About Me

This is a blog for John Weber. One of my joys in life is helping others get ahead in life. Content here will be focused on that from this date forward. John was a Skype for Business MVP (2015-2018) - before that, a Lync Server MVP (2010-2014). I used to write a variety of articles (https://tsoorad.blogspot.com) on technical issues with a smattering of other interests. I have a variety of certifications dating back to Novell CNE and working up through the Microsoft MCP stack to MCITP multiple times. FWIW, I am on my third career - ex-USMC, retired US Army. I have a fancy MBA. The opinions expressed on this blog are mine and mine alone.

2015/07/23

Lync 2013 Edge Server Replication Failing

Background reading: http://tsoorad.blogspot.com/2015/07/windows-pki-sha-1-to-sha-2.html

Environment Outline:

Mixed Lync 2013 (Edge) with SfB user pools. CMS on SfB SE. Operating systems: all user pools are 2012R2; Edge servers are 2012 (no R2). Windows updates are current. PKI is public for Edge external and FE external; PKI is AD DS for FE internal and Edge internal. The customer changed the AD certificate authority from SHA-1 to SHA-2. The new root cert was pushed to all servers via Active Directory routines; on the Edge server the new trusted root was imported manually.

The Issue:

Lync Edge server fails to pick up on the concept that the domain root cert had changed even after we manually imported the new root cert (SHA-2) into the certificate store. The certs on both the CMS master and the Edge server all chained up properly, but the cmsreplication was failing. All the certificates assigned to all services in the Lync/SfB environment checked good, were all current, and all showed that they chained properly to either the internal PKI root or the Digicert root. Basic connection testing using <telnet fqdn 4443> was successful in both directions.

The Fix:

We had to reboot the Edge server to get it to recognize the trusted root cert chain.

Logic path:

The CMS master was presenting the edge server with changes, but the Edge server did not like the new cert on the CMS master. The Edge server had a copy of the new Root Cert, but would not accept the TLS from the CMS master until the Edge restarted. Restarting services on the Edge server did not resolve the issue; a reboot was needed.

Conclusion:

If you change the domain Root cert, Lync and SfB may or may not like the root certificate change AT THE OPERATING SYSTEM LEVEL, until a reboot, or even longer. <Sigh>

YMMV

2015/07/15

Windows PKI SHA-1 to SHA-2

(How do you hear me now?)

Thanks go to fellow CDW co-workers Dean Sesko, Russell Despain, and Keith Crosby

 

What is the issue here?

Basically, the issue is that SHA-1 for PKI is going away in favor of SHA-2, and you WILL have customers that need help with this.

 

Reference:

 

AND…?

Any Microsoft supported operating system, properly patched/upgraded, and any Microsoft supported application, again properly patched/upgraded, will support SHA-2 PKI certificates.

 

Reference:

…there are some caveats: notably around XP and Server 2003, and oddly, Server 2008.

Reference:

So, there is not an issue with Microsoft supported products; the issue is with BYOD and Microsoft making a HUGE effort to support alternative browsers and operating systems. And those browsers and operating systems are fixing on deprecating their support of SHA-1.

 

Reference:

However, there are going to be numerous AD internal CAs out there that are issuing SHA-1 certificates, and depending on how the environment is configured, the customer will need to renew their application certificates for internal use. Logically, it makes sense that the desirable outcome of renewing the application certificates is that the issuing PKI be SHA-2.

CDW AD resident experts advise instantiating a new Root CA, and if needed, a new subordinate CA for issuing SHA-2 certificates. But, you know those pesky customers, they may not want to do this. Which would call for modifying the existing structure to hand out SHA-2 vice SHA-1.

 

Reference:

Experimentation over the last several hours has revealed the following:

  • Migrating the existing SHA-1 CA went just fine.
  • The new SHA-2 Root Certificates updated almost immediately into the Trusted Root


  • I was able to request new SfB certificates and they were issued by the CA based on the new 3DES/SHA-2 root
    • However, the host server was not able to chain them up into the Trusted Root.
    • I rebooted.
    • I ran GPUpdate –force
    • I rebooted.
  • After waiting overnight, THEN the new certs chained up properly. Why this delay in chaining to the new Root I have no idea. I suggest that if you do this for real, you do the work on one day and then plan on waiting at least 8 hours before attempting to get new certificates and expecting them to chain up to the new root.
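The following is an added example, not from the original post: a PowerShell function that builds the chain for every certificate in the local machine store and lists the signature algorithm at each level, so SHA-1 links and untrusted chains stand out after a root change like the ones described in both posts above. The function name Get-CertChainReport is hypothetical, and the replication check at the end only runs where the Lync/SfB management shell cmdlets are loaded.

```powershell
# Added example (not the author's script). Run elevated on the server being checked.
# Get-CertChainReport is a hypothetical helper name chosen for this illustration.
function Get-CertChainReport {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Skip revocation so the result reflects trust-chain building only.
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $trusted = $chain.Build($cert)
        $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $level   = 0
        foreach ($element in $chain.ChainElements) {
            $c = $element.Certificate
            [pscustomobject]@{
                LeafThumbprint = $cert.Thumbprint
                Level          = $level        # 0 = leaf, highest = root
                Subject        = $c.Subject
                SignatureAlg   = $c.SignatureAlgorithm.FriendlyName
                IsSha1         = $c.SignatureAlgorithm.FriendlyName -match 'sha1'
                NotAfter       = $c.NotAfter
                ChainTrusted   = $trusted
                ChainStatus    = $status       # empty when the chain builds cleanly
            }
            $level++
        }
        $chain.Reset()
    }
}

Get-CertChainReport | Sort-Object LeafThumbprint, Level | Format-Table -AutoSize

# Where the Lync/SfB cmdlets are available and the CMS is reachable,
# list replicas that are not up to date.
if (Get-Command Get-CsManagementStoreReplicationStatus -ErrorAction SilentlyContinue) {
    Get-CsManagementStoreReplicationStatus |
        Where-Object { -not $_.UpToDate } |
        Select-Object ReplicaFqdn, UpToDate, LastStatusReport
}
```

As the Edge post above found, the certificate store can show a good chain while replication still fails, so compare this output with the replication status before and after a reboot.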


Testing:

After updating the internal certificates on my SfBSE to a new SHA-2 I successfully tested:

  • using Win8.1 and Win7sp1
    • IE 11
    • Chrome Version 43.0.2357.134
  • Surface Pro 2 (8.1) IE
  • iPad (iOS 8.0.2) Safari

Firefox 39 fails – due to it not liking the root cert – why is FF so blinking difficult? Why does it have to have its own key chain? The O/S has the root cert! It does this same shit when installed on *nix. After manually importing my new root cert, it worked just fine.


  • SIP Phones.  I had to restart services (stop-cswindowsservice start-cswindowsservice) AFTER I changed the certificate to the new SHA-2 certificate before my AudioCodes 420HD and Polycom VVX-600 would log in.  Why, I do not know.

 

The SfB/Lync Connection!

You may have been wondering why *I* am worried about this. Well, on literally every project with which I have been involved over the last few years, they all had *nix and Mac workstations, along with loads of iPhones, iPads, *nix tablets, droids, Surface tablets, and here and there the odd Windows phone. And, you have to know that, in most cases, all of these were attached to an internal corporate wireless. And in some cases, the internal wireless was dropping these devices into the production network, which put them in a position to directly contact Lync/SfB resources on internal servers, that, for the most part, had a PKI certificate from an internal CA. With SHA-1. You knew it had to be simple, right?

Any input to solving/addressing the observed delay would be most welcome. I, for one, totally expected to have the new certificate chain immediately – the appropriate root cert was in place!

YMMV

2015/07/06

Addasound Crystal UC2702 & UC2822

A Little Background

VOIP is here to stay.  And a high number of my projects include a goodly percentage of users who already know and love their headset and have no intention of using a “traditional” telephony handset.  Personally, I feel that handsets have their place; but not anywhere near my laptop.

Handsets aside, you can imagine that the competition for the headset market is a little heated.  Vendors compete; features get better, prices get a little lower, all is good.  Microsoft even maintains a 3PIP (Microsoft-defined 3rd Party Interoperability Program) and has a web site that shows you all the stuff that has been approved for either the “Optimized” or “Certified” or otherwise qualified to wear the Lync/SfB logo.

But there are many other devices, while not on the list, that work just fine with Lync or SfB.  I have in mind a USB headset that I purchased from the local bodega years ago that, to this day, works just peachy-keen with my SfB, Skype, and services such as Ventrilo.

And as the market evolves, new players come on board. Addasound is one of these new players. Addasound comes out of Denmark and has a burgeoning line of headsets that work just fine with Skype for Business. What we are here for today is to take a look at two of these headsets and get a little feel for their quality, comfort, and suitability with SfB.

One of the Addasound selling points is that they have a full line to connect to just about whatever your connection is, or will be.  Conceivably you could buy an Addasound headset (provided you choose the right one) and convert it at a later date to a different type of connector.  Pretty slick.   A little search of a popular website showed a plethora of options.

Crystal UC2702

Addasound says that “…Crystal 2702 Headsets specially designed for cost-effective call center users. Guaranteed comfort, simultaneously providing excellent noise-cancellation and great call quality to users.”  Here is the official blurb.


  • Noise cancelling microphone blocks 80% background noise and highlights your voice.
  • Easily compatible with different telephone and PC via varieties of QD cords.
  • Maximum volume control protects your hearing under intensive usage.
  • Ultra lightweight design for all-day comfort.
  • Adjustable headband to be most suitable for your wearing.

Ok.  They are right comfortable. Lightweight. Noise cancellation was excellent also. Audio quality, to my un-metered ear, was very nice.

SfB

Controls worked as expected: volume up/down, mute, end call. A very basic set of controls. Oddly, the headset shows up this way in SfB and Device Manager:


General Impression

As opposed to General Patton – build quality seems to be on par with the market.  That is to say, I found nothing wrong with connections, materials, button pushing, or cables.  Everything seems to be as good as anyone else.  For my gourd, this unit is more comfortable than others I have tried.

I plugged into an available USB port, my Windows 8.1 discovered and installed, and SfB started using the new device.  Can’t ask for more than that!  On a minor odd note, SfB calls, when using this headset, did not mute, or reduce the volume of other streams.  This could be just my setup though.

Crystal UC2822

Quoting the Addasound website:  “…ADDASOUND always keeps pace with the developments of the call center industry in order to provide headsets that meet the special requirements of professional users. With its strong R&D background, ADDASOUND made Crystal 2822 an ergonomic noice cancelling headset especially for call centers and noisy working environments. “


  • Advanced evaporation technology to display textured appearance
  • 180° horizontal adjustable ear cap and 270°-300° bendable boom to fit custom need of every user
  • Ergonomic design for an extremely comfortable wearing experience
  • Ultra lightweight design allows all-day wearing

This headset showed up in Device Manager much the same way that the 2702’s did.  Based on reading this, the 2822 model is more adjustable and does wide-band audio processing. And due to the adjustable ear cups, the 2822 was markedly more comfortable than the 2702 model.

And to save space, the comments made above regarding the 2702 can be applied to the 2822 as well.  Nice, solid, comfortable headsets. If I had to choose, I would pick the 2822 as it fit my aural device holder better than the 2702.

The only question I have after comparing the two models is that the 2822 is touted as having “Classic Nordic Design” – please, someone explain to me what that is.

YMMV

2015/07/01

Logitech ConferenceCam Connect

Business conferencing is an excellent way to connect knowledge workers with others for collaboration.  Various vendors will be most happy to provide your company with seriously expensive solutions to getting full audio and video to the various meeting attendees.  The problem of course, is the size of the meeting room, or rooms.

Microsoft will happily provide you with metrics that show the average meeting size is in the 4-5 person range.  Yet the room systems are sized more for the 12-20 person room. What to do?

There are some options out there: Logitech BCC950 is one; if you have a 5-10 person meeting room, this is a great choice. If you want to get into the slightly bigger room, Logitech also has the CC3000e.

However, one of the current trends in the corporate office space is towards open floors.  With conference rooms of various sizes – to include those little rooms where only 3-4 fit comfortably.  And they are usually just a table and chairs, no frills.  And with wireless becoming almost ubiquitous, they often don’t have Cat5 or a telephone, sometimes they don’t even have a power outlet on the wall.  Just a space with a door that can be closed for privacy.

So, you take your laptop into your meeting, but you have 2-3 others in the room with you – and your laptop video is not going to cut it.  Now what?

Logitech has a solution for your dilemma.  The ConferenceCam Connect.

What is it?

Well, it is this right here!

Here is the support site, and there is a setup guide in PDF format on this page. I doubt you will need it. Even *I* figured it out all by myself. The remote control stores on the device itself and covers up the onboard controls and the camera lens. Pretty slick. It comes OOBE with a USB cable that can charge it from your USB port and also a handy power outlet charger. But, it can also run for an undetermined length of time on an internal battery. Testing continues here at the secret Tsoorad Test Lab, but I can tell you that several hours of use does not kill it. Because I am a lazy typist, the ConferenceCam Connect will hereafter be referred to as “CCC.”

A friendly Logitech representative offered up this market-speak regarding the CCC:  “…It offers full HD 1080p video calling with a 90 degree field of view.  It has a 4x zoom, also in full HD.  You are able to pan, tilt, and zoom with a remote control or downloadable app.  It is Bluetooth and NFC enabled.  The unit has 360 degree wideband audio.  Your meeting participants can hear and be heard within a 12 foot range. “

Oh really? I did not measure the angle of the dangle, but it seems like something close to 90 degrees. And it does in fact do the zoomy thing. It also pans lefty-righty and uppy-downy. And the audio is “very good” to “excellent” in terms of sound quality. Here is the field of view with the CCC about 30 inches from my right shoulder. Note the excellent image quality.

About the zoom, tilt, and pan: you need to have the camera zoomed IN to some degree before tilt and pan work. I don’t know if this was just my unit or because the tilt/pan is being done electronically by image manipulation. The camera lens itself is not moving. I guess I just sort of expected that the behavior of the BCC950 and the CC3000 would have carried forward – and their cameras definitely are mechanical zoom, tilt, and pan.

For those interested in the zoom, here is the same view angle, but at full zoom. Don’t I look good?


Build quality seems to be first rate.  Fit, finish, audio quality, image quality – all great.  Just what you would expect from Logitech business products.

You can read up on all the official Logitech market-speak here, as well as look at all the pertinent device specifications. Here is a riveting video on the CCC. For those of us who need the kindergarten version of “how to use this thing?” here it is.

Skype for Business

But we are here because of Skype for Business, or Lync. Right? Ok, so how did that go? Pretty well. The box says it is “Optimized for Lync” while this product datasheet PDF, if you zoom in, has a “Certified for Skype for Business” logo. Right, but does it actually work? BORING. Power up, connect up; bing-bong, done. I did have to actually select the unit as my default device. The horrors of it all!

And then I find out that I can screen share my phone with this thing, and the CCC can HDMI up to my TV.  Oh nice.  Makes you think of turning your local small gathering room into your favorite hangout.  Basically, if you have an HDMI cable, you can (I tested this one) host the meeting on your phone using Lync Mobile, screen share to the CCC, and then put that up on the big screen for all to see.  Slick.

And if you have a semi-permanent office space with a desktop, the CCC makes a pretty nice external camera and speaker phone.  The laptop user who needs to run to the aforementioned small conference room doesn’t even need to bring the power brick.  Just a USB cable.  I am assuming that the reason the CCC does not work with my Logitech USB dongle is due to the bandwidth (or lack thereof) in the BT channel. 

Summary

If you are looking for a relatively inexpensive “something” to place into a smallish conference room for people to use in that room, this little gem just might be your ticket.

If you desire to possess one of these paragons of meeting goodness, you can get one right here.

YMMV
