Wednesday, December 31, 2008

Blogpost: Inbound/outbound faxing option with Cisco CM and OCS 2007 - part1

HI,

I returned after a small silent, I have been busy with a migration of one of our big branches from the old workgroup and “Domains” to our new domain, lot of work I have been doing specially that I have inherited lot of PCs that has unique kind of worms that made my life looks like sh*t, however we made it and we were able to push around 400 PC to the new infrastructure safely and I believe with less than an hour of downtime.

 

I have been asking a lot of MS and Cisco folks about the options of inbound and outbound faxing with Exchange 2007 UM and Cisco CM also known as CCM, I didn’t have a clear answer so I tried to figure it out, please keep in mind that the below lines doesn’t hold any official responses neither from MS nor from Cisco.

 

Let us summarise what we want to do:

-          Outbound faxing, meaning that the user will send an email to whatever server then it is sent as a fax to its destination.

-          Inbound fax, meaning that a sender send a fax to a user, the user gets the fax in his mailbox and open it using the outlook.

Pretty simple but hard to achieve, why, well I believe that this problem occur because Microsoft folks are not focusing in this part “looks like the R2 will have something to bring”, and Cisco is not playing fair with MS since the don’t let their technology work with MS specially in this part.

 

Let us design a simple design for inbound faxing:

The problem that we want to deliver the fax to the user’s mailbox, we will have UM and typically OCS, to achieve that 2 things has to be known:

-          Users external extension which must be unique.

-          Users email address.

The exchange 2007 UM server can intercept the fax signal and deliver the message correctly to the user’s mailbox, the problem that it doesn’t work fine with CCM, although that Microsoft inbound faxing relies on using t.38, Cisco uses t.38 as well but Cisco’s implementation relies on UDP while Microsoft relies on what…yes TCP and there is no way to change any of them to the other protocol.

 

So using t.38 while a Cisco voice GW inplace is not possible, so we will have to let the UM server intercept the fax signal and tries to do the job by enabling EnableInbandFaxDetection, I tried it with CCM 4.3 but it didn’t work “I will upgrade mine within 2 weeks to CCM6 so I shall give you what it does with CCM 6”.

 

So what is the available option, I believe that onramp http://www.cisco.com/en/US/docs/voice_ip_comm/unity_exp/rel3_1/administration/guide/voicemail/fxgatewy.html and trying to deliver the fax either to a shared mailbox or specifically to the user.

Note: you can deliver the message directly to the user by configuring you DID distribution to be as following for example: suppose that you have xxxx5000 up to xxxx5100 as DID, so distribute odd numbers for users direct phone and even numbers for direct fax.

 

Configuring such a configuration poses a real chanllenge for organizations with large number of employees, but configuring a single extension for everything in the world relies on CCM to talk to Exchange server nicely.

 

For outbound faxing, Exchange UM doesn’t support using outbound faxing, but if you have Cisco GW inplace you can use offramp faxing, I didn’t go into designing it since I am waiting for my CCM6 boxes, once they are here I will post another blog (Part2) about if anything make any feature works, and about offramp design and implementation.

 

Happy new year and merry charismas.

Mahmoud



“The information contained in this communication is intended solely for the use of the individual or entity it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any form of reproduction, dissemination, copying, disclosure, modification, distribution and/or publication of this e-mail message is strictly prohibited. If you have received this message by mistake please notify the sender immediately by e-mail, destroy it and delete it from your system. The sender is neither liable for the proper and complete transmission of the information contained in this communication nor for any special, incidental or consequential damages of any nature whatsoever resulting from receipt or use of this communication”

Tuesday, December 30, 2008

Blogpost: Access is denied when you click on the meet now

Here is a nice one.

I pushed the LMaddin.msi to all of my clients in my network (about 1500 Client), and the addin appeared in the outlook, most of my clients tried to use the new plug in but they either got access is denied or (there was a problem launching the live meeting client).

 

I tried to know what is wrong since I had working on my PC, finally I got it, I didn’t install the lmconsole.msi on my clients, this will cause you the problem since the console is not installed yet, install the console and it will work fine.

 

Note: installing the console after the addin will fix it, you don’t need to remove it and install the console.



“The information contained in this communication is intended solely for the use of the individual or entity it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any form of reproduction, dissemination, copying, disclosure, modification, distribution and/or publication of this e-mail message is strictly prohibited. If you have received this message by mistake please notify the sender immediately by e-mail, destroy it and delete it from your system. The sender is neither liable for the proper and complete transmission of the information contained in this communication nor for any special, incidental or consequential damages of any nature whatsoever resulting from receipt or use of this communication”

Monday, December 29, 2008

blogpost: New OCS/OC KBs


Communicator 2005


949280   Description of the Communicator 2005 hotfix rollup package: December 19, 2008

960244   After you install Live Meeting 2007 console or Live Meeting 2007 add-in, two new menu options that do not work are added to Office Communicator 2005 Action menu

960255   After you upgrade Live Meeting Service Conference center to Live Meeting 2007, you can no longer use the Meet Now button in Office Communicator 2005

960252   Office Communicator 2005 crashes when you try to accept an inbound phone call

 


