Mike Stacy's Blog

SmartChat

2008-11-19T21:27:00Z

I typically blog about technical items related to Microsoft UC, but I want to draw some attention to SmartChat, which is a product that we recently released to allow customers to enable web chat on their website by leveraging their investment in OCS. In simple terms, SmartChat is a "widget" that can be placed onto a website in one or more locations to enable live chat. Obviously this isn't a new concept, but the use of OCS and Communicator is the compelling part that makes this interesting and easy for OCS customers.

In addition to simple chat, SmartChat has capabilities for reporting on the browser history ("I see you were looking at sweaters on our website"), enabling co-browsing (automatically navigating the web visitor's browser), integrating with Microsoft CRM, and adding audio/video or desktop sharing to the conversation. Best of all, you don't need any additional software on either side of the conversation. Flash is required for audio/video, but most people on the web already have this anyway.

Needless to say, we're pretty excited about releasing the product. So is Microsoft apparently - they have approached us to run a case study on it (I'll update you when it's released). In addition to obvious retail applications our existing and potential customers range from financial services organizations, who want to provide top level service through their member portals, to healthcare companies, who want to provide easier access to plan members and beneficiaries, to product and consulting firms, who want to provide better access to their product/service information and support teams. Recently companies have start talking to us about using it for their internal helpdesks as well. Overall it's really interesting to see how companies apply the technology to their businesses.

For screen shots and additional details check out the SmartChat product page. If you want to see it in action you can try it on our contact page. Because it's presence enabled it's only online when we are, so if you are outside the US or a night owl then you may just see an e-mail link because none of us are online at the moment. You may also discover that at least a few of us work late as well.

Evangelyze announces SmartVoIP

2008-11-13T05:21:11Z

Today we, in conjunction with NET/Quintum, announced our SmartVoIP solution (press release here) that brings together OCS 2007 and Microsoft Response Point. The premise for SmartVoIP is to provide a single integrated solution for customers with a corporate office and small offices/stores/branches. Take for example a retail chain - typically there is a headquarters in one location with a large group of employees. Additionally this organization will have retail stores in various locations. With SmartVoIP, customers can deploy OCS with Enterprise Voice in the corporate HQ and a low cost Response Point system in the retail stores but tie them together to allow extension dialing between the systems. Because we can do a combination of routing with POTS, SIP trunking, and OCS, customers are able to leverage the cheapest and most efficient call routing mechanism for their remote locations.

For more info see http://www.evangelyze.net/products.asp#SmartVoIP or contact me directly.

Cisco Call Manager 7 Direct SIP Connectivity

2008-11-06T15:12:52Z

Today I'll outline how to connect Cisco Call Manager 7 to OCS via Direct SIP. For ease of explanation I am using an environment with 3 digit extensions. The extensions in OCS are 1XX and the Cisco extensions are 2XX.

First, create a SIP Trunk to your OCS Mediation server in CUCM:

Other than selecting items for the required fields, there are only a couple things to ensure. First, make sure to check the box for "Media Termination Point Required." After that all you need to do is set the Destination Address to the FQDN or IP address of your Mediation server and click Save. You will receive a warning about resetting the SIP Trunk - just click ok. Since no one is using the trunk yet it's safe to reset it. Here are some reference screen shots (click on the image to see it full size):

Next, create a new Route Pattern:

In my case OCS is using 3 digit extensions that start with a 1, so I enter a pattern of 1XX. In the Gateway/Route List field I select the SIP Trunk that I just created. Click Save.

You will receive a warning that the Authorization Code will not be activated. Click OK to continue.

That's it for the Cisco side. If you had multiple Mediation servers for different route patterns then you would create a new SIP trunk and route pattern for each. If you have multiple Mediation servers to which you can route the same digit patters then you would use Route Groups and Route Lists instead. Further information on this is available in the Cisco documentation. Now we move on to the OCS side of things.

