This article describes how to use Asterisk to supply standardized, company-wide, on-hold music for all your Microsoft Office Communications Server 2007 R2 end-points (softphone or Voice over Internet Protocol (VoIP) phones). Configuring each end-point in Office Communications Server 2007 R2 can be time-consuming. This scenario is intended for configurations where incoming calls pass through Asterisk first before they reach Office Communications Server, (essentially when using Asterisk as an Office Communications Server gateway).

Author: Paul Adams

Publication date: June 2010

Product version: Microsoft Office Communications Server 2007 R2 and Asterisk 1.6

During a Microsoft Office Communications Server 2007 R2 implementation, I used Asterisk 1.6 as a gateway for Office Communications Server 2007 R2 to connect to the outside world. For more information about creating a gateway, see Geoff Clark’s blog post Asterisk 1.6 with Office Communications Server 2007. On the desktops, I rolled out a mix of snom 300 series phones (with Office Communications Server firmware) and the Office Communicator 2007 R2 desk clients.

When it came to addressing the issue of on-hold music, I started thinking about how much work it would be to deploy on-hold music to each client and then change that on-hold music every time we wanted to add a new promotion or switch to “holiday tunes”—lots of work.

I remembered that Asterisk responds to requests in the call stream for on-hold music, but there is a catch—this would only work for calls that pass through Asterisk to reach Office Communications Server. This was acceptable to me because the most important people who needed to hear our on-hold music were our customers, calling in from the outside world (the on-hold music was interjected with useful company information).

In this article, I’ll show you how to get your company’s on-hold music configured in Asterisk. I’ll also cover some useful lessons that I’ve learned during my on-hold journey. I assume that if you’re using Asterisk as a gateway, you probably know how to perform most of the administrative tasks that I’ll cover here in Linux and Asterisk. I’ve tried to offer as much guidance as possible.

Note:
Asterisk works with other formats for on-hold music, but the calls to and from Office Communications Server are in Ulaw. Formatting the on-hold music files to Ulaw means that Asterisk doesn’t need to convert the music in real time to use it.

Tip:
When you’re testing, make calls from different devices, such as a regular telephone and a cell phone. I discovered that a volume setting that sounded acceptable on a regular telephone could be a little loud on a cell phone.

This article is a partner article to "Direct SIP: Cisco Unified Communications Manager 6.1" and focuses on the configuration requirements for the Mediation Server in Office Communications Server 2007 R2. The main steps include configuring CUCM as the Mediation Server's gateway and modifying Mediation Server's location profile, but you'll want to read on to get the details.

Author: Jerome Berniere, Rui Maximo

Original Publication date: December 2009

Product version: Office Communications Server 2007 R2

This article is a continuation of the article about how to configure Cisco Unified Communications Manager (CUCM), also known as CallManager, for Direct SIP with Office Communications Server 2007 R2. (For details about configuring CUCM, see Direct SIP: Cisco Unified Communications Manager 6.1.) This article focuses on the configuration requirements for the Mediation Server. The high-level tasks are described below.

Direct SIP: Configuring Mediation Server

Configure Office Communications Server 2007 R2:

1. Configure CUCM as the Mediation Server's gateway
2. Modify Mediation Server's Location Profile

The advantage of Direct SIP is that you can establish direct connectivity between Office Communications Server 2007 R2 and Cisco Unified Communications Manager without the need for a gateway, which decreases the complexity of the interop deployment and increases call quality. Figure 1 illustrates this configuration.

Figure 1. Direct SIP configuration

Configure CUCM as the Mediation Server's Gateway

You must configure the Mediation Server to connect to CUCM as its gateway. The Mediation Server needs to know the IP address of the CUCM. In our example, the Cisco CUCM's IP address is 192.168.0.210.

To configure this setting, right-click the Mediation Server node, and then click Properties in Administrative Tools (see Figure 2).

Figure 2. Administrative Tools Properties menu

From the Mediation Server's properties page, navigate to the Next Hop Connections tab. In the IP Address field under PSTN Gateway next hop, specify the CUCM's IP address (in this example, 192.168.0.210). In Port, type 5060. This is illustrated in Figure 3.

Figure 3. Properties dialog box

Modify the Mediation Server's Location Profile

Every Mediation Server must be assigned a default location profile. You can assign a location profile to the Mediation Server by navigating to the General tab of the Mediation Server's Properties as shown in Figure 4.

Figure 4. Mediation Server Properties dialog box

You must modify the Mediation Server's location profile. You must create new normalization rules to normalize the dial strings coming from CUCM across the SIP trunk. To edit the location profile in Administrative Tools, right-click the Forest node, click Properties, point to Voice Properties (see Figure 5).

Figure 5. Voice Properties menu

On the Location Profiles tab, locate the profile assigned to your Mediation Server, and then click Edit. This will bring up the Edit Location Profile dialog box where you can add new normalization rules or edit existing ones (see Figure 6).

Figure 6. Voice Properties dialog box and Edit Location Profile dialog box

A normalization rule is similar to CUCM's translation pattern. It serves the purpose of translating a phone number, which is called a dial string, from one format to another format.

One or more normalization rules must be defined depending on your needs. At a minimum, you need to define at least two normalization rules as follows:

• A normalization rule for incoming calls from CUCM users destined to Office Communicator users. This enables Cisco IP phone users to dial Office Communicator users within the organization.
• A normalization rule for incoming calls from the public switched telephone network (PSTN) to Office Communicator users. This enables external (that is, PSTN) users to call Office Communicator users.

CUCM to Office Communications Server Normalization Rule

This normalization rule applies for internal number routing so that users using a Cisco IP phone can dial an Office Communicator user within the organization by using an extension number. To be properly routable by Office Communications Server to the correct destination user, the Mediation Server must translate the extension number into an RFC3966 compliant global number. In this example, the normalization rule Internal number NR transforms an extension number, 4-digit dial string xxxx, into an RFC3966 compliant global number, +3316986xxxx, where +33 is the country code for France, 1 is the region code for Paris, 6986 is the prefix for the carrier's central office, and xxxx is for all numbers assigned to that organization. If the organization was located in Redmond, WA, the normalization rule would likely translate the 4-digit dial string, xxxx, into +1425703xxxx, where +1 is the country code for U.S., 425 is the area code for Redmond, WA as defined by NANPA, 703 is the prefix for the carrier's central office, xxxx is the prefix for all numbers for the organization.