Communicator 2007


957465   Description of the Communicator 2007 hotfix rollup package: December 19, 2008

960423   Office Communicator 2007 cannot display Chinese characters in URLs when the EnableURL registry value is enabled

960424   You cannot prevent Office Communicator 2007 from controlling the call forwarding settings

 



“The information contained in this communication is intended solely for the use of the individual or entity it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any form of reproduction, dissemination, copying, disclosure, modification, distribution and/or publication of this e-mail message is strictly prohibited. If you have received this message by mistake please notify the sender immediately by e-mail, destroy it and delete it from your system. The sender is neither liable for the proper and complete transmission of the information contained in this communication nor for any special, incidental or consequential damages of any nature whatsoever resulting from receipt or use of this communication”

Sunday, December 28, 2008

Blog Post: OCS 2007 R2 RTMed

OCS 2007 R2 has been RTMed, this is quick news flash as I don’t have any info about it until now, I will have an access to the software tomorrow or next week, I will post lots of stuff about it when I have it.

Sunday, December 7, 2008

New OCS updates

Communicator 2007 November Updates

959385   Description of the update package for Communications Server 2007 Web Components: November 2008

 



“The information contained in this communication is intended solely for the use of the individual or entity it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any form of reproduction, dissemination, copying, disclosure, modification, distribution and/or publication of this e-mail message is strictly prohibited. If you have received this message by mistake please notify the sender immediately by e-mail, destroy it and delete it from your system. The sender is neither liable for the proper and complete transmission of the information contained in this communication nor for any special, incidental or consequential damages of any nature whatsoever resulting from receipt or use of this communication”

Saturday, November 22, 2008

Update Rollup 5 for Exchange 2007 SP1 is now released

The rollup is available on the Download Center here:
http://www.microsoft.com/downloads/details.aspx?FamilyId=652ED33A-11A1-459C-8FFE-90B9CBFE7903&displaylang=en
It will be available on Microsoft Update in 2-3 weeks from now (we will announce that). In case that you need a fix in a language that is not available right now, they are in the pipeline already so please check back.
The KB article describing this release as well as fixes is here: http://support.microsoft.com/?kbid=953467
We specifically want to call out two things fixed regarding the overall installation experience:
1) Service startup issue as described in KB http://support.microsoft.com/kb/944752 as well as our previous blog post.
The rollup installer will now make the required modifications to the config files, even create new config files if not found. If customers have already modified the config files and have a generatePublisherEvidence setting, it will be left intact. Note that you still need the right version of .NET (see KB 944752) for the fix to take effect.
Un-installation of the rollup will not rollback the addition of generatePublisherEvidence to config files.
2) Blank OWA logon page after installation of rollups 3 and 4, if you have modified logon.aspx file
The rollup installer will now overwrite any OWA script files if required to ensure proper operation of OWA. You will need to redo any customization after installation of the rollup.

Sunday, November 16, 2008

Blog Post: Tandberg, OCS 2007 and CCM 4.3 integration - part 3

Here is the final part of these posts, we will talk about configuring the CCM/Tandberg to work all together, this will let you leverage the conferencing capability from any phone anywhere, it is cool and very important and I found that most of the Tandberg customers don’t know about it.

 

To make it works, make sure to do the following steps at the 4200 MCU:

-       From the Gateway menu, add a new gateway, type in the IP of the Cisco Call manager.

And you are done J.

 

From the Cisco Call manager, follow the below steps:

-       Add the MCU as a gateway.

-       From the routing plans, add a new route pattern, this will match a number (for example 1000) and route this pattern using the gateway you just configured.

Using the above if a user internally calls 1000, he will be prompted with the Codian MCU autoattendant, the 1000 extension should be reachable from the outside using either digits manipulation..etc so users from the external telephone network can dial that number.

 

No users in the OCS can add the conference ID as a user and call that user, also call from the phone the MCU and amazingly they can hear users from the Video Conference points and on the OC clients.

 

 

Amazing.

Tuesday, November 4, 2008

BLog Post: When a small bug stops the giant dinosaur - someone will like that...

Yesterday was one of those rare days, one of those where I spent 7 hours staring to my screen trying to push couple of server to work, the problem started at 11 AM and solved by 7 PM, but the trick was in finding the problem.

 

Briefly the problem located in specific servers in a branch of mine, the damn servers didn’t want to become a domain controller no matter what I did, the problem that the SYSVOL folder didn’t want to replicate between server in HQ and server in the branch, below what was happening:

 

When I launched the Domain controller installation wizard, everything went nice, to complete the installation a restart is required and a replication of the SYSVOL folder (where group policies and domain settings resides) has to be completed after the restart, this normally takes 15 minutes, tracing the SYSVOL replication I found that the replication stops at 14 MB of the SYSVOL (it is about 120 MB), well this is normal.

 

Recycle the SYSVOL replication, 13.8 MB.

Check the SYSVOL replication scope using ntfrsutil seems right, push it using the command line, 13.6 MB.

Well, this is becoming weird, so let us bring the army. Tracing the Filesystem activity using Filmon and process explorer and…..ok I saw that the FRS.exe cannot have access to the replication delta files  after it reaches 13 MB, it gives me “Access is denied or file cannot be found”.