First, I configure my Mediation server to use Call Manager as the PSTN gateway.

If you have multiple mediation servers you may need to specify the route for the Cisco extensions. In my case I'm using this Mediation server only to connect to Cisco because I have another Mediation server that is already providing PSTN routing, so I specify a route for the 2XX pattern to go through this specific mediation server.

Depending on your AD and OCS topology it may take a little while for the changes to be picked up by all the OCS servers, but once this occurs you should be good to go.

OCS SQL Query - Show last OCS logon

2008-11-05T17:00:00Z

I wrote this one a while back to help someone on the forums.

select res.UserAtHost as "SIP Address", hud.LastNewRegisterTime as "Last Logon" from rtcdyn.dbo.HomedUserDynamic hud join
(Select ResourceId, UserAtHost from rtc.dbo.Resource
group by ResourceId, UserAtHost)
res
on hud.OwnerId=res.ResourceId
order by "Last Logon"

OCS SQL Query - Return Archive User Settings

2008-11-05T16:52:00Z

From time to time I'll be posting SQL queries that I use for various reasons. I don't claim to be a SQL query expert and so I won't guarantee that these are written with the best syntax or performance characteristics.

This query will list your users by SIP address and return their archive settings.

select
res.UserAtHost as "SIP Address",

case
when (resdir.ArchivingFlags = 4) then '*' 
when (resdir.ArchivingFlags = 12) then '*' 
else '' 
end
as "Internal",
case
when (resdir.ArchivingFlags = 8) then '*' 
when (resdir.ArchivingFlags = 12) then '*'
else ''
end
as "Federated"

from rtc.dbo.ResourceDirectory resdir join
(Select ResourceId, UserAtHost from rtc.dbo.Resource
group by ResourceId, UserAtHost)
res
on resdir.ResourceId=res.ResourceId
order by "SIP Address"

Tanjay firmware will not update

2008-10-06T01:58:00Z

Recently I was working on an issue where Tanjays (Polycom CX700 or LG-Nortel IP8540) would not update their firmware. There were a variety of issues but there was one in particular that I noticed some open questions about on the forums so I thought I'd share the solution.

In this case the company's Tanjays all resided outside the organization because the workforce is mobile. All the ports and NATs seemed to be fine and indeed we could see a connection in the IIS logs to the Web Components server. However, the IIS log revealed the following:

2008-10-05 21:45:10 W3SVC1 10.1.1.13 POST /RequestHandler/ucdevice.upx - 80 - <user's external IP> Microsoft+UCPhone+Device 500 0 0

The 500 error code is the relevant item here. When the RequestHandler receives a connection from the Tanjay it then connects to the WSS site that holds the firmware using the internal FQDN that was specified during the configuration of the UC Update Service. Originally the configuration was done with different internal and external FQDNs but when an external certificate was purchased for the WSS site the Alternate Access Mappings, which basically tell WSS which URLs to use, were configured only for the external FQDN since the thought was that only external users would be using the service. However, since the RequestHandler needs to access WSS with the internal FQDN the connections were failing.

The fix was pretty simple - always make sure that WSS is accessible by both the internal and external names that you specify in the configuration. I've attached a vbs script that you can run on your OCS web components server to view the URLs that are configured for the update service. There may be another place to see this info but it was easier to just use WMI to show these values rather than figure out the lcscmd syntax if in fact that's even possible. A quick review of the validation output indicated that these values are not listed there. Just rename the file from .txt to .vbs and run it with "cscript updsrvurls.vbs" from a command line and it will list the URLs associated with the update server configuration on that OCS server. You can also run it remotely by changing the strComputer = "." line to strComputer = "<yourocsfeinternalfqdn>".

Live Meeting 2007 On-Premise Web Conference Connectivity

2008-09-29T03:28:52Z

I was recently assisting an OCS admin at another company with Live Meeting connectivity issues, during the process of which I explained how Live Meeting connectivity works for on-premise conferences (located on OCS rather than the externally hosted service). He felt like it was good info so I thought I'd share it.

