About Me

My photo
This is a blog for John Weber. One of my joys in life is helping others get ahead in life. Content here will be focused on that from this date forward. John was a Skype for Business MVP (2015-2018) - before that, a Lync Server MVP (2010-2014). I used to write a variety of articles (https://tsoorad.blogspot.com) on technical issues with a smattering of other interests. I have a variety of certifications dating back to Novell CNE and working up through the Microsoft MCP stack to MCITP multiple times. FWIW, I am on my third career - ex-USMC, retired US Army. I have a fancy MBA. The opinions expressed on this blog are mine and mine alone.


Official SfB 2015 Server Disable TLS 1.0 and 1.1 part 3 guidance

updated 20181107

Microsoft update to what they think they are doing, how they are going to do it, and basically, another waffle episode on their part.


As you may be aware, we have covered the upcoming 31 October 2018 TLS 1.0/1.1 support being removed from O365.  You can find that guidance here.  As promised, Microsoft has finally published the last pieces of the series.
You can find part 3 here.
As usual, I strongly recommend that you start looking at this now – some of this might take a bit of planning and coordination on your part to accomplish in a clean fashion.

Now is the time to get your sales types contacting existing customers and offering to help.  This will not be a clean thing; rest assured that there will be “issues” and IMHO there is significant potential for unintended consequences.



IPP Manager Express Redux

A while back, I did a little write-up of Audiocodes IP Phone Manager Express.  You can read that right here.  A few days ago I installed a newer version and there is enough difference to warrant a redux.  Specifically, I would like to record for my own purposes a configuration that works (so I don’t forget) and maybe you can use it also.

Pre-Conclusion Statement

If you read no further, know this, I like the IPP Manager, I really do.

What are we doing here?

What we need to do is support a number of Audiocodes IP phones – a bunch of 405HD and 450HD models. We want some very basic changes made to the default OOBE configuration, nothing major, but we do want to be able to hand the phone to the user and have it just work.  Audiocodes calls this “Zero Touch” – which was enough of an attraction to get me to try it.  But, I ran into some “difficulties” when I attempted to interpret what somebody thinks is really outstanding documentation into a workable configuration.  After several emails, and several configuration sessions, I managed to achieve parity with the configuration genie. 

Diving In

Installation went as easily as before.  I did not understand the need for a clean server before and I don’t now.  Fuzzy logic on that one.  But, OK, I am in a freebie lab situation.  While the install is happening, let’s verify DHCP Option 160.  And right there we started having issues.  Which option to choose seems to be an ambiguous question as both seem to to work equally well, with ONE of them being preferred, but not required, and no clear (to me) guidance of which is which for my needs.  What I thought would work did not.  I had to use plan B.

Plan A:;ipp/dhcpoption160.cfg

Plan B:;ipp/tenant/Default

This did not jive with MY reading of the docs.  However, I am sure that I was doing something wrong, so I tried plan B.  At that point I was in Tshooting mode, and I don’t really know if the DHCP Option 160 choice fixed it or if it was the other part I did.  Either way, I found the documentation a smidge confusing.

At any rate

The install churns along, and before too long, we have this lovely “modern” “more visually attractive” “metro” site open on our local machine. You will note the devices already registered – so nice.


One of the things I neglected on my first pass through on the config of the tool, was the tenant.  Because the documentation said there was already one there… and so there was!  But it needed a touch of configuring itself, and that was a bit fuzzy as well. This version of the IPP Manager Express requires a “tenant” which is loosely equated to subnets, but could be a separate fiscal entity.  Clearly this line of management tool is meant for something much larger than my little slice of life.  OK, I can work with that.  A few more emails and a few guesses worked out the kinks in that one.


If you are doing the “see if the picture matches” thing, here is where you will find the mismatch.  My default tenant picture there is of my lab, where only have one subnet in my lab.  It is just me and my 8 favorite cartoon characters.  254 addresses is more than enough.  But, I have this customer.  You know those pesky customers.  They always seem to expect some sort of defined success.  And don’t you know these folks expected this tool to provision their phones when they have at least 12-15 subnets in the 172.xx.xx.xx/16 range, and the potential for having  SfB clients or a SfB-hosted phone on any of those segments to include the VPN segment.  Yes, Jimmy, I told them not to run the audio/video across the VPN.  You may sit now.

Defining the “tenant” with the proper subnet mask is REQUIRED.  Now, I suppose you could do something dogmatic and create a tenant for each subnet.  You could.  But I did not have a business requirement (see above) for that.  And notice that the subnet in the pic is a MASK not an actual IPv4 address.  We will wait while that runs through a digest cycle.

What we did was define the client subnet as or, /8 which is actually a huge supernet.  But works for the simplicity angle we were also looking for.  We know it is not technically correct to address it that way; but what it did was allow the one IPP Manager to handle ANY address needed.  According to the default tenant in this configuration of  IPP Phone Manager Express, any address that can talk to the server is on a valid subnet.

Moving On

The next thing was the need for a blank template per IPP model (the 405HD and 450HD) and then each needed a customization file.  Included in the install distribution is firmware from about April 2018, and the phones will make use of those firmware files that are newer than the phone. The point here is that I needed to create my own templates before things worked.  I may have (almost certainly) done something wrong in my initial setup.  I know I expected it to be more like my old version – so there is no telling what I did wrong.  I just know that what I have now works. 



I am not going to go through the tenant template file – yours won’t be like mine, but you can clearly see where I have a default tenant configuration template for each phone type and they are tagged (the green/white check mark) as the default.

Once you get this far, you still have a dead stock phone.  Let’s take a look at the edit from here out.  Navigate through the various options and see what is what.   Then click on the button indicated.

That gets you to this:  Fill things out to suit your needs:


Make sure that you select the “default” button or not depending on your needs.  You can always go back and make a new one if needed. I know that was needed in my case. Now, you would think that would do it, right?  Well, unless I was making a lot of bad choices, no, now you need to EDIT the entire thing. 

“Ah saved it.”  Huh?  Did I not already do that?  I guess not.

Let’s select “Edit” on our new template.


And you get this:


Scroll your badself down to the bottom – and there are multiple panes here – confusing as all get out when you work remote…. get to here:


Generate your Global Configuration Template for this ONE PHONE MODEL.



Now, not done yet, we want to edit the template:

Select this “Features” button:


In my case I needed the Daylight Savings Time and the Pin Lock.

Here is one, you can figure out the other I think.  But know that when you “SAVE” at the bottom, it will write a secondary config file that the global template will read and enforce.  And that file IS created when you click save.  Don’t ask me, the inconsistency killed me too.


Save it…this file is actually located on the ACPhoneMgr drive.


Why the different file saving scheme I have no idea.  But you need both for this to work.  At this point, power cycling a phone does the trick. Phone installs new firmware; reboots, then changes configuration as we want.  So nice.


There is some disconnect between the versions, perhaps due to my lack of mental agility.  This version seems to have some fuzzy documentation – again it could be me.  This is nice piece of kit once you get it cranked. 


I bricked a 450HD while testing this. Phone recovery did not go so well.  Have you ever wondered why a phone with a USB port doesn’t read that port for firmware and as part of the phone bootstrap routine install whatever it finds there?

As always, YMMV

test 02 Feb

this is a test it’s only a test this should be a picture