About Me

My photo
This is a blog for John Weber. One of my joys in life is helping others get ahead in life. Content here will be focused on that from this date forward. John was a Skype for Business MVP (2015-2018) - before that, a Lync Server MVP (2010-2014). I used to write a variety of articles (https://tsoorad.blogspot.com) on technical issues with a smattering of other interests. I have a variety of certifications dating back to Novell CNE and working up through the Microsoft MCP stack to MCITP multiple times. FWIW, I am on my third career - ex-USMC, retired US Army. I have a fancy MBA. The opinions expressed on this blog are mine and mine alone.

2017/12/17

AudioCodes HRS 458

I have noticed, over the last few years, that companies are spending less on the fancy Video TeleConference (VTC) rooms.  I have also noticed that in my project work, the same companies want the video in Skype for Business (SfB) enabled, but they also note that it does not get used as much as they expected.  Tie that fact with the expense of the VTC room equipment, and we see the rise of the small conference room (cue ominous/heroic background music).

Now, you would think that most folks would fall over themselves trying to get on camera.  I base this on the moonbeams on reality TV who will do anything for camera time.  In the business world, it seems that a bit more prudence takes precedence.  And it turns out most times that video is not the friend of telecommuters who work, like me, in their jammies sometimes.  Or coworkers who did not have their matching suit, their hair just right, or don’t like to be on camera for some other reason.  Bottom line, video use spikes up at introduction, then usage tends to fall off. Way off.  Or at least it does in my little world.

In recognition of this phenomena, companies are starting to use smaller conference rooms.  With Skype, anyone who brings a laptop to the meeting, or if there is already something in the room with a camera, you can stream video.  No need for the bazillion dollar wall unit in every room.

To facilitate this, there have been a variety of conference room solutions whereby the audio is presented both ways, but no video.  Video becomes an add-on for SOME meetings, but not all.  Audio reigns supreme, as it has since the first conference call in 1956.  If you are really interested, you can read some sycophantic stuff here, here, and here.

Enter AudioCodes

To link, somewhat nebulously to the previous paragraphs, these conference rooms need a “something” to sit on the table and provide audio, phone services, and perhaps even a data connection.  You could bring your laptop, and many people do.  But having a static piece of gear is the way to go.  And you need it to be somewhat cost effective, and usable.  I think some emphasis needs to be on “usable” because I have seen some setups that were a tad incomprehensible. I do this for a living and found operation difficult and sometimes tedious.

The fine folks at AudioCodes present the Huddle Room System (HRS).  Ta Da!  At the top of the HRS lineup is the 458 – designed for that mid-size room that holds about 10-15, has a table about 15 feet long, you know… the semi-exec room.  Here is the full AudioCodes IP phone Series so you can visualize where this product lives.

image

For that use case you need something that has great audio pickup, clarity, great audio delivery, and maybe more importantly, looks and acts like a traditional handset.  I know, that is really counter to popular thinking.  But, you know, maybe the pundits who are not spending their own money might just be wrong, eh?

Let’s take a somewhat detailed look at the AudioCodes HRS 458.

The first thing to know is that the HRS is based on the 450HD handset.  Then, what is this thingy attached to it?  Yes, looks just like the Jabra Speak 810.  It looks just like that, because, mainly, it is.  Which also brings us to the first point.  No PoE here – I think mainly to maintain power levels for the speaker phone.  Here is your first professionally posed still life photograph:

image

I really wonder at times why I am not a photographer by trade.  Look at the composition!  The color!  Oh my.  Adelante.

The HRS came out just as I was delivering a project and I took my demo down for them to try out.  Customer loved it.  Great audio presentation just on the 450HD, but with the football attached to it, the HRS 458 can now service the entire room.  And does it in an excellent fashion.  We tried to find a spot in the room where the football would not find you talking and we failed.  Perhaps a larger room would have caused some degradation in audio quality.  Perhaps not.  Our test room was a 20 person room, long and narrow.  The 458 system simply did what was expected with overall excellent audio.

Having the 450HD as the basis for the HRS results in the customer being able to reduce the handsets needed as the 450HD base unit provides telephony services to the room – no need for a “something” on the table, and a “real” phone in the corner so you can call for help, donuts, coffee, or whatever.

IP Phone Manager

Yes, as a 450HD-derived piece of kit, there is a handy web interface to provide configuration and management. 

image

The HRS shows up in IPP Manager also.

image


Skype Connection

You know I have to do it – somehow get the Skype for Business angle highlighted.  After all, that is what I do.

Knowing that I had what amounts to a IP phone coming into the environment, I prepared a simple full user account, with a mailbox, enabled it for Enterprise Voice with a secret squirrel PIN and extension dialing.  Taking the 458 out of the box and connecting it took longer than setting up the account.  Once powered on, getting to this point here took all of two minutes… literally.  Compare the on-phone time.

image

Because we are using SfB and AudioCodes together, the experience is just like using a regular 450 – that is – so nice.  All call controls, interactions, connections, and usage patterns will be the same as the user and their own account.  Because I ginned up a regular account, the HRS had a copy of the meeting on hand for those critical single click meeting joins.