 

It is ok, using the burflag registry key I can rebuild the hall SYSVOL, trying that and silly me; it is 20 MB

 

Fine, let us skip the first server, let us bring the other server, now guess what, cannot exceed 25.5, first round 25.6, second round 25.4 third round 24.7, using filemon and PE I found the same output “Access is denied”.

 

Now it is time to know exactly why access is denied, doing advanced logging for the FRS, I found that transactional log files exist, but the FRS cannot read and write from it, doing a performance monitoing for the disk level read/writes I found that it gets so slow when a big chunk of log file gets replicated to SYSVOL temp. folder, doing a Memory trace for the handles using handle……wolla!!!!!!!!!! It is the KASPESKY.

 

The avp.exe process was scanning the a big log file (it is about 30 MB in size), the scanning takes so much time to complete, the scanning windows was bigger than the SYSVOL replication timeout windows this is a known bug here , so it times out and keeps retrying. And failing at the same file. So a very small registry key stopped my Servers to be come on line, what a mess?!

 

I checked the Kaspersky policy, I found the SYSVOL folder was excluded from the scan, but not the subfolders, added them and now I am able to run the SYSVOL replication. A smart one will say why this didn’t occur in HQ, as far as I can see this is because of HQ runs at 4 GB of RAM.

 

Nice round.

Mahmoud

Sunday, November 2, 2008

Blog post: you cannot use MCU 4200 with OCS 2007 after upgrading to V2.3

I have been working on this for 2 weeks now, I have upgraded my MCU from 2.3 to 2.4, this “as Tandberg” allows me to use NTLM authentication rather than anonymous authentication for MCU registration, but it didn’t work.

For some reason the MCU cannot obtain the GRUU that is returned from the OCS and cannot register itself in OCS, I believe that this is a bug in OCS (as far as I can see) because the OCS is using some SIP extension that has make my life harder before, I am working with Tandberg folks on it now.

So keep your MCU at 2.3 until further notice.

Mahmoud.

Monday, October 27, 2008

Blog Post: CCM AD plugin notes

I have just installed CCM plug-in for Active Directory, I have several notes to share it with you, it will be usefull for you to note them down before starting your implementation:

-       The installation guide starts here: http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a0080094493.shtml :)

-       The guide tells you to specify User Search Attribute, which should be SamAccountName, the guide doesn’t tell you that this is the login name, you will be able to search by first name and last name, but this is the login name.

-       To install the plug-in in child domain (typically if you have a root/child domain) you will need access to the schema admin.

-       The Cisco container needs to be on the root domain.

-       The domain name will be the root domain and the user search base DN will point the root domain, don’t worry the plug-in will grab the users from the child domain, don’t know how LOL.

-       You will need to place the registry key to enable schema updates even if you are running windows 2003.

-       I will upgrade to windows 2008 next weeks, hopefully it will last.

Blog Post: why CCM 4.3 support has been removed from OCS?

Well this is hard question,

When OCS released it was officially supported by MS for about 3 days, and then the support removed and only V5 and V6 was supported, to tell you the truth I have been testing OCS with V4.3 for a long period in my labs, and some of my customers went to a non-supported state for a period of time, but OCS/Exchange and V4.3 all works so fine. So why it is not supported.

 

Tricky, no one knows. But based on my lab testing, I found that OCS is using additional SIP extensions and messages that are not supported by older SIP entities that uses SIP standards, I have heard from couple of my friends that meetingplace and Cisco Video conferencing are not working as supposed to be when 4.3 in there.

 

So if you don’t want support from MS, then you can go with V4.3, not supported but you can go for it in lab testing and small piloting, beware that v4.3 will be out of support by mid of next yeaaaaar.

Blog post: Tandberg - OCS 2007 and CCM all together part 2


This is the second part of how to install and configure Tandberg Video conferencing, Codian MCU 4200 and OCS 2007 along with CCM support to provide end to end unified communication experience, in the first part I made a small introduction about the subject in this part I will describe the End to End experience and going to the basic configuration of the MCU 4200.



What do you want exactly, this is a so hard to answer, especially in the UC field, all of the vendors as well as partners are introducing end to end UC solutions, so what to chose and where to place is the hardest question.



What do you want, mmmmm let us talk about that part a little bit, what do you want from UC, what you can achieve, to tell you the truth, you can do almost anything, from launching you mail/voicemail/IM end point from your mobile phone, until mounting you desktop phone from your PC or mobile, do FMC, bypass toll charges, doing audio/video/web conferencing and mixing all of them together, now you can place calls to PSTN network over GSM using E1 modules that carries SIM cards, typically anything.



So where to go, it is up to you, your budget, organization and how you do work internally, some companies work with other parties externally WW so they might need web conferencing, or you might have international branches where they want to minimize there phone bill, so ultimatly there are no best fit for you, you have to note that when you ask consultants to do assessment for your organization because vendors will start talking and talking but you need to decide what you need exactly.



Let us go back to my solution, let me give you a brief about the architecture:


- And E1 connection that comes from my service provider that hosts 100 extension over ISDN.


- One Cisco Voice gateway.


- 2 Cisco Call Manager (publisher/subscriber).


- 1 Codian MCU 4200 V2.3


- 5 Tandberg Endpoints in site1


- 1 Tandberg conferencing unit in each branch office.