As you're aware, OCS is SIP based in its communications, with the most obvious SIP client being Communicator 2007. What is not as obvious is that Live Meeting is also a SIP client. OCS delivers various pieces of necessary information via SIP, which means that the Live Meeting client must understand how to communicate with OCS over SIP to retrieve the information needed to operate. This is why if you must specify your OCS Access Edge/pool FQDN rather than your Web Conferencing Edge/internal FQDN if your Live Meeting settings are configured manually (example below).

If you think about the infrastructure considers of this for a moment you'll also realize that for users to be able to connect to Live Meetings without any configuration settings you must deploy the necessary SRV records for your pool and Access Edge, even if you have no intention of deploying IM to some or all users (this is a somewhat rare but not entirely unusual request from some customers I've worked with).

So, how does this all come together? First, the Live Meeting client (hereafter referred to as "LM") queries DNS for the appropriate SRV records of the domain it extracted from the conference location URI. An example of a conference URI is sip:user@domain.com;gruu;opaque=app:conf:focus:id:1652DEC23E5AE243882614D3B42600B6. It receives an INFO message back from OCS that contains a variety of information in XML format. Among this information is the FQDN and port of the Web Conferencing Edge server:

<entry>

<key>proxy[0].FQDN</key>

<value>meetings.evangelyze.net</value>

</entry>

<entry>

<key>proxy[0].Port</key>

</entry>

This information is derived from the Web Conferencing properties of the pool:

After this point LM sends a SIP UPDATE message to OCS every 7 minutes to confirm connectivity. This is one of the reasons why it's important to have your firewall timeouts set properly - unexpectedly disconnecting LM sessions are a somewhat common side effect of improperly set timeout values on the firewall.

Exchange 2007 UM SIP Integration with Mitel 3300

2008-09-16T17:19:00Z

Rather than individually send out this Mitel document to everyone that asks for it on the forums I figured I'd just post it here for people to download. I don't claim that this is the latest version or that it is accurate for all versions, etc., but since this document seems to have avoided all known search engines I've attached it here. Also be aware that Microsoft has some Mitel configuration notes for other connectivity options.

You'll find the document in the attachment link below.

OT: Blackjack 2 does not connect to WMDC

2008-09-15T22:47:14Z

Now that the official release of Windows Mobile 6.1 is finally out for the Blackjack 2, I discovered that I could not connect my phone to Vista's Windows Mobile Device Center (WMDC), which is a requirement for the upgrade. I always connect as a modem or via bluetooth, so I hadn't actually come across this before. I saw a number of other folks that had complained about the same thing and had not gotten resolution so rather than create logons and posts on each forum I figured I'd post here and hope that the search engines picked it up. The fix was pretty easy - just install the WMDC driver update from here (or, if you run 64 bit like I do, here). Once that was complete my phone was immediately recognized by WMDC.

Voice Impact Event in Houston - Sept. 29

2008-09-12T18:34:42Z

If you are in the Houston area and would like to learn how a Microsoft-powered voice platform can benefit your organization, please register for our Houston Voice Impact event session here.

Send/Receive never finishes

2008-09-03T22:05:29Z

Today I finally decided to look into an issue that I'd noticed for some time. In Outlook 2007 a manual send/receive (F9) would never complete. If I looked at the send/receive details I would see:

An Exchange task would forever say "Offline address book Connecting to Microsoft Exchange." When I looked at Outlook's Connection Status the last line is "Synchronizing Views." I decided to take a look at the IIS logs and found this:

2008-09-03 21:05:52 10.1.1.3 GET /OAB/3ebf24ed-43dc-4a50-a2a9-cc6ef51ebf84/oab.xml - 80 - 74.73.235.66 Microsoft+BITS/7.0 500 19 64 63

Indeed, browsing to that location returns a 500.19 Internal Server Error in IE. While reviewing the root OAB folder in the file system (C:\Program Files\Microsoft\Exchange Server\ClientAccess\OAB\) I noticed a web.config file. I checked another Exchange 2007 server and noticed that it did not have a web.config file in that location. I moved the web.config to another location and that corrected the issue.