I did notice that it took 5-10 minutes for the EWS read to occur which updates the calendar display on the HRS.  A little expectation setting with your users will be in order so as to avoid a bunch of bitchy help desk calls.

Logging in with the room ID, shows the current schedule for the room:

image

If you are really bright and include the phone account in a SfB meeting, then you get one-button joins as shown.  Otherwise you have a “details” | “attendees”|  “dial” button that provides calling the organizer directly.

image


Logging in as a regular user displays… duh!  Your schedule. Here is Mr. Chicken Hawk…

image

In terms of total time, maybe 10 minutes total, and I did not have to do anything special to either the SfB environment or the phone itself.  I literally plugged the 458 into the network, into power, and logged in using the 10-key.  And it just works.  Fairly perfect from over here in the cheap seats.

Summary of Findings

Standard AudioCodes build quality – which means this is excellent, solid kit.  Great materials, look, feel, functions.  All a package that works the way you do generally – kinda on the fly, groups probably not bigger than 10-15, and video not needed or wanted.    This solution should be on your short list.

YMMV


2017/12/04

O365 Exchange Voice Mail–Oracle

I have been informed, by a source that I deem to be about 75-80% reliable, that Oracle will not be participating in gymkhana that is the 3rd party PBX using Exchange O365 as a voice-mail target.

A while back, Microsoft announced that Office 365 as a valid voice mail target for 3rd party PBX systems would no longer be an option.  In fact, at the designated date, it’s not like the solution set becomes “non-supported” it will simply not be possible.  These solutions had an SBC (session border controller) sitting between the PBX and O365.   But no longer.

AudioCodes has a solution setanyNode has a solution set with which  one of my co-workers has worked.  Actual words will not be published in respect to my gentle readers.

So here is the announcement, and if you use Acme Packet SBC to connect your PBX to EOL Voice mail, then this might impact you.

“Oracle is not pursuing a product for this, mostly due to the proprietary nature of the implementation.  The interface into Exchange uses the Microsoft UCMA API/protocol which isn’t something we support.”

YMMV

2017/11/01

AudioCodes 400HD firmware v3.04

Those fine folks (and apparently busy beavers) at AudioCodes have popped a new IP Phone firmware release out into the wild. Brings a nice new set of features/abilities to the 450HD in particular.

Please note that the official GA is still 3.0.1. Version 3.0.4 will be used as a candidate GA in the next several weeks. Admin and User’s manual will be ready in several weeks. Version 3.0.4 for all other 400HD models will be available within several weeks.

Here is a partial list of version 3.0 new features. For the full list of features, please refer to the Release Notes document:

· Boss-Admin (Delegated Line).

o Allows a relationship to be established between a boss' phone and an administrative secretary's phone, to streamline office workflow and enhance efficiency.

o Each phone can support up to five Bosses or Admins. One Boss can have up to five Admins. One Admin can have up to five Bosses. A many-to-many configuration is also supported.

clip_image001

o Call Pick-up

o Admin can forward to Boss' voicemail without picking up Boss' line

· HotDesk feature for enterprises that operate according to the 'touch-down desk' concept. Employees in these enterprises typically travel frequently to remote branches, or work in shifts. They can now sign in to a phone that is already signed in by another (CAP or regular) user without signing out the original user to whom the phone was assigned for primary use.

clip_image002

· AudioCodes' IP phones support Lync AutoDiscover Web Service Protocol [MS-OCDISCWS]. This feature improves discovery of the phone's SIP home server after signing in. Using the AutoDiscover procedure the phone is capable of finding its home server URL for a specific Skype for Business account, based on user credentials. It is specially efficient for Skype for Business online and hybrid environments, when phones must sign in to a different Skype for Business server according to the user’s account. Previously, the home server was found using DNS SRV records based only on a SIP account domain [MS-CONMGMT]. If AutoDiscover is unsuccessful, the phone falls back to SRV DNS.

· The phone's Call Log is synchronized with Microsoft's Exchange server. All devices that a user signs into are fully synchronized with the server. Each device reports every call from | to that user to the server. Each device then pulls the last 20 reported calls and performs synchronization. All lists in each device's Call Log except the Missed Calls list are synchronized.

· New screen theme reflects Skype for Business 2016 client look & feel | New softkeys match the de facto Skype for Business standard. This new feature ensures uniformity across all devices used by the same user, for Unified Communications. The following figure shows the new-theme idle screen:

clip_image003

· Dial Plan Normalization. Network administrators can enable and configure dial plans on the Microsoft Skype for Business server. Normalization rules can be downloaded from the server via in-band provisioning. The feature was fully certified and tested with Microsoft in this version. It was supported in previous versions, but without Microsoft certification.

· Multiple Emergency Numbers. A caller can select an emergency number from a list of emergency destinations. A dedicated number for the police, ambulance service, fire fighting service, etc., can be selected from a list of options. If the phone locks, emergency numbers will still be available and dialable via a new Emergency softkey that is displayed after the lock takes effect.