In this part I will walk into configuring the MCU 4200, step by step:


- On the OCS create a normal user, you don’t need to create and email, you can give him an email address and enable OCS 2007 for him, don’t login with OC to the user as this will remove the LCS 2005 attributes from the user and MCU will lose its presense.


After giving the IP of the MCU, and configuring the initial configuration like system name…etc follow the below steps:


- From the settings page go to the SIP pane,


- Enter the SIP address and the SIP proxy address for the MCU, this will be dialed from the OCS clients to join the Conf.


1.


-

Note that in version 2.3.1.8 you cannot use the authentication since the firmware support basic auth, you need to upgrade to version 2.4 to support NTLM, I upgraded to 2.4 but it didn’t work so I rolled back and I work with Tandberg support on it.


- To over come the auth, issue you need to add the IP of the MCU in OCS server in the authorized hosts tab and you need to mark it tread as authenticated.


- Once finished you will note that registered mark appears as above.


- Now you can add the MCU in your buddy list and you can dial it, once dialed you will be prompted for the conf. ID enter it and you can see/hear the conf.


I have tried to register the MXP 75, but it looks that the firmware 6.3 has a bug in registering the GRUU, I will acquire the latest MXP firmware (v 7) and once finished I will update you with it.



In the next post I will post the CCM configuration followed by an article for configuring Exchange 2007 UM with CCM 4.3, keep reading J

Monday, October 20, 2008

Blog Post: you cannot use GFI Endpoint security due to Remote HW/Registry locdown policy by Windows Vista SP1

Hi,

I have been working with GFI support team for that last couple of weeks to diagnose a problem that looks so hard in the first place but it was so easy to spot once we identified the cause, I have several Windows Vista SP1 laptops since all of them comes shipped with it, we wanted to deploy GFI Endppoint security and we were testing the product, everything works fine on XP SP3 machines, but on windows Vista SP1 it didn’t work, the problem that we couldn’t detect the drivers on the machine that runs Vista Sp1, the error was “Failed to enumerate devices on the machine”; if we try to deploy the agent manually it yells at us saying that you don’t have permissions to install this product so what the heck going on?

 

After several hours of regmon and filemon, I found that the agent access the machine using remote registry, so you have to:

-       Start the remote registry service.

-       On Vista SP1 machines, you need to allow the access for HKLM hive totally remotely.

-       The GFI agent service needs to run as domain admin!!!

1.Go to Computer Configuration \ Administrative Templates \ System \ Device Installation
2.Double click on  "Allow Remote Access to the PnP interface" and enable the policy

 

Finally it works, now we need to test it out, please read more about the security lockdown settings of windows Vista and the new registry access restrictions for windows Vista.

Saturday, October 18, 2008

Blog Post: Integrating OCS 2007, Cisco Call manager, Tandberg MCU 4200 all together - part 1

Hi,

I have to say that all of you will like this topic a lot, I have been doing a lot of work in the previous 2 months to mount my new infrastructure in my new company, one of the challenges that I had is to provide a centralized conferencing and unified communication solution.

 

The challenge that I had is providing UC service across different sites (I had many), Audio conferencing, Video conferencing, Web conferencing , Telephony conferencing , Voice mail and all of nice stuff all together; well it wasn’t an easy task.

 

When I came to my company I found CCM 4.3 mounted already and in place, so I had to work it out with OCS 2007, we decided to have a HW video conferencing solution and not relying on the round table since it is not available in the middle east yet so we investigated Cisco/Polycom and Tandberg and we chose Tandberg.

 

At the early time I wasn’t involved yet in the vendor selection for the video conferencing, so I was working in choosing a telephony conferencing solution, knowing that OCS R2 will provide that module for me made it much harder to choose between Alcatel, Cisco and Nortel.

 

When Tandberg solution mounted in our HQ and was in place in 3 of our sites I found that it is amazingly works with OCS 2007 and Cisco Call Manager, so I decided to integrate them together which worked so perfectly after, I will share my experience with you across several configuration notes, solution design posts and Finally showing you how an End to End solution will be implemented between the 3 island and connecting them together.

 

I will be posting within 2-3 days a entry blog about the design notes for the solution, I am working on some TMS (Tandberg Management Server) design and some MCU issues, so I will post the first blog about the design consideration for such an integrated solution, posting afterwards a configuration notes and tips.

 

See you in the upcoming post.

 

Mahmoud

Blog post: how to avoid importing the GUID into the new computer information

Here is a nice tip,

If you are importing the computer information to the SCCM for new client OS deployment you will find that you need to import the MAC and the GUID, the GUID is the hardest part, but to get rid of it, you can fill the GUID information with 1s and this will do the trick.

 

So the MAC address plus 1s in the GUID will make your life much easier J.

 

Cool one.

Friday, October 17, 2008

We are back

Hellooooooooooooooooooooo fellows,

I am back, I have been not posting since 3 months, but I moved to new country, new job, new place so it was all mixed up, any way so many things happened and I will get back with very new posts that will make you explode,

First posts will go about OCS 2007, CCM and Tandberg conferencing integration, I will explain the integration points and how you can do all of it in my upcoming posts, hold tight because afterwards I will post some interesting stuff about hyper-v , P2V windows 2008.

