About Me

My photo
This is a blog for John Weber. One of my joys in life is helping others get ahead in life. Content here will be focused on that from this date forward. John was a Skype for Business MVP (2015-2018) - before that, a Lync Server MVP (2010-2014). I used to write a variety of articles (https://tsoorad.blogspot.com) on technical issues with a smattering of other interests. I have a variety of certifications dating back to Novell CNE and working up through the Microsoft MCP stack to MCITP multiple times. FWIW, I am on my third career - ex-USMC, retired US Army. I have a fancy MBA. The opinions expressed on this blog are mine and mine alone.

2016/12/27

Server and Client OID with Skype (Lync 2013) Edge

The following is firmly in the “unsupported” range of topics. Follow this line of thinking at your own risk. Don’t blame me or anyone else should this go sideways on you. If this does not bother you, read on.

Scenario

I am working a side project that involves connecting Jabber and Lync 2013 (SfB would work also I suspect) using a mix of the Cisco guidance and Lync 2013 documentation. The intent is to create an inter-domain federation using Lync 2013 Edge services on one side, with the Jabber organization presenting services via an ASA using an ASA feature that provides a TLS proxy. Interesting, yes? Notice that I did not invoke the phrase XMPP. As in the XMPP is not being used. And this is IM/P only.

Here is what we are doing:

image

 

Why are we here?

Without stepping too far out on the edge of the cliff, this article is going to concern itself with one element of this construction – namely the requirement to establish the TLS connection between the ASA doing TLS proxy, and the Lync 2013 Edge server (or servers). Basically, it works as you would expect, however, the ASA is looking for a certificate that has both client and server OID codes. And it needs to trust the issuing CA.

Using a certificate from a public authority – well from DigiCert at any rate – will fill this requirement for you (I don’t have a cert handy from another vendor)(oops, I spoke too soon. Entrust, GoDaddy, and Verisign all do it also, but you should check your vendor to make sure). If you are doing a one-off, then you might be using your internal Windows Certificate Authority, which does NOT issue this duality by default. Nor does the standard certificate request generated by the Lync (SfB) wizard prompt you for this requirement – basically because it has no clue as to what you are fixing on doing!

So, what to do? Well, If you have a Windows Enterprise CA, then you are in luck. If you have the standard version, some bright individual will have to figure out how to make a standard edition CA allow for templates. No, I am not that bright.

With your Windows Enterprise CA firmly in hand, open the template editor.

clip_image001

Then, copy the existing “Web Server” template…

clip_image002

Change things around as needed… I don’t know all the implications of making random changes – so tread carefully on some of these items….

But, on the General Tab, you will want to change the “Template display name”, and the “Template name” to something easy to remember. In the “Template name” I suggest using something with no spaces…maybe like this?

clip_image003

After that, head over to the “Extensions” tab…select the “Edit” button…

clip_image004

Select “Add”

clip_image005

Select Client Authentication, and click the obvious button marked “OK”

clip_image006

OK again…

clip_image007

And, one more time on the “OK” button…

clip_image008

So, close the template manager, then right click “Certificate Templates” and choose New | Certificate Template to Issue…

clip_image009

From the resulting list, choose whatever it is that you called your new template, and do the “OK” thing…

clip_image010

…and now we have our squeaky clean new template ready for you to use. Finally.

clip_image011

Skype

Let’s now turn to the real reason we are here, and use this new template to get a certificate for our Edge Server. Yes, usually we will do a public cert, and we have already proved that the major public CA issuers will give us what we want – but we do need to test this in lab first – or you may be doing a one-off, yes?

Open the SfB Deployment Wizard… get yourself over to step three of “Install or Update Skype for Business Server System” and lean on the “Run Again” or “Run” option…

clip_image013

Select the external group, and do “request”…

clip_image015

Adjust the parameters to meet some common-sense items – like shorten up that friendly name – holy crap – but remember that you need the “Advanced” button down at the bottom…

clip_image016

Prepare request now, but…

clip_image017

Specify a file name…

clip_image018

Gees. Finally we are where all this has lead up to!