· Power Saving mode. When a phone enters Power Saving mode, the screen's brightness is reduced, lowering power consumption. The phone enters the mode after being inactive for a configured period (timeout). Any user activity returns the phone to regular Active mode.

clip_image004

clip_image005

· Malicious call tracing. Users can report a malicious call. If a user gets a call and wants to report it as malicious, the phone allows them to send a report to the Skype for Business server. To allow malicious call reporting by the phone, the feature must be enabled by the network administrator on the Skype for Business server (the option 'Enable malicious call tracing' must be selected).

· Sign-in can be cancelled during the signing in procedure. Users can cancel signing in after starting the sign-in process.

· Voice Quality Check. A new option to check IP phone voice quality has been added to the phone's Device Status menu.

clip_image006

clip_image007

Things seem to be moving forward very nicely at AudioCodes.

YMMV

2017/10/06

AC firmware v3.0.1.x BToE button greyed out

Scenario

BToE is pretty nice.  But let’s face it.  Not always easy to work with.  Especially when a service provider insists that a buried setting be configured so as to disable the manual concepts and default to automatic.

So, let’s figure out how to get an AudioCodes 450HD with the latest firmware (3.0.1.9.367) to play BToE with us like WE want, not how somebody else wants. 

OOBE for a phone that is going to be qualified for SfBO is with the BToE pairing forced to “automatic.”  This results in the button being greyed out when you go to MENU on the phone.  In this mode, BToE pass-though mode works just fine.  Web login to SfBO works as expected.

But what if you want to do something like, pair a wireless laptop with the handset device always CAT5 so you can just grab the laptop and go?  Like a laptop is designed to work? 

The Fix

What we need to do is light up the BToE button so we can get a pairing code (essentially a representation of the device IP).  Not exactly easy to find for those who don’t typically read 200+ pages of setup. Like me.

Hmmm… (page 113 of LTRT-14820 450HD IP Phone for Microsoft Skype for Business User’s manual ver.3.0.1.pdf) says

clip_image002

Going to the admin manual…. ( page 157 of LTRT-09943 400HD Series IP Phone for Microsoft Skype for Business Administrator's Manual Ver. 3.0.1)

clip_image004

And that does work to enable the BToE button.

The cfg file is available here – there is the semi-standard “download the file, modify the file with text editor, upload the file to phone routine.”

image

Here is how the phone cfg file looks by default…

image

And here is how it needs to look.  After uploading the cfg file, the phone will restart and you can then manually pair.  Remember that the manual pair code is case sensitive.

image

SfBO policy

Make sure that your Office 365 admins, if that role is not you, changes your online policy for ip phones to enable BToE, and further more to not change the pairing setting.  For more information see this.

https://webcache.googleusercontent.com/search?q=cache:hYptjYU9T9AJ:https://technet.microsoft.com/en-us/library/mt629497.aspx+&cd=1&hl=en&ct=clnk&gl=us

clip_image002[7]

Summary

BToE button greyed out, but automatic pass-through BToE works.  You want control of that button so manual pairing is possible for wireless connections.  Modification of the cfg file is required.

As always,


YMMV

2017/10/05

Restricted Office 365 OWA–Skype on-premises Integration

Scenario

Office 365 tenant established.  Exchange Online (EOL) for the user mailbox.  Skype for Business on-premises for IM/P.  Users are mixed – some have full Office suite, others are just a browser.  Security is tight.  No federation is desired or allowed with partners, vendors, spammers, or public (consumer) Skype. In addition, the requirement also stipulates that no authorized user can use the system remotely without going through a VPN. 

This last requirement means that remote users via the Edge server must be disallowed – but….won’t the Office 365 users be remote?  Great question.  We will cover that down below.

Because of the user software mix, we need the pure browser user to have OWA (EOL) integrate with the SfB on-premises.  Not the most attractive (visually and functionally) solution from the user perspective, but it does work.  Specifically, the function requirement was for OWA users to have presence information and be able to IM.

This article will not attempt to show the end user how to muddle through using SfB with EOL OWA.  The focus is just providing the service.

So, here is a visual of what we want… presence going both directions between the on-premises SfB users, and at least one of the users is using EOL OWA.

OWA User

clip_image002

On-premises user

image

How to

Obviously, we need an on-premise pool of some sort, and an edge server.  And then get your hybrid working.  In this case, the tenant (and the EOL work) was up and running before the SfB project started, so all we had to do was make sure that the Azure AD Connect was done right. 

  Danger Will Robinson!  

Because the AAD Connect was done prior to to SfB schema extension, the AAD connect will need to be FORCED to reread schema and synchronize.  You can read about this in a somewhat related post here. 

Moving on…

Having taken care of the obvious install and configuration items, the next thing is to establish hybrid posture.  If you have not already done so, you can read up on it here, here, and here.  Pay particular attention to this last reference.  Failure to do this will result in a no-go..  If you want all the fancy-schmancy integration, then you will need to do this here also. 