After the extension is translated into an RFC3966 compliant number, Office Communications Server can route the call to the appropriate Office Communicator user whose phone number matches the RFC3966 compliant number. This normalization rule is applied to inbound traffic from the CUCM. The phone pattern regular expression in this scenario is ^([0-9]{4})$, and the translation pattern regular expression is +3316986$1 as shown in Figure 7.

Figure 7. Internal number NR normalization rule

In addition to translating the TO field dial string, this normalization rule will also convert the FROM field that matches the dial string xxxx to an RFC3966 global number. Once transformed into an RFC3966 number, Office Communications Server can then resolve the RFC3966 number into the corresponding dialer's SIP URI if available.

To allow Office Communicator users to dial users using an extension number, the same normalization rule can also be added to the user's location profile. The rule normalizes that dial string into a global number. If that number can be matched against a unified communications (UC) enabled user's phone number, it is associated to a SIP URI and routed within Office Communications Server. If there is no match, the call is routed to the appropriate external route, which is CUCM in this example.

PSTN to Office Communications Server Normalization Rule

This normalization rule applies for external number routing so that PSTN users can dial an Office Communicator user. In this example, CUCM formats the dial string prepended with "00". The leading digit, "0", is configured as the external prefix number in France. An external prefix is the digit you dial to get out to the PSTN. In the U.S., most organizations use the digit, "9", for example to call out to the PSTN. For calls passed by CUCM across the SIP trunk to Office Communications Server, the FROM field contains dial strings that start with "00". The leading zero is the external prefix so that if the callee were to call back the PSTN caller the call would be properly routed to the PSTN by CUCM. The second zero is for national PSTN numbers (instead of +33). PSTN presents only one "0" and the CUCM adds a second prefix "0" to differentiate external versus internal number. The normalization rule translates the FROM field into an RFC3966 global number that is used for reverse number lookup by Office Communications Server.

The normalization rule, named National, transforms a dial string that starts with 00 followed by 9 digits into an RFC3966 compliant global number by stripping the "00" and replacing with "+33". This normalization rule is applied to inbound calls to Office Communications Server from CUCM. The phone pattern regular expression in this scenario is ^00(d\{9})$, and the translation pattern regular expression is +33$1 (see Figure 8).

Figure 8. National normalization rule

Strip Plus Sign (+) from Request URI

Because CUCM 6.1 is not fully compliant with RFC3966, it doesn't support the use of the plus sign (+) in the TEL URI. This creates an interoperability issue when the Mediation Server forwards calls to CUCM as CUCM cannot properly interpret phone numbers in RFC3966 format. Luckily, Office Communications Server provides a means to strip the plus sign (+) from the TEL URI at the Mediation Server before it forwards the call to CUCM. This is exposed as a Windows Management Instrumentation (WMI) configurable setting called RemovePlusFromRequestURI. When it is set to true, it strips the plus sign (+).

Salman Khalid, a software test engineer in the Office Communications Group, provided the following VBScript code to set the RemovePlusFromRequestURI WMI setting. To run it, copy it into an ASCII text file with a file extension of .vbs.

Query = "SELECT * FROM MSFT_SIPMediationServerConfigSetting"
 Set InstList = GetObject("Winmgmts:root\cimv2").ExecQuery(Query)
For Each Inst in InstList
      Inst.RemovePlusFromRequestURI = True
      Inst.Put_
Next
wscript.echo "Update successfully"

 Additionally, Rui Silva has posted a very good blog entry that explains various ways to set this WMI setting. You can find this post in the Additional Information section.

Additional Information

To learn more, check out the following articles:

• Direct SIP: Cisco Unified Communications Manager 6.1. at http://go.microsoft.com/fwlink/?LinkId=179795
• Setting up the Cisco Call Manager 4.2.1 for "Direct SIP with IP-PBX" at http://go.microsoft.com/fwlink/?linkid=178442
• Direct SIP with IP-PBX in Office Communications Server 2007 at http://go.microsoft.com/fwlink/?linkid=178443

• RemovePlusFromRequestURI (or how to make OCS non-RFC 3966-compliant) at http://go.microsoft.com/fwlink/?linkid=178444

Office Communications Server Resources

• Visit the Office Communications Server main page at http://go.microsoft.com/fwlink/?LinkId=132607.
• View the complete Office Communications Server documentation library at http://go.microsoft.com/fwlink/?LinkId=132106.
• Follow tweets from the Office Communications Server team at http://go.microsoft.com/fwlink/?LinkId=167909.
• Download all the Office Communications Server content as a Word document at http://go.microsoft.com/fwlink/?LinkId=133609.
• Download all the Office Communications Server content as a compiled help file at http://go.microsoft.com/fwlink/?LinkId=160355. (Make sure you scroll down to the Additional Information section to download OCSDocumentation.chm.)

The Microsoft Office Communications Server 2007 R2 Resource Kit tool, Address Book Service Configuration Tool, provides Active Directory Domain Services attribute changes and Windows Management Instrumentation (WMI) configuration updates to the Address Book Service (ABS) settings. This tool can be used to regulate which Active Directory attribute information is included in the contact information that the Microsoft Office Communicator 2007 R2 address book file contains. This tool also provides administrators with the flexibility to customize their address book information as needed.

Using Address Book Service Configuration Tool to modify the ABS WMI setting provides administrators with a way to coordinate Office Communicator 2007 R2 address book downloads to meet the needs of their Office Communications Server 2007 R2 network environments. You can download this tool and other Office Communications Server 2007 R2 Resource Kit tools from the Download Center.

Author: Mike Adkins

Publication date: March 2011

Product version: Microsoft Office Communications Server 2007 R2, Microsoft Office Communicator 2007 R2

Introduction

Address Book Service Configuration Tool provides users with a graphical user interface (GUI). This allows them access to Office Communications Server 2007 R2 Windows Management Instrumentation (WMI) classes that define the Address Book server configuration. This interface also allows access to the Communication Server-enabled Active Directory user objects. This gives Address Book Service Configuration Tool the ability to define the contents of the Office Communications Server address book file according to the needs of the network’s Office Communications Server-enabled users.

