Communicator Phone Edition – Update Issues

After following several guides to configuring the device update service in OCS 2007 R2, including Rui Silva's trilogy and Rick Varvel's guide, I still couldn’t get the phones to update the software.

All logs were showing that it had worked, the Update service logs showing that the phone had found the right sw, and IIS logs showing me a 200 OK sent to all phones…

Troubleshooting finally led me to try downloading the CPE.nbt file manually from

http://frontendfqdn/DeviceUpdateFiles_Int/OCInterim/ENU/cpe.nbt

which just gave me a blank page.

I tried comparing the IIS configuration to one I knew was working, and saw that I had a lot fewer IIS roles installed on the one that was not working.

When I installed this Front End server, I used the commands in this post to install the prereqs. Turns out that if you are going to use CPE, you will probably also need the “Static Content” role service in IIS to configure the correct MIME types on the file extensions the update service uses.

There are default MIME types for both the .xml and the .cat extensions used by the updater. There is, however, no default for the .nbt extension.

If this role service is not installed, the updater does not work. You will have to add this feature, and then manually add the correct MIME types to the DeviceUpdateFiles_Int/ and DeviceUpdateFiles_Ext/ folders, which should be:

<mimeMap fileExtension=".nbt" mimeType="binary/octet-stream" />

<mimeMap fileExtension=".cat" mimeType="binary/octet-stream" />

(I have no idea as to why the bottom one is smaller than the other, but I can't get them equal size for some reason :S)

Hey presto! The phones update themselves like magic has happened!
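
One way to apply the two mappings above, shown as an added example rather than configuration from the original post: a web.config placed in each of the DeviceUpdateFiles_Int and DeviceUpdateFiles_Ext folders. It assumes the staticContent section is not locked at server level. The remove lines are there because an extension that already has an inherited mapping (such as .cat) cannot be mapped a second time.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: web.config for DeviceUpdateFiles_Int and DeviceUpdateFiles_Ext -->
<configuration>
  <system.webServer>
    <staticContent>
      <!-- Drop any inherited mapping first; a second mimeMap for the same
           extension is a duplicate-entry configuration error (HTTP 500.19).
           Removing an extension that has no mapping is harmless. -->
      <remove fileExtension=".nbt" />
      <mimeMap fileExtension=".nbt" mimeType="binary/octet-stream" />
      <remove fileExtension=".cat" />
      <mimeMap fileExtension=".cat" mimeType="binary/octet-stream" />
    </staticContent>
  </system.webServer>
</configuration>
```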

Response group certificate error

Got a certificate error when I tried starting the response group service today.

The provided certificate is not valid.

There was a problem validating certificate: Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was ‘<poolname fqdn>’ but the remote endpoint provided DNS claim ‘<fqdn in a sip domain>’. If this is a legitimate remote endpoint, you can fix the problem by explicitly specifying DNS identity ‘<fqdn in a sip domain>’ as the Identity property of EndpointAddress when creating channel proxy.

Turns out that the last SAN in the certificate needs to be the same as the CN in the certificate, which should be your pool FQDN. The service will fail if it isn't.
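
A way to check installed certificates against this rule, as an added example that is not part of the original post. The function name Test-LastSanMatchesCn is hypothetical, and the SAN parsing assumes an English Windows installation, where entries are formatted as "DNS Name=<fqdn>".

```powershell
# Added example: compare the subject CN with the LAST DNS entry in the SAN list.
function Test-LastSanMatchesCn {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # Subject common name (expected to be the pool FQDN).
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cn = $Certificate.GetNameInfo($nameType, $false)

    # Subject Alternative Name extension, OID 2.5.29.17.
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }

    $sans = @()
    if ($sanExt) {
        # Format($true) prints one SAN entry per line, in certificate order.
        # Assumption: English Windows, entries look like "DNS Name=pool.example.com".
        $sans = @($sanExt.Format($true) -split "`r?`n" | ForEach-Object {
            if ($_ -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim() }
        })
    }

    $last = $null
    if ($sans.Count -gt 0) { $last = $sans[-1] }

    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        SubjectCN  = $cn
        SanCount   = $sans.Count
        LastSan    = $last
        Match      = ($null -ne $last -and $last -ieq $cn)
    }
}

# Report on every certificate in the computer's personal store.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-LastSanMatchesCn -Certificate $_ } |
    Format-Table -AutoSize
```

A row with Match = False on the certificate assigned to the pool is the condition described above.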

Integrating OCS 2007 R2 in Exchange 2010 OWA

Today, I got to see the new OCS integration into Exchange 2010 OWA. Looks awesome! Hopefully we'll see even more functionality when OCS wave 14 comes!

Here's how to implement it from Chris and Robin:

http://chrislehr.com/2009/11/implementing-integrated-ocs-in-owa-2010.htm

CCNA!

I just passed my Cisco Certified Network Associate exam that I’ve been working on the last couple of weeks! Hooray for me!

OCS and split brain DNS

Doug Lawty has written an excellent blog post about OCS and split brain DNS and how to configure it:

http://blogs.technet.com/dougl/archive/2009/06/12/communicator-automatic-configuration-and-split-brain-dns.aspx

Office Communications Server 2007 R2 XMPP Gateway Has Been Released! :D

Configuring connectivity to Gmail:

http://communicationsserverteam.com/archive/2009/10/01/599.aspx

Configuring connectivity to Jabber XCP 5.4

http://communicationsserverteam.com/archive/2009/10/02/620.aspx

Communicator phone edition certificates, Standalone CA

I recently was installing OCS in a domain where we for some reason could not use an enterprise CA, so a standalone was installed. This works fine on the MOC clients, but it was a problem when we were trying to use Communicator Phone Edition.

According to the phone ed. deployment guide, the CPE gets the certificate from AD like this:

1.   The device searches for Active Directory directory objects of category certificationAuthority. If the search returns any objects, the device will use the attribute caCertificate. This attribute is assumed to hold the certificate and the device will install the certificate.

The Root CA certificate must be published in the caCertificate for Communicator Phone Edition. To place the Root CA certificate in the caCertificate attribute, use the following command:

certutil -f -dspublish <Root CA certificate in .cer file> RootCA.

2.   If the search for Active Directory objects of category CertificationAuthority does not return any objects, or if the objects have empty caCertificate attributes, the device searches for Active Directory objects of category pKIEnrollmentService in the configuration naming context. Such objects exist if certificate AutoEnrollment was enabled in Active Directory. If the search returns any objects, it will use the dNSHostName attribute returned to reference the CA and it will then use the Web interface of the Microsoft Certificates Service to retrieve the Root CA certificate by using the HTTP GET command http://<dNSHostname>/certsrv/certnew.p7b?ReqID=CACert&Renewal=-1&Enc=b64.

If neither of these methods succeeds, the device displays the error message “Cannot validate server certificate” and the user is unable to use the device.

The certutil command described above requires you to have necessary rights in the forest, which we didn’t have.

The solution ended up being:

* Run the server 2k3 reskit tool pkiview.msc
* Right click Enterprise PKI and choose Manage AD Containers
* In the NTAuthCertificates tab, add the root certificate of the standalone CA

That should be it! When we did this the phones started downloading the right certificate.

Edit: This might not be working perfectly. Some phones use an extreme amount of time downloading the right certificate. Might be the messy PKI in the forest being the problem, but I will need to test this some more…
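
To see what the two lookups quoted from the deployment guide would return in a given forest, here is a read-only check, added as an example and not taken from the original post or the guide. It assumes both searches are rooted at the configuration naming context; the function name Find-ConfigObject is hypothetical.

```powershell
# Added example: read-only LDAP queries mirroring the two lookups in the guide.
# Assumption: both searches are rooted at the forest's configuration naming context.
$rootDse    = [ADSI]'LDAP://RootDSE'
$searchRoot = [ADSI]"LDAP://$($rootDse.configurationNamingContext)"

function Find-ConfigObject {
    param([string]$Category, [string[]]$Properties)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($searchRoot)
    $searcher.Filter   = "(objectCategory=$Category)"
    $searcher.PageSize = 500
    $searcher.PropertiesToLoad.AddRange($Properties)
    $searcher.FindAll()
}

# Step 1: certificationAuthority objects that carry a usable caCertificate.
$found = 0
foreach ($ca in (Find-ConfigObject -Category 'certificationAuthority' -Properties 'cn', 'cacertificate')) {
    foreach ($raw in $ca.Properties['cacertificate']) {
        $bytes = [byte[]]$raw
        try {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (, $bytes)
        } catch {
            continue   # empty or placeholder value that does not parse as a certificate
        }
        $found++
        [pscustomobject]@{
            Object   = $ca.Path
            Subject  = $cert.Subject
            NotAfter = $cert.NotAfter
        }
    }
}

# Step 2: only reached by the device when step 1 yields nothing.
if ($found -eq 0) {
    foreach ($svc in (Find-ConfigObject -Category 'pKIEnrollmentService' -Properties 'cn', 'dnshostname')) {
        $hostName = $svc.Properties['dnshostname'][0]
        "Fallback URL: http://$hostName/certsrv/certnew.p7b?ReqID=CACert&Renewal=-1&Enc=b64"
    }
}
```

If the root certificate of the CA that issued the server certificates is not among the subjects listed in step 1, and step 2 prints no URL, the phone has nothing to build the chain from.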

Service records and ports, VCS Express

Here are the service records needed to use the Tandberg VCS:

_h323ls._udp.company.com    srv    1 0 1719 vcs-e.company.com.
_h323cs._tcp.company.com    srv    1 0 1720 vcs-e.company.com.
_sip._udp.company.com       srv    0 0 5060 vcs-e.company.com.
_sip._tcp.company.com       srv    0 0 5060 vcs-e.company.com.
_sip._tls.company.com       srv    0 0 5061 vcs-e.company.com.
_sips._tls.company.com      srv    0 0 5061 vcs-e.company.com.
_sips._tcp.company.com      srv    0 0 5061 vcs-e.company.com.

There should also be an A record pointing to the VCS Express (in this example, vcs-e.company.com).

Also, should anyone ever need it, here are the ports that an endpoint needs opened outbound if it is registering directly to a VCS express:

TCP/2776 (Q931/H245 for external traversal endpoints)
UDP/2776 (RTP Media from external traversal endpoints)
UDP/2777 (RTCP Media control traffic from external traversal endpoints)
UDP/1719 (H323 RAS signaling from gatekeepers/VCSes and traversal endpoints)
TCP/1720 (Q931/H.225 call connect signaling)

UDP/5060 (SIP signaling)
TCP/5060 (SIP signaling)
TLS/5061 (Encrypted SIP signaling)

OCS 2007 R2 Web scheduler

The OCS 2007 R2 Web scheduler is now available:

http://www.microsoft.com/downloads/details.aspx?FamilyID=6d6848ec-e7d6-41f4-82d9-5bed3526fcbd&displaylang=en

“Web Scheduler is a 64-bit tool for Microsoft Office Communications Server 2007 R2. It provides a Web-based alternative to the add-in for the Microsoft Outlook messaging and collaboration client for the purpose of scheduling a meeting using Office Communications Server 2007 R2. It also provides a browser-based conference management experience that includes operations such as:

  • Scheduling a new Live Meeting conference or conference call.
  • Viewing and modifying details of an existing conference.
  • Listing all existing user schedules of a Microsoft Office conference.
  • Deleting an existing conference.
  • Sending an e-mail invitation to conference participants by using a configured SMTP mail server.
  • Joining an existing conference.”


I need to lab it before I can say anything about it, but it seems like a great addition to the family! Needs to be installed on the same IIS server as the OCS 2007 R2 web components.

118 blogs for OCS/UC (and counting)

The @DrRez Twitter team (http://twitter.com/DrRez) is compiling a list of all OCS/UC blogs on the net, and is publishing it on the Communications Server Team blog! Great work guys!

http://communicationsserverteam.com/archive/2009/08/11/550.aspx