Now that you have all that done, we are done.  Right?

Well, no.  Remember that we needed to have no federation with anyone other than an Office 365 user, and no remote user access?  That seems to be a bit conflicting, yes?  But no.  A remote user is someone using a full client.  A bit of testing showed that Office 365 connecting to the on-premises SfB was a federation user not a remote user.

As a final bit of constraint, we did not want to be changing the external firewall.  So what to do?  Maybe we need to do a little something with Edge configuration and policy, eh?

Here is our Access Edge Configuration:

image

From the top down, we need to federate – Office 365 is a federation.  Per security requirement, no partner domain discovery, which closes out contacting anyone other than our own domain.  No need to send an archiving disclaimer to people we cannot talk to.  Per security, no remote user access.  Lastly, no outside access to web conferencing, so no need for those pesky anonymous attendees.  Just to confirm your deepest doubts, here is the SIP Federated Domains list:

image

Here is the External Access Policy:

image

Again, from the top, and note that we only have one thing checked…federated users is the requirement.  Nothing else needed… XMPP is pretty much dead nowadays anyhow; no remote users, ergo, no need for that, and without public user federation, no need for that either.

Conclusion

We had a set of requirements:  OWA integration between EOL and on-premises SfB.  Security concerns were that no other domains be contacted, and none of our domain users can be remote.  EOL users were not using Outlook, just OWA and we needed presence and IM.  We did not do the full OAuth as those features were not part of the specification.

YMMV

2017/10/04

AudioCodes Updated 4xx firmware

Audiocodes has released an updated 3.0.1 version for all 400HD models. Comparing to the 3.0.1 GA, this version includes mainly bug fixes. Please refer to the new release notes document to see the list of fixes. For customers that still did not move to 3.0.1 GA and plan to move to 3.0.1, it is recommended to use this version (instead the 3.0.1 GA).

Version name:

  • UC405HD_3.0.1.276.img
  • UC420HD_3.0.1.276.img
  • UC430HD_3.0.1.276.img
  • UC440HD_3.0.1.276.img
  • UC450HD_3.0.1.89.367.img

According to my source, these new firmwares are anticipated to be posted to the AudioCodes website (www.audiocodes.com) sometime early next week.  In the meantime, my phones (420, 440, 450) seem to get along right well with the new code.

As an interesting side note…my web login/BToE combination now works as expected.  Previously this was not working, and I know our corporate IT recently changed the Office 365 BToE status, and it could have been the firmware.  If you are having issues, maybe this firmware will help you.

I have a zip file with updated documentation and firmware files here.

YMMV

2017/09/06

AudioCodes X-UM

By now, I hope you already know that as of July 2018, Office 365 will no longer work with SBC connections linking your off-brand PBX to Exchange Online UM services (read voice mail).  For an actual read of the announcement, see this.

Here are the solutions offered by Microsoft:

  • Option 1: Complete migration from 3rd party on-premises PBX to Office 365 Cloud PBX.
  • Option 2: Complete migration from 3rd party on-premises PBX to Skype for Business Server Enterprise Voice on-premises.
  • Option 3: For customers with a mixed deployment of 3rd party PBX and Skype for Business, connect the PBX to Skype for Business Server using a connector from a Microsoft partner, and continue using Exchange Online UM through that connector. For example, TE-SYSTEMS’ anynode UM connector can be used for that purpose. (sic)
  • Option 4: For customers with no Skype for Business Server deployment or for whom the solutions above are not appropriate, implement a 3rd party voicemail system.

Personally, I would change Option 1 and Option 2.  Especially if you have any combination of complexity, multiple locations, and user count.  Couple that risk scale item with sheer lack of calendar, and I think it would be easier to get on-premises fired up and connected.  And, IMHO, doing 2 would make getting to 1 easier with a better user experience.

Option 4 is not really an option is it?  Everyone should want, need, and implement SfB.  Life is better with SfB.  Trust me.

About this time, the alert reader will notice that I skipped Option 3.  That’s because those nice folks at AudioCodes have somewhat solidified their plans for stepping into the breach.  How nice of them! 

AudioCodes has put together a very nice, comprehensive, suite of solutions based on their outstanding hardware and CCE experience. 

image

As the X-UM solution set, there are three of them:

image

Here is a bit different look at it…being a visual kinda guy, this is the view that helped me the most:

image

And then we have these further details for each scenario:

image

image

Microsoft licensing for the X-UM solution you choose is not covered, which makes sense, there are too many variations.  Here is the official blurb:

 image

How about some architecture oulines?  I like pictures that show me things.  Here is the X-UM Standard and Lite.  Note that the “Lite” version relies on existing on-premises SfB resources.

image

image

Now, based on my current project, I know that there is going to be someone out there in reader-land who needs a visual of the call flows.  I know I do.

image

image

Summary

About now you are most likely wondering which of these will work for you. AudioCodes X-UM is based on proven hardware and proven solution approaches (CloudBond, CCE). If your environment is more complex, needs that existing PBX to coexist with Office 365 for your VoiceMail needs, then choose the flavor that answers your needs.  AudioCodes has you covered for any of the option 3 scenarios and could possibly help you (in the Lite version) with Option 1 and 2 also.