Additionally, Address Book Service Configuration Tool can be used to administer how and when the address book file should be made available to the Office Communications Server users on the network. You can download this tool and other Office Communications Server 2007 R2 Resource Kit tools from the Download Center.

Description

Address Book Service Configuration Tool at first glance is visually confusing. It provides a graphical view of the information that can be distributed with the downloadable address book file. User information such as first and last name, location, phone numbers, company name, e-mail addresses, and manager’s name are just a few of the user object attributes that can be changed to provide a user experience that is more suitable on the existing network environment that is hosting Office Communications Server services.

Address Book Service Configuration Tool manages a variety of Active Directory user information for Office Communicator 2007 R2 clients on the Office Communications Server-enabled network. This user information management is as follows:

• Use custom field names to replace the default Communicator 2007 R2 attribute field names.
• Filter address book downloads based on user object attribute values.
• Select specific phone number information for the Communicator 2007 R2 user.

ABS relies on its WMI configuration for the management of phone number normalization, address book synchronization, and other address book file download and update choices.

Address Book Service Configuration Tool can be used to customize the Address Book Service’s WMI configuration for the following settings:

• Voice over Internet Protocol (VoIP)-enabled Communicator 2007 R2 client phone number normalization
• Specifying when the address book file will be synchronized for the Office Communications Server-enabled network
• Specifying the requirements for address book creation
• Organizing address book distribution based on Active Directory design

Output

By default, the Office Communications Server 2007 R2 Resource Kit tools will use the following default installation path.

<local drive>\Program Files\Microsoft Office communications Server 2007 R2\ResKit folder

This is where the executable for Address Book Service Configuration Tool (absconfig.exe) is located. Use Windows Explorer to locate the absconfig.exe file, and then double-click it to begin using Address Book Service Configuration Tool.

As previously mentioned, this tool has a GUI that can be used to show the contents of the Communicator 2007 R2 address book file (as shown in Figure 1). The Address Book Service Configuration Tool GUI can also be used to access the Address Book server WMI property settings (see Figure 2).

Figure 1. Address Book Service Configuration Tool Configure Attributes user interface

Purpose

The purpose of Address Book Service Configuration Tool is to manage the customization of the default features of the Communicator 2007 R2 address book file. Modifications to the design of the address book file allow the provisioning of user-related information that can be specific to an organization’s network environment. Following are examples of such modifications:

• Office Communications Server can be deployed in a pre-existing VoIP infrastructure that requires the deployment of legacy phone number normalization policies to the Communicator 2007 R2 client. This allows the Communicator 2007 R2 client’s VoIP features to integrate with the existing VoIP phone network.
• The phone numbers that are being used with user accounts on a pre-existing network can become part of the downloadable Communicator 2007 R2 address book file by using the phone number configuration options that Address Book Service Configuration Tool has to offer.
• When Office Communications Server-enabled users are added to the network, the size of the address book file will get bigger. Each new Communicator 2007 R2 user must download a complete copy of the address book file. The size of the address book file can hinder deployment when Office Communications Server-enabled users are added to the network. In such cases, using the following Address Book Service Configuration Tool features can be used to manage the size of the first address book file to be downloaded for the new Office Communications Server users on the network (OU refers to organizational unit):
  • Partition ABS data by Organizational Unit OU and create individual ABS files per OU
  • Which users do you want to include in ABS files?
• Managing network bandwidth is a task that is oriented to a business’ schedule. The address book file’s Synchronization features provides straightforward way to set the time that address book file synchronization occurs.

Requirements

• Windows Server 2008 operating system
• Windows Server 2003 Standard Edition operating system with Service Pack 2 (SP2)
• Windows Server 2003 Enterprise Edition operating system with Service Pack 2 (SP2)
• Permissions that are equivalent to a member of the RTCUniversalServerAdmins group or the Domain Admins group in the Active Directory domain that hosts the Office Communications Server infrastructure

Examples

The following information provides a detailed description of the features in Address Book Configuration Tool. Also covered is how to use these features to manage the user information that is stored in the address book file and how to change the Office Communications Server Address Book server WMI configuration. Figure 1 shows the Configure Attributes tabbed page.

Configure Attributes Tabbed Page

Following are column headings for the Configure Attributes tabbed page:

• AD Attribute Name Provides a default list of Active Directory attributes. These attributes can be used to customize the contact information for the Communicator 2007 R2 address book download. (AD refers to Active Directory.)
• OC Field Name Provides a list of individual field names that are used for a custom tabular representation of each Active Directory user object attribute.
• Is this Attribute Required? Provides selections for a specific Active Directory attribute. When selected, that user object attribute will become part of the address book file download.
• Type of Attribute Provides a default list of seven Active Directory attribute types. They are as follows:
  • None
  • proxyAddress - Tel Only
  • proxyAddress - SMTP Only
  • proxyAddress - Tel or SMTP
  • Phone
  • Email
  • Group

These types are used to categorize how a user object attribute is represented in the address book file download. A good example of this is how the user object’s proxyAddress attribute contents are added to the address book file. The proxyAddress attribute can contain more than one value; for example, the user’s SMTP address and the Tel or Phone extension. If you want only the user’s SMTP address added to the address book file, you would assign the SMTP Only Type to the proxyAddress attribute when using Address Book Configuration Tool.

• Include in Devices Provides a list of values. When these values are selected, devices such as the Polycom CX700 IP phone, will be able to download the corresponding attributes as contact information for its address book file download.

The Address Book Service Configuration Tool GUI allows the addition of existing Active Directory user attributes as downloadable Communicator 2007 R2 contact information. This GUI also makes it possible to delete any of the Active Directory user attribute information that you don’t want to use as downloadable Communicator 2007 R2 contact information. This means that Office Communications Server administrators can customize the contents of their downloadable Communicator 2007 R2 address book files to match the design of their Office Communications Server and VoIP environments. In addition, removing unneeded Active Directory attribute information from the address book file provides a more compact Communicator 2007 R2 address book file. It provides efficient use of the Office Communications Server network’s bandwidth.