Specify your alternate template name now. And if you did not heed the advice to use a name with no spaces, my guess is going to be caps count, and don’t use the spaces. Cleverly, having run into this before, I know not to use long certificate template names and long CA names. Adelante! If you have been reading along (or not) you will see that my modified template name is WebServerAndClient…

clip_image019

…which plugs into the SfB Deployment Wizard thusly:

clip_image020

At this point, you can proceed normally. At last.

 

Clean it up

If you do use an internal certificate source for the outside of your edge server, you will need to provide a copy of the trusted root that issued your Edge certificate to anyone who is wanting to connect – hence the reason we use public certificates.  But, for our scenario, we placed the issuing root cert onto the ASA and wala!

 

Summary:

For whatever reason, you want to get a certificate for your SfB/Lync Edge Server that has both server and client OID authentication. We can fairly certain that public CA providers provide certificates with both by default. Windows Enterprise Certificate Authorities do not provide both OID’s by default – you must create and publish a custom certificate template. And we showed how to use that custom template with the SfB deployment wizard.

YMMV

2016/11/02

Microsoft Teams goes Preview

For the past few months, I have had the privilege of participating in the testing of the Microsoft Teams offering that went public preview today.

I am not Mr. Persistent Chat. If nothing else, Persistent Chat was not going to make the jump to Office 365 – too many hurdles there.  Most of my projects have deployed Persistent Chat, and customers that need the feature set really get into it.  With that said, *I* don’t use it to any great extent – but I can see where the history of the conversation between many users can be very helpful – see IT projects, financial folks, etc.

So into the Office 365 breach steps the intrepid group responsible for Microsoft Teams.  IMHO, they have created a very nice application – one that I will use, if for nothing else, for each and every project I am on.  The meeting space alone is worth whatever the price of admission is.  I have tried the web app from IE, FireFox, and Chrome, and it works so well, it is almost scary.  Excellent work.  The desktop app is slick, and all content is homed in the cloud – so swapping between web-based and desktop is, as far as I can tell, seamless.

clip_image002

For those interested in some technical detail, here are the primary features:

  • Threaded, persistent chat organized by teams and channels (topics)
  • A team work space organized around tabs including conversation, files (integrated with SharePoint) and notes (integrated with OneNote), Office files, Power BI reports, and web sites
  • Private 1:1 and group messaging
  • Built-in voice, video and MeetUp capabilities
  • Emoji, stickers, giphys and custom memes
  • @mentions
  • Native integration to SharePoint, OneNote, and Office apps 
  • Over 65 out-of-the box 3rd party Connectors

Note the fourth item down.  Ooooh.  Aaaaah.  Nice beyond further comment.

clip_image002[5]

Interested?  Here are some links to get you going.

Introduction to Microsoft Teams:  This session will explain why Microsoft Teams is the chat-based workspace in Office 365.  With Microsoft Teams, all your team conversations and context - all the related files, notes and content - are kept together in one place and easily accessible by everyone on the team, with everything tightly integrated with the other Office 365 apps you use.  Learn how Microsoft Teams will help your team to communicate more effectively http://aka.ms/microsoft-teams-introduction

Deploy and manage Microsoft Teams:  This session will go into detail what IT Pros need to consider when enabling Microsoft Teams for their users. We will go walk through the process for rolling out Microsoft Teams and configuring the infrastructure, as well as taking a closer look at the supporting technologies for Microsoft Teams. http://aka.ms/microsoft-teams-deployment

https://products.office.com/en-US/microsoft-teams/group-chat-software

https://mva.microsoft.com/en-US/training-courses/introducing-microsoft-teams-in-preview-16877?l=1VQruH2AD_4001937548

How do I get this in my tenant?

Well, as you might expect, login to your tenant portal… and then go to Settings | Services & add-ins.  Scroll down a bit to “Microsoft Teams”  click.

image

Turn Teams on!

image

 

Select the features you want.  You want all of them.

image

All set!  Watch the vids!

Usually, I end with YMMV… but seriously, you are going to love this.

2016/10/19

Call Flow Manager

I think that RGS is a wonderful thing, and something that every SfB deployment should evaluate for applicability.  Do you detest the SfB Response Group Service?  Then you might not want to read any further.  However, should you recognize the utility of said service, then this review might be just the thing you need to read.