I know that somewhere above 75% of my customers all have some sort of “mixed deployment” usually due to call centers, business process, and culture.  Notice that none of those are easily changed before July 2018.  Ergo, we need to do something else in the short time we have available.  I submit that AudioCodes X-UM might well be that something.


As always, YMMV


2017/07/28

SfB Default AD Containers

Scenario

You know how those tin-foil-hat types are…

image

If it can be changed to “enhance” security, then by golly!  Let’s do it!  The problem, of course, is the rule of unintended consequences.  You know, what happens to something else because of action A, that is totally unplanned, and no one knows about it.

And, while I am mentioning it… have you ever noticed that the same team YOU have to run everything through for approval never asks your team if it is OK if they make a change?  They just do it?  Odd how that works out, eh?

Adelante.

The Oops!

It turns out that about 6 weeks ago, the aforementioned team instituted a change to the default AD containers.  To whit, they changed the default computer container to be something other than the OOBE.

Turns out that breaks SfB big time.  As in no more publishing the topology.  A Get-CsAdDomain fails.  But that is the clue to the fix.

The Fix

Simply run the SfB Domain prep again.


YMMV

2017/07/19

Technical Consulting

Something went through both of my brain cells today. And to keep a long story short, it centers on your approach to the question – whatever the question might be at the moment. But, let’s confine the definition to work, where we spend a goodly portion of our life, and how we would like that portion of life to be as good as possible.

I was listening to a hotshot answer what I narcissistically thought was a great question when the light bulb lit. His answer was not only covering the technical aspects that I needed to hear that he knew, but he was (quite cleverly) also feeding in the business angle aspects to the answer formula. In essence, he was answering my follow-on questions of “what is the business reason for taking this action and does this action resolve the situation with the minimum staff adjustments in terms of time and skill set and did you cover the hidden costs as well as storage, cpu, ram, racks, et cetera.”

In short, he was doing really well answering my question. And I know he was the same in front of the customer. Everyone needs to have this guy on the team.

At any rate, the light bulb lit up on the concept of technical v consulting answers. Mr. Hotshot could have stuck with the pure techno-babble, with lots of numbers, specifications, descriptions of how to do it, and all of that fun stuff. Surely, there is great value in having someone know exactly how to do whatever it might be right off the top of his or her head. I wish I could do that sometimes. I usually revert to being able to point them right at some reference work. Works for me. And reserves my spare brain cell for other things.

Details are critical to our success. Mr. Hotshot was clearly in the right spot – he can bang out the details like no-one’s business. And he knows what he does not know. And he knows how to defer the question to an issue parking lot for follow-up. Perfect.

Mr. Hotshot could also have just gone the technical route and ignored the consulting aspects until asked. All the logistics questions and staff and culture type stuff could have waited. There is some tremendous value in knowing all of that stuff even if at first glance it does appear to out of scope for our project. After all, “how is lunch served around here?” is an important project scheduling point.

But more to the point, what about using those consulting skills to identify architectural detail about the environment, impact to the project (and affecting the defining business goals/requirements) and perhaps dredge up more business? Gees. That sounds awful salesy huh? How about the idea that the design might need to change in mid-project? There is a benefit to having your very own in-house consultant, eh?

We have two approaches to doing what we do. You can be deep technical. You can dive in deep. I know a guy that you can call at almost any hour and pose some bizarre Active Directory or Registry question. Just be prepared to scribble fast because there is no way you will remember the details the forthcoming answer will encompass – but it is going to answer your issue. He knows some serious technical depth stuff.

But you can go too deep and lose your audience. What we do must be tailored to the audience. If a business decision maker is in the room, then you better be including that person in your audience profile. The technical team can wait a bit while you fill in their boss with the business details stuff and make his staff look like they were all over it from the beginning.

In our work, I see a real-life need for a consultant who can get into the technical errata, be able to walk and talk at the same time, and discuss business to the extent of your understanding; all of that without getting into even minor prevarication or truth stretching.

And here is our intrepid Mr. Hotshot fieldling my question tree with answers that meld the technical with the consulting. “Choices made for these reasons which tie to this technical answer and so on to this business requirement.” Or “we discussed the need for expanded storage” and “I expressed my concern that the network might not support the technical solution.” I know he gave those same answers to the customer and guess who was in the room? The customer’s CIO. And Mr. Hotshot is giving me answers like that. The conclusion should be obvious.

We have more work coming from that customer. That makes your work life better.

YMMV

2017/05/31

SQL Change Ports

The Port Change Issue

On a project where the SQL team has a policy of changing the SQL port away from the default of 1433? 

This does not pose a huge problem for your intrepid Skype (or Lync) deployment engineer.  If you are needing to know what to do, and maybe you have, oh, 30 or so front ends to modify, then maybe I can help you out a tad.