On a side note, this also corrects an issue with RSS feeds not updating automatically.

Cannot upload cab file to UC Device Update Management Console

2008-09-02T08:15:00Z

One of the best documented reasons for a cab file upload to fail is due to timeout settings in IIS. For an overview of this please see http://blogs.technet.com/jenstr/archive/2008/02/28/uploading-of-a-cab-file-to-update-server-wss-site-fails-with-an-exception-and-the-message-thread-was-being-aborted.aspx. In the case of the timeout issue the upload will process for a while before the error is returned. However, there is another reason you may see the same error:

"The file upload was unsuccessful due to an unknown error. Please try again"

In this case the error will be thrown about 10 seconds after the upload process begins. If you check the corresponding debug logs (UpdateServer > Logs > Server > Debug > UpdatePackageHandler), you'll see the following:

Debug        :
09/02/2008 07:08:52, Debug        : -------------------------------------
09/02/2008 07:08:52, Debug        : Started Upload Updates From Cab Call
09/02/2008 07:08:52, Debug        :
#Sharepoint Server Path : http://wss.domain.com/sites/ucupdateserver/
#Updates Path : Updates/
#Approval Path : Server/DB/
#Temp Extract Path : C:\Program Files (x86)\Microsoft Office Communications Server 2007\Web Components\UC Device Updates\Management Console\LCS
#Log Path : Logs/Server/Debug/UpdatePackageHandler/
09/02/2008 07:08:52, Debug        : Started Reading Cab file C:\Program Files (x86)\Microsoft Office Communications Server 2007\Web Components\UC Device Updates\Management Console\LCS/633559361262490130\UCUpdates.cab
09/02/2008 07:08:53, Debug        : Extracted all files under temp location C:\Program Files (x86)\Microsoft Office Communications Server 2007\Web Components\UC Device Updates\Management Console\LCS\a7992c72-7fb3-4f6f-b4c3-a2494f984ad1
09/02/2008 07:08:53, Debug        : Converted UpdatesInfo.xml into new format
09/02/2008 07:08:55, Exception    : Exception: Exception While Uploading file Updates/CPE.nbtThe request failed with HTTP status 401: Unauthorized.   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Microsoft.RTC.UCUPDATESSERVER.SHAREPOINTSERVICES.Service.UploadFileToSharepoint(String SPSiteUrl, String FolderPath, Boolean CreateFolder, String FileName, Byte[] content, Boolean Publish, Boolean CheckIn, Boolean overwrite)
   at UPHService.UploadToSharepoint(String TempExtractedPath, DataSet dsUpdateInfo)
09/02/2008 07:08:57, Exception    : Exception: Exception While Uploading file Updates/CPE.nbtThe request failed with HTTP status 401: Unauthorized.   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Microsoft.RTC.UCUPDATESSERVER.SHAREPOINTSERVICES.Service.UploadFileToSharepoint(String SPSiteUrl, String FolderPath, Boolean CreateFolder, String FileName, Byte[] content, Boolean Publish, Boolean CheckIn, Boolean overwrite)
   at UPHService.UploadToSharepoint(String TempExtractedPath, DataSet dsUpdateInfo)
09/02/2008 07:09:00, Exception    : Exception: Exception While Uploading file Updates/CPE.nbtThe request failed with HTTP status 401: Unauthorized.   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Microsoft.RTC.UCUPDATESSERVER.SHAREPOINTSERVICES.Service.UploadFileToSharepoint(String SPSiteUrl, String FolderPath, Boolean CreateFolder, String FileName, Byte[] content, Boolean Publish, Boolean CheckIn, Boolean overwrite)
   at UPHService.UploadToSharepoint(String TempExtractedPath, DataSet dsUpdateInfo)