See you.

Mahmoud

Monday, July 14, 2008

OCS: How many ports required for outbound telephony calls

Here is a nice question, suppose that you have your PBX infrastructure and you have OCS 2007 as well, you want to allow outbound/inbound calls from OCS to the external world, so how many port you need..

Well, this depends on the configuration you have, here is the options:

- For E1/T1 connection you don’t need any extra configuration, why, because if you have E1 this is will be an ISDN interface that has 30 channel so you have a 30 calls (outbound/inbound) in total so you might need to recalculate how many calls you do and if you need extra E1s, same applies for T1.

- If you have analog lines, then each analog line can do 1 call at a time, so you might need to recalculate that.

- If you have primacells, same here as analog lines.

- For faxing (In total) treat is a normal phone call so if you do faxing using your E1, so you have 30 channels, if analog lines same as above.

mahmoud

Thursday, July 3, 2008

CCM 6 + CUPS + OCS 2007 integration notes:

I would like to summarize the integration notes for the above configuration, kindly find below the latest notes for OCS/CUP integration:

- To have CCM/OCS integration you will need to have a SIP trunk between the Mediation server GW facing NIC and the CCM, otherwise it will not work (calls will get service unavailable errors).

- To have Voice-mail auto redirection (a phone missed called redirected directly to the extension’s Voice mail) you will have to enable caller-ID on the SIP trunk, otherwise the user will get an auto-attendant.

- For Auto-attendant feature in Exchange, just create a new auto-attendant as voice enabled, assign an extension and create an Extension routing rule on the CCM to redirect the call to the Exchange feature and it will work.

- To do presence integration you will need CUPS in-place, we didn’t have the time to test that.

- Feature that has been tested successfully:

o PC to phone calls

o Phone to PC calls.

o Dual forking (from calls coming from OC).

o Multi-group conferencing (OC – Phone – phone).

o Voice mail and missed call notification.

o Call forwarding to phone, PC and VM.

o OVA

Thursday, June 26, 2008

using ASA and OCS video conferencing server

During my attendance of OCS ignite tour training and some other OCS events, we have been informed that OCS edge video servers cannot be located behind a NAT device e.g. firewall, this is due to the fact the Video conferencing doesn’t work correctly with NATing, so the design was saying give the Edge NIC a real IP and place it directly on the internet.

I have been working a while with ASA and I have tested my configuration, you don’t need a NAT device in ASA (5520,5540) V7 or V8 (this is my testing so results could be true), the edge server could have a real IP on its NIC, and placed in the DMZ for example, in this case the ASA will filter the packets only as a firewall and will not do Natting, creating a DMZ for the edge server might be a hustle but this is not the case if you created sub interfaces.

This might be a tricky discussion when talking to Microsoft partner or consultant since this is not the case of ISA 2006, but you can do the above configuration safely on your ASA.

I am thinking about creating routing rule between the DMZ in ISA server and the internal/external network but I didn’t have the chance to test it, so this might do the trick instead of placing your video edge server naked in the desert.

Wednesday, June 11, 2008

fast tip for controlling OCS bandwidth

Here is a fast one, you can use a client policy to control the total bandwidth of OCS and livemeeting traffic using the following registry keys:

HKLM\software\policies\Microsoft\LiveMeeting\MaxAudioVideoBitrate

HKLM\software\policies\Microsoft\Communicator\MaxAudioVideoBitrate

Thursday, May 22, 2008

SSL redirection in NLB configuraiton for CAS servers in windows 2008

Situation:

We have two CAS Servers as NLB cluster on Windows 2008

CAS1.contoso.internal

CAS2.contoso.internal

NLB has A Record in DNS: mail.contoso.com

OWA access works with https://cas1/exchange or https://cas1/owa or https://cas2/exchange or https://cas2/owa

To redirect incoming https://mail.contoso.com to one of the CAS Servers It’s a little different with IIS7.

· You need to go into inetmgr

· Select the default website

· Go to HTTP-Redirection

· Select first option and type only /exchange (or /owa)

· Then select 3rd option

· Save and close Inetmgr

(Sorry, only German Screenshot available)

cid:image002.jpg@01C8BC06.D41041C0

HTTPS Redirection is similar

· Create SSLRedirect.htm according to below Technet Article and save to C:\inetpub\wwwroot

· Open intetmgr

· Select the default website

· Go to Error codes

· Add new Entry with Error code 403.4 (note the period instead of the semicolon mentioned in article)

· Save and close inetmgr

Note:

Double-check the HTTPS redirection URL in your SSLRedirect.htm. The article says https://%3cservername%3e/exchange .