Which users do you want to include in the ABS files? (Specify Filters)

Using these filters provides Office Communications Server administrators with three types of filters. They can be applied to the contact information that is used to create the Communicator 2007 R2 address book file. These filters are as follows:

• Only include users that have a value for this AD attribute
• Exclude all users who have a value for this AD attribute
• Do not apply any include or exclude features (this is the default)

These filters allow Office Communications Server administrators to choose which users on the network can list their contact information in the downloadable Communicator 2007 R2 address book file. This is a good way to manage the amount of contact information that is added to the downloadable Communicator 2007 R2 address book file.

Which value of the phone number do you want to include in the ABS files?

These choices allow Office Communications Server administrators to define the format a contact's phone number in the Communicator 2007 R2 address book file. These choices are as follows:

• Use normalization rules and include the normalized number for the phone attributes This option processes the contact's phone numbers that are designated with the Phone "Type of Attribute" in the format that is provided by a matching address book service normalization rule. After it’s normalized, the contact's phone number is added to the Communicator 2007 R2 address book file.
• Include the phone number value that is present in the ProxyAddresses attribute in the AD The Active Directory user objects host the proxyAddress attribute. It can list multiple, separate string values; for example, SMTP address, SIP user URI, and a phone extension. The phone extension value can be added to the proxyAddress attribute by using the Microsoft Exchange Server 2007 or Microsoft Exchange Server 2010 Management Console or Management Shell. This Exchange user mailbox configuration feature allows an IP phone extension that is managed by a PBX to be integrated with a user's Exchange Unified Messaging (UM)-enabled mailbox.
• Include phone number value that is currently present in the AD for the phone number attributes and the ProxyAddresses attributes This option adds each contact's normalized phone numbers to the contact information in the Communicator 2007 R2 address book file. The only requirement is that the contact's phone numbers have either of these "Type of Attribute" choices applied to it—but not both:
  • proxyAddress - Tel Only Filter
  • Phone
• Include the phone number value that is currently present in the AD If a contact's user object has a phone number value for the telephoneNumber attribute (also known as work number), the work number is added to the contact information in the Communicator 2007 R2 address book file.

Configure WMI Tabbed Page

The choices on the Configure WMI tabbed page, shown in Figure 2, allow modifications to be made in the Office Communications Server WMI that affect the ways Address Book Service Configuration Tool processes the address book contact information. The Office Communications Server WMI class, MSFT_SIPAddressBookSetting, contains all the properties as configuration options.

Figure 2. Address Book Service Configuration Tool Configure WMI user interface

Organizational Unit (Configuration Option)

Partition ABS data by Organizational Unit and create individual ABS file share per OU This allows the Office Communications Server administrator to toggle the Boolean value for the MSFT_SIPAddressBookSetting:PartitionOutputByOU property between True or False. False is the default value for this setting. True allows the address book file information to be managed by organizational units (OUs) that contain Office Communications Server-enabled users. Separate file shares are created for the full and delta address book files for the corresponding user objects that are contained in each separate OU.

Synchronization (Configuration Options)

Scheduled time for daily synchronization of ABS data The default is 1:30 AM. The value is of the Integer data type and is entered as 130. When you update this, the change will be made in the Office Communications Server the MSFT_SIPAddressBookSetting:RunTime setting.

Time interval in seconds to check for synchronization The default is 300 seconds or 5 minutes. If the ABS synchronization is scheduled to run at 1:30 AM, the synchronization process is probably delayed for up to 5 minutes or until the next interval for the synchronization polling occurs. When this configuration option is updated, the integer value stored in the MSFT_SIPAddressBookSetting:SynchronizePollingIntervalSecs setting will be updated with the new value.

Normalization Rules

ABS allows the use of two types of phone number normalization rules—generic built-in normalization and company-specific normalization. ABS uses a default WMI configuration that allows ABS to process both types of phone number normalization rules.

Following are brief definitions of the two types of phone number normalization rules.

Generic built-in normalization ABS provides by default a concise set of phone number normalization rules.

Company-specific normalization When they are made available to ABS, it will process a user-defined set of phone number normalization rules. The default installation of Office Communications Server places a text file that contains a list of sample phone number normalization rules into the ABS Files folder or share. This file is named Sample_Company_Phone_Number_Normalization_Rules.txt. ABS cannot process the phone number normalization rules that are contained in this by file until it is renamed to Company_Phone_Number_Normalization_Rules.txt. After this is done, ABS can provision the additional phone number normalization rules to the Communicator 2007 R2 clients on the Office Communications Server network.

Apply both generic built-in normalization rules and company-specific normalization rules This updates the Boolean value for MSFT_SIPAddressBookSetting:UseNormalizationRules from False to True (its default value). Ensure that Company_Phone_Number_Normalization_Rules.txt is available in the ABS Files folder or share.

Apply only generic built-in normalization rules This turns off the availability of the ABS's company-specific normalization rules by setting the Boolean value for MSFT_SIPAddressBookSetting:UseNormalizationRules to False, its non-default value.

Apply only company-specific normalization rules This turns off the availability of the ABS's generic built-in normalization rules by setting the Boolean value for MSFT_SIPAddressBookSetting:IgnoreGenericRules to True, its non-default value.

Apply no rules This turns off the availability of both the ABS's generic built-in normalization rules and the company-specific normalization rules. This is done by setting Boolean values for MSFT_SIPAddressBookSetting:IgnoreGenericRules to True and MSFT_SIPAddressBookSetting:UseNormalizationRules to False.

Delta Files

Create a Delta ABS file, only if the ABS file is changed by specified percentage The occurrence of the Communicator 2007 R2 address book full file download can be determined by this WMI setting. The default setting for this configuration is 12.50 percent. This means that after the size of the Communicator 2007 R2 address book delta file download is 12.50 percent of the full file size, the next incremental delta file download is skipped. Now the Office Communications Web Components Server the Communicator 2007 R2 address book full file download is triggered by the ABS. Adjusting this setting allows Office Communications Server administrators to download a full Communicator 2007 R2 address book file with the frequency they need. When this option is updated, the MSFT_SIPAddressBookSetting:MaxDeltaFileSizePercentage string value is updated.

Troubleshooting Phone Number Normalization

Address Book Service Configuration Tool can be used to analyze issues that may be occurring with Communicator 2007 R2 contact’s phone number normalization. If you are experiencing this issue, use Address Book Service Configuration Tool to toggle between the options for phone number normalization.