09/02/2008 07:09:02, Exception    : Exception: Exception While Uploading file Updates/CPE.nbtThe request failed with HTTP status 401: Unauthorized.   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Microsoft.RTC.UCUPDATESSERVER.SHAREPOINTSERVICES.Service.UploadFileToSharepoint(String SPSiteUrl, String FolderPath, Boolean CreateFolder, String FileName, Byte[] content, Boolean Publish, Boolean CheckIn, Boolean overwrite)
   at UPHService.UploadToSharepoint(String TempExtractedPath, DataSet dsUpdateInfo)
09/02/2008 07:09:04, Exception    : Exception: Exception While Uploading file Updates/CPE.nbtThe request failed with HTTP status 401: Unauthorized.   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Microsoft.RTC.UCUPDATESSERVER.SHAREPOINTSERVICES.Service.UploadFileToSharepoint(String SPSiteUrl, String FolderPath, Boolean CreateFolder, String FileName, Byte[] content, Boolean Publish, Boolean CheckIn, Boolean overwrite)
   at UPHService.UploadToSharepoint(String TempExtractedPath, DataSet dsUpdateInfo)
09/02/2008 07:09:06, Exception    : Exception: Exception While Uploading file Updates/CPE.nbtThe request failed with HTTP status 401: Unauthorized.   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Microsoft.RTC.UCUPDATESSERVER.SHAREPOINTSERVICES.Service.UploadFileToSharepoint(String SPSiteUrl, String FolderPath, Boolean CreateFolder, String FileName, Byte[] content, Boolean Publish, Boolean CheckIn, Boolean overwrite)
   at UPHService.UploadToSharepoint(String TempExtractedPath, DataSet dsUpdateInfo)
09/02/2008 07:09:09, Exception    : Exception: Exception While Uploading file Updates/CPE.nbtThe request failed with HTTP status 401: Unauthorized.   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Microsoft.RTC.UCUPDATESSERVER.SHAREPOINTSERVICES.Service.UploadFileToSharepoint(String SPSiteUrl, String FolderPath, Boolean CreateFolder, String FileName, Byte[] content, Boolean Publish, Boolean CheckIn, Boolean overwrite)
   at UPHService.UploadToSharepoint(String TempExtractedPath, DataSet dsUpdateInfo)
09/02/2008 07:09:11, Exception    : Exception: Exception While Uploading file Updates/CPE.nbtThe request failed with HTTP status 401: Unauthorized.   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Microsoft.RTC.UCUPDATESSERVER.SHAREPOINTSERVICES.Service.UploadFileToSharepoint(String SPSiteUrl, String FolderPath, Boolean CreateFolder, String FileName, Byte[] content, Boolean Publish, Boolean CheckIn, Boolean overwrite)
   at UPHService.UploadToSharepoint(String TempExtractedPath, DataSet dsUpdateInfo)
09/02/2008 07:09:11, Debug        : Completed Upload to sharepoint server
09/02/2008 07:09:11, Exception    : Exception: UploadUnApprovedXMLToSharepoint Method Collection was modified; enumeration operation might not execute.   at System.Data.RBTree`1.RBTreeEnumerator.MoveNext()
   at UPHService.UploadUnApprovedXMLToSharepoint(String TempExtractedPath)
09/02/2008 07:09:11, Debug        : Deleted all files under temp location C:\Program Files (x86)\Microsoft Office Communications Server 2007\Web Components\UC Device Updates\Management Console\LCS\a7992c72-7fb3-4f6f-b4c3-a2494f984ad1
09/02/2008 07:09:11, Debug        : Calling Clear Cache for Image Updates
09/02/2008 07:09:11, Debug        : End Upload Updates From Cab Call
09/02/2008 07:09:11, Debug        : -------------------------------------

I've highlighted the relevant section above which you'll see is repeated a number of times. When the Sharepoint UC Update package is installed it creates a site called ucupdateserver that contains 2 document libraries - Logs and Updates. The issue in this case is that the ucupdateserver site has the appropriate permissions set, and these permissions are inherited by the Logs document library (which allowed for the above log to be created). However, the Updates document library is set to use custom permissions and there the cab file upload is failing.