SfB Response Groups allow the creation of simple hunt group or IVR-type grouping of agents to handle calls to a common DID.  They can work to the outside world, or be simply internal; but either way, the RGS is a great tool for those situations to which the RGS talents are applied.  I won’t go into what those talents are, or how to put the entire thing together in this article; rather this is a review of a spiffy tool from New Zealand Skype (well, Office Server and Services) MVP Andrew Morpeth.  What he and his team have done is create a nice GUI interface to the entire RGS management problem.  Let’s take a look at Call Flow Manager (CFM), shall we?

Before we start, you may wish to review the official documentation for RGS.

Install

If you have issues un-zipping a distribution and placing it a server that has met the prerequisites then you have larger issues than I can help with.  Dirt simple.  Just leave things in one folder, and put that folder on the drive.  Execute CallFlowManager.UI.exe and away you go.  You might want to make sure you know the license information before you start, as that will be the first question asked when the tool starts up. And oh yes, run this tool as administrator.

What are those prerequisites you might ask?  Simple: 

  • Supported for Lync 2013 or Skype for Business 2015
  • Microsoft .Net Framework 4.5
  • Lync/SfB Administrative Tools
  • Install the “Local Configuration Store” – this is step 1 of the Lync/SfB deployment wizard. Querying Response Group information requires this component to be installed
  • Outbound internet access on port 443 to https://theucguys.com
  • Minimum screen resolution of 1024×768
  • You may need to Run as administrator to ensure all feature work as expected

As you might ascertain, you will have best results doing CFM on an SfB Front End server.  I put mine on the Tsoorad.Net Test Lab SE.  Truly an awesome piece of gear; used and abused on a regular basis.

Integration

OOBE RGS requires three separate interfaces – an admin headache at the very least.  CFM puts all of that into one GUI.  I had a little challenge getting my head around the interface, but that was me – in the end, I like it quite a bit.  Especially the creation and assignment of business and holiday hours – a PowerShell goat rope for OOBE RGS management.

CFM also offers 10 IVR options rather than four.  And you can flip an RGS workflow between hunt and IVR.   Phone number visibility rounds out the technical offering. 

Functionality

I had zero issues using CFM on my SfB SE.  In fact, one of the nicer things that I always forget is to run things as admin.  C’mon Microsoft.  I am logged in as an administrator, why make me right-click and runas?  CFM checks for you, and rather than barfing in your face, flips up this nice little notice and offers to fix it for you.

image

If like me, you forget your brain at times, CFM has a nice search feature.  Here I have searched for RGS1 and discovered those elements that pertain to anything in my SfB that hints at RGS1…

image

Very nice.  You might also notice that I carefully name my RGS components to include the workflow name…makes things stick out later when you discover that your documentation is not as up-to-date as you claim in your work reviews. You can search on almost anything.  You have no idea how stupid I can get while creating RGS workflows – I forget what I called what, and who belongs to what all the time. This feature alone is worth giving CFM a test drive.  Here I have quick search for TWO letters…

image

Interface Walkthrough

Let’s take a look at the overall GUI. CFM opens to this screen.  I have exercised the upper-left pull down to select an RGS workflow.  Here you can see pretty much the basics of the workflow.  You can change/edit anything on the display, and then save it before moving to something else.  I like this much better than the native tool.

image

Across the top, Call Flow Designer, Queues, Groups, Business Hours (oh yes), Holidays (oh yes #2), Numbers (oh yes #3, and Logs.