Applying ABS’s use of phone number normalization rules is based on the configuration of the Office Communications Server WMI class instance for MSFT_SipAdressBookSetting. Use Address Book Service Configuration Tool to toggle between Apply only generic built-in normalization rules and the Apply only company-specific normalization rules phone number normalization choices. Be sure to download a new address book file to Communicator 2007 R2 clients with each configuration choice. This troubleshooting step can help reduce phone number normalization issues that occur when phone number normalization rules overlap each other.

Phone number normalization rules are tested linearly by ABS when it has to normalize a contact’s phone number. The first phone number normalization rule that is a match for the contact’s phone number is used. However, this could provide unwanted results. Using the step in the previous paragraph eliminates the use of the ABS generic phone number normalization rules or the use of the company rules phone number normalization rules. This helps determine the set of phone number normalization rules that contains the unwanted normalization rule. Address Book Service Configuration Tool has the following important caveats:

• Apply changes applies the changes that are configured in Address Book Service Configuration Tool immediately—the operation cannot be canceled. If the applied configuration was not the correct one, the operation has to be performed again with the correct address book file configuration.
• Restore defaults sets the configuration of the address book file to the defaults used by Address Book Service Configuration Tool and not the default configuration of ABS. This can result in the creation of address book files that contain no contact phone number information. This occurs because Restore defaults sets the Apply no rules phone number normalization option. Clicking Restore defaults restores the defaults immediately—the operation cannot be canceled.

Summary

Address Book Service Configuration Tool, part of the Office Communications Server 2007 R2 Resource Kit Tools group, simplifies the task of customizing the Communicator 2007 R2 address book file. By providing a GUI that can be used to manipulate the Office Communications Server-enabled users contact information that resides in the Active Directory domain and by simplifying access to the ABS MSFT_SipAddressBookSetting WMI class instance, the Address Book Service Configuration Tool makes a straightforward task out of what would be difficult Office Communications Server configuration tasks. This convenience makes this tool an invaluable choice for those who need to create an address book file that can match the design of their Office Communications Server network environment.

Additional Information

For more information, check out the following:

• Office Communications Server 2007 R2 Resource Kit Tools
• Office Communicator does not Display Phone Numbers for Contacts

Address Book Service Configuration Tool Known Issue

• WMI settings and Active Directory attributes are reset back to default values after you have configured them by using Office Communications Server 2007 R2 ABS Configuration Tool
• Network performance issues that are caused by Global address list (GAL) file downloads or by GAL delta file downloads in Office Communicator 2007 R2

Address Book Service Technical Information

• Address Book Server: Advanced Address Book Features
• User Replicator and Address Book Server for Office Communications Server 2007 R2
• Managing the Address Book Server from the Command Line

Lync Server Resources

• Lync Server 2010 documentation in the TechNet Library
• NextHop blog
• Lync Server and Communications Server resources

We Want to Hear from You

• Fan us on Facebook
• Follow us on Twitter
• Send us e-mail

Keywords: absconfig.exe, address, book, WMI, contacts, file, Resource, Kit

Companies that allow employees to remotely sign in to Microsoft Lync Server 2010 communications software from the Internet can be susceptible to denial-of-service (DoS) and brute-force attacks. Both types of attacks involve guessing users' passwords or locking out user accounts when too many incorrect password attempts are made to a valid Active Directory Domain Services user account when a password policy is enforced. Although internal security is not compromised, both types of attacks can be disruptive to users and consume internal server resources. To help prevent your organization from such attacks at the network perimeter, the security filter for the Microsoft Lync Server 2010, Edge Server monitors sign-in attempts and enforces account lockout at the network perimeter. A security filter update is now available for Lync Server 2010.

Author: Rui Maximo 

Publication date: April 2011

Product version: Microsoft Lync Server 2010

Update

This update to the Protecting Against DoS Attacks from Locking User Accounts article that I originally published in early 2010 releases a newer and improved version of the security filter built for Lync Server 2010. Since the moment I initially released the security filter for Microsoft Office Communications Server 2007 R2, I discovered many organizations deployed this application in production. In some cases, consultants reached out to me because their clients required this application to be installed in order to deploy Office Communications Server 2007 R2 within their organization.

IT administrators from companies all over the world contacted me with suggestions and help. This gave me the surprising opportunity to discover who was using my utility from banks and telecoms to automotive companies. Encouraged by the customer feedback, I incorporated additional features on my personal time.

The Lync Server version of the security filter incorporates the following changes:

• Port code base to Lync Server.
• Identify and parse the TLS-DSK authentication protocol. Because TLS-DSK authenticates the user based on their client certificate that was issued by Lync Server, the security filter parses the client's certificate from the Generic Security Services API (GSS-API) data, and then verifies that the SIP URI matches the Subject Name of the certificate.
• When users sign in from a computer that is not joined to the corporate Active Directory domain, Lync Server automatically attempts to sign in by using the local computer's credentials. Such credentials will result in an authentication failure. To prevent the security filter from locking out the user, which it can from too many sign-in attempts, it doesn't count them.
• Many IT administrators wanted the application to automatically start and stop whenever the Microsoft Lync Server 2010, Edge Server was restarted (such as after a Windows update). This required turning the application into a Windows service.

• Create an installer to set up the Windows service.

Introduction

When exposing services to the Internet to allow employees more flexibility and mobility in working remotely, there's always the concern of attacks. In Lync Server, the Lync Server 2010, Edge Server provides protection against unauthorized access by using industry-standard security measures. All communications are encrypted and authenticated. However, some customers might be concerned about denial-of-service (DoS) and password brute-force attacks, and these are legitimate types of attacks. Brute-force attacks on user passwords can be prevented by using client certificates for authentication (TLS-DSK) or the lockout security policy in Active Directory Domain Services. However, this policy poses a nuisance to legitimate employees who are trying to connect to the corporate service when their Active Directory accounts have been locked out.

Overview

DoS attacks are nearly indistinguishable from legitimate sign-in requests. The only differentiation is in the frequency of sign-in attempts and their origin. A large number of sign-in attempts in rapid succession can be indicative of a DoS attack. DoS attacks attempt to guess the user's password to gain unauthorized access, and often result in locking out the user account if the security policy is enabled in Active Directory Domain Services.

