Creating certificates for Codian MCUs

If you want to use HTTPS (without the annoying browser certificate warnings) or mutual TLS (MTLS) with a Codian MCU, you need to install a certificate on the MCU.

Remember that you need the "Encryption" release key to enable SSL in any form. This is a free key that can be ordered from TAC.

Under Network -> SSL certificates, you’ll find this screen:

Certificate config

So we need to provide a certificate and the private key that corresponds to it, which means creating a key pair and a CSR, having the CA sign the CSR, and importing both the key and the issued certificate on the MCU.

I'll show how to do this using OpenSSL and a Windows CA. If there is an OCS/Lync deployment in the environment, you could use its certificate wizard to create the cert, but you would have to split the result into a certificate and a key with something like OpenSSL afterwards anyway, so the easiest thing is to create it all with OpenSSL.

OpenSSL is available for almost any platform; I use OpenSSL for Win32.

Create the CSR

Use this command to create the private key and the CSR (all on one line):

openssl req -new -newkey rsa:2048 -nodes -out <name_of_the_cert>.csr -keyout <name_of_the_key_file>.key -subj "/C=<countrycode>/ST=<state>/L=<City>/O=<Organisation>/OU=<Organisational Unit>/CN=<fqdn.of.mcu>"

Replace all the <variables> with the correct values. -nodes writes the private key unencrypted, which is what the MCU expects (its password field is left empty on upload), so keep the .key file safe and remove your local copy once it has been uploaded.

This creates two files, <name_of_the_cert>.csr and <name_of_the_key_file>.key, in the directory you run the command from.

Create the cert

Copy the .csr file to the CA. In a cmd window, navigate to the folder you copied the .csr to and run:

certreq -submit -attrib "CertificateTemplate: WebServer" <name_of_the_cert>.csr

If the CA is configured to issue certificates automatically, you will be asked where to save the .cer. If not, you will have to open the Certification Authority MMC snap-in, issue the pending request manually, and export the issued certificate from there.

Add the cert to the MCU

Back on the MCU, browse to the .cer in the Certificate field and the .key in the Private Key field. Leave the password field empty (the key was created without a passphrase). Restart the MCU and you should be good to go.

Creating a trust store

The trust store to be uploaded needs to be in PEM format. Export the root certificate you need to trust as a DER-encoded file (normally .cer) and run the following command:

openssl x509 -inform der -in <rootcert>.cer -out <rootcert>.pem

<rootcert>.pem can then be uploaded as the trust store.

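The whole procedure above, as an added example that is not part of the original post: it creates the key pair and CSR with OpenSSL, and then runs the checks worth doing before the .cer and .key go onto the MCU, namely that the CSR carries the expected CN, that the issued certificate really belongs to the key (a wrong .key file is the usual reason the MCU rejects the pair), and the DER-to-PEM conversion for the trust store. It goes one step beyond the post by putting the MCU FQDN into a subjectAltName as well as the CN, since browsers match the hostname against the SAN. The hostname mcu.example.com, the DN values and the file names are assumptions, and because there is no Windows CA to talk to offline, a self-signed certificate stands in for the one certreq would hand back.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the key pair and CSR for
# a Codian MCU with OpenSSL, then gives the checks worth running before the
# .cer and .key are uploaded: that the CSR carries the expected CN and a
# matching SAN, that the issued certificate really belongs to the key, and
# the DER-to-PEM conversion for the trust store. mcu.example.com and the DN
# values are placeholders (assumptions); replace them with your own.
set -eu

MCU_FQDN="${MCU_FQDN:-mcu.example.com}"   # assumed MCU hostname
WORKDIR="${WORKDIR:-.}"

# OpenSSL request config: same DN as the -subj form in the post, plus a
# subjectAltName. Browsers match the hostname against the SAN, not the CN,
# so a CSR without one still gets the certificate warning the post is trying
# to get rid of.
write_req_config() {
    cat > "$WORKDIR/mcu_req.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
C  = NO
ST = Oslo
L  = Oslo
O  = Example Org
OU = Video
CN = $MCU_FQDN

[ v3_req ]
subjectAltName = DNS:$MCU_FQDN
EOF
}

# 2048-bit RSA key and CSR. -nodes leaves the key unencrypted, which is what
# the MCU expects (its password field stays empty), so treat mcu.key as a
# secret: restrict its permissions and delete it after the upload.
make_csr() {
    write_req_config
    openssl req -new -newkey rsa:2048 -nodes -config "$WORKDIR/mcu_req.cnf" \
        -keyout "$WORKDIR/mcu.key" -out "$WORKDIR/mcu.csr" 2>/dev/null
    chmod 600 "$WORKDIR/mcu.key"
}

# Subject CN of the CSR, for a sanity check before it goes to the CA.
csr_cn() {
    openssl req -in "$WORKDIR/mcu.csr" -noout -subject | sed 's/.*CN *= *//'
}

# Does the CSR carry a SAN for the MCU FQDN?
csr_has_san() {
    openssl req -in "$WORKDIR/mcu.csr" -noout -text | grep -q "DNS:$MCU_FQDN"
}

# DER (.cer) to PEM, as in the post's trust-store step.
der_to_pem() {
    openssl x509 -inform der -in "$1" -out "$2"
}

# Does the issued certificate (PEM or DER) belong to this private key?
# Compares the RSA modulus of both; a mismatch means the CA signed a
# different request, or you picked up the wrong .key file.
cert_matches_key() {
    cert_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null \
        || openssl x509 -inform der -in "$1" -noout -modulus)
    key_mod=$(openssl rsa -in "$2" -noout -modulus)
    [ "$cert_mod" = "$key_mod" ]
}

demo() {
    WORKDIR=$(mktemp -d)
    make_csr
    echo "CSR subject CN: $(csr_cn)"
    csr_has_san && echo "CSR carries SAN DNS:$MCU_FQDN"
    # Stand-in for the Windows CA so the checks run offline: self-sign the CSR,
    # then emit it as DER, which is the .cer format certreq hands back.
    openssl x509 -req -in "$WORKDIR/mcu.csr" -signkey "$WORKDIR/mcu.key" -days 1 \
        -extfile "$WORKDIR/mcu_req.cnf" -extensions v3_req \
        -out "$WORKDIR/mcu.pem" 2>/dev/null
    openssl x509 -in "$WORKDIR/mcu.pem" -outform der -out "$WORKDIR/mcu.cer"
    der_to_pem "$WORKDIR/mcu.cer" "$WORKDIR/mcu_converted.pem"
    cert_matches_key "$WORKDIR/mcu.cer" "$WORKDIR/mcu.key" && echo "mcu.cer matches mcu.key"
    # A key that was not used for the CSR must be rejected.
    openssl genrsa -out "$WORKDIR/other.key" 2048 2>/dev/null
    cert_matches_key "$WORKDIR/mcu.cer" "$WORKDIR/other.key" || echo "other.key rejected, as expected"
}

# Run the demonstration when OpenSSL is available.
if command -v openssl >/dev/null 2>&1; then demo; fi
```

On the real MCU the only change is to replace the self-signing step with certreq on the CA, then run cert_matches_key on the returned .cer and the .key you are about to upload; if it fails, do not upload, because the MCU will not be able to serve the certificate with that key.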
Lync and VCS

My excellent colleague Marjus has done some testing with VCS and Lync integration!

Read his post here.

Codesalot now running nginx

So I've had a lot of issues with the server running this site lately, basically related to apache2 hogging all system resources. I don't really know what happened, but Apache suddenly started using a lot of swap (all of it), and the system load average was around 16.

I tried fixing it for a while, but now I've given up. The site is now running nginx and the load average seems to have dropped to around 0.03 :D

Thanks to http://matthewhelmke.net/2009/01/08/a-short-howto-apache-to-nginx/ for the howto on migrating!

Factory reset of Cisco E20

To reset a Cisco E20 to factory defaults, press:

** -> PC/Presentation -> ##

within three seconds

or

log in to the TSH CLI via telnet or SSH and enter the following:

xCommand systemunit Configuration ResetToFactoryDefaults Settings: All

Address book issues

I had a weird problem with a 2007 R2 installation last week. The address book had stopped working. I checked all the normal errors, certificates and IIS on the FE, but everything seemed to be just fine. The address book files were created, and I could download all the files in the browser. Everything seemed to be normal, except that the clients were giving the error about not being able to download the address book.

After a bit of searching the internets, I came across this. It seems that IE8 added a check that refuses the certificate if the CRL is unreachable.

The solution is either to fix the CRL (make the CRL distribution point in the certificate reachable from the clients), or to uncheck "Check for server certificate revocation" under Advanced settings in IE8. Prefer the first: unchecking the option turns off revocation checking for every site, not just the address book.

Problems running OCS2009-DBUpgrade on OCS SE/Server 2008?

Just run the MSI from an elevated cmd window. UAC is the problem.

Thanks to Tonino at proexchange.be!

http://www.proexchange.be/blogs/ocs2007r2/archive/2010/03/25/executing-the-ocs2009-dbupgrade-package-fails-on-windows-2008.aspx

Audio delay when answering call

I've been having some trouble lately with call setup on incoming calls. After the call has been answered, it has in some cases taken up to 8-9 seconds before you can hear the person on the other side. Obviously this is quite a pain...

When you google the problem you get a lot of posts telling you to disable Windows Firewall. This actually solves the problem, so if you are content with disabling a firewall without knowing why, you can stop reading now.

It seems that when you install the Mediation Server on Windows Server 2008, the firewall fails to open the UDP port negotiated during early media (RFC 3960) until Windows Firewall sees an outgoing UDP stream on it. This can be worked around by adding an inbound rule in the firewall that allows all UDP ports. If you want something tighter than all UDP, scope the rule to the media port range the Mediation Server is configured to use rather than to every port.

Thanks to JeffNye for tipping me in the right direction!

Testing

Just figured out that it is possible to blog directly from Word via the xmlrpc.php script!

To enable it, you have to allow it in WordPress itself, under Settings -> Writing -> Remote Publishing. This turns on xmlrpc.php, which accepts username/password logins from anywhere, so turn it off again if you stop using Word for posting.

If you don't do this, Word will give you a "Word Cannot Register Your Account" error.

Thanks to http://thebalancequest.com/blogging/wordpress-settings-%E2%80%9Cword-cannot-register-your-account%E2%80%9D-error for the tip! I did not sit up all night thanks to you :P

In Word, just press New and "Blog post", and Word will help you set it up.

Now for the result... Edit: Success!

Communicator Phone Edition – Update Issues

After following several guides to configuring the Device Update Service in OCS 2007 R2, including Rui Silva's trilogy and Rick Varvel's guide, I still couldn't get the phones to update their software.

All logs showed that it had worked: the Update Service logs showed that the phone had found the right software, and the IIS logs showed a 200 OK sent to all phones...

Troubleshooting finally led me to try downloading the CPE.nbt file manually from

http://frontendfqdn/DeviceUpdateFiles_Int/OCInterim/ENU/cpe.nbt

which just gave me a blank page.

I tried comparing the IIS configuration to one I knew was working, and saw that I had a lot fewer IIS role services installed on the one that was not working.

When I installed this Front End server, I used the commands in this post to install the prerequisites. It turns out that if you are going to use CPE, you will probably also need the "Static Content" role service in IIS, both to serve the files and to configure the MIME types for the file extensions the update service uses.

There are default MIME types for both the .xml and the .cat extensions used by the updater. There is, however, no default for the .nbt extension.

If this role service is not installed, the updater does not work. You will have to add the role service and then manually add the correct MIME types to the DeviceUpdateFiles_Int/ and DeviceUpdateFiles_Ext/ folders (in each folder's web.config, under system.webServer/staticContent), which should be:

<mimeMap fileExtension=".nbt" mimeType="binary/octet-stream" />

<mimeMap fileExtension=".cat" mimeType="binary/octet-stream" />

Hey presto! The phones update themselves like magic!

Response group certificate error

Got a certificate error when I tried starting the Response Group service today.

The provided certificate is not valid.

There was a problem validating certificate: Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was '<poolname fqdn>' but the remote endpoint provided DNS claim '<fqdn in a sip domain>'. If this is a legitimate remote endpoint, you can fix the problem by explicitly specifying DNS identity '<fqdn in a sip domain>' as the Identity property of EndpointAddress when creating channel proxy.

It turns out that the last SAN in the certificate needs to be the same as the CN in the certificate, which should be your pool FQDN. The service will fail if it isn't.
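A check for the condition above, as an added example that is not part of the original post: it reads the CN and the ordered SAN list out of a certificate with OpenSSL and reports whether the CN is the last SAN, present but somewhere else in the list, or missing from it altogether. The pool FQDN pool01.corp.example.local and the SIP domain name sip.example.com are assumptions, and a small self-signing helper stands in for the CA so that the good and bad layouts can be built and compared offline.

```shell
#!/bin/sh
# Added example, not from the original post: check a pool certificate for the
# Response Group requirement described above, that the pool FQDN in the CN is
# also the last subjectAltName entry. Names are assumptions. mint_cert is a
# stand-in for the real CA so the check can be demonstrated offline.
set -eu

POOL_FQDN="${POOL_FQDN:-pool01.corp.example.local}"   # assumed pool FQDN
SIP_NAME="${SIP_NAME:-sip.example.com}"                # assumed SIP-domain name
WORKDIR="${WORKDIR:-.}"

# Self-signed certificate with the given CN and a comma-separated SAN list,
# kept in the order given. -addext needs OpenSSL 1.1.1 or newer.
mint_cert() {
    san_ext=$(printf '%s' "$2" | sed 's/ *, */,DNS:/g; s/^/DNS:/')
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -addext "subjectAltName=$san_ext" \
        -keyout "$WORKDIR/cert.key" -out "$3" 2>/dev/null
}

# Subject CN of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# DNS names from subjectAltName, one per line, in certificate order.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Prints "ok" when the CN is the last SAN, "not-last" when it is in the
# list but not at the end, and "missing" when it is not a SAN at all.
cn_san_status() {
    cn=$(cert_cn "$1")
    sans=$(cert_sans "$1")
    if [ "$(printf '%s\n' "$sans" | tail -n 1)" = "$cn" ]; then
        echo ok
    elif printf '%s\n' "$sans" | grep -qxF -- "$cn"; then
        echo not-last
    else
        echo missing
    fi
}

demo() {
    WORKDIR=$(mktemp -d)
    # Good: pool FQDN is the CN and the last SAN.
    mint_cert "$POOL_FQDN" "$SIP_NAME,$POOL_FQDN" "$WORKDIR/good.pem"
    # Bad: pool FQDN is the CN but a SIP-domain name comes last, which is the
    # layout behind the "provided DNS claim" error quoted above.
    mint_cert "$POOL_FQDN" "$POOL_FQDN,$SIP_NAME" "$WORKDIR/bad.pem"
    # Worse: pool FQDN is not in the SAN list at all.
    mint_cert "$POOL_FQDN" "$SIP_NAME" "$WORKDIR/missing.pem"
    for f in good bad missing; do
        echo "$f.pem: CN=$(cert_cn "$WORKDIR/$f.pem") -> $(cn_san_status "$WORKDIR/$f.pem")"
    done
}

# Run the demonstration when OpenSSL is available.
if command -v openssl >/dev/null 2>&1; then demo; fi
```

To check a real pool certificate, export it from the Front End as Base-64 (PEM) and run cert_cn and cn_san_status against that file; anything other than "ok" means the request needs to be regenerated with the pool FQDN placed last in the SAN list.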