Queues allows you to create and manage RGS Queues.  About the same as the CSCP, but with CFM, you get everything you need in one interface.  IMHO, clearly much better.

image

Groups does the same as Queues, and my comment above holds true here also.

image

And now to the “good stuff” – Business Hours (and Holidays).  In the CSCP, webpage, PowerShell combination of native tools, business hours and holidays are, again IMHO, a royal PITA.  El Yucko to paraphrase my second child.  In CFM, you are given a nice GUI to create, edit, and play with both of these options that allow the final customization of the RGS in terms of open hours and closed hours.  The business hours selection comes with pre-worked up day selections, so that you don’t even have to think too much.  Pretty nice for those of use with both brain cells that are already full.

image

The Holiday hours works pretty much the same.

image

The Numbers page will show you all the DIDs that available so that you don’t do the John thing and try to assign a number to an RGS that is already assigned.

image

…and finally, Logs.  This little nifty detail will show you all the PowerShell that is going on under the hood as you create or modify various elements of the RGS structure.  I think it would be even nicer if the entire PowerShell command string was shown rather than a brief “hey, we did this general command.”

image

Nit Picks

I have always disliked the CSCP view of the RGS with the workflow, queue, and group arrangement.  My brain operates on the group, then queue, then create workflow concept, and the tool could be rearranged to reflect that.  However, having observed that, there is nothing WRONG with what is here.  I will reiterate my comment about the logs, and then that is that.  For something like this to have only TWO nitpicks is remarkable all by itself.

Praises

Without reworking all the screen caps already shown, here is the same workflow as above, but seen from the native web tool.

imageimageimage

Note that the queues and groups are not here, and to put together the business and holiday sets, you will need PowerShell. Clearly, CFM does a much better job of presenting options, creating answers, working up the solution, etc. 

And the final Bit of Goodness

CFM can take a workflow that is “hunt group” and transform it to an “IVR” – something that the native tools cannot do (to the best of my knowledge).  If you choose to take this action, be warned that it appears to be a one-way street.  Once an IVR, always an IVR.

image

And when you get to the IVR slice of life, the native tools only gives you four levels, CFM blows past that as mentioned above.  So nice.

Where to get this piece of greatness

Simple.  Just go to TheUCGuys.com

Conclusion

I like it. A lot. I won’t say more.

YMMV

2016/10/15

SfB & Jabber via XMPP & Cisco Express

Much thanks and deep appreciation to Justin O’Sullivan, Cisco dood extraordinaire. (http://www.syferstrategies.com/blog)

Background

Microsoft Skype for Business and Cisco Jabber are, by far, the two most popular IM/P applications for the general business community.  Yes, there are some fringe applications that offer some really good features, and they work well, but for the mainstream business community, it really boils down to either Microsoft SfB or Cisco Jabber.

This is empirically proved by my blog tracking. Since its’ original posting in May of 2013, my #2 most viewed article, month after month, has been http://tsoorad.blogspot.com/2013/05/connecting-lync-2013-and-cisco-jabber.html.

Seeing as how both applications have had several years to mature and evolve, I thought this would be a good time to revisit the entire scenario of connecting the two most popular suites so your business can connect to another to streamline process and communication.

To achieve this lofty goal, I leveraged my SfB lab, which is currently running SfB update to the June 2016 Cumulative Update.  I also leveraged one of my awesome Cisco-centric co-workers, Justin O’Sullivan.  Justin runs a full Cisco lab in the course of his job, and he graciously agreed to burn up his off hours helping create the SfB <-> Jabber federation.

Initial Environment Layout

As stated, my lab is SfB, running a full edge on three IP’s. All SfB components are updated to 6.0.9319.259. (and yes, I know that not all components update to that version, but they are all 6.0.9319, and Microsoft does not update components that have no need to update).

Justin’s Cisco lab is an alphanumeric soup of Expressway C/E Version: 8.8.0, Cisco IM & Presence Version: 10.5.2.22900-2, Cisco UCM Version: 10.5.2.12901-1, & Cisco Jabber Version: 11.7.1.  Whew!

As in the previous Lync-Jabber article, the SfB side is extremely simple, but we’ll step through all the necessary configurations and considerations (with pictures so that Amanda sitting in the back of the class will understand), and then we’ll do the same with the Jabber side.

Skype for Business XMPP setup.

First, make sure that XMPP is enabled in your environment. At the site level and at the Edge Pool level:

imageimage

Personally, I always light up every possible configuration on initial install, so I don’t have to go back and do it again later.  You can just turn things off later, but if you waited until now, you will need to publish the topology when you get done with this step, and then either run step 2 of the deployment wizard on the appropriate servers, or bootstrap the appropriate servers so that the necessary bits are turned on to make this work.