The Edge Server doesn't protect against such DoS attacks. However, because Lync Server provides a flexible programming platform, you can use the Microsoft SIP Processing Language (MSPL) to create server applications that intercept SIP messages on the server and perform specialized logic. This is exactly what the security filter does. It's a server application that inspects all incoming sign-in requests. Because the remote user is not authenticated at the Edge Server, the sign-in request is passed to the Director or directly to the internal pool, which then performs the authentication process. The response is passed back to the Edge Server. The security filter inspects the response. If the sign-in failed, the security filter tracks the number of failed attempts for each user account. The next time a client attempts to sign in to the same user account, and the number of failed attempts exceeds the maximum number of allowed sign-in attempts, the security filter immediately rejects the request without passing the request to the Director or internal pool for authentication. By enforcing account lock-out at the Edge Server, the security filter blocks DoS attacks at the edge of the network perimeter. As a result, the security filter protects the internal Lync Server resources.

Design

Lync Server introduces support for the TLS-DSK authentication protocol. With TLS-DSK, remote users can be authenticated by using a client certificate that was issued by Lync Server. TLS-DSK provides a much stronger authentication mechanism because it uses certificate-based authentication. By presenting the client certificate that was issued by the internal Lync Server, the remote user is authenticated from a device (that is, computer, IP phone) that was pre-authorized. Because the device must have been connected at least once to the internal corporate network to be issued a client certificate from Lync Server, there is stronger assurance that the remote user is connecting from an authorized device. An attacker would need to either steal the user's device or at the very least the client certificate from the device to stage an attack. Of course, the disappearance of the device would tip off the owner to immediately notify corporate IT security.

It is possible to force the Edge Server to negotiate down the authentication protocol to NTLM 2. In this case, the attacker can attack the user's account. The attacker can lock out the account if it is configured by an Active Directory group policy to lock the account after X number of failed attempts. This causes a denial of service attack. If the account isn't protected by an Active Directory group policy, the attacker can brute-force the user's password.

To prevent attacks on user accounts, there were several options that I investigated, with the help of Adrian Maclean and the Communications Server Masters community, to determine how to uniquely identify the user. We could have used the source IP address, sign-in name (that is, the SIP URI), or account name. When we investigated each of these options, we determined that rogue clients that were mounting a DoS attack could spoof the source IP address, eliminating this choice as a way to uniquely identify the user. The sign-in name, although necessary to successfully sign in to Lync Server, is not used to authenticate the user. The sign-in name can be changed in sign-in requests and still lock out the same user account. Therefore, neither the source IP address nor the sign-in name were good sources to identify the user. Only the account name uniquely identifies the user account.

The account name, which consists of the user name and domain name, can only be extracted from the authentication protocol. Users trying to sign in from the Internet use the NTLM 2 authentication protocol, not Kerberos. The NTLM protocol uses a three-stage handshake authentication process. The client passes the user's credentials in the third stage of the NTLM handshake. Because the security filter runs as a trusted server application on the Edge Server, it's allowed to intercept this sign-in (that is, REGISTER) request. The security filter decodes the user name and domain name from the NTLM authentication message. Because the account name is not available in the response, the security filter maps the response to the request by using the message ID.

When either the internal pool or the Director sends the authentication response to the Edge Server, the security filter captures the REGISTER response. If the sign-in failed, the security filter increments the count of failed attempts. If the sign-in succeeds, the security filter resets the count of failed attempts to zero.

Every time the Edge Server receives a sign-in request, it is passed to the security filter. It checks whether the sign-in request has exceeded the maximum allowed number for the particular user account. If the request has not exceeded the maximum lock-out count permitted, the security filter allows the request to continue its course to either the internal pool or the Director. If the request exceeds the maximum lock-out count permitted, the security filter blocks the request, and returns a 403 response. This rejects the request. Any further sign-in attempts are rejected for the duration of the lock-out period. After the lock-out period expires, it is reset to allow new sign-in requests to be authenticated.

Configuration

Before you can run the security filter application, you must first register the application with your Edge Server. This registration needs to be done only once. Perform the following steps to complete this registration. Run these Lync Server 2010 Windows PowerShell cmdlets with Lync Server administrative permissions.

1. Run the following Windows PowerShell cmdlet to register the security_filter application from any Lync Server. Specify the Edge Server's fully qualified domain name (FQDN) in the parameter, <Edge Server FQDN>:

new-CsServerApplication -identity "EdgeServer:<Edge Server FQDN>/security_filter" -uri "http://www.maximo.ws/security_filter" -critical $false

2. Run the following Windows PowerShell cmdlet to initiate the replication of Central Management store configuration to the Edge Server:

invoke-CsManagementStoreReplication

3. Run the following Windows PowerShell cmdlet on the Edge Server to verify the proper registration of security_filter:

get-CsServerApplication -localstore

To run the security filter, three parameters must be passed to the command-line version. For the Windows service version, the installer will prompt you for these parameters.

The first parameter specifies a comma-delimited list of your internal domain names. They are the domain names that are used by remote users who are authenticating to your internal Lync Servers when connecting through your Edge Server. For example, if your company, Woodgrove Bank, has the following three internal Active Directory forests (a legacy from mergers and acquisitions), woodgrovebank.com, contoso.com and fabrikam.com, and employees have accounts from each of each forests, you should specify "woodgrovebank,contoso,fabrikam" as the value for this first parameter to the security filter. These domain names are used to verify that remote users who are trying to sign in to Lync Server are connecting by using credentials from one of these three domains (for example, contoso\bob, fabrikam\alice, and so on).

The second parameter is the account lock-out count. This is the number of failed sign-in attempts that are allowed before an account lock out is triggered.

The third parameter is the account lock-out period. After an account is locked out, this lock-out period specifies how long the account remains locked before another sign-in attempt is allowed. Any sign-in attempts during this lock-out period are immediately rejected without verification.

Summary

With support for the authentication protocol, TLS-DSK, introduced in Lync Server, it becomes more difficult for attackers to either attempt to brute-force user's passwords or to stage a denial-of-service attack. These attacks can still be mounted against valid Active Directory user accounts from the Internet by targeting the Edge Server, forcing the authentication negotiation to use NTLM. Thus, it's possible to lock out valid remote users from connecting to your internal Lync Servers.

