Archive for the ‘video conferencing’ Category.

OpenSSL in X6.0

There seems to be a bug with the openSSL running on VCS X6.0. It has some problems with .pfxes created by the MS Certificates snapin. Should be fixed before X6.3.

In the meantime, we’ll have to use openSSL elsewhere to create certs for the VCSes and Codian MCUs.

URI dialing domain check

I made a quick and dirty php script to check if your domain is correctly configured in DNS to support standards based URI dialling. Just input your URI domain and your target gateway, and the script will check if the SRV records are correctly configured and that the A record for the gateway exists.

I’ll add more functionality and nicer looks as time goes by :P feature requests in comments.

http://www.codesalot.com/dnscheck/

Cisco VC Dialer

Getting my new iPad this weekend, I got to try the Cisco (Tandberg) VC Dialer from Sping BV on some of my endpoints. It seems to be working perfectly! It is basically an app that can dial any number from any MXP, C, EX or E series endpoint. You can get it from the AppStore, search for VC Dialer (it is an iPhone app originally). The app is free for a limited number of downloads, after which it will be priced at €4.99.

The dialer screen

Last calls screen

Choose endpoint

Add endpoint screen

You need to be able to reach the endpoints over http(s?), and you need the admin password of the endpoint to be able to control it.

You can only make calls and hang up with the app; it is not a full remote control of the endpoint, but I can still see uses for this.

Creating certificates for Codian MCUs

If you want to use HTTPS (without the annoying browser certificate warnings) or MTLS with a Codian MCU, you’ll need to install a certificate on the MCU.

Remember that you’ll need the “Encryption” release key to enable SSL in any form. This is a free key that can be ordered from TAC.

Under Network -> SSL certificates, you’ll find this screen:

Certificate config

So we need to provide a certificate and a private key corresponding to the certificate, which means that we need to create a CSR and import both the key and the certificate to the MCU.

I’ll show how to do this using openSSL and a Windows CA. If there is an OCS/Lync implementation in the environment, you could use the wizard to create the cert, but you would have to split it up with something like openSSL afterwards anyway, so the easiest thing is just to create it all with openSSL.

openSSL can be found for almost any platform; I use openSSL for win32.

Create the CSR

Use this command to create the CSR

openssl req -new -newkey rsa:2048 -nodes -out <name_of_the_cert>.csr -keyout <name_of_the_key_file>.key -subj "/C=<countrycode>/ST=<state>/L=<City>/O=<Organisation>/OU=<Organisational Unit>/CN=<fqdn.of.mcu>"

Exchange all the <variables> with the correct values.

This should create two files, <name_of_the_cert>.csr and <name_of_the_key_file>.key and place them in the same directory as you run the command.

Create the cert

Copy the .csr file to the CA. In a cmd window, navigate to the folder you copied the .csr to and run:

certreq -submit -attrib "CertificateTemplate: WebServer" <name_of_the_cert>.csr

If the CA is configured to issue certs automagically, you should be asked where to save the .cer. If not, you’ll have to open the CA MMC snapin and issue the cert manually.

Add the cert to the MCU

Back on the MCU, browse to the .cer in the Certificate field and the .key in the Private Key field. Leave the password field empty. Restart the MCU and you should be good to go.
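Before uploading the pair, it helps to confirm that the .key, the .csr and the issued .cer all carry the same public key. The script below is an added example, not part of the original post: the file names, the sample subject and the self-signed certificate that stands in for the CA-issued one are assumptions made so it runs offline.

```bash
#!/usr/bin/env bash
# Added example: check that key, CSR and certificate share one public key
# before the .key/.cer pair is uploaded. All file names are hypothetical.

# SHA-256 of a PEM public key read from stdin; fails on empty or bad input.
pub_digest() {
  local pem
  pem=$(openssl pkey -pubin 2>/dev/null) || return 1
  printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}
key_digest() { openssl pkey -in "$1" -pubout 2>/dev/null | pub_digest; }
csr_digest() { openssl req -in "$1" -noout -pubkey 2>/dev/null | pub_digest; }
# The CA may hand back the .cer as Base64 (PEM) or binary DER, so try both.
cert_digest() {
  { openssl x509 -in "$1" -inform pem -noout -pubkey 2>/dev/null ||
    openssl x509 -in "$1" -inform der -noout -pubkey 2>/dev/null; } | pub_digest
}
# True only when the private key and the certificate carry the same public key.
key_matches_cert() {
  local k c
  k=$(key_digest "$1") && c=$(cert_digest "$2") && [ "$k" = "$c" ]
}

# Constructed sample: key and CSR from the command above, a self-signed
# certificate standing in for the CA-issued one, and an unrelated key.
make_sample() {
  openssl req -new -newkey rsa:2048 -nodes -out "$1/mcu.csr" -keyout "$1/mcu.key" \
    -subj "/C=NO/O=Example/CN=mcu.example.com" 2>/dev/null &&
  openssl x509 -req -in "$1/mcu.csr" -signkey "$1/mcu.key" -days 1 \
    -out "$1/mcu.cer" 2>/dev/null &&
  openssl x509 -in "$1/mcu.cer" -outform der -out "$1/mcu-der.cer" &&
  openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

tmp=$(mktemp -d) && make_sample "$tmp"
key_matches_cert "$tmp/mcu.key" "$tmp/mcu.cer" && echo "mcu.key matches mcu.cer"
key_matches_cert "$tmp/other.key" "$tmp/mcu.cer" || echo "other.key does not match"
rm -rf "$tmp"
```

Because the key is written with -nodes and uploaded without a password, it sits unencrypted on disk; delete the working copy once the MCU has it.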

Creating a trust store

The trust store to be uploaded needs to be in .pem format. Export the root certificate you need to trust to a DER encoded file (normally .cer) and run the following command:

openssl x509 -inform der -in <rootcert>.cer -out <rootcert>.pem

<rootcert>.pem can be uploaded as the trust store. 

Lync and VCS

My excellent colleague Marjus has done some testing with VCS and Lync integration!

Read his post here.

Factory reset of Cisco E20

To reset Cisco E20 to factory defaults, press:

** -> PC/Presentation -> ##

in less than three seconds

or

log in to the TSH CLI via telnet or SSH and enter the following:

xCommand systemunit Configuration ResetToFactoryDefaults Settings: All

OCS and split brain DNS

Doug Lawty has written an excellent blogpost about OCS and split brain DNS and how to configure it:

http://blogs.technet.com/dougl/archive/2009/06/12/communicator-automatic-configuration-and-split-brain-dns.aspx

Service records and ports, VCS Express

Here are the service records needed to use the Tandberg VCS:

_h323ls._udp.company.com      srv     1 0 1719 vcs-e.company.com.
_h323cs._tcp.company.com      srv     1 0 1720 vcs-e.company.com.
_sip._udp.company.com         srv     0 0 5060 vcs-e.company.com.
_sip._tcp.company.com         srv     0 0 5060 vcs-e.company.com.
_sip._tls.company.com         srv     0 0 5061 vcs-e.company.com.
_sips._tls.company.com        srv     0 0 5061 vcs-e.company.com.
_sips._tcp.company.com        srv     0 0 5061 vcs-e.company.com.

There should also be an A record pointing to the VCS Express (in this example, vcs-e.company.com).
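The record list above, and the kind of check described in the "URI dialing domain check" post, can be run offline against pasted zone or dig output. This is an added example, not the PHP script from that post: the sample records and the 192.0.2.10 address are constructed, one port is deliberately wrong, and accepting dig-style lines goes slightly beyond the layout shown on the page.

```bash
#!/usr/bin/env bash
# Added example: offline check of SRV/A records for URI dialing.
# Expected service:port pairs are the ones listed in this post.

check_uri_dialing() {   # usage: check_uri_dialing <domain> < records.txt
  awk -v domain="$1" '
    function norm(s) { s = tolower(s); sub(/\.$/, "", s); return s }
    BEGIN {
      list = "_h323ls._udp:1719 _h323cs._tcp:1720 _sip._udp:5060 _sip._tcp:5060"
      list = list " _sip._tls:5061 _sips._tls:5061 _sips._tcp:5061"
      n = split(list, want, " ")
    }
    {   # find the record type anywhere after the owner name (zone or dig layout)
      for (i = 2; i <= NF; i++) {
        t = tolower($i)
        if (t == "srv" && i + 4 <= NF) { port[norm($1)] = $(i + 3); target[norm($1)] = norm($(i + 4)) }
        if (t == "a" && i + 1 <= NF)   { has_a[norm($1)] = 1 }
      }
    }
    END {
      for (k = 1; k <= n; k++) {
        split(want[k], p, ":"); name = p[1] "." norm(domain)
        if (!(name in port))               { print "MISSING " name; bad++ }
        else if (port[name] != p[2])       { print "WRONG-PORT " name " " port[name]; bad++ }
        else if (!(target[name] in has_a)) { print "NO-A-RECORD " target[name]; bad++ }
      }
      exit (bad > 0)
    }'
}

# Constructed sample input (192.0.2.10 is a documentation address); the
# _sips._tcp port is wrong on purpose and one line uses the dig layout.
sample_records() {
cat <<'EOF'
_h323ls._udp.company.com      srv     1 0 1719 vcs-e.company.com.
_h323cs._tcp.company.com      srv     1 0 1720 vcs-e.company.com.
_sip._udp.company.com         srv     0 0 5060 vcs-e.company.com.
_sip._tcp.company.com.  3600  IN SRV  0 0 5060 vcs-e.company.com.
_sip._tls.company.com         srv     0 0 5061 vcs-e.company.com.
_sips._tls.company.com        srv     0 0 5061 vcs-e.company.com.
_sips._tcp.company.com        srv     0 0 5060 vcs-e.company.com.
vcs-e.company.com             a       192.0.2.10
EOF
}

sample_records | check_uri_dialing company.com || echo "records need fixing"
```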

Also, should anyone ever need it, here are the ports that an endpoint needs opened outbound if it is registering directly to a VCS express:

TCP/2776 (Q931/H245 for external traversal endpoints)
UDP/2776 (RTP Media from external traversal endpoints)
UDP/2777 (RTCP Media control traffic from external traversal endpoints)
UDP/1719 (H323 RAS signaling from gatekeepers/VCSes and traversal endpoints)
TCP/1720 (Q931/H.225 call connect signaling)

UDP/5060 (SIP signaling)
TCP/5060 (SIP signaling)
TLS/5061 (Encrypted SIP signaling)

Provision phonebook in Tandberg Management Suite

To be able to add Movi2 endpoints to phonebooks on systems registered in TMS, TMS should automagically create an external source and a provisioning phonebook when the provisioning key is installed on the system. If this for some reason does not happen, here’s how to add one (or to verify that the phonebook was installed correctly):

In TMS, go to: Phone Book > Manage External Source

If there is an external source there that is called “Provisioning Source”, chances are that the phone book was installed correctly. If not, add a new external source and select “TANDBERG Provisioning Directory” as source type.

The rest of the fields should be like this:

Connection Details
Name: Provisioning Source
Default Bandwidth for Imported Entries: 384 kbps
Force Default Bandwidth (all entries, not only Auto entries): Unchecked
IP Address/DNS: localhost
Username: CN=Directory Manager
Password: TANDBERG

Advanced Connection Details
LDAP Port Number: Blank
Search Base (DN): dc=provisioning
Search Scope: Recursive
Custom LDAP Filter: Blank
Field on User Object to Prefix Display Name in TMS: displayName

With this setup, Movi users are added to the phone book in the format “<firstname> <lastname> <provisioningprofile>”. I will try some different settings to see if I can filter and change the format in the phonebook. I will add this in a later post.

After this, create a new phonebook and connect it to the new external source.

Source: Tandberg Deployment guide: Provisioning. February 2009


Tandberg TCEP Day 2

Today’s topic is bandwidth and call control.

There will also be a test today.

To be able to call out on the internet on the VCS, you need to add the DNS Zone. It should only be added on the Express, not on the control. It will not be there by default. On the Gatekeeper/BorderController this is not necessary.

If you are neighboring gatekeepers, you need to use a pattern type to reach the endpoints on another gatekeeper. It will work fine without, but if you plan to use bandwidth control the call will not be in the correct link if you don’t use a pattern. This is possibly a bug, and will probably be fixed in version X3.

SIP <-> H.323 interworking will also work when contacting an endpoint on the outside, but it will consume 1 extra traversal license because of the interworking, so it will use 2 traversal licenses.

And I passed the TCEP as well :)