To fix this I first set the appropriate permissions at the ucupdateserver site level (I gave full permissions to RTCComponentServices and read permissions to NT AUTHORITY\Authenticated Users). Next I navigated to the Updates library and clicked Settings/Document Library Settings. Now click Permissions for this document library. When the permissions appear click Actions -> Inherit Permissions. You will get a prompt verifying that you want to overwrite the custom permissions. Once you select OK you will see the page update with the permissions that are set at the site level. This fixes the upload problem and also enables you to make easy site-wide permissions changes in the future if necessary.

SQL Query to return number of users per Front End

2008-08-29T14:37:00Z

In the last couple weeks myself and some other folks I've spoken with have had the need to know how many users were connected to a particular front end. Unfortunately there's no interface to provide this sort of information, so I decided to poke around SQL to figure out what I needed to read to determine this info. With a little help from my co-worker and UC developer extrordinaire Simon Booth, we whipped up a query in a couple minutes that gives you that data:

select fe.Fqdn,c.connections from rtcdyn.dbo.FrontEnd fe join
(Select COUNT(*) as connections, FrontEndId from rtcdyn.dbo.DeliveryContext
group by FrontEndId)
c
on fe.FrontEndId=c.FrontEndId

To execute this, open SQL Management Studio and connect to the instance which contains your OCS databases. Click the "New Query" button and paste in the text above. Click "Execute" and you'll receive output that shows the number of connections per front end.

Of course you could extend this to tell you users names or other information, but it's a good base query to see what it takes to pull info from the OCS databases.

Common Certificate issue with Vista

2008-08-22T13:15:00Z

I got a call from an industry colleague yesterday who was trying to set up an OCS lab environment. He hit what has become an increasingly common issue as Vista becomes more heavily adopted in the enterprise. The scenario is almost always the same - "My XP computers can download the address book without a problem but Vista cannot." User Account Control is commonly suspected as the problem, but in this case it has nothing to do with the actual issue. In fact, the issue is actually a default setting in IE7: Check for server certificate revocation.

The error that you'll see is:
"Cannot Synchronize with the corporate address book. This may be because the proxy server setting in your web browser does not allow access to the address book. If the problem persists, contact your system administrator."

The error message is a bit misleading. What is actually happening is that IE is checking the CRL Distribution Points property of the certificate that is provided by the web conferencing server and trying to connect to the paths specified. If it cannot connect to any of these it will fail with the above error message. The reason this does not cause Communicator logons to fail is because the the address book download process uses the WinInet API just like IE since the connection is https. Communicator does not use WinInet for its logon, so the logon succeeds as long as the certificate is trusted by the client.

This scenario is most common in lab environments because the lab will often use a separate AD environment but users whose machines are joined to the production AD forest will try to connect with Communicator. Without any trusts and/or DNS replication of the test forest, the client will not be able to connect to either the LDAP or HTTP paths referenced in the CRL Distribution Points property. Here is an example of a CRL DP from a certificate generated by a Windows CA:

[1]CRL Distribution Point

Distribution Point Name:

Full Name:

URL=ldap:///CN=EVAN-CA,CN=EVAN-DC1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=corp,DC=evangelyze,DC=net?certificateRevocationList?base?objectClass=cRLDistributionPoint

URL=http://evan-dc1.corp.evangelyze.net/CertEnroll/EVAN-CA.crl

You can imagine by looking at the paths above that a computer without any knowledge of the namespaces used would have a problem connecting to them. This problem can also manifest itself in a production environment if you have machines that are not members of the same forest or for any other reason cannot resolve or connect to the paths referenced in the CRL DP. In any case there are only 3 options:

1) Disable certificate revocation checking in IE. This can be done manually or via group policy. The setting can be found in the Security section of the Advanced tab in Internet Options.