But if you simplified the URL already according to the above settings you need to remove /exchange from the redirection URL here. (e.g.: https://server23 instead of https://server23/exchange )

Friday, May 9, 2008

notes from the field configuraing and installing OCS and MP114

Here is a nice tips for MP114 configuration for a customer of mone I did OCS implementation for him:

OCS is installed in Site1, MP114 installed in site2.
This decision was taken to test the functionality of MP-114 across multiple sites, then MP-114 will be moved to Site1.
Configuring the OCS consists of the following steps:
- Install Mediation server.
- Configure the mediation server and add MP-114 as PSTN GW.
- Configure default location profile, normalization rules for all of BMW sites, external call, mobile calls.
- Enable users for enterprise voice:
o Add telephone number, mobile number and work number in user's properties in AD in E.164 format (+XXXXX)
o Enable PBX integration and add the Tel: URI
§ Currently each user has to have separate extension for phone numbers and OCS number (to call the user fro phone to communicator), this is because dual forking is not currently available (simultaneous ringing on phone and OC), this will be available in the second quarter of 2008, for example to dial user x on phone call from OC he has to have extension 14000 (which is configured in the Tel: URI) and to call him from OC to phone he has extension 4000 (which is configured in the phone properties.
o Synchronize the Database with the new numbers:

§ C:\Program Files\Microsoft Office Communications Server 2007\Server\Core>ABServer.exe –regenUR to Synchronize the users from AD to OCS DB.

§ C:\Program Files\Microsoft Office Communications Server 2007\Server\Core>ABServer.exe –synchnow to Synchronize the address book with the users DB.

o Configure the MP-114
§ The current PBX (HIPATH 5000) doesn't understand the phone numbers in E.164 format, when we dial 4000 the normalization rule translate the number to +4000 format, this number is not understandable by the PBX, we use the protocol management > manipulation Table in the MP-114 GW to manipulate the destination number to remove the + (by stripping 2 numbers and adding the dial plan identifier) (attached the INI file for final MP-114 configuration).
o Test the calls from OC to PSTN, PBX.
o Calls are successfully done in local sites, across the sites (OC > GW > Local PBX > remote Site PBX), and thus we need single GW and single Mediation server for the implementation.

Monday, April 21, 2008

The sum of all of really silly OCS questions

I had those silly OCS questions, asked some good folks and have them answered so you might want to take a look on them:
  • In web conferencing, I know that the conferencing server has a built-in load balancing functionality, so if we have a pool of servers and new conference will start, the least loaded server will be selected to host the conference, now suppose that a user 1 scheduled a conference in a pool with 3 conf. server. Server 1 is elected to host the conference. Within the conference user 8 and user 9 wanted to join the conference but server1 became loaded so what exactly will happen, user 9 and user 8 will be hosted on server2, or will not be able to join the conf?.
All Conference states and information are on the focus which is in the SQL Data Base… So even if user 1 is on Server 1 the conference info and state are in SQL… So when users 8,9 connects to Servers 2 and 3 no problems…
  • In the VOIP when a user forward a call to his mobile, how is the caller/receiver are charged? User1 called user2 and he forwarded the call to his mobile. So user1 will be charged on that as mobile call, does user’s 2 phone system get charged for the call forward?
User 1 calls User 2 (Users 2 pay for costs for calling initial User 1 number)… Users 2 decided to forward to his mobile from system… System of User 2 will pay costs to call User 2 mobile number… User 2 happened to be roaming and kidding around then User 2 pays roaming bills… Think of it as separate phone calls each paying the cost of his decision…
  • In the OCS planning examples I found a note that indicates that in the OCS topology only 1 edge server in the OCS topology should serve the external IM access even for multiple pools. Doesn’t seems logic for me why I cannot have multiple edge server for each site and users configured the FQDN for the edge serve and login using edge server in their site.
Because you could only have one FQDN with the name (SIP.company.com) and this is what is initially supported and tested… The main Access edge server has to also be the destination of the FQDN (Sip.company.com)
  • If the note in point 3 is right, this means that I will have to plan the BW at the central location to serve the hall clients logging in, and I will need a director as well. The other point the access proxy redirect or proxy the traffic?
Bandwidth for logon and text is not a big deal.. Yes anyway for your first question… For the second question… The Access Proxy Server will proxy the user’s traffic coming from the internet to the user’s internal pool…
  • What is the HA planning for the Media Gateway?, searched for that and didn’t find it mentioned any where…
Is it mentioned in the Voice Ignite material… HA planning is to have redundant Media Gateways with similar configuration…
  • How to schedule a telephony meeting?
Currently telephony conference role is to integrate with your telephony conference provider, this is planned in the future releases.
 
Duhhhhh J.
 

What is passive SUP for?

Long time I haven’t blogged sorry I was busy with some re-allocation to new place..etc

 

A nice discussion I have involved in about the benefit of having a passive SUP in the SCCM hierarchy, well NOTHING.

 

you do need to create a non active SUP to install the active Internet-based SUP (selected and configured in the Software Update Point Component Properties) and when creating an NLB for the active SUP.  The non active SUP would be installed on each server in the NLB and then the active SUP would be configured as the NLB.

 

Other than this, you cannot use it for reporting. I thought that clients in branch sites can report to the local WSUS and this info will be replicated to the parent WSUS somehow, well this is wrong. So if you will not deploy a WSUS you don’t need passive SUPs.

 

Regards,

Mahmoud.

Tuesday, April 15, 2008

SCCM across forests - one final note

Hello,

One final note regarding this topic, if you will install SCCM site in different forest, Microsoft doesn’t support installing the secondary site in the new forest,  you will have to install a child site only on the new site. So all the planning has to be done base on child site planning.