By taking advantage of the programmable extensibility that is available in the Lync Server SDK, I was able to create a security filter application that runs on the Edge Server. This server application inspects SIP REGISTER requests and responses, and then enforces logic similar to the account lock-out policy in Active Directory Domain Services to prevent DoS attacks on user accounts.

Lync Server Resources

• Lync Server 2010 documentation in the TechNet Library
• NextHop blog
• Lync Server and Communications Server resources

We Want to Hear from You

• Fan us on Facebook
• Follow us on Twitter
• Send us e-mail

Keywords: Lync Server, Edge Server, security denial of service attacks, password brute force attacks, account lock-out, defend network perimeter, REGISTER message

This is part two of a two-part article that describes the many features of Microsoft Lync 2010 communications software that are available to users of Microsoft Office 2010, Microsoft SharePoint 2010, and Microsoft Exchange 2010. Lync 2010 has now become a part of these products through its ability to provision the integration of the many features in Lync 2010. Now the corporate photographs, instant messaging, enhanced presence, and conferencing features that are available in Lync 2010 are accessible through SharePoint 2010 and Office 2010 (these features are available in only Microsoft Outlook 2010, Microsoft Word 2010, Microsoft Excel 2010, and Microsoft PowerPoint 2010).

Part one of this two-part article describes the integration features available through Exchange 2010, Office 2010, and Lync 2010. Exchange 2010 extends Lync Server 2010 instant messaging and enhanced presence features for use with Microsoft Outlook Web App. Exchange 2010 can publish corporate photographs to Active Directory Domain Services. These photos can be accessed through both Lync 2010 and Office 2010. Part one shows how to provision these amenities to Office 2010, Outlook Web App, SharePoint 2010, and Lync 2010.

Author: Mike Adkins

Publication date: April 2011

Product versions: Microsoft Lync 2010, Microsoft Office 2010, Microsoft SharePoint 2010, Microsoft Exchange 2010, Microsoft Lync Server 2010

The release of Microsoft SharePoint 2010, Microsoft Office 2010, and Microsoft Lync 2010 provide a combination of services that can greatly enhance the Microsoft end user's experience. Instant messaging, enhanced presence, e-mail, and conferencing features are now available through the coexistence of SharePoint 2010, Office 2010 (these features are available in only Microsoft Outlook 2010, Word 2010, Microsoft Excel 2010, and Microsoft PowerPoint 2010), and Lync 2010. These new integration features allow users to initiate an audio/video call, a desktop sharing session, schedule a conference, or send instant messages while viewing the presence and picture of the persons with whom they want to communicate.

Lync 2010 Shares Features with Office 2010 and SharePoint 2010

Office 2010 and SharePoint 2010 clients include new design features that are adaptable to the instant messaging, conferencing, and enhanced presence features in Lync 2010. They are available through their respective user interfaces as shown in Figure 1.

Figure 1. SharePoint 2010 client with Lync 2010 conferencing features

The SharePoint 2010 client and Office 2010 must have the following to display these enhanced presence and communications features:

• Lync 2010 installed locally and running on a Windows client computer.

• Members of the SharePoint 2010 site and Office 2010 users are contacts in the contact list in Lync 2010.

Use Enhanced Presence Features with SharePoint 2010 and Office 2010

The following steps show you how to use the enhanced presence features with SharePoint sites and Office 2010.

1. On a computer that is running a Windows client, open a SharePoint site or an integration-capable Office 2010 application.

Note   Outlook 2010 would be an excellent choice with which to test presence features.

2. In one of these applications, locate a user who is listed with an active enhanced presence status.

3. Pause the pointer on the illuminated user name.

4. Locate a user that is active on the Lync 2010 contact list

5. Pause the pointer on the chosen user's presence-illuminated name. The following communications options appear on a shortcut menu:

Contact Information

• Send a Instant Message
• Place a audio call
• Send an e-mail message

More Options include the following:

• Share Desktop
• Start a Video Call
• Schedule a Meeting

These communication choices require that SharePoint 2010 client integrate with Lync 2010 and that it is installed locally on a Windows client. In other words, Lync 2010 has to be up and running on the Windows client. Here's why:

• Contact information that consists of work, home, and mobile phone numbers, e-mail address, location, department, and office information are unavailable. This information comes from the attributes of a signed-in user's Active Directory domain user account and is made available to Lync 2010 through locally cached contact information.
• The ability to send an e-mail message or schedule a live meeting are still available when a user is not signed in to Lync 2010: however, the other options for communication that are directly related to Lync 2010 are not.

• If Lync 2010 is not installed or has not been started prior to opening a SharePoint site or Office 2010, the shortcut menu isn't available to the user who is signed in to the client computer.

Manage Presence Features by Using Office 2010 Group Policies

Presence features can be managed through the SharePoint 2010 and Office 2010 interfaces by applying Active Directory group policy objects to user accounts in the domain. These group policies are made available through the application of the Microsoft Office 2010 Administrative Template files (ADM, ADMX, ADML) and the Office Customization Tool (OCT). They are available from the Microsoft Download Center. The user configuration group policies as shown in Figure 2 can be used to customize the user's presence and shortcut menu choices when using Office 2010 and SharePoint 2010.

These Office 2010 Contact Card group polices are available beneath the Administrative Templates or Classic Administrative Templates group policies for the user configuration in the Windows Group Policy Management Editor that is located on the Programs, Administrative Tools menu as shown in Figure 2.

Figure 2. Viewing the Office 2010 group policies in the Group Policy Management Editor

Following are definitions of the Office 2010 group policies that can be used to control Lync 2010 features in both the Office 2010 and SharePoint 2010 clients:

• Do not display Hover Menu Enables or disables the shortcut menu that hosts the range of additional communications options for the Office 2010 user and the SharePoint 2010 site member. This group policy has no effect on Lync 2010.
• Turn off presence integration Enables or disables the presence feature for the Office 2010 user and the SharePoint 2010 site member. This group policy has no effect on Lync 2010.
• Do not display photograph Enables or disables showing the user's photograph with their contact information in Office 2010 and SharePoint 2010 clients.
• Configure presence icons When enabled, this group policy has the following settings that control how Office 2010 displays presence for a user:
• Display all Presence icons are displayed in the UI.
• Display some Presence icons are displayed only in the Contact Card, Quick Contacts, and SharePoint 2010.
• Display none Presence icons are not displayed in the UI.