The issue is modifying the registry to tell your host server where to go to access the requisite port on the target SQL server.  As it turns out, I had to remember this, as it has been a bit since I had to last do this task. 

The Simple Fix to the Simple Issue

Luckily for you and me, it seems that every copy of a Windows operating system I looked at for this post (Win7, Win8, Win10, Server 2008+) have a utility in \windows\system32 called cliconfg.exe.  You can read up on that utility here.

A wonderful tool.  Here is it in Windows 10 form.  Which looks the same as Win7, so I think they will all pretty much appear to be the same. Actually, the Win7 version has a different set of window frames, so the appearance is more rounded instead of the ugly-ass Win10 metro crap.  But I digress.

image

What we need to do is select the Alias tab…the select Add.

image

For the purposes of this exercise, I need my system to talk to my SQL server (FQDN = sqlalwayson-a.tsoorad.net) on port 49001.  So, you set it up like this and then say OK.

image

image

Follow up that OK with an APPLY and your newly modified operating system will for thereafter talk to SQL server sqlalwayson-A.tsoorad.net on port 49001 vice 1433.  Simple.  Easy.  Works well.  Less filling.  Man, I am thirsty!

But Wait!  What if…

…you have like four user pools, and they all need to talk to the same monitoring server, but different archive targets per pool?  And what if there are like 30 front ends that need this modification, and every time you type this stuff in there is the possibility of spelling errors that mean system failure.  Now, I am sure there is some folks out there in techie land that are starting to chant “PowerShell!  PowerShell” -  but in this case, I am going to ignore them, and simply export a registry key, and then incorporate that into my server build process – which can be PowerShell-ized if you wish.

Here is the registry key to export.  HKLM\software\microsoft\mssqlserver\client\connectto

In my project, we had four SQL AG clusters, each with two nodes, a cluster name, and the AG name; all that needed to resolve by DNS.  So, our registry key looked somewhat like this: 16 entries with AG, cluster, node1, and node2 per supporting SQL cluster.  We then simply imported that into each server at build time.

image


Summary

The SQL mavens might well change ports on you.  If they do, there is an answer in form of cliconfg.exe.  If the scale is a tad larger than manual typing will cover, you can regedit your way to success.

YMMV








2017/05/20

Windows 10 Battery Life

The Issue

I use a Lenovo Yoga 14 for my personal stuff.  A few weeks ago I ran updates.  I noticed that battery life dropped from nearly 10 hours to less than 3.  Closing the lid puts the Yoga to sleep, so opening it is a breeze and I have a working desktop in about 20 seconds or less.  After the updates, closing the lid still did the sleep thing, but on opening the lid the Yoga was dead.

The Problem

So, I started poking.  I discovered the latest rounds of updates had installed a Lenovo Screen Updater.  Holy Battery Drain.  The CPU was grinding away at 50%+ constantly.

The Fix

Remove it.  Now I get this here:

image

Seeing as how this was associated with the touch screen concepts, I imagine that this might help Win7, Win8, Win 8.1, et cetera – anything else that runs a touch screen with Lenovo and Windows.

YMMV

2017/05/18

Stupid SfB Tricks

In a fit of angst, today I recreated the infinity mirror exercise from several years ago.

Yes, I was testing with a customer and not just bored.

image

YMMV

2017/04/19

New SfB SE won’t start

Usually I see this problem with EE pools, but in this case I have now seen it with two different SE installs.

The Problem

RTCSRV won’t start.  It just sits there for a bit, like 10 minutes and claims it is “Starting”.  Then the service status goes to “Stopped”.

Nothing in the event log, nothing shows in Powershell.  If you try to start from services.msc, it just sits there.  Nothing.

How did we get here?

A fairly locked down environment.  OK.  A severely locked down environment.  The tin-foil hat types have found a home in this place.  New install – new as in greenfield deployment.  Standard Edition installs, and before starting services for the first time, we ran the February 2017 CU into place.  All of that seemed fairly normal.

But the service wont’ start.

The Fix

Again, I usually see this with EE pools, but here is what fixed it:

Reset-CsPoolRegistrarState –PoolFqdn poolfqdn.domain.com -ResetType FullReset

YMMV

2017/03/16

Skype Test Matrix

As part of a project, Thaddeus Kurowski (CDW) and I put together a Skype test matrix to ensure that the implementation worked as designed/expected.

You may find it useful as well.

https://gallery.technet.microsoft.com/Skype-Implementation-Test-e11edf07

YMMV.

Skype Edge Server and 2:1 NAT

This morning, we resolved an issue that I have never seen before, and hope that I never do.

The Background

I tell customers during design sessions that if there are existing network issues, Skype (or Lync) is going to find them.  If there is something a bit wonky, we are going to discover the wonkiness.  And here we go.

Skype edge with 1:1 Nat.  Public IP is 71.16.x.x.  Edge server is doing the classic 3 IP thing.  Remote logins are fine.  Everything seems to be ducky.  Except we cannot talk outbound. 