Thursday, April 10, 2008

PXE boot creates a new record for computers after reinstalling the OS using PXE

Hi,
I spent this week trying to understand this issue from a lot of SCCM folks, thanks god I finally got it, so I would like to share it with you:

When you take a laptop, PXE boots it and drops an image onto it. ConfigMgr client installs and laptop joins site and applies packages – cool! Now then you clear PXE advertisement and roll out an OS onto that system again. There has been no change at all on the laptop so all the BIOS GUIDS etc. are identical, however a new ConfigMgr resource record and a new ConfigMgr GUID is assigned to the machine. The machine maintains its domain SID, MAC address, SMBIOS GUID etc. so why SCCM is creating the a new records:

This is the default behavior If site in mixed mode, and manually resolve conflicts is not enabled, the rebuilt machine gets new sccm identity (guid). If the site setting to manually resolve conflicts is enabled, then those records would appear in the resolve conflicts node. If in native mode this should not occur.

The basic problem is that when a computer is re-imaged from bare-metal in mixed mode security, ConfigMgr has no way to know if it’s really the same computer and you want it to have the same identity, or whether it is some rogue computer trying to usurp the identity of an already managed computer. PXE is a very insecure protocol, and things like the MAC address and SMBIOS are easily spoofed.




The “Manually resolving conflicting records” option is a site-wide setting, but if you set it, it requires IT Admin intervention to resolve the conflict. The current behavior is not considered to be a bug, though arguably we should offer an “automatically merge” option that doesn’t require IT Admin intervention

In native mode you don’t have this issue because of the certificates, In native mode, essentially SCCM punted the problem off to whomever (or whatever) is issuing the certificates. If the certificate issuer thinks it’s the same computer, then the new issued certificate should have the same subject name and #2 under Native Mode Security in the slide below applies. If the certificate issuer doesn’t think it’s the same computer or doesn’t know, then the new issued certificate should have a different subject name and #3 under Native Mode Security applies.

But How the certificate issuer knows that the computer is old is new one then?

Could be by a wide spectrum of different ways, depending on how certain the certificate issuer wants to be that it really is the same computer and not some rogue.

At the least secure, but most automatic, end of the spectrum, the certificate could be issued by AD automatically for any computer joining the domain, with the subject name set of the FQDN of the computer. In this case, if the computer runs an OS deployment task sequence, it will be able to join the domain (since the task sequence has the domain join credentials) and it will automatically get a certificate from AD without the IT Admin doing anything. Obviously, this isn’t very secure.

At the other end of the spectrum, and IT Admin might have to physical visit the computer, verify its identity, and install the certificate from removable media once he has verified the identity of the computer. This is the most secure approach, but the hardest because of the manual steps required.

Any given customer will have to decide what approach meets their needs on the security/ease-of-use tradeoff.

In the case of PXE boot, the MAC address of the computer and/or the SMBIOS UUID of the computer are matched against entries in the ConfigMgr database. Assuming that a matching entry is found, the computer name from the database entry is sent back to the computer running the task sequence and that computer name is assigned, this is how SCCM recognize the machine in the case of PXE where not certificate is installed on the machine the machine is wiped off.




Wednesday, April 9, 2008

SCOM is not monitoring DHCP server cluster resource

here is interesting info:

My customer has DHCP server is running on a cluster node, all of the other cluster groups are monitored but not the DHCP group this result that the virtual server not  included in the windows 2003 DHCP group and DHCP on it is not monitored, I found the issue: the issue that the discovery is processing the start reg value with object of 2, on the cluster the attribute is set to 3:

<Configuration>

  <ComputerName>$Target/Property[Type="WindowsLibrary!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>

  <RegistryAttributeDefinitions>

    <RegistryAttributeDefinition>

      <AttributeName>Microsoft_Windows_DHCP_Server</AttributeName>

      <Path>SYSTEM\CurrentControlSet\Services\DHCPServer\Start</Path>

      <PathType>1</PathType>

      <AttributeType>2</AttributeType>

As I searched and most of my fellow consultants did, it looks that the DHCP MP is not cluster aware, and this will be fixed in the next version, so be careful as this is not mention anywhere in the documentation either in DHCP MP or cluster MP.

 

Bye

Monday, April 7, 2008

SCCM distributed application is not monitored - SCOM 2007

Hi,

Here is some tips for people who cannot monitor SCCM using the latest SCOM management pack:

-          Make sure the agent proxy is enabled on the SCCM server.

-          Make sure that you have created  SMS_INSTALL_DIR_PATH system variable.

-          Make sure that you installed the SCOM x86 agent, you cannot monitor SCCM using the x64 agent, this is a known issue, so you might need to install the agent manually.

I am pretty sure that the SCCM distributed application will be monitored now J

Saturday, April 5, 2008

what information are lost when using the restore-mailbox

Here is a nice info you have to consider,

When restoring mailboxes from RSG all of the information are retained like special folders, dumpster and calendar items, but when it comes to rules, ACL and views they are lost.

Rules, views, forms and ACLs are not recoverable when you use an RSG, so you might need to make sure to document those down and make sure that you inform the end-user about that to avoid any troubles.

deploying OS using SCCM to unknown computers

Because people might want to know how, Michael Niehaus posted a great article about it here http://blogs.technet.com/mniehaus/archive/2008/01/19/microsoft-deployment-configmgr-boot-media-unknown-computers-web-services.aspx so visit it you will like it.

