has completed, select the View the log when you click Finish check box, and then click Finish.
  15. In the log file, verify that <Success> appears under the Execution Result column. Look for <Success> Execution Result at the end of each task to verify Standard Edition server configuration completed successfully.
  16. Close the log window when you are finished.

 

Step 8 – Configure Certificate for OCS 2007 R2 Front End server


With the Front End server now successfully installed and configured, we now need to request and assign a certificate for it from our internal Certificate Authority.  To support automatic client configuration, we will need to include a Subject Alternative Name value of sip.contoso.com in our certificate request. 


A. To configure a new certificate for the Front End server


  1. Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
  3. Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2. 
  4. In the Deployment Wizard, click Deploy Standard Edition Server.
  5. At Configure Certificate, click Run.
  6. On the Welcome to the Certificate Wizard page, click Next.
  7. On the Available Certificate Tasks page, click Create a new certificate, and then click Next.
  8. On the Delayed or Immediate Request page, click Send the request immediately to an online certification authority, and then click Next.
  9. On the Name and Security Settings page, configure as follows:

    a. Enter a meaningful name for the OCS Front End server certificate (e.g., OCSR2FrontEndCert).
    b. Under Bit length, select 1024 bit length.
    c. Enable the Mark cert as exportable check box.

    When you are finished, click Next.
  10. On the Organization Information page, type or select the name of your organization and organizational unit (enter contoso.com for both entries), and then click Next.
  11. On the Your Server’s Subject Name page, configure as follows:

    a. In Subject Name, verify that the FQDN of the OCS Front End server is displayed (i.e., OCS-R2.contoso.com).
    b. In Subject Alternate Name, enter the value sip.contoso.com (for automatic client configuration).

    When you are finished, click Next.
  12. On the Geographical Information page, enter the Country/Region, State/Province, and City/Locality. Do not use abbreviations. When you are finished, click Next.
  13. On the Choose a Certification Authority page, the wizard attempts to automatically detect any CAs that are published in Active Directory.  Click Select a certificate authority from the list detected in your environment, and then select your certification authority (CA). Click Next.
  14. On the Request Summary page, review the settings that you specified, and then click Next.
  15. At the Assign Certificate Task screen, click the View button and verify that the Subject Name and Subject Alternative Names values are correct.
  16. If the Subject Name and Subject Alternative Names values are correct, click Assign.
  17. A dialog box appears and informs you that the settings were applied successfully. Click OK.
  18. Click Finish.

B. To assign the new certificate to IIS on the Front End server


  1. Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Click Start, then Programs, then Administrative Tools, and select Internet Information Services (IIS) Manager.
  3. Within the IIS Manager console, expand the local server, then expand Web Sites.
  4. Right click on the Default Web Site and choose Properties.
  5. Under the Web Site tab, verify that either 192.168.1.11 or (All Unassigned) is configured as the IP address for the web site.
  6. Click on the Directory Security tab.
  7. Under Secure Communications, click on Server Certificate.
  8. On the Welcome to the Web Server Certificate Wizard page, click Next.
  9. Click Assign an existing certificate, and then click Next.
  10. Select the certificate that you requested by using the Certificates Wizard, and then click Next.
  11. On the SSL Port page, verify that port 443 will be used for SSL, and then click Next.
  12. Review the certificate details, and then click Next to assign the certificate.
  13. Click Finish to exit.
  14. Click OK to close the Default Web Site Properties page.
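The properties the wizard in Step 8 asked for (subject name, the sip.contoso.com SAN, exportable key, trusted issuer) can be checked against what actually landed in the Front End server's certificate store before, or after, the certificate is assigned. The PowerShell below is an added example, not from the original post; it assumes PowerShell is installed on the Windows 2003 Front End server, the lab names from the post, and an English-language Windows, whose SAN extension renders entries as `DNS Name=...`.

```powershell
# Added example, not part of the original post. Checks that the Front End certificate in
# LocalMachine\My has the names, key, usage and trust chain that OCS 2007 R2 expects.
# Assumes an English Windows (SAN extension renders as "DNS Name=...") and the lab names from the post.
$serverFqdn    = 'OCS-R2.contoso.com'
$requiredNames = @('OCS-R2.contoso.com', 'sip.contoso.com')   # subject + SAN needed for automatic client logon
$ns            = 'System.Security.Cryptography.X509Certificates'

function Get-SanDnsNames($cert) {
    # Parses the Subject Alternative Name extension (OID 2.5.29.17) into a list of DNS names
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    $names = @()
    foreach ($m in [regex]::Matches($san.Format($true), 'DNS Name=([^\r\n,]+)')) {
        $names += $m.Groups[1].Value.Trim()
    }
    return $names
}

function Test-FrontEndCertificate($cert) {
    # Returns a hashtable of check name -> $true/$false for one certificate
    $subjectCn = [regex]::Match($cert.Subject, 'CN=([^,]+)').Groups[1].Value
    $present   = @(Get-SanDnsNames $cert) + $subjectCn
    $eku       = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $chain     = New-Object -TypeName "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # lab CA has no reachable CRL; verify the trust path only
    $results = @{
        'Subject CN is server FQDN'      = ($subjectCn -eq $serverFqdn)
        'Private key present'            = $cert.HasPrivateKey
        'Private key exportable'         = ($cert.HasPrivateKey -and $cert.PrivateKey.CspKeyContainerInfo.Exportable)
        'Within validity period'         = (($cert.NotBefore -le (Get-Date)) -and ($cert.NotAfter -gt (Get-Date)))
        'Server Authentication EKU'      = ($eku -ne $null -and $eku.EnhancedKeyUsages['1.3.6.1.5.5.7.3.1'] -ne $null)
        'Chain builds to a trusted root' = $chain.Build($cert)
    }
    foreach ($name in $requiredNames) {
        $results["Name covered: $name"] = ($present -contains $name)   # CN or SAN entry, case-insensitive
    }
    return $results
}

$store = New-Object -TypeName "$ns.X509Store" -ArgumentList 'My', 'LocalMachine'
$store.Open('ReadOnly')
$candidates = @($store.Certificates | Where-Object { $_.Subject -like "CN=$serverFqdn*" } | Sort-Object NotAfter -Descending)
$store.Close()
if ($candidates.Count -eq 0) { throw "No certificate with CN=$serverFqdn in LocalMachine\My" }

$cert    = $candidates[0]     # the newest one is the certificate the wizard just requested
$results = Test-FrontEndCertificate $cert
"Checking $($cert.Subject) (thumbprint $($cert.Thumbprint), expires $($cert.NotAfter))"
$failed = 0
foreach ($check in ($results.Keys | Sort-Object)) {
    $ok = $results[$check]
    if (-not $ok) { $failed++ }
    '{0,-34} {1}' -f $check, $(if ($ok) { 'PASS' } else { 'FAIL' })
}
if ($failed) { Write-Warning "$failed check(s) failed; fix the request before assigning this certificate to the Front End or IIS" }
```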

 

Step 9 – Modify settings of OCS service accounts


When you use the OCS setup program to create the OCS service accounts, the password expiration settings for the service accounts are inherited from the domain policy settings.  To prevent service startup failure due to expired passwords, we will need to change the password settings for both the RTCService and RTCComponentService accounts.


A.  Change password settings for OCS service accounts


  1. Log on to the Windows 2008 computer as the built-in Domain Administrator account (Contoso\Administrator).
  2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  3. Expand the domain contoso.com, then click on the Users container.
  4. Locate and open the properties of the RTCService account, then click on the Account tab.
  5. Enable the option for Password Never Expires, and verify that Account Expires is set to Never.  Click OK.
  6. Locate and open the properties of the RTCComponentService account, then click on the Account tab.
  7. Enable the option for Password Never Expires, and verify that Account Expires is set to Never.  Click OK.
  8. Close Active Directory Users and Computers.
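The same change can be applied and verified from PowerShell on the Windows 2008 computer. This is an added example, not from the original post; it uses System.DirectoryServices (no Active Directory PowerShell module is needed), sets the DONT_EXPIRE_PASSWD bit in userAccountControl for the two account names from the post, and reports whether accountExpires still means "Never".

```powershell
# Added example, not part of the original post. Sets "Password never expires" on the two OCS
# service accounts and verifies that the accounts themselves do not expire, using
# System.DirectoryServices (available on Windows Server 2008 without the AD module).
$serviceAccounts    = @('RTCService', 'RTCComponentService')   # account names created in Step 6
$DONT_EXPIRE_PASSWD = 0x10000                                   # userAccountControl bit ADS_UF_DONT_EXPIRE_PASSWD
$NEVER_EXPIRES      = @(0, [Int64]::MaxValue)                   # accountExpires values that ADUC shows as "Never"

function Find-Account([string]$samAccountName) {
    # Searches the current domain for one user by sAMAccountName; returns the SearchResult or $null
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$samAccountName))"
    [void]$searcher.PropertiesToLoad.AddRange(@('userAccountControl', 'accountExpires', 'distinguishedName'))
    return $searcher.FindOne()
}

function Set-PasswordNeverExpires([string]$samAccountName) {
    # Ensures the flag is set and returns a summary hashtable for reporting
    $result = Find-Account $samAccountName
    if (-not $result) { throw "Account $samAccountName not found in the domain" }
    $uac     = [int]$result.Properties['useraccountcontrol'][0]
    $expires = [Int64]$result.Properties['accountexpires'][0]   # large integer; searcher returns it as Int64
    $changed = $false
    if (($uac -band $DONT_EXPIRE_PASSWD) -eq 0) {
        $entry = $result.GetDirectoryEntry()
        $entry.Properties['userAccountControl'].Value = $uac -bor $DONT_EXPIRE_PASSWD
        $entry.CommitChanges()
        $uac     = $uac -bor $DONT_EXPIRE_PASSWD
        $changed = $true
    }
    return @{
        Account              = $samAccountName
        DN                   = $result.Properties['distinguishedname'][0]
        PasswordNeverExpires = (($uac -band $DONT_EXPIRE_PASSWD) -ne 0)
        AccountExpiresNever  = ($NEVER_EXPIRES -contains $expires)
        Changed              = $changed
    }
}

foreach ($name in $serviceAccounts) {
    $s = Set-PasswordNeverExpires $name
    '{0,-20} PasswordNeverExpires={1} AccountExpires=Never:{2} Changed={3}' -f $s.Account, $s.PasswordNeverExpires, $s.AccountExpiresNever, $s.Changed
    if (-not $s.AccountExpiresNever) { Write-Warning "$($s.Account) has an account expiration date set; clear it in Active Directory Users and Computers" }
}
```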

 

Step 10 – Start OCS 2007 R2 Front End services


At this point we should be ready to start services on the OCS 2007 R2 Front End server.  


A. To start Front End services
  1. Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
  3. Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2. 
  4. In the Deployment Wizard, click Deploy Standard Edition Server.
  5. At Start Services, click Run.
  6. On the Welcome to the Start Services Wizard page, click Next.
  7. Click Next again to start the services.
  8. Verify that the View the log when you click 'Finish' check box is selected, and then click Finish.
  9. In the log file, verify that <Success> appears under the Execution Result column for each task, and then close the log window.

 

Step 11 – Install OCS 2007 R2 Administration Console


The last step of our Front End server installation involves installing the OCS Administration Console.


A.  To install the administration console

  1. Log on to the Windows 2008 computer as the built-in Domain Administrator account (Contoso\Administrator).
  2. Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
  3. Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2. 
  4. At the main deployment page, select Administrative Tools from the menu on the right.
  5. On the License Agreement page, click I accept the terms in the license agreement and then click Next.
  6. When the installation finishes, close the OCS 2007 R2 Deployment Tools.
  7. Click Start, then Programs, then Administrative Tools.  There you will find the Office Communications Server 2007 R2 administration console as well as the Microsoft Office Communications Server 2007 R2, Communicator Web Access (CWA) management console.

 

This completes the installation of the OCS 2007 R2 Front End server role.

Posted by DaveH

(Part 2 of 3) The complete step-by-step setup guide for deploying Microsoft Unified Communications products with Enterprise Voice in a lab environment using a single Windows Server 2008 Hyper-V computer and a single Internet IP address

 

Configuring OCS 2007 R2 Edge


Next we will install the OCS 2007 R2 Edge role, which provides connectivity to the internal OCS environment for remote clients.  For the purposes of this lab, we will deploy a single Edge server supporting all three roles – Access Edge, Web Conferencing Edge, and Audio/Video Edge.  While the typical configuration for Edge involves the use of at least two network cards with each connected to a different network, we will use two virtual NICs which are both connected to the same network, as shown below.

(Diagram: Edge server network configuration, with both virtual NICs attached to the same 192.168.1.0/24 network)

 

Step 1 – Connect to the Virtual Machine that will host the OCS 2007 R2 Edge role


To configure one of the virtual machines to host the OCS 2007 R2 Edge server role, we’ll need to connect to the Windows 2008 host computer and launch the Server Manager console.  Expand the Hyper-V role and verify that the virtual machine for Edge was created with the following specifications: 


Role:          OCS 2007 R2 Edge
Memory:        1024MB
Network:       Two (2) Virtual NICs
Hard Disk:     16GB Virtual Hard Disk
OS Version:    Windows Server 2003 SP2 (x64)
FQDN:          Edge-R2.contoso.com (not domain-joined)
IP Addresses:  192.168.1.2 – 192.168.1.4 (External NIC), 192.168.1.5 (Internal NIC)

Although the DNS name of this server will be Edge-R2.contoso.com, it will not be joined to the Contoso.com domain.  To configure the server, double-click on the Edge virtual server within the Hyper-V section of the Server Manager console.

 

Step 2 – Configure OCS 2007 R2 Edge Network Settings


Before installing the OCS 2007 R2 Edge binaries, we need to configure the network settings for the virtual machine.


A.  To configure OCS 2007 R2 Edge network settings


  1. Log on to the OCS 2007 R2 Edge virtual machine as the built-in Administrator account (Edge-R2\Administrator).
  2. Click Start, then click Run.  Type ncpa.cpl and press Enter to launch Network Connections.
  3. Rename each of the two available network connections, as follows:
    a.  Right click on the first interface, choose Rename, then change it to Hyper-V Internal (192.168.1.5).
    b.  Right click on the other interface, choose Rename, then change it to Hyper-V External (192.168.1.2 – 192.168.1.4).


  4. Right click on the Hyper-V External (192.168.1.2 – 192.168.1.4) network interface and select Properties.
  5. Highlight Internet Protocol (TCP/IP) and click on the Properties button.


  6. Under the General tab of TCP/IP Properties, configure the network adapter as follows:

    Choose Use the following IP address.

         IP Address:  192.168.1.2
         Subnet Mask:  255.255.255.0
         Default Gateway:  192.168.1.1  (our Linksys Router)

    Choose Use the following DNS servers.
     
         Primary DNS Server:  4.2.2.1  (Internet root server)
         Alternate DNS Server:  4.2.2.2 (Internet root server)


  7. While still within the TCP/IP properties of the Hyper-V External network adapter, click on the Advanced button.
  8. Under the IP Settings tab, click Add.  Enter the following two additional IP addresses:

    IP Address:  192.168.1.3
    Subnet Mask:  255.255.255.0

    IP Address:  192.168.1.4
    Subnet Mask:  255.255.255.0
  9. Next, click on the DNS tab within Advanced settings.  Under Append these DNS suffixes (in order), click Add and enter the domain contoso.com.  Then, under DNS suffix for this connection, enter contoso.com.  Finally, deselect the option to Register this connection’s addresses in DNS.


  10. Click OK three times to complete the configuration of the Hyper-V External network adapter.
  11. Right click on the Hyper-V Internal (192.168.1.5) network interface and select Properties.
  12. Highlight Internet Protocol (TCP/IP) and click on the Properties button.
  13. Under the General tab of TCP/IP Properties, configure the network adapter as follows:

    Choose Use the following IP address.

         IP Address:  192.168.1.5 
         Subnet Mask:  255.255.255.0
         Default Gateway:  (empty)

    Choose Use the following DNS servers.
     
         Primary DNS Server:  (empty) 
         Alternate DNS Server:  (empty)


  14. While still within the TCP/IP properties of the Hyper-V Internal network adapter, click on the Advanced button.
  15. Click on the DNS tab within Advanced settings, and deselect the option to Register this connection’s addresses in DNS.
  16. Click OK three times to complete the configuration of the Hyper-V Internal network adapter.
  17. Close Network Connections.
  18. Click Start, then Run.  Type Notepad %windir%\system32\drivers\etc\hosts to open the hosts file for editing.
  19. After opening the hosts file in Notepad, add each of the following entries.  To minimize complexity, I use a single hosts file with identical entries on both my Edge server and my ISA server.

    192.168.1.5    edge-r2.contoso.com
    192.168.1.6    isa.contoso.com
    192.168.1.6    cwa.contoso.com
    192.168.1.6    as.cwa.contoso.com
    192.168.1.6    download.cwa.contoso.com
    192.168.1.6    mail.contoso.com
    192.168.1.6    autodiscover.contoso.com
    192.168.1.10   email.contoso.com
    192.168.1.11   ocs-r2.contoso.com
    192.168.1.12   cwa-r2.contoso.com
    192.168.1.13   mediation-r2.contoso.com


  20. Save your changes by clicking File then Save.  If you find that you are unable to save your changes and receive an Access Denied error message, then you will need to launch Notepad as the local Administrator account, create the various entries, then save the file.
  21. After successfully configuring the network settings for the virtual machine, restart the Edge server.

 

Step 3 – Install OCS 2007 R2 Edge


After configuring the virtual machine, we are now ready to install the OCS Edge server binaries.


A.  To install OCS 2007 R2 Edge


  1. Log on to the OCS 2007 R2 Edge virtual machine as the built-in Administrator account (Edge-R2\Administrator).
  2. Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
  3. Double-click SetupSE.exe, the setup program for the Standard Edition version of OCS 2007 R2. 
  4. When prompted to install the Microsoft Visual C++ 2008 Redistributable, choose Yes to install it.
  5. When prompted to install Microsoft .NET Framework 3.5 SP1, choose Yes to install it.
  6. On the Office Communications Server 2007 R2 Deployment Wizard page, click Deploy Other Server Roles.
  7. On the Deploy Other Server Roles page, click Deploy Edge Server.


  8. On the Deploy Edge Server page, at Step 1: Install Files for Edge Server, click Install.
  9. On the License Agreement page, click I accept the terms in the license agreement, and then click Next. If you do not accept the license terms, Setup cannot continue.
  10. On the Install location for Microsoft Office Communications Server 2007 R2, Edge Server page, in the Location box, type a path where Edge server should be installed, or accept the default location. Click Next.
  11. After the Edge server has been installed successfully, click Close to return to the Edge deployment wizard.

 

Step 4 – Activate OCS 2007 R2 Edge


Having successfully installed the Edge server binaries, we are now ready to activate the server.


A.  To activate OCS 2007 R2 Edge


  1. Log on to the OCS 2007 R2 Edge virtual machine as the built-in Administrator account (Edge-R2\Administrator).
  2. Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
  3. Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2. 
  4. On the Office Communications Server 2007 R2 Deployment Wizard page, click Deploy Other Server Roles.
  5. On the Deploy Other Server Roles page, click Deploy Edge Server.
  6. On the Deploy Edge Server page, at Step 2: Activate Edge Server, click Run.


  7. On the Welcome page, click Next.
  8. On the Select domain service account page, select Create a New Account.  Enter the name RTCProxyService in the Account name box, then type the account password in the Password box.  Click Next.


  9. Review the information on the Ready to Activate Edge Server screen.  If all information is correct, click Next to activate the server.
  10. After the server has been successfully activated, click Finish on the Activation Complete page to close the Activation Wizard.

 

Step 5 – Configure OCS 2007 R2 Edge


Having successfully installed and activated the Edge server role, we are now ready to configure the server. 


A.  To configure OCS 2007 R2 Edge


  1. Log on to the OCS 2007 R2 Edge virtual machine as the built-in Administrator account (Edge-R2\Administrator).
  2. Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
  3. Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2. 
  4. On the Office Communications Server 2007 R2 Deployment Wizard page, click Deploy Other Server Roles.
  5. On the Deploy Other Server Roles page, click Deploy Edge Server.
  6. On the Deploy Edge Server page, at Step 3: Configure Edge Server, click Run.


  7. On the Welcome page, click Next.
  8. On the Import Settings screen, click Next.
  9. On the Internal Interface configuration screen, select 192.168.1.5 (the IP address assigned to the Hyper-V Internal network interface) from the drop-down list and enter Edge-R2.contoso.com as the FQDN value.  Click Next.

  10. On the External Interface configuration screen, configure each of the interfaces as follows, then click Next:

    Access Edge Server
    IP Address: 192.168.1.2
    FQDN: sip.contoso.com
    Federation Port: 5061
    Remote User Port: 5061

    Web Conferencing Edge Server
    IP Address: 192.168.1.3
    FQDN: sip.contoso.com
    Port (Other): 441

    A/V Edge Server
    IP Address: 192.168.1.4
    FQDN: sip.contoso.com
    Port (Other): 442


  11. On the Enable Edge Features screen, enable all of the following features:

    ✓ Allow remote user access to your network
    ✓ Allow anonymous users to join meetings
    ✓ Enable Federation
    ✓ Allow discovery of federation partners
    ✓ Federation with public IM providers
    ✓ MSN / AOL / Yahoo


  12. On the FQDN of Internal Next Hop Server screen, enter the FQDN of the OCS-R2 Front End server, OCS-R2.contoso.com.  Click Next.


  13. On the Authorized Internal SIP Domains screen, enter contoso.com.  Click Add, then click Next.


  14. On the Authorized Internal Servers screen, enter each of the following FQDN values.  Click Add, then click Next:

    Mediation-R2.contoso.com
    OCS-R2.contoso.com
    sip.contoso.com


  15. Review the information on the Configure Your Edge Server screen.  If all information is correct, click Next to configure the server.
  16. After the server has been successfully configured, click Finish to close the Configuration Wizard.

 

Step 6 – Copy UC Certificate and Internal CA Certificates to OCS 2007 R2 Edge server


Having configured the Edge server role, we next need to copy our UC Certificate, purchased from a publicly trusted Certification Authority, and the certificate from our internal Certification Authority to the new OCS 2007 R2 Edge server.


A.  To copy certificates to the OCS 2007 R2 Edge server


  1. Log on to the OCS 2007 R2 Edge virtual machine as the built-in Administrator account (Edge-R2\Administrator).
  2. Launch Windows Explorer, and navigate to the Certificates folder using the administrative share for the C:\ hard disk on the Exchange server (\\192.168.1.10\C$\Certificates).
  3. When prompted for authentication, enter the credentials of the built-in Domain Administrator account (Contoso\Administrator).
  4. Within the Certificates folder, select the file sip_contoso_com_exported.pfx and the file ContosoCA.cer.  After highlighting each file, choose Edit then Copy from the Windows Explorer menu bar at the top of the window, or simply press CTRL+C to copy the two certificates to the Windows clipboard.
  5. Again within Windows Explorer, navigate to the C:\ folder from the virtual hard disk on the OCS 2007 R2 Edge server.
  6. Choose Edit then Paste from the Windows Explorer menu bar at the top of the window, or simply press CTRL+V to paste the two certificates from the Windows clipboard into the root of drive C:\ on the Edge server.
  7. Verify that the two certificates were successfully copied to the OCS 2007 R2 Edge server, then close Windows Explorer.

 

Step 7 – Configure OCS 2007 R2 Edge Certificates


Having copied the certificates to the Edge server, we are now ready to assign a certificate to each of its interfaces.


A.  To configure OCS 2007 R2 Edge Certificate (Private/Internal Interface)


  1. Log on to the OCS 2007 R2 Edge virtual machine as the built-in Administrator account (Edge-R2\Administrator).
  2. Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
  3. Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2. 
  4. On the Office Communications Server 2007 R2 Deployment Wizard page, click Deploy Other Server Roles.
  5. On the Deploy Other Server Roles page, click Deploy Edge Server.
  6. On the Deploy Edge Server page, at Step 4: Configure Certificates for Edge Server, click Run.
  7. On the Welcome page, click Next.
  8. At the Available Certificate Tasks page, choose Create a New Certificate, then click Next.
  9. At the Select a Component page, choose Edge Server Private Interface, then click Next.
  10. At the Delayed or Immediate Request page, choose Send the request immediately to an online Certification Authority, then click Next.
  11. At the Name and Security Settings page, enter a logical friendly name for the certificate (e.g. EdgeR2Internal), select a bit length of 1024, and select the Mark cert as exportable option.  Click Next.
  12. At the Organization Information page, enter the name of your organization and organizational unit, then click Next.
  13. At the Your Server’s Subject Name page, enter the FQDN of the Edge server (e.g. Edge-R2.contoso.com) as the Subject Name of the certificate, then click Next.  Do not add any Subject Alternative Name (SAN) values to this certificate request.
  14. At the Geographical Information page, select your Country, select your State, and enter your City.  Click Next.
  15. At the Choose a Certification Authority page, select Specify the certificate authority that will be used to request this certificate.  Enter the name of your certificate authority (e.g. email.contoso.com\ContosoCA), click Next, then enter the credentials of the Domain Administrator account when prompted.
  16. At the Request Summary page, verify that all information is correct, then click Next to submit the request.
  17. If the certificate request was successfully completed, you will be prompted to assign the certificate.  At the Assign Certificate Tasks page, choose Assign certificate immediately, then click Next twice.
  18. Upon successfully assigning the certificate, click Finish.

B.  To configure OCS 2007 R2 Edge Certificate (A/V Authentication Certificate)


  1. Log on to the OCS 2007 R2 Edge virtual machine as the built-in Administrator account (Edge-R2\Administrator).
  2. Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
  3. Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2. 
  4. On the Office Communications Server 2007 R2 Deployment Wizard page, click Deploy Other Server Roles.
  5. On the Deploy Other Server Roles page, click Deploy Edge Server.
  6. On the Deploy Edge Server page, at Step 4: Configure Certificates for Edge Server, click Run Again.
  7. On the Welcome page, click Next.
  8. At the Available Certificate Tasks page, choose Assign an existing certificate, then click Next.
  9. At the Available Certificates page, choose the EdgeR2Internal certificate that was created and assigned to the Edge Private Interface.  Click Next.
  10. At the Available Certificate Assignments page, choose the A/V Authentication Certificate option, then click Next twice.
  11. Upon successfully assigning the certificate, click Finish.

C.  To configure OCS 2007 R2 Edge Certificate (Access Edge/Web Conferencing Edge Public Interface)


  1. Log on to the OCS 2007 R2 Edge virtual machine as the built-in Administrator account (Edge-R2\Administrator).
  2. Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
  3. Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2. 
  4. On the Office Communications Server 2007 R2 Deployment Wizard page, click Deploy Other Server Roles.
  5. On the Deploy Other Server Roles page, click Deploy Edge Server.
  6. On the Deploy Edge Server page, at Step 4: Configure Certificates for Edge Server, click Run Again.
  7. On the Welcome page, click Next.
  8. At the Available Certificate Tasks page, choose Import a certificate from a .pfx file, then click Next. 
  9. At the Import Certificate page, click Browse and navigate to C:\.  Select the file sip_contoso_com_exported.pfx, then click Open.  Verify that the option Mark cert as exportable is enabled, then click Next.
  10. At the Import Certificate Password page, enter the Password for the certificate.  This will be the same password that was used to originally export the certificate from the certificate store on the Exchange server.  Click Next.
  11. At the Assign Certificate Task page, choose Assign certificate immediately, then click Next.
  12. At the Available Certificate Assignments page, select both the Access Edge Server Public Interface and the Web Conferencing Edge Server Public Interface, then choose Next twice.
  13. Upon successfully assigning the certificate, click Finish.

Having completed the certificate assignments for each of the network interfaces, you may find that you are unable to federate with other OCS environments or with PIC providers.   There are a number of known trust issues with certificates which may be a contributing factor to federation and/or PIC failures.  A few of the more common issues are listed below:

 

Step 8 – Start OCS 2007 R2 Edge Services


Having successfully installed, activated, and configured the Edge server role, we are now ready to start services. 


A.  To start OCS 2007 R2 Edge services


  1. Log on to the OCS 2007 R2 Edge virtual machine as the built-in Administrator account (Edge-R2\Administrator).
  2. Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
  3. Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2. 
  4. On the Office Communications Server 2007 R2 Deployment Wizard page, click Deploy Other Server Roles.
  5. On the Deploy Other Server Roles page, click Deploy Edge Server.
  6. On the Deploy Edge Server page, at Step 5: Start Services, click Run.
  7. On the Welcome page, click Next.
  8. At the Start OCS 2007 R2 Services page listing all of the Edge services to be started, click Next.  
  9. After services have been successfully started, click Finish.

 

Step 9 – Install OCS 2007 R2 Administration Console


The next step of the Edge server installation involves installing the OCS Administration Console.


A.  Install the administration console

  1. Log on to the OCS 2007 R2 Edge virtual machine as the built-in Administrator account (Edge-R2\Administrator).
  2. Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
  3. Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2. 
  4. At the main deployment page, select Administrative Tools from the menu on the right.
  5. On the License Agreement page, click I accept the terms in the license agreement and then click Next.
  6. When the installation finishes, close the OCS 2007 R2 Deployment Tools.
  7. Click Start, then Programs, then Administrative Tools.  There you will find the Office Communications Server 2007 R2 administration console as well as the Microsoft Office Communications Server 2007 R2, Communicator Web Access (CWA) management console.

 

Step 10 – Configure additional Edge settings to support External Connectivity


With the Edge server role successfully deployed, we need to configure additional settings to support external connectivity at both the Forest and Pool levels.  These settings will be configured using the OCS 2007 R2 Front End server.


A.  To configure Edge settings in Global Properties


  1. Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Click Start, then Programs, then Administrative Tools, then choose Office Communications Server 2007 R2.
  3. Within the OCS 2007 management console, right click on the Forest – Contoso.com node, then select Properties, then choose Global Properties.
  4. Within Global Properties, click on the Edge Servers tab.

    a. Under Access Edge and Web Conferencing Edge Servers, click Add.
    b. Enter the FQDN of your Edge server, Edge-R2.contoso.com, then click OK.

    c. Under A/V Edge Servers, click Add.
    d. Enter the FQDN of your Edge server, Edge-R2.contoso.com, and port 5062 (used for A/V Authentication).  Click OK.
    e. Verify that the Edge Servers tab now lists Edge-R2.contoso.com under both Access Edge and Web Conferencing Edge Servers and under A/V Edge Servers (port 5062).
  5. Again within Global Properties, click on the Federation tab.

    a. Select the option to Enable Federation and Public IM Connectivity.
    b. Enter the FQDN of your Edge server, Edge-R2.contoso.com.
    c. Enter port 5061, the port used for communications between the Edge and the OCS Front End servers.
  6. Again within Global Properties, click on the Meetings tab.

    a. Under Anonymous Participants, choose the option Allow users to invite anonymous participants.
    b. Under Global Policy settings choose Default Policy.  Select Default Policy under Policy Definitions, then click Edit.
    c. Configure the Default Policy settings as follows, then click OK:

    ✓ Enable Web Conferencing
    ✓ Use native format for PowerPoint files
    ✓ Enable program and desktop sharing
    ✓ Allow control of shared programs and desktop
    ✓ Allow presenter to record meetings
    ✓ Presenter can allow attendees to record meetings
    ✓ Enable IP Audio
    ✓ Enable IP Video
    ✓ Enable PSTN conference dial-in
    ✓ PSTN conference dial-in requires passcode

  7. Click OK twice to complete the configuration of Global Properties.


B.  To configure Edge settings in Pool Properties


  1. Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Click Start, then Programs, then Administrative Tools, then choose Office Communications Server 2007 R2.
  3. Within the OCS 2007 management console, expand the Forest – Contoso.com node, then expand Standard Edition Servers. 
  4. Right click on the OCS-R2 pool object, expand Properties, then choose Pool Properties.
  5. Under the Media tab, configure the following settings:

    Encryption Level:  Require Encryption
    A/V Authentication Service:  Edge-R2.contoso.com:5062
    Media Port Range: 49152 to 65535

  6. Click OK to complete the configuration of Pool settings.

 

Step 11 – Restart services on the OCS 2007 R2 Front End server

 

Our final step of configuring OCS 2007 R2 Edge services involves restarting the services on the OCS 2007 R2 Front End server. 


A.  To restart services on the Front End server


  1. Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Click Start, then Programs, then Administrative Tools.  Click Office Communications Server 2007 R2 to launch the OCS 2007 R2 administration console.
  3. Within the administration console, expand the contoso.com Forest level entry, then expand Standard Edition Servers.
  4. Expand the OCS-R2 Pool object, then right click on the OCS-R2.contoso.com Front End server object.
  5. Expand Stop, then select Stop all started services.
  6. Monitor the status of the stopping of services displayed at the bottom left corner of the Administration Console window.
  7. When all services have stopped successfully, again, right click on the OCS-R2.contoso.com Front End server object.
  8. Expand Start, then select Start all stopped services.
  9. Again monitor the status of the startup of services of the Front End server.

 

This completes the configuration of the OCS 2007 R2 Edge role.

 

 

Configuring OCS 2007 R2 Mediation


Next we will install the OCS 2007 R2 Mediation role, which provides signaling and media translation between the VoIP infrastructure and a basic media gateway.  Although a typical deployment of the Mediation role involves using two network cards for enhanced security, we will use a single NIC configuration for the Mediation server in our lab. 

 

Step 1 – Connect to the Virtual Machine that will host the OCS 2007 R2 Mediation role


To configure one of the virtual machines to host the OCS 2007 R2 Mediation server role, we’ll need to connect to the Windows 2008 host computer and launch the Server Manager console.  Expand the Hyper-V role and verify that the virtual machine for Mediation was created with the following specifications: 


Role:  OCS 2007 R2 Mediation
Memory:  512MB
Network:  One (1) Virtual NIC
Hard Disk:  16GB Virtual Hard Disk
OS Version:  Windows Server 2003 SP2 (x64)
FQDN:  Mediation-R2.contoso.com (domain-joined)
IP Address:  192.168.1.13

To configure the server, double-click on the Mediation virtual server within the Hyper-V section of the Server Manager console.

 

Step 2 – Configure OCS 2007 R2 Mediation Network Settings


Next, we need to configure the network settings for the Mediation virtual machine.  Again, we will be using a single NIC configuration in our lab.


A.  To configure OCS 2007 R2 Mediation network settings


  1. Log on to the OCS 2007 R2 Mediation Server virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Click Start, then click Run.  Type ncpa.cpl and press Enter to launch Network Connections.
  3. Right click on the Local Area Network network interface and select Properties.
  4. Highlight Internet Protocol (TCP/IP) and click on the Properties button.
  5. Under the General tab of TCP/IP Properties, configure the network adapter as follows:

    Choose Use the following IP address.

         IP Address:  192.168.1.13  
         Subnet Mask:  255.255.255.0
         Default Gateway:  192.168.1.1  (our Linksys Router)

    Choose Use the following DNS servers.
     
         Primary DNS Server:  192.168.1.10  (our internal DNS server)
         Alternate DNS Server:  None


  6. Click OK to commit your changes. 
  7. Close the Network Connections dialog box, and restart the Mediation virtual machine.

 

Step 3 – Install OCS 2007 R2 Mediation


After configuring the virtual machine, we are now ready to install the OCS Mediation server binaries.


A.  To install OCS 2007 R2 Mediation


  1. Log on to the OCS 2007 R2 Mediation virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
  3. Double-click SetupSE.exe, the setup program for the Standard Edition version of OCS 2007 R2. 
  4. When prompted to install the Microsoft Visual C++ 2008 Redistributable, choose Yes to install it.
  5. When prompted to install Microsoft .NET Framework 3.5 SP1, choose Yes to install it.
  6. On the Office Communications Server 2007 R2 Deployment Wizard page, click Deploy Other Server Roles.
  7. On the Deploy Other Server Roles page, click Deploy Mediation Server.


  8. On the Deploy Mediation Server page, at Step 1: Install Files for Mediation Server, click Install.
  9. On the License Agreement page, click I accept the terms in the license agreement, and then click Next. If you do not accept the license terms, Setup cannot continue.
  10. On the Install location for Microsoft Office Communications Server 2007 R2, Mediation Server page, in the Location box, type a path where Mediation server should be installed, or accept the default location. Click Next.
  11. After the Mediation server has been installed successfully, click Close to return to the Mediation deployment wizard.

 

Step 4 – Activate OCS 2007 R2 Mediation


Having successfully installed the Mediation server binaries, we are now ready to activate the server.


A.  To activate OCS 2007 R2 Mediation


  1. Log on to the OCS 2007 R2 Mediation virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
  3. Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2. 
  4. On the Office Communications Server 2007 R2 Deployment Wizard page, click Deploy Other Server Roles.
  5. On the Deploy Other Server Roles page, click Deploy Mediation Server.
  6. On the Deploy Mediation Server page, at Step 2: Activate Mediation Server, click Run.
  7. On the Welcome page, click Next.
  8. On the Select domain service account page, select Use an existing account.  Enter the name RTCComponentService in the Account name box, then type the account password in the Password box.  This account is already a member of the RTCComponentUniversalServices group, which is required for the Mediation service to start.  Click Next.
  9. After the server has been activated, click Close on the Activation Complete page to close the Activation Wizard.

 

Step 5 – Install OCS 2007 R2 Administration Console


The next step of the installation of the Mediation server involves installing the OCS Administration Console.


A.  Install the administration console

  1. Log on to the OCS 2007 R2 Mediation virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
  3. Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2. 
  4. At the main deployment page, select Administrative Tools from the menu on the right.
  5. On the License Agreement page, click I accept the terms in the license agreement and then click Next.
  6. When the installation finishes, close the OCS 2007 R2 Deployment Tools.
  7. Click Start, then Programs, then Administrative Tools.  There you will find the Office Communications Server 2007 R2 administration console as well as the Microsoft Office Communications Server 2007 R2, Communicator Web Access (CWA) management console.

 

Step 6 – Configure OCS 2007 R2 Mediation


Having successfully installed and activated the Mediation server role, we are now ready to configure the server. 


A.  To configure OCS 2007 R2 Mediation


  1. Log on to the OCS 2007 R2 Mediation virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Click Start, then Programs, then Administrative Tools, then choose Office Communications Server 2007 R2.
  3. Within the OCS 2007 management console, expand Forest – Contoso.com, then expand Mediation Servers.
  4. Open the Properties of your Mediation server, Mediation-R2.contoso.com.
  5. Under the General tab, enter the following information:

    Communications Server listening IP address:  192.168.1.13
    Gateway listening IP address:  192.168.1.13
    A/V Edge Server:  Edge-R2.contoso.com:5062
    Default Location Profile:  None


  6. Under the Next Hop Connections tab, enter the following information:

    Office Communications Server Next Hop FQDN:  OCS-R2.contoso.com
    Port:  5061
    PSTN Gateway Next Hop IP Address:  192.168.1.14
    Port:  5060


  7. When you have completed configuring options for both the General and Next Hop Connections tabs, click Apply and OK to commit your changes. 

Note:  Since we have not yet created a location profile, we are unable to select one in the configuration of the Mediation server.  This causes a warning to appear; just click OK.

Note:  You will also receive a warning to restart Mediation services.  You can safely ignore this warning.



Step 7 – Request Certificate for OCS 2007 R2 Mediation

 

After configuring the Mediation server role, we will need to request a certificate from our Certificate Authority.

 

A.  To request a certificate for OCS 2007 R2 Mediation


  1. Log on to the OCS 2007 R2 Mediation virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Launch Windows Explorer, and navigate to the \Install\setup\amd64\ folder.
  3. Double-click DeploySE.exe, the setup program for the Standard Edition version of OCS 2007 R2. 
  4. On the Office Communications Server 2007 R2 Deployment Wizard page, click Deploy Other Server Roles.
  5. On the Deploy Other Server Roles page, click Deploy Mediation Server.
  6. On the Deploy Mediation Server page, at Step 4: Configure Certificate, click Run.
  7. At the Certificate Wizard splash screen, click Next.
  8. At the Available Certificate Tasks screen, choose Create a New Certificate, then click Next.


  9. At the Delayed or Immediate Request screen, choose the option Send the request immediately to an online certificate authority, then click Next. 


  10. At the Name and Security Settings screen, enter the following information, then click Next:

    Name:  OCSR2MediationCert
    Bit Length:  1024
    Mark cert as exportable:  Enabled



  11. At the Organization Information screen, enter contoso.com for both the Organization name and the Organizational Unit.  Click Next.
  12. At the Server’s Subject Name screen, enter Mediation-R2.contoso.com for the Subject Name value.  Do not enter any Subject Alternative Names for this certificate.  Click Next.


  13. At the Geographical Information screen, enter your Country, State/Province, and City/Locality, then click Next.
  14. At the Choose a Certification Authority screen, select Email.contoso.com\ContosoCA from the drop-down list of Certificate Authorities, then click Next.


  15. At the Request Summary screen, verify that all of the information was entered correctly, then click Next.
  16. Upon successfully submitting the certificate request, a new certificate should be issued by your environment’s Certification Authority.  Choose the Assign option to assign the certificate immediately, then click Finish.


  17. You will be prompted to restart services; however, you can ignore this warning.

 

This completes the deployment of the OCS 2007 R2 Mediation Server role.  

 

 

Configuring Enterprise Voice


Next we will configure Enterprise Voice functionality for Office Communications Server.  There are several steps that must be completed to configure Enterprise Voice, especially when Unified Messaging is involved.  As you will see, this is one of the more challenging tasks in deploying OCS 2007 R2.

 

Step 1 – Get the Phone Context value of the Unified Messaging Dial Plan

 

To successfully integrate OCS 2007 and Unified Messaging, the name of the Location Profile for your Enterprise Voice users must match the Phone Context value of your Unified Messaging Dial Plan.  To get this value, we will use the Exchange Management Shell on the Windows 2008 physical host computer.


A.  Get Phone Context value of UM Dial Plan


  1. Log on to the Windows 2008 physical computer as the built-in Domain Administrator account (Contoso\Administrator).
  2. Launch the Exchange Management Shell by clicking Start > Programs > Microsoft Exchange Server 2007 > Exchange Management Shell.
  3. Within the Exchange Management Shell, enter the following command to get details of all Exchange UM Dial Plans:

    get-UMDialPlan | fl name,uritype,voipsecurity,phonecontext,umservers

    [PS] C:\> get-umdialplan | fl name,uritype,voipsecurity,phonecontext,umservers

    Name : OCSDialPlan
    URIType : SipName
    VoIPSecurity : SIPSecured
    PhoneContext : OCSDialPlan.contoso.com
    UMServers : {EMAIL}
  4. Note that the PhoneContext value of the OCSDialPlan is ‘OCSDialPlan.contoso.com’. The name of the Location Profile you will create must match this value.

 

Step 2 – Install the OCS 2007 R2 Resource Kit Tools on the Mediation Server

 

To create and configure the OCS Location Profile, we will use Enterprise Voice Route Helper, which is installed with the OCS 2007 R2 Resource Kit tools.  We will need to install the resource kit tools on the Mediation server.


A.  To install the OCS 2007 R2 Resource Kit tools


  1. Log on to the OCS 2007 R2 Mediation virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Launch Internet Explorer, and navigate to http://www.microsoft.com/downloads/details.aspx?FamilyID=9e79a236-c0df-4a72-aba6-9a9602a93ed0&DisplayLang=en.
  3. Download and save the OCSResKit.msi installation file to disk.
  4. Double-click on the file OCSResKit.msi to launch the installation of the Resource Kit tools for Office Communications Server 2007 R2.
  5. At the installation splash screen, Click Next, then accept the License Agreement.
  6. When prompted for the installation path, just accept the default value and click Next.


  7. When the installation of the OCS Resource Kit tools finishes, click Close.

 

Step 3 – Create a Location Profile using Enterprise Voice Route Helper

 

Next we will use the Enterprise Voice Route Helper tool to create a Location Profile for our Enterprise Voice enabled users.


A.  To create a Location Profile


  1. Log on to the OCS 2007 R2 Mediation virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Launch Enterprise Voice Route Helper by clicking Start > Programs > Microsoft Office Communications Server 2007 > Resource Kit > Enterprise Voice Route Helper.


  3. From the Menu bar in Enterprise Voice Route Helper, click Insert > New Location Profile.


  4. Enter the name ‘OCSDialPlan.contoso.com’ for the name of the new Location Profile. This is the same value found in the PhoneContext field of the UM Dial Plan from Step 1. Click OK.


  5. Within the Location Profile Editor, enter Default Location Profile for the Description value of the location profile, then click Add to enter phone number Normalization Rules for the new Location Profile.


  6. You will likely need to create several Normalization Rules both to correctly handle user dialing behavior within Office Communicator and to correctly format dial strings from telephone numbers stored in Active Directory and in Microsoft Outlook.  For the purposes of this lab, we will only create three very simple normalization rules:



    Rule Name:  4 Digit Internal Dialing
    Internal Enterprise Extension:  Enabled
    Use Translation When Dialing from Device:  Enabled
    Starting Digits:  (empty)
    Length:  Exactly 4 Digits
    Number of Digits to Strip:  0
    Digits to Prepend:  +1980776
    Automatically Update Description:  Enabled

    Rule Name: 10 Digit Dialing
    Internal Enterprise Extension:  Disabled
    Use Translation When Dialing from Device:  Enabled
    Starting Digits:  (empty)
    Length:  Exactly 10 Digits
    Number of Digits to Strip:  0
    Digits to Prepend:  +1
    Automatically Update Description:  Enabled

    Rule Name:  11 Digit Dialing
    Internal Enterprise Extension:  Disabled
    Use Translation When Dialing from Device:  Enabled
    Starting Digits:  (empty)
    Length:  Exactly 11 Digits
    Number of Digits to Strip:  0
    Digits to Prepend:  +
    Automatically Update Description:  Enabled

  7. When all three normalization rules have been added, click Apply and then OK.
  8. Next, choose Edit > Edit Phone Usage from the Menu Bar.
  9. Save/Upload your work by clicking File > Upload Changes from the Menu Bar.
  10. After the changes have been uploaded successfully, click OK on the Change Report screen. 
  11. From the Phone Usage dialog box, click Add to add a new Route.
  12. From within the Route Picker dialog box, click New.
  13. Within the Route Details box, configure the new route as follows:

        a. Enter PSTN Route as the Route Name value.
        b. Under the Target Phone Numbers\Prefixes tab, choose Match all numbers except as noted.
        c. Under the Gateways tab, click Add then select Mediation-R2.contoso.com from the list of available gateways.
        d. To complete the configuration of Route Details, click OK twice.

  14. Save/Upload your work by clicking File > Upload Changes from the Menu Bar. 


  15. After the changes have been uploaded successfully, click OK on the Change Report screen.
  16. Close the Enterprise Voice Route Helper application.  
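To see what the three normalization rules from Step 6 actually do to a dialed string, here is an added Python model of them (example code, not the Enterprise Voice Route Helper's own logic). The `NormalizationRule` class and the `normalize` function are names chosen for this example; the rule values are the ones configured above, and the assumption that formatting characters are removed before matching is labelled in the code.

```python
"""Model of the three OCS 2007 R2 Location Profile normalization rules configured in this lab."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class NormalizationRule:
    """One row of the Location Profile Editor, using the field names from the dialog."""
    name: str
    starting_digits: str        # "Starting Digits" (empty = any digits)
    length: int                 # "Length: Exactly N Digits"
    strip: int                  # "Number of Digits to Strip"
    prepend: str                # "Digits to Prepend"
    internal_extension: bool = False   # "Internal Enterprise Extension"

    def pattern(self) -> re.Pattern:
        # Route Helper turns the rule into a regular expression of the form
        # ^<starting digits>\d{remaining}$ ; the same construction is used here.
        remaining = self.length - len(self.starting_digits)
        return re.compile(rf"^{re.escape(self.starting_digits)}\d{{{remaining}}}$")

    def apply(self, digits: str) -> Optional[str]:
        """Return the normalized number, or None when this rule does not match."""
        if not self.pattern().match(digits):
            return None
        return self.prepend + digits[self.strip:]


# The three rules exactly as entered in Step 6 (values taken from the lab text).
LAB_RULES = [
    NormalizationRule("4 Digit Internal Dialing", "", 4, 0, "+1980776", internal_extension=True),
    NormalizationRule("10 Digit Dialing", "", 10, 0, "+1"),
    NormalizationRule("11 Digit Dialing", "", 11, 0, "+"),
]


def normalize(dialed: str, rules: list[NormalizationRule] = LAB_RULES) -> Optional[tuple[str, str]]:
    """Apply the rules in order and return (rule name, E.164 number) for the first match, else None."""
    # Assumption for this example: spaces, dashes, parentheses and a leading "+" are
    # dropped before matching, so "1 (980) 776-0001" is treated as 11 digits.
    digits = re.sub(r"\D", "", dialed)
    for rule in rules:
        result = rule.apply(digits)
        if result is not None:
            return rule.name, result
    return None


if __name__ == "__main__":
    for sample in ("0001", "9807760001", "1 (980) 776-0001", "60001"):
        print(f"{sample!r:22} -> {normalize(sample)}")
```

All three dialing forms of the lab user resolve to +19807760001, the Line URI assigned later in the Configuring Users section; a five-digit string such as the UM extension 60001 matches none of these three rules.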

 

Step 4 – Associate the OCS Environment with the Location Profile

 

After having created our new Location Profile, we now need to associate it to our OCS environment.


A.  To associate the Location Profile


  1. Log on to the OCS 2007 R2 Mediation virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Click Start, then Programs, then Administrative Tools.  Click Office Communications Server 2007 R2 to launch the OCS 2007 R2 administration console.
  3. Within the administration console, expand the contoso.com Forest level entry, then expand Mediation Servers.
  4. Right click on the Mediation-R2.contoso.com server object, then select Properties. 
  5. In the Default Location Profile drop down box, choose the newly created OCSDialPlan.contoso.com Location Profile.
  6. Click OK to commit your changes.

 

Step 5 – Start services on the OCS 2007 R2 Mediation server 

 

Now that we have configured Enterprise Voice, we need to restart services on the Mediation server.


A.  To start services on the Mediation server


  1. Log on to the OCS 2007 R2 Mediation virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Click Start, then Programs, then Administrative Tools.  Click Office Communications Server 2007 R2 to launch the OCS 2007 R2 administration console.
  3. Within the administration console, expand the contoso.com Forest level entry, then expand Mediation Servers.
  4. Right click on the Mediation-R2.contoso.com server object, then click Start.
  5. Monitor the status of the startup of services displayed at the bottom left corner of the Administration Console window.

 

Step 6 – Restart services on the OCS 2007 R2 Front End server

 

Our final step of configuring Enterprise Voice involves restarting the services on the OCS 2007 R2 Front End server.  This is done to ensure that our end users receive details regarding the default location profile and normalization rules through in-band provisioning during the client logon process.


A.  To restart services on the Front End server


  1. Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Click Start, then Programs, then Administrative Tools.  Click Office Communications Server 2007 R2 to launch the OCS 2007 R2 administration console.
  3. Within the administration console, expand the contoso.com Forest level entry, then expand Standard Edition Servers.
  4. Expand the OCS-R2 Pool object, then right click on the OCS-R2.contoso.com Front End server object.
  5. Expand Stop, then select Stop all started services.
  6. Monitor the status of the stopping of services displayed at the bottom left corner of the Administration Console window.
  7. When all services have stopped successfully, again, right click on the OCS-R2.contoso.com Front End server object.
  8. Expand Start, then select Start all stopped services.
  9. Again monitor the status of the startup of services of the Front End server.

 

This completes the configuration of OCS 2007 R2 Enterprise Voice.

 

 

Configuring a VoIP Gateway or SIP Trunk

 

To provide external telephony connectivity for users in your lab, you will need to either purchase a VoIP gateway or a SIP trunk from a UCOIP certified provider. Currently, three vendors offer VoIP gateways and four vendors offer SIP trunks that have been certified for use with OCS 2007 R2. Given the scope of configuring PSTN connectivity for Office Communications Server 2007 R2, this topic will not be covered in this documentation.

For more information, please check the Microsoft Unified Communications Open Interoperability Program website at http://technet.microsoft.com/en-us/office/ocs/bb735838.aspx#trunking.

While Dialogic, Quintum, and Audiocodes offer VoIP gateways for use with OCS 2007 R2, I purchased the Audiocodes MP-114 Media Gateway for my lab environment. In February 2009, I published a blog entry on Microsoft TechNet which provides configuration details for configuring PSTN connectivity for OCS environments using an Audiocodes MP-114 or MP-118 Media Gateway. If you have an Audiocodes media gateway, you may find this information useful if you plan to configure PSTN connectivity for your own lab.


Integrating AudioCodes MP-114/MP-118 Media Gateways with Microsoft Unified Communications Products

http://blogs.technet.com/daveh/archive/2009/02/01/integrating-audiocodes-mp-114-mp-118-media-gateways-with-microsoft-unified-communications-products.aspx

 

 

Configuring Users


Our next task will be to create and configure users for our lab environment.  Each user will be enabled for email, voice mail, and OCS with Enterprise Voice.  If you’re like me and find it difficult to come up with names for users in your lab, check out a random name generator like the one at http://www.behindthename.com/random

 

Step 1 – Create a Mailbox-Enabled User using Exchange Management Console (EMC)


Our first step will be to connect to our Exchange server (the Windows 2008 physical host computer) and create a mailbox-enabled user for our lab.  To do this, we will use the Exchange Management Console.


A.  To create a Mailbox-Enabled user account


  1. Log on to the Windows 2008 physical host computer (Exchange 2007 server) as the built-in Domain Administrator account (Contoso\Administrator).
  2. Click Start, then All Programs, then Microsoft Exchange Server 2007, then choose Exchange Management Console.
  3. Within the Exchange Management Console, expand the Recipient Configuration object in the Navigation pane on the left, then select New Mailbox from the Action pane on the right.
  4. Within the Introduction page, select the User Mailbox option, then click Next.
  5. At the User Type page, choose New User, then click Next.
  6. At the User Information page, enter a First Name, Last Name, and Display Name value for your user account.  Additionally, configure a User Principal Name (user@domain.com), a pre-Windows 2000 Login Name (domain\user), and a Password value for your account.  Click Next.
  7. At the Mailbox Settings page, enter a mailbox Alias for your user, then click Browse to select a Mailbox Database.  Choose the Mailbox Database from your Exchange 2007 server, then click OK.  Click Next.
  8. At the Configuration Summary page, click New to create the mailbox-enabled user account.
  9. Next, right click on the new user account and choose Properties from the context menu.
  10. Within the Properties of the user account, click on the Address and Phone tab.
  11. Enter a Business phone number for the user account (e.g. 60001).  The number of digits in this extension should equal the number of digits specified in your Unified Messaging Dial Plan (e.g. 5 digits).  Click OK.

 

Step 2 – Enable the user for Office Communications Server


Our next step will be to enable the user for Office Communications Server.  This will add the user to the OCS database and allow the user to connect to the OCS Front End server using Microsoft Office Communicator.   


A.  To enable a user for Office Communications Server


  1. Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Click Start, and then click Run. In the Open box, type dsa.msc, and then click OK.
  3. In the console pane of Active Directory Users and Computers, expand the Users container or other organization unit where your user accounts reside.
  4. Right-click the mailbox-enabled user that you created in Step 1 above (e.g., Spongebob Squarepants), and then click Enable users for Communications Server.
  5. On the Welcome to the Enable Office Communications Server Users Wizard page, click Next.
  6. On the Select Server or Pool page, select the Standard Edition server OCS-R2.contoso.com from the list, and then click Next.
  7. On the Specify Sign-in Name page, select Use user’s e-mail address to generate the SIP URI for the user account, then click Next.
  8. At the Ready to Enable Users page, click Next.
  9. Verify that the user was enabled successfully, and then click Finish.

 

Step 3 – Configure OCS settings for enabled users


After enabling our account for Office Communications Server, our next step will be to configure the account for external connectivity and Enterprise Voice. 


A.  To configure a user for Office Communications Server


  1. Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Click Start, and then click Run. In the Open box, type dsa.msc, and then click OK.
  3. In the console pane of Active Directory Users and Computers, expand the Users container or other organization unit where your user accounts reside.
  4. Right-click on the user account that you created in Step 1 above, then select Configure Communications Server Users.
  5. At the Welcome to the Configure Users Wizard splash screen, click Next.
  6. At the Configure User Settings page, enable the Federation, Public IM Connectivity, Remote User Access, and Enhanced Presence options for all selected users.  Click Next.
  7. At the Configure User Settings anonymous meeting participation page, click Next.  (This option will be grayed out.)
  8. At the Configure User Settings meeting policy page, click Next.  (This option will be grayed out.)
  9. At the Configure Enterprise Voice Settings page, enable the option for Change Enterprise Voice Settings and select the option for Enable Enterprise Voice.  Click Next.
  10. At the Configure Enterprise Voice Settings and Location Profile page, enable the option Change location profile for selected users, then choose the OCSDialPlan.contoso.com location profile from the list of available location profiles.  Click Next.
  11. At the Ready to Configure Users page, click Next.
  12. At the Configure Operation Status page, verify that your user was successfully configured for Office Communications Server.

 

Step 4 – Configure Enterprise Voice details for users


Our next step will be to configure the Line URI value for our user account.  This value allows us to define an E.164 telephone number for our user.


A.  To configure a Line URI value for a user


  1. Log on to the OCS 2007 R2 Front End virtual machine as the built-in Domain Administrator account (Contoso\Administrator).
  2. Click Start, and then click Run. In the Open box, type dsa.msc, and then click OK.
  3. In the console pane of Active Directory Users and Computers, expand the Users container or other organization unit where your user accounts reside.
  4. Right-click on the user account that you created in Step 1 above, then select Properties.
  5. Click on the Communications tab, and verify that the user is enabled for OCS.
  6. Under Telephony settings, click Configure.
  7. Under Telephony Options, verify that Enterprise Voice is enabled.  Enter the Line URI value tel:+19807760001 and select the OCSDialPlan.contoso.com Location Profile.  Click OK.
  8. Click OK to close user properties.

 

Step 5 – Enable the User for Unified Messaging using Exchange Management Console (EMC)


Our next step will be to enable the account for Unified Messaging.  This will allow unanswered or busy calls to this user to be diverted to voice mail.  Again, we will use the Exchange Management Console for this task.


A.  To enable the user account for Unified Messaging


  1. Log on to the Windows 2008 physical host computer (Exchange 2007 server) as the built-in Domain Administrator account (Contoso\Administrator).
  2. Click Start, then All Programs, then Microsoft Exchange Server 2007, then choose Exchange Management Console.
  3. Within the Exchange Management Console, expand the Recipient Configuration object in the Navigation pane on the left, highlight the mailbox in the Results pane in the center, then select Enable Unified Messaging from the Action pane on the right.
  4. At the Introduction page, you will find options to configure the UM Mailbox Policy and UM PIN Settings.  To select a UM Mailbox Policy, click Browse and choose the OCSDialPlan Default Policy.  Click OK.  Then select the option Manually specify PIN, and to the right enter the desired PIN for this user.  Click Next.
  5. At the Extension Configuration page, select the option Manually entered mailbox extension and enter the Business extension (e.g. 60001) from Step 1 above.  Again, the number of digits in the extension should match that of your UM Dial Plan.  Also select the option Manually entered SIP or E.164 address, and enter the email address of the user.  Click Next.
  6. At the Configuration Summary page, click Enable to enable the account for Unified Messaging.

 

Step 6 – Generate Grammar Files for UM Dial Plan and Global Address List


After enabling our accounts for Unified Messaging, we need to be sure to include them in the grammar files used by Unified Messaging.  Although these files are created and/or updated by the server around 1:30am each day, the Directory Search feature of our Auto Attendant will not find our new UM enabled users until these files are generated.  


A.  To generate the grammar file for Unified Messaging


  1. Log on to the Windows 2008 physical host computer (Exchange 2007 server) as the built-in Domain Administrator account (Contoso\Administrator).
  2. From the Exchange server, open a command prompt.
  3. Create a new folder to hold the log files created by the galgrammargenerator utility using the following command:

    md C:\temp

  4. Navigate to the folder where the galgrammargenerator utility resides by entering the following command:

    cd C:\Program Files\Microsoft\Exchange Server\Bin

  5. Next, run the following command to generate the grammar files for our Dial Plan:

    galgrammargenerator.exe -s {servername} -o c:\temp\DialPlan_GrammarGeneration.log

  6. Next, run the following command to generate the grammar files for our Global Address List:

    galgrammargenerator.exe -g -o c:\temp\GAL_GrammarGeneration.log

  7. Examine each of the log files in the C:\temp folder to verify that the UM Enabled user was included in the compiled grammar files.

 

This completes the configuration of the user account for Exchange Server and Office Communications Server.

Posted by DaveH | 0 Comments

A deep dive into the Office Communicator 2007 R2 file transfer process

I had an opportunity recently to dig into the file transfer mechanism in Microsoft Office Communicator 2007 R2 (MOC).  As you may already know, although a server from the OCS Pool is used to route setup information for the file transfer session between the participating clients, the file transfer itself occurs peer-to-peer directly between the participating clients.  Depending on the configuration of the network, either a two-way or a three-way handshake transaction will be performed to set up the file transfer session, immediately followed by the file transfer itself using TFTP over a randomly chosen TCP port from the range of 6891 – 6900. 

 

How file transfers between Office Communicator 2007 R2 clients typically work

 

When an Office Communicator client prepares to transfer a file, the client will check whether the file transfer is allowed by policy and whether the file contains an extension that is not blocked by the Intelligent IM Filter (IIMF).  The sending client will then prepare an INVITE MESSAGE request and send it to the receiving client via the OCS Pool.  This MESSAGE request will contain several critical pieces of information for the receiving client to process, including:


Content-Type: text/x-msmsgsinvite  (specifies that this is a transfer type request)
Application-Name: File Transfer  (specifies that this is a file transfer)
Invitation-Command: INVITE  (specifies that this is the initial handshake transaction)
Invitation-Cookie: 513756658  (used to identify / track requests and responses)
Application-File: Readme.txt  (specifies the name of the file to be sent)
Application-FileSize: 4690  (specifies the size of the file to be sent)
Connectivity: N  (if present, specifies that the client is using a NAT address)
Encryption: R  (specifies whether encryption is ‘S’ supported or ‘R’ required)

Upon receiving the INVITE MESSAGE request, the receiving client will send 200 OK to update the sender that the packet has been accepted.  It will then construct and send its own ACCEPT MESSAGE request to the sending client via the OCS Pool.  This MESSAGE request will also contain several pieces of information for the sending client to process, including:


Content-Type: text/x-msmsgsinvite  (specifies that this is a transfer type request)
Invitation-Command: ACCEPT  (specifies whether receiver will accept or reject file transfer / second handshake transaction)
Invitation-Cookie: 513756658 (used to identify / track request and responses)
Request-Data: IP-Address: (not used)
Encryption-Key: qiQkTTcCtvxDgYOJllkVaB6mEyrez7ML  (used to encrypt the data for the file transfer)
Hash-Key: 50raTj9w5BWC63JEVlAlgNT7oNAStr22  (used to decrypt the transferred data)
IP Address: 192.168.1.10  (specifies the advertised address used for the file transfer)
Port: 6891  (specifies the advertised port from 6891-6900 range for the file transfer)
PortX: 11178 (global constant set as default AI Port value / may not be used)
AuthCookie:  27079318  (used for identification for pending TFTP session)
Sender-Connect:  True  (if present, specifies that sending client must connect to receiving client to transfer file)

Likewise, upon receiving the ACCEPT MESSAGE request, the sending client will send 200 OK to update the receiver that the packet has been accepted.  Using the information contained within the MESSAGE request, the sending client will then open a TFTP file transfer session directly to the IP Address (192.168.1.10) and Port (6891) advertised by the receiving client to transfer the file.  The following transaction will then occur between the sending and receiving clients:


Sending client connects to Receiving client
Receiving client sends VER MSN_SECURE_FTP
Sending client sends VER MSN_SECURE_FTP
Receiving client sends USR receivinguser@contoso.com 27079318
Sending client sends FIL 4698
Receiving client sends TFR
Sending client transfers the encrypted file to specified IP address/Port
Receiving client sends BYE 16777989
Sending client sends MAC (signature using encrypted hash)
Sending client tears down the connection

As mentioned previously, this is how the file transfer process in Office Communicator 2007 R2 typically works – or at least, this is how it is typically documented (see the Office Communications Server 2007 R2 Resource Kit, pages 175–179).  However, there is much more to this process, as you will see…

 

How file transfers between Office Communicator 2007 R2 clients really work


The deep dive into the file transfer process actually begins with evaluating the network infrastructure used by the two participating Office Communicator 2007 R2 clients.  Whenever a user prepares to send a file using Office Communicator, both the sending client and the receiving client perform suitability testing to determine the appropriate network adapter to use for the file transfer attempt.  The individual results of this network suitability testing directly affect how the file transfer session is established between the two participating clients.


Assuming that the file transfer is allowed by policy and that the file name to be sent does not have an extension value that is filtered by the Intelligent IM Filter (IIMF), the following steps describe the behavior of a file transfer attempt in much greater detail.

 

Step 1 – Sending client performs suitability testing to determine which network adapter should be used for the file transfer attempt. 


The sending client calls a function that returns a list of network adapters that are enabled on the local machine.  From the list of enabled adapters, it performs suitability testing to determine the most suitable IP address to use for the file transfer. 


- Prefer any adapter that has an internet IP address (any non-private, routable IP address), but only if it was used to log on to OCS Pool
- Prefer any adapter with an RFC1918 private IP address (10.X.X.X, 172.16.X.X, or 192.168.X.X), but only if it was used to log on to OCS Pool
- Reject any adapter that is considered as automatically assigned (169.X.X.X)
- Reject any adapter that is considered a loopback adapter (127.X.X.X)

Note:  If the most suitable network adapter is assigned an RFC1918 private IP address, the Connectivity flag for the sender will be marked as N (NAT).
 

 

Step 2 – Sending client constructs INVITE MESSAGE (initial handshake) and sends it to the receiving client via the OCS Pool.


After the sending client has evaluated the network adapters on the local system and selected the most suitable one for the file transfer, we can tell from the contents of the INVITE MESSAGE session description below that this adapter is not using a NAT IP address.  Since the Connectivity flag is not present in the packet, the sending client will be responsible for sending an IP Address/Port to the receiving client.  This will result in a three-way handshake transaction between the participating clients.


Content-Type: text/x-msmsgsinvite; charset=UTF-8
Content-Length: 224
Application-Name: File Transfer
Application-GUID: {5D3E02AB-6190-11d3-BBBB-00C04F795683}
Invitation-Command: INVITE
Invitation-Cookie: 513756658
Application-File: Readme.txt
Application-FileSize: 4690
Encryption: R

Had the most suitable network adapter been assigned an RFC1918 private IP Address, the Connectivity flag (Connectivity: N) would have appeared in the session description.  This means that the sending client would have been marked as not listening, or incapable of providing a valid IP Address/Port for establishing connectivity during the file transfer.  Instead, the burden of providing a valid IP Address/Port would have then fallen on the receiving client.

 

Step 3 – Receiving client responds with 200 OK and processes the INVITE MESSAGE from the sending client.


The receiving client examines the inbound file transfer request and performs the following checks based on the details contained in the MESSAGE session description:


Is the sending client using a NAT IP address (Connectivity: N)?
Does the sending client support or require encryption (Encryption: S or R)?
Does the file have a safe filename (reject filenames containing any of * ? \ " < > | )?

 

Step 4 – Receiving client performs suitability testing to determine which network adapter should be used for the file transfer attempt. 

 

The receiving client then calls the same function to return a list of network adapters from the operating system.  It also uses the same suitability testing to determine the most suitable IP address to use for the file transfer. 


- Prefer any adapter that has an internet IP address (any non-private, routable IP address), but only if it was used to log on to OCS Pool
- Prefer any adapter with an RFC1918 private IP address (10.X.X.X, 172.16.X.X, or 192.168.X.X), but only if it was used to log on to OCS Pool
- Reject any adapter that is considered as automatically assigned (169.X.X.X)
- Reject any adapter that is considered a loopback adapter (127.X.X.X)
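Steps 1 and 4 apply the same four adapter rules on each side, so one added Python model serves both (example code, not Office Communicator's implementation). `Adapter`, `used_for_logon` and `select_adapter` are names chosen for this example; the function returns the chosen adapter together with the Connectivity flag value the post describes (N when the chosen address is RFC1918 private).

```python
"""Adapter suitability test from Steps 1 and 4, modelled on the rules in the post."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# The three private ranges the post lists (10.X.X.X, 172.16.X.X, 192.168.X.X), as RFC 1918 blocks.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Adapter:
    name: str
    ip: str
    used_for_logon: bool   # was this the adapter Communicator signed in to the OCS Pool over?


def is_rfc1918(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in RFC1918)


def select_adapter(adapters: list[Adapter]) -> tuple[Optional[Adapter], Optional[str]]:
    """Return (most suitable adapter, Connectivity flag).

    Preference order from the post: an Internet (routable) address used to log on first, then an
    RFC 1918 address used to log on.  Automatically assigned (169.254.x.x) and loopback (127.x.x.x)
    addresses are rejected outright, as are adapters that were not used to log on to the OCS Pool.
    The flag is "N" when the chosen address is private, None when it is routable or nothing fits.
    """
    public: list[Adapter] = []
    private: list[Adapter] = []
    for adapter in adapters:
        addr = ipaddress.ip_address(adapter.ip)
        if addr.is_loopback or addr.is_link_local:   # 127.x.x.x and the 169.254.x.x automatic range
            continue
        if not adapter.used_for_logon:               # only the log-on adapter(s) are eligible
            continue
        if is_rfc1918(addr):
            private.append(adapter)
        elif addr.is_global:
            public.append(adapter)
    if public:
        return public[0], None      # routable address: no Connectivity flag in the INVITE
    if private:
        return private[0], "N"      # NAT address: INVITE will carry Connectivity: N
    return None, None


if __name__ == "__main__":
    # Constructed sample: a typical domain-joined laptop with loopback, APIPA and one LAN adapter.
    sample = [
        Adapter("Loopback", "127.0.0.1", False),
        Adapter("Wireless (no link)", "169.254.10.5", False),
        Adapter("LAN", "192.168.1.10", True),
    ]
    print(select_adapter(sample))
```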

 

Step 5 - The receiving client constructs ACCEPT MESSAGE (second handshake) and sends it to the sending client via the OCS Pool

 

After evaluating its own list of network adapters for suitability, the receiving client sends an ACCEPT MESSAGE (second handshake) response to the sending client.  The receiving client will construct its response based on the following logic:



Request - Sending client is using an adapter with an Internet IP Address and the INVITE MESSAGE does not contain a Connectivity flag value of N (NAT). 
Response - Regardless of local adapter settings, the ACCEPT MESSAGE sent by the receiving client will not contain any connectivity information. 

    Content-Type: text/x-msmsgsinvite; charset=UTF-8
    Content-Length: 181
    Invitation-Command: ACCEPT
    Invitation-Cookie: 249893901
    Request-Data: IP-Address:
    Encryption-Key: qiQkTTcCtvxDgYOJllkVaB6mEyrez7ML
    Hash-Key: 50raTj9w5BWC63JEVlAlgNT7oNAStr22

Request - Sending client is using an adapter with an RFC1918 private IP Address and the INVITE MESSAGE contains a Connectivity flag value of N (NAT). 
Response - Receiving client is using an adapter with an Internet IP Address.  ACCEPT MESSAGE sent by the receiving client will contain a valid IP Address/Port. 
    Content-Type: text/x-msmsgsinvite; charset=UTF-8
    Content-Length: 306
    Invitation-Command: ACCEPT
    Invitation-Cookie: 249893901
    Request-Data: IP-Address:
    Encryption-Key: qiQkTTcCtvxDgYOJllkVaB6mEyrez7ML
    Hash-Key: 50raTj9w5BWC63JEVlAlgNT7oNAStr22
    IP-Address: 207.46.193.254
    Port: 6891
    PortX: 11178
    Auth-Cookie: 2142425484
    Sender-Connect: TRUE

Request - Sending client is using an adapter with an RFC1918 private IP Address and the INVITE MESSAGE contains a Connectivity flag value of N (NAT). 
Response - Receiving client is using an adapter with an RFC1918 private IP Address.  ACCEPT MESSAGE sent by the receiving client will contain a NAT IP Address/Port. 
    Content-Type: text/x-msmsgsinvite; charset=UTF-8
    Content-Length: 181
    Invitation-Command: ACCEPT
    Invitation-Cookie: 249893901
    Request-Data: IP-Address:
    Encryption-Key: qiQkTTcCtvxDgYOJllkVaB6mEyrez7ML
    Hash-Key: 50raTj9w5BWC63JEVlAlgNT7oNAStr22
    IP-Address: 192.168.1.10
    Port: 6891
    PortX: 11178
    Auth-Cookie: 2142425484
    Sender-Connect: TRUE

Step 6 – Sending client responds with 200 OK and processes the ACCEPT MESSAGE from the receiving client.


The sending client examines the ACCEPT MESSAGE and performs the following checks based on the details contained in the session description:


Does the Encryption-Key provided by the receiving client meet the minimum security requirements (i.e. S-Supported / R-Required)?
Is the receiving client listening for inbound connections (i.e. is Sender-Connect set to TRUE)?

 

Step 7 – Network connectivity determines next action of sending client in response to the ACCEPT MESSAGE sent by the receiving client.


Upon receiving the ACCEPT MESSAGE, the sending client must determine how to establish connectivity to the receiving client to complete the file transfer.  The response of the sending client is determined by the presence of the Sender-Connect flag in the session description of the ACCEPT MESSAGE sent by the receiving client.

 

If the ACCEPT MESSAGE sent by the receiving client contains Sender-Connect: TRUE


The Sender-Connect flag instructs the sending Office Communicator client to connect to the receiving client on the IP Address/Port specified in the session description of the ACCEPT MESSAGE.  The mere presence of Sender-Connect within the body of the ACCEPT MESSAGE sent by the receiving client may indicate a diminished chance of success for the file transfer, for two reasons:


  1. Sender-Connect will only be set to TRUE if the sending client is determined to be using a NAT IP Address
  2. When Sender-Connect is set to TRUE, the IP Address/Port offered by the receiving client may be either an Internet IP Address or a NAT IP Address

If Sender-Connect is set to TRUE, the sending client will establish a connection to the IP Address/Port advertised by the receiving client.  The encrypted file will then be streamed to the receiving client using the same TFTP process described previously in this article. 

Connectivity between the sending client and the receiving client may fail if either client is logged on externally via the Access Edge role, or if a network route does not exist between two NAT IP addresses (i.e. 192.168.1.10 and 172.16.100.10).  File transfers may also fail if network traffic is filtered by a firewall device or by software such as Windows Firewall.


If the ACCEPT MESSAGE sent by the receiving client does not contain any connectivity information


If the ACCEPT MESSAGE sent by the receiving client does not contain either the Sender-Connect flag or any connectivity information, a third handshake is required to complete the file transfer request.  This behavior will only occur when the network adapter used by the sending client is determined to be an Internet IP Address.  The sending client will again examine its list of network adapters, and the most suitable adapter will be used to send another ACCEPT MESSAGE (third handshake) to the receiving client, this time containing connection information for the file transfer. 


    Content-Type: text/x-msmsgsinvite; charset=UTF-8
    Content-Length: 162
    Invitation-Command: ACCEPT
    Invitation-Cookie: 513756658
    IP-Address: 207.46.192.254
    Port: 6891
    PortX: 11178
    AuthCookie: 514242609
    Request-Data: IP-Address:

 

Step 8 – Receiving client responds with 200 OK and processes the ACCEPT MESSAGE from the sending client.


The receiving client processes the inbound ACCEPT MESSAGE and examines the content of its session description.  Here it finds the IP Address/Port information to use for the file transfer session.

 

Step 9 – Receiving client connects to the IP Address and Port provided by the sending client


The receiving client establishes a network connection to the IP Address and Port provided by the sending client.  The encrypted file will be streamed to the receiving client using the same TFTP process described previously in this article. 
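The handshake logic of Steps 2 through 9, as an added Python model (not Communicator code): it parses the text/x-msmsgsinvite session description, applies the receiver's checks from Step 3, builds the ACCEPT for the three cases of Step 5, and decides whether the transfer ends up as a two-way handshake (sender connects) or a three-way handshake (receiver connects). All function names are chosen for this example; the sample INVITE is constructed from the header values quoted in the post, and the encryption keys are treated as opaque strings.

```python
"""Model of the Office Communicator 2007 R2 file-transfer handshake described in the post."""
from __future__ import annotations

from typing import Optional

UNSAFE_FILENAME_CHARS = set('*?\\"<>|')   # characters the receiver rejects in Application-File (Step 3)
TRANSFER_PORTS = range(6891, 6901)        # the advertised port must come from 6891-6900
PORTX_DEFAULT = "11178"                   # global constant PortX value quoted in the post

# Constructed sample INVITE (second handshake case: sender behind NAT, so Connectivity: N is present).
SAMPLE_INVITE_NAT = """Content-Type: text/x-msmsgsinvite; charset=UTF-8
Application-Name: File Transfer
Invitation-Command: INVITE
Invitation-Cookie: 513756658
Application-File: Readme.txt
Application-FileSize: 4690
Connectivity: N
Encryption: R
"""


def parse_session_description(body: str) -> dict[str, str]:
    """Parse 'Header: value' lines into a dict; the value may itself contain ':' (Request-Data: IP-Address:)."""
    headers: dict[str, str] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        headers[key.strip()] = value.strip()
    return headers


def format_session_description(headers: dict[str, str]) -> str:
    return "".join(f"{key}: {value}\n" for key, value in headers.items())


def receiver_checks(invite: dict[str, str]) -> list[str]:
    """Step 3: reasons the receiving client would refuse the INVITE (an empty list means acceptable)."""
    problems = []
    name = invite.get("Application-File", "")
    if not name or UNSAFE_FILENAME_CHARS & set(name):
        problems.append("unsafe filename")
    if invite.get("Encryption") not in ("S", "R"):
        problems.append("Encryption must be S (supported) or R (required)")
    return problems


def _endpoint_headers(ip: str, port: int) -> dict[str, str]:
    if port not in TRANSFER_PORTS:
        raise ValueError(f"port {port} outside the 6891-6900 file transfer range")
    return {"IP-Address": ip, "Port": str(port), "PortX": PORTX_DEFAULT}


def build_accept(invite: dict[str, str], receiver_endpoint: tuple[str, int],
                 keys: tuple[str, str], auth_cookie: int) -> dict[str, str]:
    """Step 5: the receiver's ACCEPT.  Connectivity details are added only when the sender is behind NAT;
    whether the receiver's own address is routable or private changes the IP offered, not the shape."""
    encryption_key, hash_key = keys
    accept = {
        "Invitation-Command": "ACCEPT",
        "Invitation-Cookie": invite["Invitation-Cookie"],
        "Request-Data": "IP-Address:",
        "Encryption-Key": encryption_key,
        "Hash-Key": hash_key,
    }
    if invite.get("Connectivity") == "N":
        accept.update(_endpoint_headers(*receiver_endpoint))
        accept["Auth-Cookie"] = str(auth_cookie)
        accept["Sender-Connect"] = "TRUE"
    return accept


def build_third_handshake(invite_cookie: str, sender_endpoint: tuple[str, int], auth_cookie: int) -> dict[str, str]:
    """Step 7 (no connectivity info case): the sender's own ACCEPT advertising where the receiver must connect."""
    third = {"Invitation-Command": "ACCEPT", "Invitation-Cookie": invite_cookie}
    third.update(_endpoint_headers(*sender_endpoint))
    third["AuthCookie"] = str(auth_cookie)
    third["Request-Data"] = "IP-Address:"
    return third


def negotiate(invite_body: str, receiver_endpoint: tuple[str, int], sender_endpoint: tuple[str, int],
              keys: tuple[str, str], auth_cookie: int) -> tuple[int, Optional[str], Optional[tuple[str, int]]]:
    """Run the exchange.  Returns (number of handshakes, party that opens the TCP connection,
    endpoint it connects to), or (0, None, None) when the receiver refuses the INVITE."""
    invite = parse_session_description(invite_body)
    if receiver_checks(invite):
        return 0, None, None
    # Round-trip the ACCEPT through the wire format, as the sender would see it.
    accept = parse_session_description(format_session_description(
        build_accept(invite, receiver_endpoint, keys, auth_cookie)))
    if accept.get("Sender-Connect", "").upper() == "TRUE":            # Step 7: two-way handshake
        return 2, "sender", (accept["IP-Address"], int(accept["Port"]))
    third = build_third_handshake(accept["Invitation-Cookie"], sender_endpoint, auth_cookie)
    return 3, "receiver", (third["IP-Address"], int(third["Port"]))   # Steps 8 and 9
```

Note that in both outcomes one client ends up opening a TCP connection to whatever IP Address/Port the peer advertised in a MESSAGE body, which is why transfers fail across NAT boundaries and host firewalls as the post describes.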

 

 

As always, I hope this helps… :0)

 

-- Dave

Posted by DaveH | 1 Comments

How to locate and dial a mail-enabled contact using the Directory Search functionality in Unified Messaging

Contrary to statements published in various third party integration documents, it is possible to include mail-enabled contacts in the Directory Search functionality of a Dial Plan or an Auto Attendant in Unified Messaging.  Although the following configuration steps can provide this functionality, you should exercise caution when enabling outbound dialing from Unified Messaging.


  • Calls to the Subscriber Access (SA) line of a UM Dial Plan are considered unauthenticated until the caller enters a valid PIN.  Outbound dialing restrictions set on the Dial Plan affect unauthenticated SA callers.
  • Calls to the Subscriber Access (SA) line of a UM Dial Plan are considered authenticated only after the caller enters a valid PIN.  Outbound dialing restrictions set on the associated UM Mailbox Policy affect authenticated SA callers.
  • Calls to a UM Auto Attendant (AA) are considered unauthenticated as the caller is never prompted to enter a PIN.  Outbound dialing restrictions set on the Auto Attendant affect unauthenticated AA callers.

For example, if you allow unauthenticated callers to search/dial mail-enabled contacts from an Auto Attendant menu, you may incur national or international long distance charges unless proper dialing restrictions are enforced. 


Please see the following TechNet article for more information:


Managing Outdialing in Unified Messaging ( http://technet.microsoft.com/en-us/library/bb232135.aspx )


Configuration Steps


  1. Launch the Exchange Management Console and drill down to Recipient Configuration in the navigation pane on the left
  2. Click on Mail Contact, then select New Mail Contact from the actions pane on the right
  3. Create a new Mail Contact called UMContact with an email alias of UMContact and an external email address (e.g. umcontact@nwtraders.com)
  4. Open the properties of the UMContact object and enter a telephone number in the Business field of the Address and Phone tab
  5. Next, open the properties of your UM Dial Plan (or UM Auto Attendant), click on the Features tab, and allow callers to contact Anyone in the Default Global Address List
  6. Open the Exchange Management Shell, then enter the command:  Set-Contact "UMContact" -CreateDtmfMap $true
  7. Using AD Sites and Services, replicate all of your domain controllers in the Active Directory site where your UM servers reside
  8. On each UM server associated with the UM Dial Plan, open a command prompt and navigate to \Program Files\Microsoft\Exchange Server\BIN
  9. From the command prompt, run:  galgrammargenerator.exe -g -o .\generateGAL.log to manually generate the grammar file for the Global Address List
  10. Open the generateGAL.log file using Notepad and verify that the UMContact object was processed successfully
  11. Using a telephone, call the Outlook Voice Access/Subscriber Line for the UM Dial Plan, and log in as a UM Enabled user
  12. From the main menu, say ‘Directory’ then search for the UMContact object (it should find the contact object and prompt you for confirmation)
  13. Next, say ‘Call the Office’, then place a call to the Business phone number of the UMContact object
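The following Exchange Management Shell script is an added example, not code from the post or from Exchange: it automates steps 3, 4 and 6 above, verifies that the DTMF map was actually written, and then audits the directory scope and dialing rule groups that the bullets at the top of the post warn about. The contact name, OU, address and phone number are assumptions.

```powershell
# Added example (not from the original post). Run from the Exchange Management Shell.
# Assumptions: contact name/OU/address below and a constructed phone number.
$ContactName   = 'UMContact'
$ContactOU     = 'nwtraders.com/Users'
$ExternalSmtp  = 'umcontact@nwtraders.com'
$BusinessPhone = '+1 425 555 0100'            # constructed sample number

function Join-Names($collection) {
    # Flatten a multi-valued Exchange property into a readable comma list
    [string]::Join(', ', @($collection | ForEach-Object { "$_" }))
}

# Step 3: mail-enabled contact (idempotent)
if (-not (Get-MailContact -Identity $ContactName -ErrorAction SilentlyContinue)) {
    New-MailContact -Name $ContactName -Alias $ContactName `
        -ExternalEmailAddress $ExternalSmtp -OrganizationalUnit $ContactOU | Out-Null
}
# Step 4: the 'Business' phone field on the Address and Phone tab is the Phone attribute
Set-Contact -Identity $ContactName -Phone $BusinessPhone
# Step 6: DTMF map, without which grammar generation cannot match the contact
Set-Contact -Identity $ContactName -CreateDtmfMap $true

# Verification: an empty UMDtmfMap means the directory search will never find the contact
$dtmf = (Get-Contact -Identity $ContactName).UMDtmfMap
if ($dtmf.Count -eq 0) { throw "UMDtmfMap is empty for $ContactName; directory search will not find it" }
$dtmf | ForEach-Object { Write-Host "DTMF map: $_" }

# Audit for step 5. Objects whose ContactScope is GlobalAddressList expose this
# contact to callers; the allowed dialing rule groups decide which of its numbers
# UM will actually dial for them. Dial plan groups apply to unauthenticated SA
# callers, AA groups to AA callers, mailbox policy groups to PIN-authenticated callers.
$dialPlans = @(Get-UMDialPlan)
$targets   = $dialPlans + @(Get-UMAutoAttendant) | Where-Object { $_.ContactScope -eq 'GlobalAddressList' }
foreach ($t in $targets) {
    if ($t.PSObject.TypeNames[0] -match 'AutoAttendant') { $kind = 'Auto attendant' } else { $kind = 'Dial plan' }
    Write-Host "`n$kind '$($t.Name)' exposes the whole GAL to its callers"
    Write-Host "  In-country groups:    $(Join-Names $t.AllowedInCountryOrRegionGroups)"
    Write-Host "  International groups: $(Join-Names $t.AllowedInternationalGroups)"
}
Get-UMMailboxPolicy | ForEach-Object {
    Write-Host "`nMailbox policy '$($_.Name)' (authenticated SA callers):"
    Write-Host "  In-country groups:    $(Join-Names $_.AllowedInCountryOrRegionGroups)"
    Write-Host "  International groups: $(Join-Names $_.AllowedInternationalGroups)"
}

# The rules themselves live on the dial plan. A NumberMask of '*' matches any
# dialed number, so a group containing such a rule effectively allows unrestricted outdialing.
foreach ($dp in $dialPlans) {
    $rules = @($dp.ConfiguredInCountryOrRegionGroups) + @($dp.ConfiguredInternationalGroups)
    foreach ($r in $rules) {
        if ($r -eq $null) { continue }
        if ($r.NumberMask -eq '*') { $flag = '   <-- matches any number, review' } else { $flag = '' }
        Write-Host ("Dial plan '{0}' group '{1}': mask {2} -> dials {3}{4}" -f $dp.Name, $r.Name, $r.NumberMask, $r.DialedNumber, $flag)
    }
}
```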

 

-- Dave

Posted by DaveH | 0 Comments

How to enable ‘broadcast’ functionality for voice mail messages in Exchange 2007 Unified Messaging

In Exchange 2007 Unified Messaging, there are no options exposed within the Exchange Management Console that would allow an administrator to configure broadcast or announcement capabilities for voice mail messages.  For example, let’s say that you need to send a voice mail message to your entire staff announcing a mandatory meeting later today.  There really is no easy way to configure this functionality in the current release – but it can be done, thanks to the following solution provided by Wayne Harper, a Senior SEE for the UM escalation team in Las Colinas, Texas.


Caveats:

  • Exchange 2007 Service Pack 1 must be installed on the server hosting your Unified Messaging role
  • Mail-enabled Universal Distribution Groups should be used, as Security Groups are not processed by the grammar generation process

Configuration Steps:

  1. Launch the Exchange Management Console and drill down to Recipient Configuration in the navigation pane on the left
  2. Click on Distribution Group, then select New Distribution Group from the actions pane on the right
  3. Create a new Universal Distribution Group called UMAnnouncements with an email alias of UMAnnouncements
  4. After creating the new distribution group, open its properties in the Exchange Management Console and click on the Mail Flow Settings tab
  5. Open the properties of Message Delivery Restrictions and configure the distribution group to only Accept Mail from Senders (add a designated UM Enabled user)
  6. Open the Members tab and add selected UM Enabled users to the membership list of the distribution group, then commit your changes
  7. Next, open the properties of your UM Dial Plan, click on the Features tab, and allow callers to contact Anyone in the Default Global Address List
  8. Open the Exchange Management Shell, then enter the command:  Set-DistributionGroup "UMAnnouncements" -CreateDtmfMap $true
  9. Using AD Sites and Services, replicate all of your domain controllers in the Active Directory site where your UM servers reside
  10. On each UM server associated with the UM Dial Plan, open a command prompt and navigate to \Program Files\Microsoft\Exchange Server\BIN
  11. From the command prompt, run:  galgrammargenerator.exe -g -o .\generateGAL.log to manually generate the grammar file for the Global Address List
  12. Again from the command prompt, run:  galgrammargenerator.exe -l -o .\generateDL.log to manually generate the grammar file for Distribution Lists
  13. Open both the generateGAL.log file and the generateDL.log file using Notepad and verify that the UMAnnouncements group was processed successfully
  14. Using a telephone, call the Outlook Voice Access/Subscriber Line for the UM Dial Plan, and log in as the designated UM Enabled user from Step 5
  15. From the main menu, say ‘Directory’ then search for the UMAnnouncements group (it should find the distribution group and prompt you for confirmation)
  16. Next, say ‘Send A Message’, then leave a voice mail message for the UMAnnouncements group.  Say ‘Send It’ to confirm delivery and hang up the phone
  17. The voice mail message should be delivered to all UM Enabled users who are a member of the UMAnnouncements distribution group.
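As an added example (not code from the post or from Exchange), the recipient side of steps 2 through 8 as an Exchange Management Shell script, followed by checks for the two caveats and for the sender restriction that keeps the broadcast group from being usable by anyone who can find it in the directory. Group name, OU, the designated sender and the member addresses are assumptions.

```powershell
# Added example (not from the original post). Run from the Exchange Management Shell.
$GroupName = 'UMAnnouncements'
$GroupOU   = 'contoso.com/Users'                      # assumption
$Announcer = 'alice@contoso.com'                      # constructed: the designated sender from step 5
$Members   = 'bob@contoso.com', 'carol@contoso.com'   # constructed: UM-enabled users for step 6

# Steps 2-3: a Universal *distribution* group. Caveat 2 above: security groups
# are skipped by grammar generation, so the type must be Distribution.
if (-not (Get-DistributionGroup -Identity $GroupName -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $GroupName -Alias $GroupName -Type Distribution `
        -OrganizationalUnit $GroupOU | Out-Null
}

# Step 5: only the designated user may send to the group. Without this restriction
# any caller who can reach the group through the directory could leave a broadcast.
Set-DistributionGroup -Identity $GroupName -AcceptMessagesOnlyFrom $Announcer

# Step 6: membership (idempotent; existing members just produce a suppressed error)
foreach ($m in $Members) {
    Add-DistributionGroupMember -Identity $GroupName -Member $m -ErrorAction SilentlyContinue
}

# Step 8: DTMF map so the grammar generator can match the group by name
Set-DistributionGroup -Identity $GroupName -CreateDtmfMap $true

# --- verification of the caveats and of the restriction ---
$g = Get-DistributionGroup -Identity $GroupName
$problems = @()
if ($g.GroupType -notmatch 'Universal')        { $problems += "scope is '$($g.GroupType)', not Universal" }
if ($g.GroupType -match 'SecurityEnabled')     { $problems += 'group is security-enabled; grammar generation skips it' }
if ($g.AcceptMessagesOnlyFrom.Count -eq 0)     { $problems += 'no sender restriction: anyone could broadcast to this group' }
if ($g.UMDtmfMap.Count -eq 0)                  { $problems += 'UMDtmfMap is empty; re-run Set-DistributionGroup -CreateDtmfMap $true' }

# Members that are not UM-enabled mailboxes will not receive the voice mail
Get-DistributionGroupMember -Identity $GroupName | ForEach-Object {
    $um = Get-UMMailbox -Identity $_.Identity -ErrorAction SilentlyContinue
    if (-not $um) { $problems += "member '$($_.Name)' is not a UM-enabled mailbox" }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "$GroupName is ready: Universal distribution group, restricted to $Announcer, DTMF map present"
}
```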

Hope this helps!

-- Dave

Posted by DaveH | 1 Comments

‘Incompatible Security Setting’ error encountered when calling voice mail from Microsoft Office Communicator

After successfully integrating Office Communications Server 2007 with Exchange Unified Messaging, you may find that you are unable to call voice mail to check for new messages from your Office Communicator client.  Upon placing the call, you may receive an ‘Incompatible security setting’ error as shown below:

[Screenshot: the 'Incompatible security setting' error shown by Office Communicator]

In OCS 2007 R2, both Standard Edition servers and Enterprise Pools are automatically configured to require encryption for all media exchanges.  The setting that controls this behavior can be found in the properties of the Pool object using the OCS 2007 R2 Management Console:

[Screenshot: Pool properties in the OCS 2007 R2 Management Console showing the media encryption setting]

Previous guidance had suggested that OCS integrated Dial Plans in Unified Messaging should be configured with a VoIP security setting of ‘SIP Secured’ (require encryption for SIP traffic only).  However, this VoIP security setting on the Dial Plan is insufficient if the OCS Pool is configured to require encryption (require encryption for both SIP and RTP traffic).  If this discrepancy exists, all calls to Unified Messaging from the OCS Pool will fail, resulting in the ‘Incompatible security setting’ error seen above.

 

To resolve this issue, you have two possible options:

  • Reconfigure the properties of the OCS Pool to ‘Support Encryption’ (not advised)
  • Reconfigure the VoIP security setting in the properties of the UM Dial Plan to use ‘Secured’ (preferred)

[Screenshot: VoIP security setting in the properties of the UM Dial Plan]
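An added Exchange Management Shell check (not from the post) that finds every OCS-integrated dial plan still set to SIP Secured and, with the -Fix switch, applies the preferred option above. It assumes OCS dial plans are the ones with URIType SipName.

```powershell
# Added example (not from the original post). Run from the Exchange Management Shell.
# Secured    = SIP over TLS and SRTP media  (matches a pool that requires encryption)
# SIPSecured = SIP over TLS only            (media unencrypted: the mismatch described above)
# Unsecured  = neither
param([switch]$Fix)

$plans = Get-UMDialPlan | Where-Object { $_.URIType -eq 'SipName' }   # assumption: OCS dial plans use SIP URIs
if (-not $plans) { Write-Host 'No SIP-name (OCS) dial plans found'; return }

foreach ($p in $plans) {
    switch ($p.VoIPSecurity) {
        'Secured' {
            Write-Host "$($p.Name): Secured (SIP + RTP encrypted), compatible with a pool that requires encryption"
        }
        'SIPSecured' {
            Write-Warning "$($p.Name): SIPSecured - SIP is encrypted but media is not; calls from a pool set to require encryption fail with 'Incompatible security setting'"
            if ($Fix) {
                Set-UMDialPlan -Identity $p.Identity -VoIPSecurity Secured
                Write-Host "  -> VoIPSecurity set to Secured"
            }
        }
        'Unsecured' {
            Write-Warning "$($p.Name): Unsecured - neither SIP nor RTP is encrypted"
        }
    }
}
```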

 

Thanks to Geoff Clark for this solution!

 

-- Dave

Posted by DaveH | 1 Comments

Error joining IM/LiveMeeting conferences in Office Communications Server 2007

You may find that all users within an OCS Pool are unable to join a three-way IM conference or join a Live Meeting conference in Office Communications Server 2007.  In examining the logs of the OCS 2007 Front End server, you may see the following related events:


Event Type:    Error
Event Source:    OCS MCU Infrastructure
Event ID:    61030
User:        N/A
Computer:    OCS1
Description:
The process RtcHost(5432) did not receive a certificate from the client.


Event Type:    Error
Event Source:    OCS MCU Infrastructure
Event ID:    61013
User:        N/A
Computer:    OCS1
Description:
The process DataMCUSvc(2596) failed to send health notifications to the MCU factory at https://OCS1.contoso.com:444/LiveServer/MCUFactory/.
Failure occurrences: 3491, since 3/24/2009 10:05:18 PM.


Event Type:    Error
Event Source:    OCS MCU Infrastructure
Event ID:    61013
User:        N/A
Computer:    OCS1
Description:
The process IMMcuSvc(1404) failed to send health notifications to the MCU factory at https://OCS1.contoso.com:444/LiveServer/MCUFactory/.
Failure occurrences: 3491, since 3/24/2009 10:05:03 PM.


Event Type:    Error
Event Source:    OCS User Services
Event ID:    30988
User:        N/A
Computer:    OCS1
Description:
Sending C3P request failed. Conferencing functionality will be affected if C3P messages are failing consistently. 
Sending the message to https://OCS1.contoso.com:444/LiveServer/MCUFactory/ failed. Error code is 2EFE.
Resolution:  Check the destination server to see that it is listening on the same URI and it has certificate configured for MTLS. Other reasons might be network connectivity issues between the two servers.


If you run the Web Conferencing validation wizard from the OCS Pool, you may find the following error in the output log:

MCU Type: meeting
URL: https://OCS1.contoso.com:444/LiveServer/MCUFactory/
HTTP Connectivity Error : ReceiveFailure
HTTP Connectivity Error : Receive failure typically indicates that the connection was closed by
the remote host. This can happen if the remote server does not trust the certificate presented by the
Local Server.

HTTP Connectivity Error : Ensure that the certificate of the local server and remote server are both
valid, have not expired, and contain valid subject name. In addition, ensure that the certificate chain
of both Server(s) are valid. Ensure that the certificate chain of the local server is installed
on the remote server and vice-versa. The most up-to date certificate chain that was used to issue
the server certificate must be present.

 

When you see errors like these, it usually indicates that a certificate-related authentication problem exists with the OCS Pool (or with a particular OCS Front End server).  Most of the time, this turns out to be a problem with the certificate from an issuing Certification Authority.  To troubleshoot this issue, you would typically perform the following steps:

 

1. Log in to the affected OCS 2007 Front End server either locally or remotely using Remote Desktop.

2. Click Start > Run and type in MMC.exe.  Press Enter.  This should launch the Microsoft Management Console.

3. From the menu bar at the top, click File > Add/Remove Snap-in…

      If you are running Windows 2003:

    • Click Add
    • Scroll down the list of available snap-ins and choose Certificates, then click Add
    • Choose Computer Account
    • Choose Local Computer: (the computer this console is running on)
    • Click Finish
    • Click Close
    • Click OK

      [Screenshot: adding the Certificates snap-in on Windows 2003]

      If you are running Windows 2008:

    • Scroll down the list of available snap-ins and choose Certificates, then click Add
    • Choose Computer account
    • Choose Local Computer: (the computer this console is running on)
    • Click Finish
    • Click Ok

      [Screenshot: adding the Certificates snap-in on Windows 2008]

4. Within the Certificates console, expand Personal > Certificates

5. On the right, double-click on the certificate that is assigned to your OCS Pool or Standard Edition server

6. Click on the Certification Path tab

7. Note the name of the issuing Certificate Authority (the CA immediately above the server certificate in the list, as highlighted) and the certificate status

      [Screenshot: Certification Path tab with the issuing CA highlighted]

8a. If the issuing CA is a Root CA (the top of the list), expand Trusted Root Certification Authorities > Certificates

8b. If the issuing CA is an Intermediate CA (not the top of the list), expand Intermediate Certification Authorities > Certificates

9. From the list of CA certificates, right click on the certificate highlighted in yellow above and choose Properties

10. Under the General tab, verify that Enable all purposes for this certificate is selected (or, if Enable only the following purposes is selected, verify that both Server Authentication and Client Authentication are enabled)

11a. Click OK to close the properties of the CA certificate.

11b. If this was an Intermediate CA certificate, repeat steps 6 through 10 until these settings have been verified on every certificate in the trusted certification chain

12.  Close the Certificates Management Console (be sure to restart services if you made any changes)

      [Screenshot: General tab of the CA certificate properties showing the enabled purposes]

 

While these steps will resolve this issue 99% of the time, there are no guarantees.  Sometimes you just get burned…

 

See, support engineers in Microsoft CSS are generally at a disadvantage at the outset of every call.  We hone our investigative skills with each call, probing for answers to questions that help us define the scope of a given problem, and digging through piles of debug logs for clues as to why a particular component may be failing to work per specification.  There are three questions that should be asked by a Microsoft engineer during every support call:

  1. Did it ever work?
  2. When did it stop working?
  3. What changes were made in your environment?

Sometimes changes are made within a customer’s environment that result in problems with our products.  Often these turn out to be undocumented changes that result in hours of investigative work and troubleshooting engagements in an effort to resolve the problem.  This is why proper change control and change documentation are critical for the success of an IT infrastructure.  Otherwise, you sometimes can (and will) get burned.

 

I was burned while troubleshooting this exact issue on March 25, 2009.

 

After troubleshooting this issue for almost two hours (and getting nowhere), I had to hand off the call to one of my colleagues, Martin Barron, due to a previously scheduled appointment.  I just knew it had to be certificate-related, due to the following errors logged by the OCS Front End server:

TL_ERROR(TF_COMPONENT) [0]0AB0.0F80::03/25/2009-21:33:33.808.00000058 (MCUInfra,ExceptionTracer.WriteLine:1243.idx(26))
   An exception 'System.ObjectDisposedException' was thrown while processing '15794481' at '  
      at System.Net.Security.SslState.ValidateCreateContext(... X509Certificate serverCertificate, X509CertificateCollection clientCertificates...)
      at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
      at System.Net.TlsStream.BeginWrite(Byte[] buffer, Int32 offset, Int32 size, AsyncCallback asyncCallback, Object asyncState)
      at System.Net.PooledStream.BeginWrite(Byte[] buffer, Int32 offset, Int32 size, AsyncCallback callback, Object state)
      at System.Net.ConnectStream.InternalWrite(Boolean async, Byte[] buffer, Int32 offset, Int32 size, AsyncCallback callback, Object state)
      at System.Net.ConnectStream.BeginWrite(Byte[] buffer, Int32 offset, Int32 size, AsyncCallback callback, Object state)
      at Microsoft.Rtc.Server.McuInfrastructure.HttpRequestContext.BeginWrite(Stream stream, AsyncCallback callback, Object state)
      at Microsoft.Rtc.Server.McuInfrastructure.HttpTransport.GetStreamCallback(IAsyncResult asyncResult)'.
   Message 'Cannot access a disposed object. Object name: 'SslStream'.'

Upon receiving the call, the first thing Martin did was browse to the web site logged in the error output from the Validation Wizard: 

https://OCS1.contoso.com:444

Although I had previously opened telnet.exe and verified that port 444 was listening, I had not thought to browse to it using a web browser.  Guess what answered?

[Screenshot: Communicator Web Access answering on port 444]

Without the customer’s knowledge, someone had installed the Communicator Web Access component directly on the OCS Front End server, bound to port 444 in IIS (the same port used by the MCU Factory).  This caused all conference escalations to fail with the errors listed above.  Once the CWA component was removed and services were restarted, the issue was resolved.
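Two scripted checks, added here as an example and not part of the post: the certificate chain and CA purposes review from steps 4 to 11 of the walkthrough, and a listing of every IIS web site bound to the MCU Factory port, which would have exposed the CWA install above in seconds. $PoolFqdn and the presence of the IIS 6 WMI provider are assumptions; the per-certificate purposes override from the MMC General tab is a store property that .NET does not surface, so step 10 still has to be confirmed in the console.

```powershell
# Added example (not from the original post). Run on the OCS Front End server.
# Assumptions: $PoolFqdn below; root\MicrosoftIISv2 WMI namespace present (on
# Windows 2008 this needs the IIS 6 WMI compatibility feature).
$PoolFqdn      = 'OCS1.contoso.com'
$McuPort       = '444'
$OidServerAuth = '1.3.6.1.5.5.7.3.1'
$OidClientAuth = '1.3.6.1.5.5.7.3.2'

function Get-EkuOids($cert) {
    # Returns $null when the certificate carries no EKU extension (= valid for all purposes)
    $ext = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return $null }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

# --- 1) chain of the pool / Standard Edition server certificate (steps 4 to 11) ---
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match [regex]::Escape($PoolFqdn) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) {
    Write-Warning "No certificate with a subject containing $PoolFqdn in LocalMachine\My"
} else {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($cert)
    Write-Host "Chain for '$($cert.Subject)' (expires $($cert.NotAfter)): valid=$built"
    foreach ($s in $chain.ChainStatus) { Write-Warning "  $($s.Status): $($s.StatusInformation)" }
    # Element 0 is the server certificate; the rest are the CAs, nearest issuer first
    for ($i = 1; $i -lt $chain.ChainElements.Count; $i++) {
        $ca  = $chain.ChainElements[$i].Certificate
        $eku = Get-EkuOids $ca
        if ($eku -eq $null) {
            $verdict = 'all purposes'
        } elseif (($eku -contains $OidServerAuth) -and ($eku -contains $OidClientAuth)) {
            $verdict = 'Server Authentication + Client Authentication'
        } else {
            $verdict = 'LACKS Server and/or Client Authentication'
        }
        Write-Host "  CA $i : $($ca.Subject) -> $verdict"
    }
}

# --- 2) which IIS web sites are bound to the MCU Factory port ---
# netstat -ano alone does not answer this: IIS sites are served by HTTP.sys, so
# the port is listed under PID 4 (System) rather than under a web application.
$sites = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsWebServerSetting -Authentication PacketPrivacy
foreach ($site in $sites) {
    $bindings = @($site.ServerBindings) + @($site.SecureBindings)
    $onPort = $bindings | Where-Object { $_ -ne $null -and "$($_.Port)" -eq $McuPort }
    if ($onPort) {
        Write-Warning "IIS site '$($site.ServerComment)' [$($site.Name)] is bound to port $McuPort, the MCU Factory port"
    }
}
```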

 

I will not soon forget this one… :-/

 

-- Dave

Posted by DaveH | 0 Comments

A noisy (and annoying) red herring in Microsoft Exchange Unified Messaging…

After integrating Office Communications Server 2007 R2 with Microsoft Exchange Unified Messaging, you will likely begin seeing the following warning events in the application log of your Exchange UM server:

 

Log Name:      Application
Source:        Microsoft Exchange Speech Engine
Date:          3/18/2009 3:20:59 PM
Event ID:      32768
Task Category: Telephony Application Host
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      exchange.contoso.com
Description:
The Telephony Manager declined a call with Call Id 'dc792cb1-3c0e-4a97-a8dc-ec948047af15' for the following reason in component telephony session: 'The media description received from the remote SIP peer has an invalid content type 'multipart/alternative'.'. 
Further trace information for support personnel follows:
Microsoft.SpeechServer.Core.InvalidMediaException: The media description received from the remote SIP peer has an invalid content type 'multipart/alternative'.
   at Microsoft.SpeechServer.Core.MediaNegotiation..ctor(LoggingContext loggingContext, ContentDescription rtcRemoteMediaOffer)
   at Microsoft.SpeechServer.Core.TelephonySessionInbound.CreateMediaNegotiation(ContentDescription rtcMediaDescription, SessionInfo sessionInfo, CallInfo callInfo, IPEndPoint sipPeerEndpoint)
   at Microsoft.SpeechServer.Core.TelephonySessionInbound.Initialize(SessionInfo sessionInfo, SessionReceivedEventArgs e, CallInfo callInfo, EventSerializer serializer, SpeechSession speechSession, Boolean isTlsConnection)
   at Microsoft.SpeechServer.Core.TelephonySessionInbound..ctor(SessionInfo sessionInfo, SessionReceivedEventArgs e, CallInfo callInfo)
   at Microsoft.SpeechServer.Core.TelephonyManager.CreateSession(Int32 inviteReceivedTickCount, SessionReceivedEventArgs e)
   at Microsoft.SpeechServer.Core.TelephonyManager.SignalingSessionReceived(Object sender, SessionReceivedEventArgs e)

 

When establishing a new communication session, Office Communications Server 2007 R2 servers and Office Communicator 2007 R2 clients send INVITE packets containing two content-types in the Session Description Protocol header: multipart/alternative and application/sdp.  An example of a SIP INVITE packet containing a multipart/alternative SDP header is as follows:

 

INVITE sip:+99999@contoso.com;user=phone SIP/2.0
FROM: <sip:8035551212;phone-context=OCSDialPlan.@contoso.com;user=phone>;epid=F01E04E310;tag=f956eca3
TO: <sip:+99999@contoso.com;user=phone>
CSEQ: 2 INVITE
CALL-ID: 79d13a14-43ec-4e13-a6a6-f979b1be29bc
MAX-FORWARDS: 70
VIA: SIP/2.0/TLS 172.16.100.14:51389;branch=z9hG4bKea1445fc
CONTACT: <sip:mediation.contoso.com@contoso.com;gruu;opaque=srvr:MediationServer:ZhPi_7KMWUmmgB7TjsJGFwAA;grid=65a46c0db6a94987b6112fdf75debae1>;isGateway
CONTENT-LENGTH: 3756
SUPPORTED: replaces
SUPPORTED: ms-safe-transfer
SUPPORTED: gruu-10
SUPPORTED: 100rel
USER-AGENT: RTCC/3.5.0.0 MediationServer
CONTENT-TYPE: multipart/alternative; boundary=PEWk0jo6TZDEZV6x20NdmKWLb77TQXmJ
ALLOW: UPDATE                                                                                 
ms-call-source: non-ms-rtc
ALLOW: Ack, Cancel, Bye,Invite,Refer
--PEWk0jo6TZDEZV6x20NdmKWLb77TQXmJ
Content-Type: application/sdp
Content-Disposition: Session;handling=optional;ms-proxy-2007fallback
v=0
o=- 0 0 IN IP4 172.16.100.14
s=session
c=IN IP4 172.16.100.14
b=CT:1000
t=0 0
m=audio 61403 RTP/AVP 0 8 115 13 118 97 101
c=IN IP4 172.16.100.14
a=rtcp:63118
a=candidate:8uYF8WoopUJPCI4MDrHCjMd7pqDEw4pwmi+20YQQPdU 1 G4uv9228YqA+oymvWVNWxQ UDP 0.830 172.16.100.14 61403
a=candidate:8uYF8WoopUJPCI4MDrHCjMd7pqDEw4pwmi+20YQQPdU 2 G4uv9228YqA+oymvWVNWxQ UDP 0.830 172.16.100.14 63118
a=candidate:wuGldT9QcjdnV2grSvcspxkD1p60lv4IYc0IQwvFTro 1 X0QWDqNOUrMRQMUY2UgMbw UDP 0.840 192.168.1.6 62529
a=candidate:wuGldT9QcjdnV2grSvcspxkD1p60lv4IYc0IQwvFTro 2 X0QWDqNOUrMRQMUY2UgMbw UDP 0.840 192.168.1.6 61678
a=candidate:6e022tbN+JijS66/X2ox6uibF06W+gXwSmDEe3f8qn0 1 HAdnegImYwjYqJN+C4Lv1w TCP 0.150 192.168.1.4 57675
a=candidate:6e022tbN+JijS66/X2ox6uibF06W+gXwSmDEe3f8qn0 2 HAdnegImYwjYqJN+C4Lv1w TCP 0.150 192.168.1.4 57675
a=candidate:q8m0LE/ANqdYI+blG2DdKq9l2IHBRSz5kAEJrwUfeRs 1 plsV5Xw4383v6y+TvuRNpg UDP 0.450 192.168.1.4 50345
a=candidate:q8m0LE/ANqdYI+blG2DdKq9l2IHBRSz5kAEJrwUfeRs 2 plsV5Xw4383v6y+TvuRNpg UDP 0.450 192.168.1.4 55579
a=candidate:pfsQA8Ln5g+1rTF/cIgcFnConcOe8kKO8usfhShSf1U 1 +pQb87qvxhvEmbXtEL3SSA TCP 0.250 172.16.100.14 62535
a=candidate:pfsQA8Ln5g+1rTF/cIgcFnConcOe8kKO8usfhShSf1U 2 +pQb87qvxhvEmbXtEL3SSA TCP 0.250 172.16.100.14 62535
a=cryptoscale:1 client AES_CM_128_HMAC_SHA1_80 inline:aCRifvWJaqBraHSwOnxCbJ+eYLSBcbVAJWmlBxN5|2^31|1:1
a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:W6hq2uEdw7KTE40QD3W0VQELX5N0SOHPqb5FnEdd|2^31|1:1
a=crypto:3 AES_CM_128_HMAC_SHA1_80 inline:9ultE2zyH47xhIUoP+1F+45rwuPTrkmJPOyrxvjF|2^31
a=label:main-audio
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:115 x-msrta/8000
a=fmtp:115 bitrate=11800
a=rtpmap:13 CN/8000
a=rtpmap:118 CN/16000
a=rtpmap:97 RED/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
--PEWk0jo6TZDEZV6x20NdmKWLb77TQXmJ
Content-Type: application/sdp
v=0
o=- 0 0 IN IP4 172.16.100.14
s=session
c=IN IP4 172.16.100.14
b=CT:1000
t=0 0
m=audio 62656 RTP/AVP 0 8 115 13 118 97 101
c=IN IP4 172.16.100.14
a=rtcp:61136
a=ice-ufrag:EemT
a=ice-pwd:QpAk7SA0jndrKxm4H3KJ6c80
a=candidate:1 1 UDP 2130706431 172.16.100.14 62656 typ host
a=candidate:1 2 UDP 2130705918 172.16.100.14 61136 typ host
a=candidate:2 1 UDP 2130705919 192.168.1.6 61612 typ host
a=candidate:2 2 UDP 2130705406 192.168.1.6 61014 typ host
a=candidate:3 1 tcp-pass 6555135 192.168.1.4 58713 typ relay raddr 192.168.1.4 rport 58713
a=candidate:3 2 tcp-pass 6555134 192.168.1.4 58713 typ relay raddr 192.168.1.4 rport 58713
a=candidate:4 1 UDP 16647679 192.168.1.4 53984 typ relay raddr 192.168.1.4 rport 53984
a=candidate:4 2 UDP 16647678 192.168.1.4 53202 typ relay raddr 192.168.1.4 rport 53202
a=candidate:5 1 tcp-act 7076351 192.168.1.4 58713 typ relay raddr 192.168.1.4 rport 58713
a=candidate:5 2 tcp-act 7075838 192.168.1.4 58713 typ relay raddr 192.168.1.4 rport 58713
a=candidate:6 1 tcp-act 1684797439 172.16.100.14 62831 typ srflx raddr 172.16.100.14 rport 62831
a=candidate:6 2 tcp-act 1684796926 172.16.100.14 62831 typ srflx raddr 172.16.100.14 rport 62831
a=cryptoscale:1 client AES_CM_128_HMAC_SHA1_80 inline:aCRifvWJaqBraHSwOnxCbJ+eYLSBcbVAJWmlBxN5|2^31|1:1
a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:W6hq2uEdw7KTE40QD3W0VQELX5N0SOHPqb5FnEdd|2^31|1:1
a=crypto:3 AES_CM_128_HMAC_SHA1_80 inline:9ultE2zyH47xhIUoP+1F+45rwuPTrkmJPOyrxvjF|2^31
a=label:main-audio
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:115 x-msrta/8000
a=fmtp:115 bitrate=11800
a=rtpmap:13 CN/8000
a=rtpmap:118 CN/16000
a=rtpmap:97 RED/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
--PEWk0jo6TZDEZV6x20NdmKWLb77TQXmJ--

 

Although these SDP headers are easily handled by OCS 2007 R2 servers and OC clients, the Speech Engine component of Exchange Unified Messaging will log an exception and reject any call containing an SDP header with the multipart/alternative content-type. 

Fortunately, after rejecting the initial call attempt, OCS 2007 R2 will retry the call by immediately sending a second INVITE to the Unified Messaging server.  On the second attempt, the OCS 2007 R2 server will send a Session Description Protocol header containing only the application/sdp content-type.  Unified Messaging will accept and process this SDP header successfully, allowing the call to be established.

You can safely ignore these warnings, as this is expected behavior in OCS 2007 R2 / Unified Messaging integrated environments.
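Since the warning above is noise only in the multipart/alternative case, an added triage helper (not from the post) that separates those declines from any other reason the Telephony Manager logs in event 32768, which would still deserve a look. The sample messages are constructed from the event text above; the commented Get-EventLog call shows live use.

```powershell
# Added example (not from the original post).
function Group-UMDeclineReasons([string[]]$Messages) {
    $counts  = @{}
    $suspect = @()
    foreach ($m in $Messages) {
        $callId = ''
        if ($m -match "Call Id '([0-9a-fA-F\-]+)'") { $callId = $matches[1] }

        if ($m -match "invalid content type 'multipart/alternative'") {
            # Expected in OCS 2007 R2 integrations: the second INVITE carries plain application/sdp
            $reason = 'multipart/alternative SDP (benign: OCS 2007 R2 retries with application/sdp)'
        } elseif ($m -match "for the following reason in component [^:]+: '(.*?)'\.\s*(\r?\n|$)") {
            $reason  = $matches[1]
            $suspect += $callId
        } else {
            $reason  = 'unparsed decline message'
            $suspect += $callId
        }
        if ($counts.ContainsKey($reason)) { $counts[$reason]++ } else { $counts[$reason] = 1 }
    }
    return @{ Counts = $counts; CallsToInvestigate = $suspect }
}

# Constructed samples: two of the expected R2 declines and one with a different reason
$samples = @(
  "The Telephony Manager declined a call with Call Id 'dc792cb1-3c0e-4a97-a8dc-ec948047af15' for the following reason in component telephony session: 'The media description received from the remote SIP peer has an invalid content type 'multipart/alternative'.'. `nFurther trace information for support personnel follows:",
  "The Telephony Manager declined a call with Call Id '11111111-2222-3333-4444-555555555555' for the following reason in component telephony session: 'The media description received from the remote SIP peer has an invalid content type 'multipart/alternative'.'. `nFurther trace information for support personnel follows:",
  "The Telephony Manager declined a call with Call Id '99999999-8888-7777-6666-555555555555' for the following reason in component telephony session: 'Constructed sample reason that is not the R2 multipart case'. `nFurther trace information for support personnel follows:"
)
$result = Group-UMDeclineReasons $samples
$result.Counts.GetEnumerator() | ForEach-Object { Write-Host ("{0,4}  {1}" -f $_.Value, $_.Key) }
$result.CallsToInvestigate | ForEach-Object { Write-Host "Investigate Call Id $_" }

# Live use on a UM server (Get-EventLog -Source/-After need PowerShell 2.0):
# $live = Get-EventLog -LogName Application -Source 'Microsoft Exchange Speech Engine' -After (Get-Date).AddDays(-1) |
#         Where-Object { $_.EventID -eq 32768 } | ForEach-Object { $_.Message }
# Group-UMDeclineReasons $live
```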

Posted by DaveH | 0 Comments

File transfer problems in OCS 2007 R2 Group Chat

After installing the Group Chat component from Office Communications Server 2007 R2, you may encounter the following error while attempting to upload or download files while joined to a chat room (see screenshot):

A file transfer error occurred.  Server was unable to process request. ---> Object reference not set to an instance of an object.

[Screenshot: Group Chat file transfer error dialog]

If you enable logging in IISAdmin and check the IIS logs, you will likely see the following HTTP 500 error:

#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-03-13 11:01:06

#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken

2009-03-13 11:01:06 W3SVC1 GROUPCHAT-R2 192.168.1.13 GET /MGCWebService/MGCWebService.asmx disco 443 - 192.168.1.13 HTTP/1.1 - - - groupchat-r2.contoso.com 200 0 0 1054 118 2348

2009-03-13 11:01:27 W3SVC1 GROUPCHAT-R2 192.168.1.13 POST /MGCWebService/MGCWebService.asmx - 443 - 192.168.1.65 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+2.0.50727.3521) - - groupchat-r2.contoso.com 500 0 0 675 651 917

By default, the MGCWebService virtual directory in IIS is configured to automatically use Anonymous Access using the IUSR_<ComputerName> account, which is a member of the Guests group of the local machine.  However, in looking at the NTFS permissions of the File Repository folder used by Group Chat, you will find that the Guests group is not found in its Access Control List (ACL):

[Screenshot: NTFS permissions of the Group Chat File Repository folder]

To resolve this issue, change the account used for Anonymous Access in the properties of the MGCWebService to either the Group Chat Admin service account or the Group Chat Channel service account, as per the following TechNet article:

http://technet.microsoft.com/en-us/library/dd425247(office.13).aspx 

To configure the Web site settings in IIS

1. Open Internet Information Services (IIS) Manager by clicking Start, pointing to All Programs, pointing to Administrative Tools, and then clicking Internet Information Services (IIS) Manager.

2. In the console tree, expand the local computer, expand the Web Sites folder, right-click the application for the Web site (MGCWebService), and then click Properties.

3. On the Directory Security tab, under Authentication and Access Control, click Edit.

4. In the Authentication Methods dialog box, verify that the Enable Anonymous Access check box is selected.

5. In the User Name and Password boxes, specify the credentials for an account that has read/write permissions on the file repository folder.  (This must be an account with RTCComponentUniversalServices permissions because the account needs to access the file repository and Message Queuing.  You can use the Channel service account for this purpose.)
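An added script (not from the post or the TechNet article) that reads the anonymous account configured on the MGCWebService virtual directory through the IIS 6 ADSI provider and checks whether that account, or the Guests group it belongs to by default, holds any entry in the File Repository's ACL. The metabase path, repository path and service account name are assumptions.

```powershell
# Added example (not from the original post). Run on the Group Chat server.
# Assumptions: MGCWebService lives under the Default Web Site (W3SVC/1) and the
# repository path below; on Windows 2008 the ADSI provider needs IIS 6 metabase compatibility.
$VDirPath = 'IIS://localhost/W3SVC/1/ROOT/MGCWebService'
$RepoPath = 'D:\GroupChat\FileRepository'        # assumption: Group Chat file repository folder

$vdir = [ADSI]$VDirPath
$anon = [string]$vdir.AnonymousUserName
if ([string]$vdir.AuthAnonymous -ne 'True') { Write-Warning 'Anonymous access is not enabled on MGCWebService' }
Write-Host "MGCWebService anonymous account: $anon"

# IUSR_<ComputerName> is only a member of the local Guests group, so an ACE for
# Guests is the only way it would get to the repository through group membership.
$candidates = @($anon)
if ($anon -like 'IUSR_*') { $candidates += 'BUILTIN\Guests' }

$acl     = Get-Acl -Path $RepoPath
$entries = $acl.Access | Where-Object { $candidates -contains $_.IdentityReference.Value }
if (-not $entries) {
    Write-Warning "'$anon' has no access control entry on $RepoPath; uploads will fail with the HTTP 500 / NullReferenceException above"
} else {
    foreach ($e in $entries) {
        Write-Host "$($e.IdentityReference): $($e.AccessControlType) $($e.FileSystemRights)"
    }
}

# Remediation (step 5 of the TechNet procedure): point anonymous access at the
# Channel service account. The password is prompted for, never stored in the script.
# $svc = 'CONTOSO\svc-gcchannel'                        # assumption: Channel service account
# $sec = Read-Host "Password for $svc" -AsSecureString
# $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($sec)
# $vdir.Put('AnonymousUserName', $svc)
# $vdir.Put('AnonymousUserPass', [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr))
# $vdir.SetInfo()
# [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
```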

 

Happy Uploading! :-)

-- Dave

Posted by DaveH | 0 Comments

OCS 2007 R2 Group Chat on Windows Server 2008

Recently I worked with a customer who was trying to install OCS 2007 R2 Group Chat on a member server running Windows Server 2008.  Each time the customer launched ServerSetup.EXE to install Group Chat, he encountered error 0x80070005 (Access is Denied) while binding to the IIS metabase path IIS://localhost/W3SVC/1, as shown in the following screenshot:

 

[Screenshot: Group Chat ServerSetup.EXE error 0x80070005 while binding to IIS://localhost/W3SVC/1]

 

The user account used to install Group Chat should meet the following criteria:

  • Member of the Domain Admins Group
  • Member of local Administrators Group
  • Member of RTCUniversalServerAdmins Group

Additionally, the computer should meet the following prerequisites before installing Group Chat:

Microsoft .NET Framework 3.0

Manages the execution of the program. During the installation of Group Chat, if this version or a later version of the software is not already installed on the computer, Group Chat installs it.

Internet Information Services (IIS)

Hosts the Web Service for the purpose of posting files to chat rooms. Windows Server 2008 users must enable the IIS 6.0 Compatibility feature.

ASP.NET 2.0

Used to build dynamic Web sites, Web applications, and XML Web services. ASP.NET 2.0 is a Web application.

Message Queuing

Used by the Group Chat Compliance service, if deployed.

Microsoft Web Services Enhancements (WSE) 3.0

Implements additional Web service specifications in areas including security, reliable messaging, and sending attachments. WSE is required on the Group Chat Server only, not the Compliance service. WSE is an add-on to the .NET Framework.

Even after meeting these requirements, you may still encounter this error during Group Chat setup.  During installation, a new virtual directory called MGCWebService is created under the Default Web Site in IIS.  For this task to succeed, the SeImpersonatePrivilege is required.  On a Windows 2008 computer, this privilege is automatically granted in the security token of the Domain\Administrator account (Built-in account for administering the computer/domain), but not for other members of Domain Admins.  To prove this we can use the Whoami utility.

 

Whoami.exe /all (logged in as a member of Domain Admins)

Privilege Name                Description                          State  
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

 

Whoami.exe /all (logged in as Domain\Administrator)

Privilege Name                  Description                               State  
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
SeTimeZonePrivilege             Change the time zone                      Disabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled

Here you can see that the SeImpersonatePrivilege right is clearly missing from the security token of the account that is merely a member of Domain Admins.  Without this privilege, Group Chat setup will fail.  To work around this problem, launch ServerSetup.EXE with elevated privileges (Run as Administrator) or log on using the Domain\Administrator account and launch Group Chat setup.
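As an added pre-flight check (not from the post), the following parses the same whoami /priv output shown above to confirm that SeImpersonatePrivilege is in the current token, and separately tests whether the shell is elevated, before ServerSetup.EXE is started. The constructed sample reproduces the first token listing above.

```powershell
# Added example (not from the original post).
function Test-ImpersonatePrivilege([string[]]$WhoamiPrivOutput) {
    # Returns 'missing', 'enabled' or 'disabled'. Only 'missing' blocks setup:
    # a disabled privilege is still in the token and can be enabled by the process.
    $line = $WhoamiPrivOutput | Where-Object { $_ -match '^\s*SeImpersonatePrivilege\s' }
    if (-not $line) { return 'missing' }
    if ("$line" -match '\s(Enabled|Disabled)\s*$') { return $matches[1].ToLower() }
    return 'present'
}

function Test-IsElevated {
    # True when the process token carries the Administrators group un-filtered by UAC
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Constructed sample: the Domain Admins member's token from the first listing above
$sample = @(
  'Privilege Name                Description                          State',
  '============================= ==================================== ========',
  'SeShutdownPrivilege           Shut down the system                 Disabled',
  'SeChangeNotifyPrivilege       Bypass traverse checking             Enabled',
  'SeUndockPrivilege             Remove computer from docking station Disabled',
  'SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled',
  'SeTimeZonePrivilege           Change the time zone                 Disabled'
)
Write-Host "Sample token: SeImpersonatePrivilege is $(Test-ImpersonatePrivilege $sample)"

# Live check of the shell you are about to run ServerSetup.EXE from
$state    = Test-ImpersonatePrivilege (whoami /priv)
$elevated = Test-IsElevated
Write-Host "This shell: SeImpersonatePrivilege is $state; elevated = $elevated"
if ($state -eq 'missing' -or -not $elevated) {
    Write-Warning 'Group Chat setup would fail binding IIS://localhost/W3SVC/1 with 0x80070005. Start ServerSetup.EXE with Run as Administrator, or log on as Domain\Administrator.'
}
```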

 

-- Dave

Posted by DaveH | 1 Comments

Integrating AudioCodes MP-114/MP-118 Media Gateways with Microsoft Unified Communications Products

 

As one of the Subject Matter Experts (SMEs) for the Microsoft Exchange Unified Messaging product within Microsoft CSS, I am often asked how to provide PSTN connectivity to both Office Communications Server 2007 and to Exchange UM.  Microsoft has worked with a number of vendors to establish support guidelines for IP PBX and IP Gateway integration with our UC products (as you’ll read below).  After doing a lot of reading about different products (and following some good advice from my friend Tim McMichael), I decided to purchase the AudioCodes MP-114 Media Gateway device for my home lab (yes, with my own $$).  It took a while, but I finally got my home UC lab working – with full PSTN connectivity!  

These are my personal configuration notes…

 

 

Introduction

Microsoft Office Communications Server 2007 offers a feature-rich telephony experience for Enterprise Voice enabled users, especially when Microsoft Exchange Unified Messaging is leveraged for voice mail functionality. While Office Communications Server 2007 does not natively provide connectivity with users on the Public Switched Telephone Network (PSTN), a media gateway can be used to connect OCS 2007 to an existing PBX system or to the PSTN. Microsoft has implemented the Open Interoperability Program for vendors to certify their devices and solutions. For more information about these partners, please visit http://technet.microsoft.com/ucoip.

The AudioCodes MP-114 and MP-118 Media Gateways are affordable options for testing and/or demonstrating many of the telephony features offered by Office Communications Server 2007 and/or Exchange Unified Messaging. You may have seen these devices used at many of the OCS 2007/UM demonstrations at Microsoft TechEd or on the Microsoft Ignite! tour. Neither the MP-114 nor the MP-118 supports the RTAudio media codec used by Office Communications Server 2007, so the Mediation Server role, which transcodes between RTAudio and G.711, is what allows either gateway to provide PSTN connectivity for Office Communicator clients.

The AudioCodes MP-114 and MP-118 Media Gateways offer an Ethernet port for connecting to an existing IP network and a total of four (2 FXO/2 FXS) or eight (4 FXO / 4 FXS) analog telephony ports for connecting to telephone handsets and to the PSTN. Each gateway can be configured using a GUI interface from a web browser or by uploading a configuration file to the device. AudioCodes offers a demo toolkit that can be downloaded from their website and used to configure either gateway for use with Office Communications Server 2007 or Microsoft Exchange Unified Messaging.

This documentation is provided merely as an example of how to integrate Microsoft Unified Communications products with the AudioCodes MP-114 or MP-118 media gateway in a lab environment, not as prescriptive guidance for enterprise deployments. It assumes that you have a working knowledge of both OCS 2007 and Unified Messaging, and that you have deployed a working lab environment containing both products. 

 

 

Lab Details

Let’s assume that your lab environment is configured as follows:



AudioCodes MP-114 Media Gateway                       10.1.1.5/24 (firmware version 5.40A.013.004)
Global Catalog / DNS / Cert Authority                 10.1.1.10/24 (gc.contoso.com)
OCS Front End/Pool (Standard Edition)                 10.1.1.11/24 (ocs.contoso.com)
OCS Mediation Server (Standard Edition)               10.1.1.12/24 (mediation.contoso.com)
Exchange 2007 Server/Unified Messaging                10.1.1.13/24 (exchange.contoso.com)

OCS 2007 Enterprise Voice Location Profile            Charlotte.contoso.com
Unified Messaging Dial Plan (SIP URI type)            Charlotte (Charlotte.contoso.com)
Auto Attendant (ocsAA@contoso.com)                    +17045559999
Subscriber Access (ocsSA@contoso.com)                 +17045559998
AudioCodes MP-114, port FXS 1 (physical phone)        7045551000
AudioCodes MP-114, port FXS 2 (physical phone)        7045552000
Office Communicator User (user@contoso.com)           +17045553000

 

Note:

Your AudioCodes gateway should be running at least firmware version 5.40A.013.004 (contact AudioCodes to upgrade your firmware).
Your Mediation server should be configured with the IP address of the AudioCodes gateway as PSTN next hop.
Your Mediation server should be configured with the FQDN of the OCS Pool/Front End as internal next hop.
Your OCS Location Profile should be configured to normalize all numbers to E.164 format (i.e. +1704555XXXX).

 

Now, open a web browser and connect to your AudioCodes gateway. Let’s get to work… :-)

 

 

Configuring Ports and Hunt Groups

The following is a summary of the steps involved in configuring the various port and hunt group options for the AudioCodes MP-114 Media Gateway device:

1. Create Hunt Groups 1 and 2 (for the AudioCodes MP-118, create Hunt Groups 0 and 1)
2. Assign End Point Phone Numbers to analog ports and associate them with Hunt Groups
    a. Associate the FXS ports to Hunt Group 1
         i. Assign phone number ‘7045551000’ to analog port FXS 1
         ii. Assign phone number ‘7045552000’ to analog port FXS 2
    b. Associate the FXO ports to Hunt Group 2
         i. Assign label ‘SubscriberAccess’ to external port FXO 3
         ii. Assign label ‘AutoAttendant’ to external port FXO 4
3. Configure Automatic Dialing for Inbound PSTN calls
    a. Calls placed to FXO 3 will automatically forward to +17045559998 (UM Subscriber Access)
    b. Calls placed to FXO 4 will automatically forward to +17045559999 (UM AutoAttendant)

 

Step 1 - Create ‘Hunt Groups’

  • Connect and log in to the AudioCodes MP-114 Media Gateway via its web interface
  • From the navigation menu on the left, click on the ‘Configuration’ button
  • From the menu options on the left of the screen, expand ‘Protocol Configuration’ then ‘Hunt/IP Group’
  • Select the ‘Hunt Group Settings’ menu option

        clip_image002

  • This menu allows you to configure the various Hunt Groups which will be used for routing telephone calls:
Hunt Group ID 1 – select mode ‘By Dest Phone Number’
Hunt Group ID 2 – select mode ‘Ascending’

  • Click ‘Submit’ to commit changes

 

Step 2 – Configure ‘Endpoint Phone Numbers’

  • While connected to the AudioCodes gateway via the web interface, click on the ‘Configuration button’ from the navigation menu
  • Expand ‘Protocol Configuration’ then ‘Endpoint Number’
  • Select the ‘EndPoint Phone Number’ menu option

        clip_image002[4]

  • This menu allows you to configure each of the channels, or analog ports, on the AudioCodes MP-114 Media Gateway:
Channel 1 (port FXS 1) – Assign 10 digit number ‘7045551000’ and associate with Hunt Group ID 1
Channel 2 (port FXS 2) – Assign 10 digit number ‘7045552000’ and associate with Hunt Group ID 1
Channel 3 (port FXO 3) – Assign label ‘SubscriberAccess’ and associate with Hunt Group ID 2
Channel 4 (port FXO 4) – Assign label ‘AutoAttendant’ and associate with Hunt Group ID 2

  • Click ‘Submit’ to commit changes

 

Step 3 - Configure ‘Automatic Dialing’ (Inbound PSTN Calls)

  • While connected to the AudioCodes gateway via the web interface, click on the ‘Configuration button’ from the navigation menu
  • Expand ‘Protocol Configuration’ then ‘Endpoint Settings’
  • Select the ‘Automatic Dialing’ menu option

        clip_image002[6]

  • This menu allows you to configure automatic dialing for inbound calls placed from external PSTN telephone numbers. Calls received on port FXO 3 will automatically forward to the number assigned to UM Subscriber Access, while calls received on port FXO 4 will automatically forward to the number assigned to the UM Auto Attendant.
Configure Port 3 FXO as +17045559998, the E.164 telephone number of UM Subscriber Access. Choose ‘Enable’.
Configure Port 4 FXO as +17045559999, the E.164 telephone number of UM Auto Attendant. Choose ‘Enable’.
  • Click ‘Submit’ to commit changes

 

 

Configuring Outbound Call Handling (IP -> TEL calls)

The following is a summary of the steps involved in configuring call routing for outbound calls placed from the internal IP-based Unified Communications environment to the analog ports on the AudioCodes gateway:

1. Manipulate dial string before routing
     a. Strip ‘+1’ from normalized dial string for calls placed to local numbers
     b. Strip ‘+’ from normalized dial string for calls placed to long distance/international numbers
2. Route manipulated dial string
     a. Route manipulated dial string matching 7045551000 to Hunt Group 1 (internal call - route to port FXS 1)
     b. Route manipulated dial string matching 7045552000 to Hunt Group 1 (internal call - route to port FXS 2)
     c. Route all other manipulated dial strings to Hunt Group 2 (external call – route to port FXO 3 / FXO 4)

Successful implementation of external routing depends greatly on passing a properly formatted dial string to the Public Switched Telephone Network. If your local calling area supports a number of different dialing prefixes, you may need to define additional number manipulation rules for handling local numbers. To find a list of telephone prefixes which are considered local to you, do the following:

 

Step 1 - Configure ‘Destination Phone Number Manipulation Table for IP -> Tel Calls’ (Outbound Tel Calls)

  • Connect and log in to the AudioCodes MP-114 Media Gateway via its web interface
  • From the navigation menu on the left, click on the ‘Configuration’ button
  • From the menu options on the left of the screen, expand ‘Protocol Configuration’ then ‘Manipulation Tables’
  • Select the ‘Dest Number IP -> Tel’ menu option

        clip_image002[8]

  • This menu allows you to manipulate telephone dial strings for calls placed from IP clients (Office Communicator clients or from Unified Messaging) to analog telephony devices. Since both the 704 and 980 area codes are local to Charlotte, NC, we will need at least two manipulation rules to handle calls placed to these prefixes.
Add manipulation rule that strips the first 2 characters off any dial string starting with +1704 sent from any IP address.
Add manipulation rule that strips the first 2 characters off any dial string starting with +1980 sent from any IP address.
Add manipulation rule that strips the first character off any number starting with + sent from any IP address.
  • Create other manipulation rules as necessary
  • Click ‘Submit’ to commit changes

 

Step 2 - Configure ‘IP to Hunt Group Routing’ (Outbound Tel Calls)

  • While connected to the AudioCodes gateway via the web interface, click on the ‘Configuration button’ from the navigation menu
  • Expand ‘Protocol Configuration’ then ‘Routing Tables’
  • Select the ‘IP to Trunk Group Routing’ menu option

        clip_image002[10]

  • You can define a number of entries here (up to 24) for routing outbound TEL calls from IP clients. Under the option IP to Tel Routing Mode, be sure to choose ‘Route calls after Manipulation’ from the drop-down box.
Add entry for routing manipulated dial strings matching ‘7045551000’ to Hunt Group ID 1 (routes to FXS 1).
Add entry for routing manipulated dial strings matching ‘7045552000’ to Hunt Group ID 1 (routes to FXS 2).
Add entry for routing all other manipulated dial strings to Hunt Group ID 2 (routes to either FXO 3 or FXO 4).
  • Click ‘Submit’ to commit changes

 

 

Configuring Inbound Call Handling (TEL -> IP calls)

The following is a summary of the steps involved in configuring call routing for inbound calls placed from the analog ports on the AudioCodes gateway. The intended recipient of an analog call will be either an IP client (e.g. a call placed from FXO 4 to the UM Auto Attendant) or another analog extension (e.g. a call placed from port FXS 1 to port FXS 2):

1. Manipulate dial string before routing
    a. Prefix dial string ‘1000’ with ‘704555’, resulting in 10 digit dial string ‘7045551000’
    b. Prefix dial string ‘2000’ with ‘704555’, resulting in 10 digit dial string ‘7045552000’
    c. Prefix dial strings ‘300x’ with ‘+1704555’, resulting in E.164 dial string ‘+1704555300x’
    d. Prefix dial strings ‘999x’ with ‘+1704555’, resulting in E.164 dial string ‘+1704555999x’
2. Route manipulated dial string
    a. Route manipulated dial string matching ‘7045551000’ to IP address 10.1.1.5 (AudioCodes gateway)
    b. Route manipulated dial string matching ‘7045552000’ to IP address 10.1.1.5 (AudioCodes gateway)
    c. Route manipulated dial strings for the Enterprise Voice and UM numbers (the 704555300x and 704555999x entries) to IP address 10.1.1.12 (OCS Mediation Server), and all other manipulated dial strings back to IP address 10.1.1.5 (the gateway itself, which then applies its IP -> Tel tables and sends the call out an FXO port)

 

Step 1 - Configure ‘Destination Phone Number Manipulation Table for Tel -> IP Calls’ (Inbound IP Calls)

  • Connect and log in to the AudioCodes MP-114 Media Gateway via its web interface
  • From the navigation menu on the left, click on the ‘Configuration’ button
  • From the menu options on the left of the screen, expand ‘Protocol Configuration’ then ‘Manipulation Tables’
  • Select the ‘Dest Number Tel->IP’ menu option

        clip_image002[12]

  • This menu controls number manipulation for inbound analog calls placed to IP clients (e.g. the UM Auto Attendant or Office Communicator users) or for calls placed from one analog extension to another (e.g. FXS 1 to FXS 2).
Add manipulation rule that prefixes ‘704555’ to dial string matching ‘1000’, resulting in ‘7045551000’
Add manipulation rule that accepts dial string matching ‘7045551000’ as-is, with no manipulation
Add manipulation rule that prefixes ‘704555’ to dial string matching ‘2000’, resulting in ‘7045552000’
Add manipulation rule that accepts dial string matching ‘7045552000’ as-is, with no manipulation
Add manipulation rule that prefixes ‘+1704555’ to dial strings beginning with ‘300’, resulting in ‘+1704555300x’
Add manipulation rule that prefixes ‘+1’ to dial strings beginning with ‘704555300’, resulting in ‘+1704555300x’
Add manipulation rule that prefixes ‘+1704555’ to dial strings beginning with ‘999’, resulting in ‘+1704555999x’
Add manipulation rule that prefixes ‘+1’ to dial strings beginning with ‘704555999’, resulting in ‘+1704555999x’
  • Click ‘Submit’ to commit changes

 

Step 2 - Configure ‘Tel to IP Routing’ (Inbound IP Calls)

  • While connected to the AudioCodes gateway via the web interface, click on the ‘Configuration button’ from the navigation menu
  • Expand ‘Protocol Configuration’ then ‘Routing Tables’
  • Select the ‘Tel to IP Routing’ menu option

        clip_image002[14]

  • You can define a number of entries here (up to 50) for routing inbound TEL calls to IP clients. Under the option Tel to IP Routing Mode, be sure to choose ‘Route calls after Manipulation’ from the drop-down box.
Add entry for routing manipulated dial strings matching ‘7045551000’ to IP address 10.1.1.5 (AudioCodes gateway).
Add entry for routing manipulated dial strings matching ‘7045552000’ to IP address 10.1.1.5 (AudioCodes gateway).
Add entry for routing manipulated dial strings matching ‘704555300x’ to IP address 10.1.1.12 (OCS Mediation server).
Add entry for routing manipulated dial strings matching ‘704555999x’ to IP address 10.1.1.12 (OCS Mediation server).
Add entry for routing all other manipulated dial strings to IP address 10.1.1.5 (AudioCodes gateway).
  • Click ‘Submit’ to commit changes
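As an added example (not code from AudioCodes, from Microsoft, or from the original post), the following Python model replays the manipulation and routing tables from the outbound (IP -> Tel) and inbound (Tel -> IP) sections above, so the rule set can be checked against the test scenarios before it is loaded onto a gateway. It assumes that rules are evaluated top-down with the first match winning, that ‘x’ in a routing pattern matches a single digit and ‘*’ matches anything, and it writes the Tel -> IP routing entries for the Enterprise Voice and UM numbers with the leading ‘+1’ that the manipulated dial string carries (the post lists them as 704555300x and 704555999x). A call that Tel -> IP routing sends back to the gateway's own address (10.1.1.5) is hairpinned through the IP -> Tel tables, which is how an analog handset reaches FXS 1 or the PSTN.

```python
"""Model of the manipulation and routing tables configured on the gateway in
this lab, so the rule set can be checked against the test scenarios before
touching a live gateway.  Added example; not AudioCodes or Microsoft code.
Assumptions: rules are evaluated top-down and the first match wins; in a
routing pattern 'x' matches one digit and '*' matches any dial string."""
from typing import List, Optional, Tuple

GATEWAY_IP, MEDIATION_IP = "10.1.1.5", "10.1.1.12"
FXO_PORTS = "FXO 3/FXO 4"


class Manip:
    """One row of a Dest Number manipulation table."""
    def __init__(self, prefix: str, strip: int = 0, add: str = ""):
        self.prefix, self.strip, self.add = prefix, strip, add


def manipulate(dial: str, rules: List[Manip]) -> str:
    for r in rules:
        if dial.startswith(r.prefix):
            return r.add + dial[r.strip:]          # first matching rule wins
    return dial


def matches(pattern: str, dial: str) -> bool:
    """Prefix match; 'x' is any single digit, '*' matches everything."""
    if pattern == "*":
        return True
    if len(dial) < len(pattern):
        return False
    return all((p == "x" and d.isdigit()) or p == d for p, d in zip(pattern, dial))


def route(dial: str, table: List[Tuple[str, str]]) -> Optional[str]:
    for pattern, target in table:
        if matches(pattern, dial):
            return target
    return None


# IP -> Tel (outbound).  Order matters: '+1704' must be tried before the '+' catch-all.
IP2TEL_MANIP = [Manip("+1704", strip=2), Manip("+1980", strip=2), Manip("+", strip=1)]
IP2TEL_ROUTE = [("7045551000", "Hunt Group 1"), ("7045552000", "Hunt Group 1"), ("*", "Hunt Group 2")]
ENDPOINTS = {"7045551000": "FXS 1", "7045552000": "FXS 2"}   # Hunt Group 1, 'By Dest Phone Number'

# Tel -> IP (inbound from the analog ports).
TEL2IP_MANIP = [
    Manip("1000", add="704555"), Manip("7045551000"),
    Manip("2000", add="704555"), Manip("7045552000"),
    Manip("300", add="+1704555"), Manip("704555300", add="+1"),
    Manip("999", add="+1704555"), Manip("704555999", add="+1"),
]
# The UM / Enterprise Voice entries are written with the '+1' the dial string
# carries after manipulation (the post lists them as 704555300x / 704555999x);
# treating '+' as a literal pattern character is an assumption of this model.
TEL2IP_ROUTE = [
    ("7045551000", GATEWAY_IP), ("7045552000", GATEWAY_IP),
    ("+1704555300x", MEDIATION_IP), ("+1704555999x", MEDIATION_IP),
    ("*", GATEWAY_IP),
]


def outbound(dial: str) -> Tuple[str, str]:
    """Call arriving over IP (from Mediation or UM): returns (manipulated, port)."""
    number = manipulate(dial, IP2TEL_MANIP)
    group = route(number, IP2TEL_ROUTE)
    port = ENDPOINTS[number] if group == "Hunt Group 1" else FXO_PORTS
    return number, port


def inbound(dial: str) -> Tuple[str, str]:
    """Call dialled on an analog port: returns (manipulated, destination).
    A call routed to the gateway's own IP is hairpinned through IP -> Tel."""
    number = manipulate(dial, TEL2IP_MANIP)
    target = route(number, TEL2IP_ROUTE)
    if target == GATEWAY_IP:
        number, target = outbound(number)
    return number, target


if __name__ == "__main__":
    for d in ("9998", "7045559998", "3000", "1000", "411"):
        print(f"analog dials {d:>12} -> {inbound(d)}")
    for d in ("+17045552000", "+12125551212"):
        print(f"IP dials     {d:>12} -> {outbound(d)}")
```

Running the file prints the final port or IP for each number used in the test scenarios at the end of the post. Reversing the order of the ‘+1704’ and ‘+’ rules in IP2TEL_MANIP shows why the catch-all must come last: +17045552000 would be stripped to 17045552000 and routed to the PSTN over an FXO port instead of ringing FXS 2.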

 

 

Configuring Miscellaneous Options

The following is a summary of the steps involved in configuring other miscellaneous options for the AudioCodes MP-114 Media Gateway. Please keep in mind that the selections for the configuration options shown in this documentation may not apply to regions outside the United States.

 

Step 1 – Configure SIP Protocol options

The Office Communications Server 2007 Mediation Server role and Exchange 2007 Unified Messaging accept SIP signaling over TCP (or TLS), not over UDP. Keep in mind that SIP over plain TCP port 5060 is neither authenticated nor encrypted; that is acceptable for this lab, but for production a gateway should present a certificate and use TLS on port 5061, which Unified Messaging also listens on. To verify that the AudioCodes MP-114 Media Gateway is configured to support SIP/TCP, follow these steps:

  • Connect and log in to the AudioCodes MP-114 Media Gateway via its web interface
  • From the navigation menu on the left, click on the ‘Configuration’ button
  • From the menu options on the left of the screen, expand ‘Protocol Configuration’ then ‘Protocol Definition’
  • Select the ‘SIP General Parameters’ menu option

        clip_image002[16]

  • Verify that the following options are configured with the following values:
Enable Early Media – Disabled
SIP Transport Type – TCP
SIP UDP Port – 5060
SIP TCP Port – 5060
SIP TLS Port – 5061
Enable SIPS – Disabled
SIP Destination Port – 5060
  • Click ‘Submit’ to commit changes

 

Step 2 – Select a proper ‘Coder’ (media codec)

A VoIP codec is used to encode voice signals into a media stream that can be routed over an IP network. One of the most widely used codecs is G.711, which comes in two companding variants: PCM µ-Law (used in North America and Japan) and PCM A-Law (used in Europe and most other regions). The AudioCodes MP-114 Media Gateway, the OCS Mediation server role, and Exchange Unified Messaging all support either variant.

  • While connected to the AudioCodes gateway via the web interface, click on the ‘Configuration button’ from the navigation menu
  • Expand ‘Protocol Configuration’ then ‘Protocol Definition’
  • Select the ‘Coders’ menu option

        clip_image002[18]

  • For best results with OCS Mediation Server role, choose only one entry from the list of available codecs:
G.711 U-law codec (common choice for North America and Japan)
G.711 A-law codec (common choice for Europe and elsewhere)
  • Click ‘Submit’ to commit changes

 

Step 3 – Configure DTMF and Dialing Options

To enable the correct options for DTMF handling, follow these steps:

  • While connected to the AudioCodes gateway via the web interface, click on the ‘Configuration button’ from the navigation menu
  • From the menu options on the left of the screen, switch to FULL display (the default setting is BASIC display)
  • Expand ‘Protocol Configuration’ then ‘Protocol Definition’
  • Select the ‘DTMF & Dialing’ menu option

        clip_image002[20]

  • Verify that the following DTMF options are configured with the following values:
Max Digits in Phone Num – 11 (adjust this value for international dialing or if you must dial ‘9’ to place external calls)
Declare RFC 2833 in SDP – Yes
1st Tx DTMF Option – RFC 2833
RFC 2833 Payload Type – 101
  • Click ‘Submit’ to commit changes

 

Step 4 – Enable ‘Caller ID’ (Inbound TEL Calls)

To enable ‘Caller ID’ for inbound analog calls over port FXO 3 or FXO 4, follow these steps:

  • While connected to the AudioCodes gateway via the web interface, click on the ‘Configuration button’ from the navigation menu
  • From the menu options on the left of the screen, switch to FULL display (the default setting is BASIC display)
  • Expand ‘Protocol Configuration’ then ‘SIP Advanced Parameters’
  • Select the ‘Supplementary Services’ menu option

        clip_image002[22]

  • Verify that the following options are configured with the following values:
Enable Caller ID – Enabled
Caller ID Type – Standard BellCore
  • Click ‘Submit’ to commit changes

 

Step 5 – Configure Additional Options for Inbound TEL Calls

Additional options for inbound TEL calls from analog ports may be set as shown.

  • While connected to the AudioCodes gateway via the web interface, click on the ‘Configuration button’ from the navigation menu
  • Expand ‘Advanced Applications’
  • Select the ‘FXO Settings’ menu option

        clip_image002[24]

  • Verify that the following options are configured with the following values:
Dialing Mode – One Stage
Waiting for Dial Tone - No
Time to Wait before Dialing [msec] – 1000
Answer Supervision – No
Rings before Detecting Caller ID – 1
Disconnect Call on Detection of Busy Tone – Enable
Disconnect on Dial Tone – Disable
  • Click ‘Submit’ to commit changes

 

 

Summary

Upon completing the configuration steps contained in this documentation, your AudioCodes MP-114 Media Gateway should route inbound and outbound calls successfully. If after completing these steps you find that you are unable to route calls through your AudioCodes gateway, verify that your UC lab environment is configured correctly.

You can perform the following tests to verify whether you have successfully configured your AudioCodes device. If any of these test scenarios fail, troubleshoot as follows:

  • Enable debug logging on OCS Mediation Server (choose all levels/all tags for MediationServer and S4 components)
  • Enable debug logging on OCS Front End Server (choose all levels/all tags for SIPStack, S4, and ExumRouting components)
  • Enable logging on the AudioCodes Gateway (‘Status & Diagnostics’ button, ‘Message Log’ menu option)
  • Collect network traffic capture from OCS Mediation Server using Microsoft Network Monitor

 

Test Scenarios - Inbound Calls

  • Test - Connect external PSTN line to port FXO 3 and place inbound call
  • Result – Unified Messaging should answer and present caller with Outlook Voice Access feature (Subscriber Access)
  • Test – Connect external PSTN line to port FXO 4 and place inbound call
  • Result – Unified Messaging should answer and present caller with Auto Attendant feature
  • Test – Place call to ‘9998’ or ‘7045559998’ from analog telephone handset connected to port FXS 1
  • Result – Unified Messaging should answer and present caller with Outlook Voice Access feature (Subscriber Access)
  • Test – Place call to ‘9999’ or ‘7045559999’ from analog telephone handset connected to port FXS 2
  • Result – Unified Messaging should answer and present caller with Auto Attendant feature
  • Test – Place call to ‘3000’ or ‘7045553000’ from analog telephone handset connected to port FXS 1
  • Result – Enterprise Voice-enabled OCS User should receive incoming call toast in Office Communicator client

 

Test Scenarios - Outbound Calls

  • Test – Place call to ‘1000’ or to ‘7045551000’ from analog telephone handset connected to port FXS 2
  • Result – Analog telephone handset connected to port FXS 1 should ring
  • Test – Place call to ‘411’ from analog telephone handset connected to port FXS 1
  • Result – Call should be placed to the PSTN over port FXO 3 or port FXO 4
  • Test – Place call to ‘7045552000’ from Enterprise Voice-enabled OCS User in Office Communicator client
  • Result – Analog telephone handset connected to port FXS 2 should ring
Posted by DaveH | 0 Comments

How to troubleshoot OCS Mediation server Quality of Service Event ID 25022

 

This week I accepted a case escalation out of Microsoft EMEA which involved the Quality of Experience monitoring and reporting component of Office Communications Server 2007. Knowing absolutely nothing about QoE, I downloaded the OCS 2007 Quality of Experience Monitoring Server package from Microsoft and added it to my existing lab environment. After an interesting (and challenging) installation experience, I cracked open the case notes that were logged by previous engineers.


Problems:

  • Incomplete QoE reporting (missing or incomplete QoE reports)
  • Event ID 25022 repeatedly logged in Application Log on Mediation Server(s)

The following is a sample of one of the error messages:


Event Type: Error
Event Source: OCS Mediation Server
Event ID: 25022
Computer: OCSMedSvr01
Description:
The Quality-Metric server cannot be contacted. The Quality metric reports are not sent to the server.
Exception:
Microsoft.Rtc.Signaling.OperationTimeoutException: This operation has timed out.
at Microsoft.Rtc.Signaling.SipAsyncResult.ThrowIfFailed()
at Microsoft.Rtc.Signaling.Helper.EndAsyncOperation[T](Object owner, IAsyncResult asyncResult)
at Microsoft.Rtc.Signaling.RealTimeEndpoint.EndSendMessage(IAsyncResult asyncResult)
at Microsoft.RTC.MediationServerCore.QosReport.SendMessageCallback(IAsyncResult result)
Cause:
Either the Quality-Metric server is not running or unreachable.
Resolution:
Verify that Quality-Metric server is reachable from the computer running Office Communications Server.

 

Once the QoE Monitoring Server (the "Quality-Metric server" of the event text, referred to as the QoS server below) has been associated with the OCS Pool and the Mediation servers, each Mediation server sends a quality metric report to the QoS server at the completion of every call. The details of the call quality are carried as an XML body in a SIP SERVICE request sent over TLS on TCP port 5061. Jitter, packet loss, network utilization, and audio quality are some of the metrics that are captured and reported for each call. Upon receiving the SERVICE request, the QoS server responds to the Mediation server with 202 Accepted. If the QoE report fails to reach the QoS server, or if the response never reaches the Mediation server, there is no attempt to resend: QoE reporting is very much a fire-and-forget process.

While the error shown above indicates a network problem between the Mediation server and the QoS server, it can be confusing to troubleshoot. So, where do you begin?

OCSLogger and Snooper, of course!

The first troubleshooting step is to install the OCS Resource Kit tools on the Mediation server(s) in your environment; the OCS 2007 Resource Kit tools are available from the Microsoft Download Center. Once installed, open the OCS 2007 management console and drill down on Mediation Servers. Right click on your Mediation server and choose Logging Tool > New Debug Session. This will open the options for the OCSLogger tool.

Enable logging for the following components, leaving everything else configured with the default options:

 

Component: Mediation Server
Level: All
Flags: All Flags

Component: S4
Level: All
Flags: All Flags

 

Click Start Logging, then let it run for about an hour (or as long as it takes to reproduce the error as shown above). Once you see Event ID 25022 appear in the event log of your Mediation server, click Stop Logging. Click Analyze Log Files > Analyze to launch Snooper.

At the top of the Snooper window, enter the word SERVICE in the search box, then click on the green magnifying glass. This will highlight all QoE reports sent from the Mediation server. Each SERVICE message will contain a quality metric report sent from the Mediation server, and each SERVICE message should be followed by 202 Accepted. Any break in this sequence will result in Event ID 25022, as shown below:

clip_image002

From the highlighted area in the screenshot above, we can tell that the Mediation server sent the QoE report at the conclusion of this call. However, the QoS server never responded with 202 Accepted to the Mediation server. If the Mediation server does not receive an acknowledgement for the receipt of the QoE report within approximately 30 seconds, the reporting event will time out and Event ID 25022 will be logged by the Mediation server.
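To make the SERVICE / 202 Accepted pairing concrete, here is an added example (not OCSLogger, Snooper or Microsoft code) that walks a list of constructed log lines in a simplified one-message-per-line form, pairs each SERVICE request with its final response by Call-ID and CSeq, and flags the requests that received no response, a late response (past the roughly 30 second timeout described above) or a non-202 response. The line format, the host name qoe.contoso.com and the sample Call-IDs are assumptions made for the example.

```python
"""Pair each QoE SERVICE request a Mediation Server sends with its final
response and flag the ones behind Event ID 25022.  Added example over
constructed, simplified one-message-per-line log lines; it is not Snooper or
OCSLogger output and the 30 s limit is the approximate timeout from the post."""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

TIMEOUT_SECONDS = 30.0

# Assumed line shape:
#   <hh:mm:ss.fff> <TX|RX> <request line or status line> Call-ID=<id> CSeq=<n> SERVICE
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) (?P<dir>TX|RX) (?P<msg>.+?) "
    r"Call-ID=(?P<cid>\S+) CSeq=(?P<cseq>\d+) SERVICE$"
)

Result = Tuple[str, str, Optional[float]]   # (Call-ID, status, latency in seconds)


def check_qoe_reports(lines: List[str]) -> List[Result]:
    """Classify every SERVICE request as ok, late, rejected or no-response."""
    sent: Dict[Tuple[str, str], datetime] = {}
    outcome: Dict[Tuple[str, str], Tuple[str, Optional[float]]] = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                            # not a SERVICE transaction line
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        key = (m["cid"], m["cseq"])             # one transaction = Call-ID + CSeq
        if m["dir"] == "TX" and m["msg"].startswith("SERVICE "):
            sent[key] = ts
            outcome[key] = ("no-response", None)
        elif m["dir"] == "RX" and key in sent and outcome[key][0] == "no-response":
            latency = (ts - sent[key]).total_seconds()
            if not m["msg"].startswith("SIP/2.0 202"):
                outcome[key] = ("rejected", latency)
            elif latency > TIMEOUT_SECONDS:
                outcome[key] = ("late", latency)   # 25022 was already logged by then
            else:
                outcome[key] = ("ok", latency)
    return [(cid, status, lat) for (cid, _), (status, lat) in outcome.items()]


def failed_reports(lines: List[str]) -> List[str]:
    """Call-IDs whose QoE report would have produced Event ID 25022."""
    return [cid for cid, status, _ in check_qoe_reports(lines) if status != "ok"]


# Constructed sample: one clean exchange, one unanswered report, one answered
# after the timeout, and one rejected by the server.
SAMPLE_LOG = """\
10:15:02.101 TX SERVICE sip:qoe.contoso.com Call-ID=a1b2 CSeq=1 SERVICE
10:15:02.350 RX SIP/2.0 202 Accepted Call-ID=a1b2 CSeq=1 SERVICE
10:16:40.000 TX SERVICE sip:qoe.contoso.com Call-ID=c3d4 CSeq=1 SERVICE
10:18:00.000 TX SERVICE sip:qoe.contoso.com Call-ID=e5f6 CSeq=1 SERVICE
10:18:45.250 RX SIP/2.0 202 Accepted Call-ID=e5f6 CSeq=1 SERVICE
10:20:00.000 TX SERVICE sip:qoe.contoso.com Call-ID=g7h8 CSeq=1 SERVICE
10:20:00.400 RX SIP/2.0 504 Server Time-out Call-ID=g7h8 CSeq=1 SERVICE
""".splitlines()

if __name__ == "__main__":
    for cid, status, latency in check_qoe_reports(SAMPLE_LOG):
        extra = f" ({latency:.3f}s)" if latency is not None else ""
        print(f"{cid}: {status}{extra}")
```

Run against a real trace, the no-response and late entries are the ones to line up against the TCP resets in the network capture discussed next; a rejected entry points at the QoS server itself rather than at the network.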

 

So what’s next? Network Monitor!

From the Mediation server, download and install Microsoft Network Monitor from the Microsoft Download Center. Once installed, launch Network Monitor and capture network traffic for about an hour or until Event ID 25022 appears in your application log. In chatty environments, network captures can grow quite large in a very short period of time. This is especially true of OCS Mediation servers, where voice streams sent over RTP/UDP can account for a significant percentage of network traffic in a large capture file. You may want to consider using a capture filter to limit much of the extraneous noise on the wire:

Capture Filter: ipv4.address==10.32.10.45 && tcp

After an hour has passed or as soon as Event ID 25022 appears in your application log, stop and save the network trace file. Then, click on the Display Filter tab and enter and apply the following display filter:

Display Filter: tcp.flags.reset==0x1 && tcp.port==5061

This is where troubleshooting this issue can become a bit confusing. See, the Mediation server and the QoS server never talk directly to each other, so you will never see a network failure occur directly between those two IP addresses. Instead, both the Mediation server and the QoS server communicate via the SIP protocol – and all SIP communication in OCS flows through the Front End servers in the OCS Pool.

And what device is responsible for handling network traffic sent to an OCS Pool hosting multiple Front End servers? You got it … a network load balancer!

 

Now let’s look at the network traffic captured by Network Monitor:

clip_image004

Here you can see a number of hard network resets (note only the reset flag ‘R’ is present), most of which originate from 10.32.12.141 – the virtual IP address of the load balancer sitting in front of the OCS Pool. These network resets occur at frequent intervals throughout the day and are responsible for the failed submission and/or acknowledgement of QoE reports between the Mediation and QoS servers.

 

If you are experiencing this problem, check the TCP idle timeout used by your load balancer to clean up stale connections. Many load balancers are configured with a very short TCP idle timeout (e.g. less than 5 minutes), which causes semi-active TCP connections (such as the long-lived SIP connections in OCS) to be torn down with a reset while the endpoints still consider them open.

In LCS/OCS environments, load balancers should be configured with a 20 minute TCP idle timeout window as a best practice. Making a slight configuration change on your load balancer will often resolve this and many other quirky connectivity issues in your OCS environment.

 

Hope this helps!

 

Dave

Posted by DaveH | 0 Comments

Possible integration problem with Avaya SIP Enablement Services (SES) and Microsoft Exchange Unified Messaging

 

Over the past few months, I have encountered at least four instances of customers who are having problems integrating Avaya SES (SIP Enablement Services) with Microsoft Exchange Unified Messaging.  All calls routed to Unified Messaging from Avaya SES 4.0.x or Avaya SES 5.0.x fail without ever connecting successfully, resulting in the following events which can be found in the application log of the Unified Messaging server:

 

 

        Log Name:      Application
        Source:        MSExchange Unified Messaging
        Date:          12/22/2008 12:54:59 PM
        Event ID:      1152
        Task Category: UMCore
        Level:         Warning
        User:          N/A
        Computer:      umserver1.corp.fourthcoffee.com
        Description:
        The Unified Messaging server has received a SIP header that is not valid
        from an incoming call with ID "d58f1efd-4201-4933-ab6b-06596f52fc58".
        Header details follow: "System.FormatException: Original called number
        information could not be obtained from the Diversion header:
        ""MSExchange" <sip:69001@corp.fourthcoffee.com>;index=1.2"."

        Log Name:      Application
        Source:        MSExchange Unified Messaging
        Date:          12/22/2008 12:54:59 PM
        Event ID:      1021
        Task Category: UMCore
        Level:         Warning
        User:          N/A
        Computer:      umserver1.corp.fourthcoffee.com
        Description:
        The Unified Messaging server rejected an incoming call with the ID
        "d58f1efd-4201-4933-ab6b-06596f52fc58". Reason: "Original called
        number information could not be obtained from the Diversion header:
        ""MSExchange" <sip:69001@corp.fourthcoffee.com>;index=1.2"."

        Log Name:      Application
        Source:        Microsoft Exchange Speech Engine
        Date:          12/22/2008 12:54:59 PM
        Event ID:      32768
        Task Category: Telephony Application Host
        Level:         Warning
        User:          N/A
        Computer:      umserver1.corp.fourthcoffee.com
        Description:
        The Telephony Manager declined a call with Call Id 'd58f1efd-4201-
        4933-ab6b-06596f52fc58' for the following reason in component
        telephony session: 'The application has requested that the call be
        declined during media negotiation.'.

 

 

On an Exchange 2007 Unified Messaging server, the Unified Messaging service (UMService.exe) listens for inbound SIP connections on TCP port 5060 and TLS port 5061.  Upon receiving an inbound connection request, the Unified Messaging service redirects the calling device (with a 302 Moved Temporarily response) to either TCP/5065 or TLS/5066, where a waiting worker process (UMWorkerProcess.exe) handles all signaling aspects of the call. 

 

A successful call to Unified Messaging from a traditional PBX/IP Gateway should appear as follows:

 

 

 

While some gateways use the SIP Diversion header to record the routing history of a call, Avaya uses the SIP History-Info header (RFC 4244).  Every routing or rerouting target throughout the history of a call is appended as an entry with an index value in the History-Info header.  This means that when a voice mail call to the Unified Messaging service on port 5060 is redirected to the UM Worker Process listening on port 5065, Avaya SES ends up with three entries in the History-Info header: the original target, the 302 redirection, and the redirect target.

In Avaya SES 4.0.x, each routing or rerouting target is added as a separate line in the History-Info header for a given call.  For example, a call placed to extension 27001 that is subsequently sent to voice mail will have a History-Info header similar to the following after being redirected (302 Moved Temporarily) to the UM Worker Process:

  History-Info: <sip:27001@corp.fourthcoffee.com>;index=1
  History-Info: "Microsoft UM" <sip:27001@corp.fourthcoffee.com?Reason=SIP%3Bcause%3D302%3Btext%3D%22Moved%20Temporarily%22&Reason=Redirection%3Bcause%3DCFI>;index=1.1
  History-Info: "Microsoft UM" <sip:27001@corp.fourthcoffee.com>;index=1.2

In Avaya SES 5.0.x, each routing or rerouting target is added as a separate entry on the same line in the History-Info header for a given call.  For example, the same voice mail call handled by Avaya SES 5.0.x will have a History-Info header similar to the following after being redirected to the UM Worker Process:

  History-Info: <sip:27001@corp.fourthcoffee.com>;index=1,"Microsoft UM" <sip:27001@corp.fourthcoffee.com?Reason=SIP%3Bcause%3D302%3Btext%3D%22Moved%20Temporarily%22&Reason=Redirection%3Bcause%3DCFI>;index=1.1,"Microsoft UM" <sip:27001@corp.fourthcoffee.com>;index=1.2

While SIP Enablement Services appears to be RFC compliant in its presentation of History-Info information, the software also prepends a display name value ("Microsoft UM" in the entry below) to each redirected History-Info entry:

  History-Info: "Microsoft UM" <sip:27001@corp.fourthcoffee.com>;index=1.2

We are currently investigating whether the inclusion of a display name value in History-Info could be a contributing factor to the call transfer failures between Avaya SES and Unified Messaging.  I have contacted Avaya regarding this issue, and their engineers have confirmed that SIP Enablement Services cannot be configured to omit display name values from History-Info.

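To make the two header layouts concrete, here is an added example (my own illustration, not code from the post, from Exchange or from Avaya) that parses History-Info entries in both the one-line-per-entry form and the comma-separated single-line form, decodes the escaped Reason values, reports which entries carry a display name, and recovers the originally called number from the lowest index. The sample headers are constructed from the values shown above; the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Constructed sample headers (hypothetical, modelled on the two Avaya SES
# layouts shown above): one History-Info line per entry (SES 4.0.x) versus
# comma-separated entries on a single line (SES 5.0.x).
SES_40_HEADERS = [
    'History-Info: <sip:27001@corp.fourthcoffee.com>;index=1',
    'History-Info: "Microsoft UM" <sip:27001@corp.fourthcoffee.com'
    '?Reason=SIP%3Bcause%3D302%3Btext%3D%22Moved%20Temporarily%22'
    '&Reason=Redirection%3Bcause%3DCFI>;index=1.1',
    'History-Info: "Microsoft UM" <sip:27001@corp.fourthcoffee.com>;index=1.2',
]
SES_50_HEADERS = [
    'History-Info: <sip:27001@corp.fourthcoffee.com>;index=1,'
    '"Microsoft UM" <sip:27001@corp.fourthcoffee.com'
    '?Reason=SIP%3Bcause%3D302%3Btext%3D%22Moved%20Temporarily%22'
    '&Reason=Redirection%3Bcause%3DCFI>;index=1.1,'
    '"Microsoft UM" <sip:27001@corp.fourthcoffee.com>;index=1.2',
]

# One entry: optional quoted display name, <uri>, then ;name=value parameters.
ENTRY_RE = re.compile(
    r'^(?:"(?P<display>(?:[^"\\]|\\.)*)"\s*)?<(?P<uri>[^>]*)>(?P<params>(?:;[^;]*)*)$'
)


def split_entries(value):
    """Split a header value on commas that sit outside quotes and <...>."""
    entries, current, depth, in_quote = [], [], 0, False
    i = 0
    while i < len(value):
        ch = value[i]
        if in_quote and ch == '\\' and i + 1 < len(value):
            current.extend(value[i:i + 2])  # keep an escaped character as-is
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote and ch == '<':
            depth += 1
        elif not in_quote and ch == '>':
            depth -= 1
        elif not in_quote and depth == 0 and ch == ',':
            entries.append(''.join(current).strip())
            current = []
            i += 1
            continue
        current.append(ch)
        i += 1
    tail = ''.join(current).strip()
    if tail:
        entries.append(tail)
    return entries


def parse_entry(entry):
    """Return display name, bare URI, user part, index and decoded Reason values."""
    m = ENTRY_RE.match(entry)
    if not m:
        raise ValueError('malformed History-Info entry: %r' % entry)
    uri, _, escaped_headers = m.group('uri').partition('?')
    reasons = []
    if escaped_headers:  # the ?Reason=...&Reason=... part is percent-encoded
        for kv in escaped_headers.split('&'):
            name, _, val = kv.partition('=')
            if name.lower() == 'reason':
                reasons.append(unquote(val))
    params = {}
    for p in m.group('params').split(';')[1:]:
        name, _, val = p.partition('=')
        params[name.strip().lower()] = val.strip()
    user_match = re.match(r'sips?:([^@;]+)@', uri)
    return {
        'display': m.group('display'),
        'uri': uri,
        'user': user_match.group(1) if user_match else None,
        'index': params.get('index'),
        'reasons': reasons,
    }


def parse_history_info(header_lines):
    """Parse every History-Info line, whichever of the two layouts is used."""
    entries = []
    for line in header_lines:
        name, _, value = line.partition(':')
        if name.strip().lower() != 'history-info':
            continue
        entries.extend(parse_entry(e) for e in split_entries(value.strip()))
    return entries


def original_called_number(entries):
    """The originally called party is the entry with the lowest index (index=1)."""
    indexed = [e for e in entries if e['index']]
    if not indexed:
        return None
    first = min(indexed, key=lambda e: [int(x) for x in e['index'].split('.')])
    return first['user']


def entries_with_display_name(entries):
    """Count entries that carry a display name, the SES behaviour noted above."""
    return sum(1 for e in entries if e['display'] is not None)


if __name__ == '__main__':
    for label, hdrs in (('SES 4.0.x', SES_40_HEADERS), ('SES 5.0.x', SES_50_HEADERS)):
        parsed = parse_history_info(hdrs)
        print(label, 'called number', original_called_number(parsed),
              'display names', entries_with_display_name(parsed))
```

Both layouts parse to the same three entries, so a consumer that splits only on line boundaries (or only on commas) handles one Avaya version but not the other; splitting must also respect quoted display names, since a display name such as "Smith, John" legitimately contains a comma.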
Please contact me directly if you have any questions.

DaveH

Posted by DaveH | 1 Comments