Go check all the network again.  Looks good. Check the topology, servers, IP assignments, paths.  All good.  Certificates, the common culprit behind one-way federation and presence look good.  We are now scratching our heads.  We know now we are looking at something wonky, but what?

The Fix

I was under the impression that 1:1 NAT is 1:1.  But it turns out that a Watchguard Firebox is capable to doing 2:1 NAT.  Inbound to the Edge server worked because the firewall had 1:1 NAT from public to DMZ VLAN.  Edge trace logs showed subscriptions and connections timing out on the far side.  The connections were being made, just no return traffic.  No SYN.  Telnet client testing outbound from the edge server on 5061 ad 443 worked.  Clearly inbound connections were working or there would be no remote logins.

As long as the traffic originated from outside the organization, things worked fine and the Edge server, via the 1:1 NAT was responding as expected to the source IP.  But traffic originating from INSIDE the organization was failing.  One way presence, presence unknown, cannot send to user, etc.  Apparently…

…according to www.ipchicken, the Watchguard was sending all traffic from the DMZ external VLAN out via a completely separate set of addresses!  HUH?  Whaaaaat?  So inbound would work, but outbound went out on a separate address?

So their firewall guy fixed that, we are back to 1:1 NAT and all is good. Something to be aware of, eh? Go figure.

YMMV

2017/03/15

Inbound Call Failures due to TCP configuration

I will not attempt to embellish this content past commenting that this call failure is not common.  I have rarely seen it, most likely because my implementation practice for upgrades is to match system settings before testing.

Having said that, I think I would have thought the initial setup described here would have worked.  But apparently not.  Inbound calls follow the original port.  Something to be aware of.

Thanks to Josh Walters, CDW Senior Consulting Engineer for writing this up for us.

YMMV

Scenario: 

Customer is deploying a new 3-node Skype for Business Enterprise Pool to replace their existing 2-node Lync 2010 Enterprise pool.  Enterprise voice is enabled in Lync 2010 and Lync call traffic is directed inbound from their PRI and delivered to an Avaya Session Manager appliance, then it is delivered to Lync.  Internal call flow functions as below:

PRI --> Avaya Aura System Manager --> Lync 2010 Enterprise Pool

After deploying the new Skype for Business FE Enterprise Pool, Edge Pool, and Back-End we decided to migrate a test user who was enabled for Enterprise Voice to the new Skype for Business Pool and test call flow with the new infrastructure.  The new expected call flow should function as below:

PRI --> Avaya Aura System Manager --> Lync 2010 Enterprise Pool --> Skype for Business Enterprise Pool

After moving the user, the user was able to successfully place an outbound call to both internal and external recipients but was unable to receive an inbound call.  When attempting to dial the Line# for the migrated user we were being routed directly to Voicemail (Exchange 2010 Unified Messaging).  What gives? 

Inbound Traffic

Avaya Aura System Manager --TCP 5060--> Lync 2010 Enterprise --TCP 5060--> Skype for Business Enterprise

Outbound Traffic

Skype for Business --TCP 5060 or TLS 5067--> Lync 2010 Enterprise --TCP 5060 or TLS 5067--> Avaya Aura System Manager

Well, what we found was that Avaya was routing SIP traffic to Lync 2010 using TCP port 5060 only (as seen above).  When Lync 2010 received the SIP request it attempted to route the traffic to the Skype for Business pool where the user is homed and it tried to use the same port it received the traffic on, but we had not yet activated TCP on the Skype for Business pool for Mediation.  The Skype for Business pool was therefore rejecting the traffic and then sending the call to Voicemail. 

The fix:  Enable TCP (and make sure to use the correct port for YOUR environment) so that the Skype for Business pool is listening for traffic on said port.   After enabling TCP 5060 on the Mediation Server (Collocated) all inbound call routing for the user started working. 

clip_image002

clip_image004

2017/03/12

Reverse O365 SfBO Migration Failure

The Scenario

Existing Office 365 tenant successfully using SfBO. Exchange on-premises.  Azure AD Connect version unknown, but up and functional  PBX with voice mail on-premises. We extended schema and installed SfB on-premises with Edge.  Modified the firewall to specification and attempted to get into hybrid. 

DNS mods we easy. Creating a test user and synching up to O365 went fine.  Enabling the test user for SfB went fine.  Another AAD sync and we were in business.  Moving the test user to O365 (so we could test moving back to on-premises) went just fine. And there the problems began.  Attempts to move the user back to on-premises failed with the following non-help message:

PS C:\Source\scripts> move-csuser -Identity sfb.test3@domain.com -Target domain-sfbfe01.domain.com -Credential $cred –HostedMigrationOverrideUrl https://admin0a.online.lync.com/HostedMigration/hostedmigrationservice.svc -Verbose
VERBOSE: CN=sfb test3,OU=hometown_Users,OU=domain_Users,DC=domain,DC=com