Backing up Exchange 2007 using Veritas 11d

Well, most of us had issues with backing up Exchange 2007 using Veritas 11d, I fought for over of 2 months to get it working and finally I did, I found that there is a lof of folks out there that were fighiting with it with no luck, but after opening so many cases with Symantec and Microsoft we managed to push it to work, most of us got the ugly error:

Completed status: Failed
Final error: 0xe0008488 - Access is denied.
Final error category: Security Errors

For additional information regardaxing this error refer to link V-79-57344-33928

Errors
Click an error below to locate it in the job log
Backup- Exchange2007.lab.localMicrosoft Information StoreFirst Storage Group V-79-57344-33928 - Access is denied.
Access denied to database Log files.
Backup- Exchange2007.lab.localMicrosoft Information StoreSecond Storage Group V-79-57344-33928 - Access is denied.
Access denied to database Log files.

Exceptions
Click an exception below to locate it in the job log
Backup- Exchange2007.lab.localMicrosoft Information StoreFirst Storage Group WARNING: "Exchange2007.lab.localMicrosoft Information StoreFirst Storage GroupLog files" is a corrupt file.
This file cannot verify.
Backup- Exchange2007.lab.localMicrosoft Information StoreSecond Storage Group WARNING: "Exchange2007.lab.localMicrosoft Information StoreSecond Storage GroupLog files" is a corrupt file.
This file cannot verify.
Verify- Exchange2007.lab.localMicrosoft Information StoreFirst Storage Group WARNING: "Log files" is a corrupt file.
This file cannot verify.
Verify- Exchange2007.lab.localMicrosoft Information StoreSecond Storage Group WARNING: "Log files" is a corrupt file.
This file cannot verify.

This guide will contain the required detailed steps to configure Veritas 11d to make things works.

here is the guide

veritaswithexchange2007.doc

Edge server is not applying Recpient filtering

I implemented a big Exchange organization (couple of Clustered mail server and hubs and CASs and edge server) however when I tested Email filtering on the edge server I found that the HUB server is delivering the NDR not the EDGE as below:

Microsoft Mail Internet Headers Version 2.0

Received: from mail.ourdomain.corp ([z.z.z.z]) by mail2.ourdomain.corp with Microsoft SMTPSVC(6.0.3790.3959);

                 Wed, 4 Jul 2007 22:38:23 +0300

Received: from mail-relay.Domain.com ([x.x.x.x]) by mainserver.domain.com with Microsoft SMTPSVC(6.0.3790.3959);

                 Wed, 4 Jul 2007 23:38:00 +0400

Received: from Edge.Domain.local (Edge.Domain.com [y.y.y.y])

                by mail-relay.Domain.com (Postfix) with ESMTP id 519514F856

                for <user@mydomain.com>; Wed,  4 Jul 2007 15:34:02 -0400 (EDT)

Received: from Hub-cas.Domain.local (10.10.20.12) by edge.Domain.com

 (10.10.10.10) with Microsoft SMTP Server (TLS) id 8.0.700.0; Wed, 4 Jul 2007

 22:33:27 +0300

MIME-Version: 1.0

From:

To:

Date: Wed, 4 Jul 2007 22:34:00 +0300

Content-Type: multipart/report; report-type=delivery-status;

                boundary="b5fe7bbb-1255-4b2c-a096-a956efb3c516"

Content-Language: en-AU

Message-ID:

In-Reply-To: <5486BE6683AFD54F935039CCF748F6645EB83E@EGMAIL02.SPSEGY.synergyps.corp>

References: <5486BE6683AFD54F935039CCF748F6645EB83E@EGMAIL02.SPSEGY.synergyps.corp>

Thread-Topic: sdkfj

Thread-Index: Ace+chJwkNcA93RTS0eP7gFPEivGtwAADLvH

Subject: Undeliverable: sdkfj

Return-Path: <>

X-OriginalArrivalTime: 04 Jul 2007 19:38:00.0514 (UTC) FILETIME=[D4908A20:01C7BE72]

 

--b5fe7bbb-1255-4b2c-a096-a956efb3c516

Content-Type: multipart/alternative; differences=Content-Type;

                boundary="2b3dfb83-92ed-49eb-83af-e3cc6a5daa71"

 

--2b3dfb83-92ed-49eb-83af-e3cc6a5daa71

Content-Type: text/plain; charset="us-ascii"

Content-Transfer-Encoding: quoted-printable

 

--2b3dfb83-92ed-49eb-83af-e3cc6a5daa71

Content-Type: text/html; charset="us-ascii"

Content-Transfer-Encoding: quoted-printable

 

 

--2b3dfb83-92ed-49eb-83af-e3cc6a5daa71--

--b5fe7bbb-1255-4b2c-a096-a956efb3c516

Content-Type: message/delivery-status

 

--b5fe7bbb-1255-4b2c-a096-a956efb3c516

Content-Type: message/rfc822

Although that the agent were enabled in the GUI, it seems that the transport agent were disabled when I got them using the get-trasnportagent cmdlet, enabling them using enable-trasnportagent solved the issue J.