Next, you need to head off for your Control Panel.  I suppose you could also do this next piece from PowerShell, but I like GUI when I can GUI.

Inside CSCP (yes, still called that) go to your Federation and External Access tab on the left, and check your External Access Policy.  Make sure the “Enable communications with XMPP federated users is checked.

image

Now go to the XMPP Federated Partners and setup a partner as shown.

image

Get yourself an admin PowerShell window open on your server and do get-csxmppallowedpartner so you can double-check your work (read your spelling).

image

You might also want to have your dialbackpassphrase set.  Just set it to something easy-peasy.  If I am not too mistaken, I set this example to “xmppdialback” – if you need a primer on just what this part does, see this.

image

Now, go to your external DNS provider, and get yourself a squeaky clean SRV record:

_xmpp-server._tcp.domain.com or in my case, _xmpp-server._tcp.tsoorad.net.  Port 5269.  In DNS parlance, you want to submit, if you need to, _xmpp-server._tcp.domain.com 0 0 300 5269 sip.domain.com, where the numbers mean 0 weight, 0 priority, TTL 300, port 5269, and a target of sip.domain.com.  An NSLOOKUP from the world should reveal something that looks a lot like this:

image

Set your firewall to allow port 5269 inbound and outbound from your Edge server (or servers).  At this point, I can expect things to work from the SfB side of life.

And now the fun (?) begins

As a preface, Justin worked through this one time, but it took a few server restarts before he could convince his system to operate as expected.  Neither of us could figure that out but, what the heck, eh?

Reference Material Used:

http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-5/XMPP-Federation-with-Cisco-Expressway-and-IM-and-Presence-Service.pdf

Expressway C/E Version: 8.8.0

Cisco IM & Presence Version: 10.5.2.22900-2

Cisco UCM Version: 10.5.2.12901-1

Cisco Jabber Version: 11.7.1

JabberID = sAMAccountName@domain.com

In this example, we will be configuring external XMPP federation using the Cisco Expressway solution as opposed to the IM&P based XMPP federation option. When deploying external XMPP federation, you must choose one or the other and not both. Verify the service is correctly enabled on the selected option (Expressway) and disabled on the other (IM&P).

Service disabled on CUPS/IM&P

clip_image002

clip_image004

Follow the certificate requirements as per Cisco documentation.

Add the local domains to the Expressway-C server and verify XMPP Federation is set to “On”:

Navigate to Configuration > Domains

clip_image006

clip_image007

On the Expressway-E, further enable the XMPP federation settings as below:

Navigate to Configuration > Unified Communications > Configuration

clip_image009

Notes:

1. In our example, we are not using TLS as depicted above

2. If in use, the Dialback Secret must be the same on other Expressways in the domain

XMPP DNS Records

For foreign systems to resolve/authenticate your domain correctly, set up the below SRV record for XMPP services:

_xmpp-server._tcp.{domain} (priority) (weight) (port 5269) (Target Host)

(e.g. _xmpp-server._tcp.syferstrategies.com 0 0 5269 expe.syferstrategies.com)

Group Chat Records

For group chat node DNS resolution to work properly with federated domains, configure the below external SRV records:

_xmpp-server._tcp.{chatnode}.{domain} (priority) (weight) (port 5269) (Target Host)

(e.g. _xmpp-server._tcp.chatnode1.syferstrategies.com 0 0 5269 expe.syferstrategies.com)

Notes:

1. Alternatively, static routes can be used on the local Expressway if the remote system does not have these DNS records enabled

a. This can be added under Configuration > Unified Communications > Federated Static Routes

Checking XMPP Federation status

Navigate to Status > Unified Communications > XMPP Federation Connections

clip_image010

Jabber Experience

clip_image011

Add the external contact

clip_image012

Enter the IM address of the external contact

clip_image013

New federated contact seen below

clip_image002[1]

 

 

Back to SfB to see how that looks!

image

Summary

We have demonstrated a SfB XMPP configuration then the Cisco Expressway/Jabber configuration. Works great, less filling.  Let the commo begin!

YMMV

test 02 Feb

this is a test it’s only a test this should be a picture