Confirm
Move-CsUser
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y
VERBOSE: Validating parameters for move operation.
VERBOSE: Calculating new server information for user [domain-sfbfe01.domain.com].
VERBOSE: Moving user [sip:sfbtest3@domain.com] across deployments.
VERBOSE: Creating source external move endpoint.
VERBOSE: Validating the hosted migration override URL provided:
[https://admin0a.online.lync.com/HostedMigration/hostedmigrationservice.svc].
VERBOSE: Retrieving web ticket URL.
VERBOSE: Retrieving live id token.
VERBOSE: Initializing source external move endpoint.
VERBOSE: Creating target external move endpoint.
VERBOSE: Initializing source external move endpoint.
VERBOSE: Validating user [sip:sfbtest3@domain.com] online, for on premises to online move.
move-csuser : I
ndex was outside the bounds of the array.
At line:1 char:1
+ move-csuser -Identity sfb.test3@domain.com -Target domain-sfbfe01.domain.com -Credenti ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (CN=sfb test3,OU...,DC=domain,DC=com:OCSADUser) [Move-CsUser], IndexOutO
   fRangeException
    + FullyQualifiedErrorId : MoveError,Microsoft.Rtc.Management.AD.Cmdlets.MoveOcsUserCmdlet

"Index was outside the bounds of the array."

You know how many hits googlepedia produces for that?  None of them helpful.  So we triple-checked our work.  Reviewing the overall picture, it was apparent that there was some issue with the on-premises environment, but everything we looked at came up good.

The Root Cause

The root cause was that Azure AD Connect was installed and configured BEFORE the extending schema for SfB.  As it turns out in the end, Azure AD Connect does not refresh schema very well, if at all, unless you tell it to. 

And even then, maybe not. There is a button inside the missclient (Synchronization Service Manager) that SAYS it will do it.  I mean, it clearly says “refresh schema”

image

…and the following message sure says it will…

image

But, guess what, that is not the case.

As you can probably guess, the root issue causing our migration failure was that the AAD Connect had no knowledge of the SfB attributes coming in with the online user.  Now, I would have thought they would have seeing as how we were successful in installing SfB, creating a good on-premises user, and moving that user up into the tenant.  But no.

Interesting side note is that once we twigged onto the schema concept, using the button on AAD connector populated SOME valiues – we could see them.  But still moving back to on-premises failed.

The Fix

It seems that if you run "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADConnect.exe", you get a few options. Specifically, take a look at the third option from the top.

image

I do not pretend to know the difference between “refresh schema” in one location as opposed to the other, but I do know that running the “refresh directory schema” from this location, followed by a full synch on both connectors resolved our failed user moves.

Keeping your Azure AD Connect up to date might be helpful also and in theory the reinstallation process will trigger a schema refresh.  You can get a clean copy of that installer right here.

Of course, once you know what to look for, there is this also.

YMMV

2017/03/03

AudioCodes UC 3.0.x Office 365 MFA support

 

I feel a bit like Steve Martin

AudioCodes is due, very shortly I hope, to publish new firmware for the 440HD and 450HD phones (dare I hope for the 430HD also? 405? 405HD? 420HD?) that enables the device to do a web sign-in to an MFA-enabled Office 365 tenant account.  Wow, that was one long sentence.  My English prof at St Thomas Aquinas would beat me about the head and shoulders.  However, there it is.

Let’s walk through this process.

Update the firmware on the phone device. How you do that is up to you.  Personally, I used my IP Phone Manager Express.

My 440HD at 3.0.1.89, my 450HD is at 3.0.1.63.214.  After getting the firmware updated, both devices appeared to be the same.  I am sure there is some detail that I did not notice, but they look the same to me.

Open either the web interface, or the phone screen, and start the sign-in process.

phone:

image

phone web interface:

image

select the web sign-in option….

image

What results from either method is this:

image

or

image

Inside the red box (which you will not get on your phone or browser screen) is the two critical pieces of information to complete the login process.  First is the URL http://aka.ms/sphone.  Go there with your code.

The code is not case sensitive.

So you go to the indicated URL and follow the prompts, then enter your code.  You will see where I did lower case while the phone and the browser GUI both indicated caps.

What follows is a bit round-about – but you get thrown into the office portal login…

image

and a redirect to the corporate AD sign-in…

image

and after working my way through the MFA routine, I get this:

image

after entering the requisite code… remember, not case sensitive, the page magically morphs to this:

image

Select continue, because I am assuming you WANT to get the device to work…and you get this

image

For you eagle-eye readers, you will note that now this page, which appears to look just like a few steps before now says I am signed in.  How nice.  Observing the device, I note that it SAYS it is logged in, but you know, it still looks pretty unusable at this point.  So, click on your account that was signed in…

image

Wala!

and now the device itself looks like the following – well, it will in a bit – patience padiwan!

image

BTW, you have 15 minutes to complete the web sign-in gymkhana.  If you blow the 15 minute limit, you will need to start over.

image

I am told, by an source who only spoke on the condition of anonymity (this makes me equal to all the reporters in any nation’s capitol), that we can expect this new firmware code to be out in the wild sometime around the end of Q1 2017.

YMMV

test 02 Feb

this is a test it’s only a test this should be a picture