Note   The Configure presence icons group policy has no affect on the SharePoint 2010 client or the Lync 2010 client.

Enable the Lync 2010 Default Corporate Picture by using SharePoint 2010

SharePoint 2010 provides a way to enable an Active Directory domain user account to display user photos. Doing so may require the forest-level permissions of the Schema Admins group and requires the domain-level permission of the local Domain Admins group. This procedure requires a working knowledge of SharePoint 2010 to complete the needed configuration steps.

Verify that thumbnailPhoto has Permissions set on its ACL

The following process is in most cases optional; however, it's prudent to verify that the thumbnailPhoto attribute has the needed permissions set on its access control list (ACL) to allow the thumbnailPhoto attribute to replicate throughout a multiple domain controller environment. The verification process comprises several procedures and is as follows.

To verify thumbnailPhoto attribute ACL verification

1. On the taskbar, click Start, and then click Run. Type regserver32 schmmgmt.dll.

2. In Run, type mmc.exe to open a new Microsoft Management Console (MMC).

3. In MMC, select File Add or Remove Snap Ins to add the Active Directory Schema snap in.

4. Scroll through the Attributes listing to locate the thumbnailPhoto attribute.

5. Double-click the thumbnailPhoto attribute to open it in its Attribute Property Editor.

6. Click the Replicate this value to the global catalog option of the thumbnailPhoto attribute.

7. Close the Attribute Property Editor.

8. Close the MMC that is hosting the Active Directory Schema snap in.

9. If you are in a disparate Active Directory environment, be sure to allow replication to complete.

To ensure that the User Profile Service Application service is started

1. On the SharePoint 2010 Central Administration menu, click Application Management, and then locate the Service Applications area. Click Manage Service Applications.

2. Scroll down to User Profile Service Application; ensure that it is started.

To create an Active Directory connector for thumbnailPhoto attribute synchronization

1. On the SharePoint 2010 Central Administration menu, click Application Management, and then locate the Service Applications area. Click Manage Service Applications.

2. Scroll to and then click User Profile Service Application.

3. Locate the Synchronization area, and then click Configure Synchronization Connections.

4. Click Create a New Connection.

5. Type a meaningful name for the Active Directory connection.

6. Click Active Directory as the type of connection.

7. Complete the operation by entering the rest of the required information (as prompted).

Note   SharePoint 2010 can be configured for many environments. To complete these instructions, deployment information may prove helpful. For more information, see Configure Profile Synchronization (SharePoint Server 2010).

To map the thumbnailPhoto attribute to the SharePoint 2010 Picture attribute

1. On the SharePoint 2010 Central Administration menu, click Application Management. Locate the Service Applications area, and then click Manage Service Applications.

2. Scroll to and then click User Profile Service Application.

3. Locate the People area, and then click Manage User Properties.

4. Scroll down to locate the Picture attribute.

5. On the Picture attribute's shortcut menu, click the Edit the Picture attribute.

6. On the Edit User property page, scroll down to Add New Mapping.

7. Click the Source data connection name that was created in step 6 of the To create an Active Directory connector for thumbnailPhoto attribute synchronization section of this article.

Note   If the Source data connection name value is not listed as described in the previously shown step 7, open services.msc on the local computer that is running Windows Server. Ensure that Microsoft Forefront Identity Manager Service and Forefront Identity Manager Synchronization Service are started. If either of these services has to be started, the SharePoint 2010 Edit User Profile property page has to be refreshed to view the updates.

8. On the Attribute shortcut menu, click the thumbnailPhoto Active Directory Domain Services attribute.

9. On the Direction shortcut menu, click Export.

10. Click Add. The Property Mapping for Synchronization selections should resemble those shown in Figure 3.

11. Click OK to complete the operation.

Figure 3. Property mapping for the thumbnailPhoto attribute

Warning   Using the previously shown step 2 with Action for the attribute mapping set to Import, SharePoint 2010 removes any pre-existing mapping to the image that the Active Directory domain user account thumbnailPhoto attribute contains. This may result in the removal of the user photograph from all user accounts that may have been pre-configured with an image by using the thumbnailPhoto attribute.

To add the SharePoint Workspace e Member's Photo to their User Profile

1. On the SharePoint 2010 Central Administration menu, click Application Management. Locate the Service Applications area, and then click Manage Service Applications.

2. Scroll down to and then click User Service Profile Application.

3. Locate the People area, and then click Manage User Profiles.

4. Type the Active Directory user name for the profile that needs to be updated, and then click Find.

5. On the Account Name shortcut menu, click Edit My Profile.

6. On the User Profile page, scroll to Picture, and then click Choose to select the image file of the user's photo.

7. Click Save, Close to save the user's updated profile information.

To perform the attribute synchronization process

1. On the SharePoint 2010 Central Administration menu, click Application Management.

2. Locate the Service Applications area, and then click Manage Service Applications.

3. Scroll to and then click User Profile Service Application.

4. Locate the Synchronization area, and then click Start Profile Synchronization.

The Profile Synchronization process's completion time can vary based on the hosting environment.

For more information about configuring the SharePoint Server 2010 synchronization process, see Manage profile synchronization (SharePoint Server 2010).

Summary

The default features in Lync 2010 that integrate with SharePoint 2010 and Office 2010 help provide their users with an enriched product experience that captures the efficient use of Lync 2010. Office 2010 group policies provide administrators with efficient ways to control these new product enhancements throughout their unified communications environment.

Additional Information

For more information, check out the following articles:

• Lync 2010, Exchange 2010, SharePoint 2010, and Office 2010 Integration: Part 1
• Manage profile synchronization (SharePoint Server 2010)
• Configure Profile Synchronization (SharePoint Server 2010)

Lync Server Resources

• Lync Server 2010 documentation in the TechNet Library
• NextHop blog
• Lync Server and Communications Server resources

We Want to Hear from You

• Fan us on Facebook
• Follow us on Twitter
• Send us e-mail

Keywords: Office, 2010, SharePoint, Outlook, Web, App, remote, client