2) Modify your infrastructure in such a way as to make the CRL DP accessible to all users.

3) Use a public CA to issue the certificate rather than an internal CA. This is the best solution if you have non-domain joined users connecting to your internal pool.

The OCS Director - reasons, benefits and dependencies

2008-08-21T14:32:00Z

I field a fair amount of questions from my customers and users on the Technet forums about the Director role - why is it needed, how does it play into a global architecture, etc. I thought I'd address a few of these topics for other folks with the same questions.

The first thing to know about the Director role is that it's built into OCS Standard and Enterprise - it is not a separate installation like an Edge or Mediation server. Every Standard server and Enterprise pool acts as a Director by default. So why do we need to dedicate one or more servers to this role? First let's review the purpose of a Director.

If you've ever configured an Edge server you noticed that it needs to know it's next hop. The Edge server is pretty intelligent when it comes to blocking traffic that is not permitted and taking care of other OCS security functions, but by design it does not have knowledge of where users are homed and how to authenticate them (which is why it can and should be deployed without being a member of Active Directory). The Edge relies on the next hop server to handle these items. Once it confirms that a set of communication should be passed to the inside, the next hop server can do a few things. Two major steps take place when a user logs on to Communicator:

1) Match the SIP address to a user account in AD and perform authentication

2) After authentication succeeds, route the traffic to the pool specified in the user's AD properties

These steps are basically the same whether the user connects via the Edge (remote access) or from the internal network, though the benefits are slightly different. In both cases the Director provides the benefit of offloading authentication from the pool. This is most helpful if you are pushing the limits on capacity. In an Edge scenario you have the added benefit of an extra security boundary. In the event that an attacker is able to pass through an Edge server or initiate a successful DoS attack, your internal pool environment would not be impacted.

So far, this all sounds pretty good. If you've made the decision to deploy a Director all you have to do is deploy a Standard server, Enterprise pool, or array of Standard servers and disable the services you don't need (Web Conferencing, A/V Conferencing, and Web Components - see page 48 of the Edge Server Deployment Guide for more details), change the next hop on your Edge server, and modify your _sipinternaltls._tcp SRV record to point to the new Director(s).

Now, if you are in the process of architecting a global topology complete with redundancy, you'll pause about the time you think about the contents of the SRV record. Since there can be only one _sipinternaltls._tcp record per domain and it can only point to a single FQDN, where do you put the Director(s)? For simplicity's sake let's assume you have pools in North America, Europe, and Asia. We're also going to assume you have a fully replicated DNS infrastructure (AD or otherwise). If you place a pool of Directors in North America and the connection between Europe and NA goes down (another freight ship somehow ran over the transatlantic fiber run that your telco uses ), your European users will be unable to login to Communicator until the SRV record is modified or the connection is re-established. To guard against that you can deploy an array of Standard servers in all your data centers, but now comes the major dependency - global redundancy. Because this is now at the network layer there's nothing we can do within OCS to design for this. GSLB (global server load balancing) is basically your only option. Various vendors can employ this (F5, Foundry, Cisco, etc.), and the exact deployment requirements are defined by those vendors, so check with them for details. However, no matter which vendor you choose you'll need this capability to accomodate for such a scenario.

There are other topologies and options. Some customers I've worked with have separate internal DNS zones for each country, so we were able to deploy regional SRV records. This only works if you will not use PIC or federation since most internal DNS namespaces are not internet routable. In another instance it was decided to use group policy to deploy the server settings to the clients and forego autodiscovery altogether (political, regional, and technical complexities all played into this decision).

I hope you'll find this information helpful. Byron Spurlock also has some related information on his blog as well if you'd like to read up a little more on Directors.