Elan Shudnow's Blog

The Issue and the Troubleshooting that Ensued

I recently encountered the following issue when a remote user were to try to upload a PowerPoint Presentation while internal users had no problems.

Immediately, I thought that this was an issue with the reverse proxy.  For those that don’t know what the role of a reverse proxy server is in Lync Server 2010, the Reverse Proxy handles the following traffic for remote users:

• Enabling external users to download meeting content for your meetings.
• Enabling external users to expand distribution groups.
• Enabling remote users to download files from the Address Book service.
• Accessing the Microsoft Lync Web App client.
• Accessing the Dial-in Conferencing Settings webpage.
• Accessing the Location Information Service.
• Enabling external devices to connect to Device Update web service and obtain updates.

As we can see in red above, the Reverse Proxy is used for meeting content externally.  I did two things to troubleshoot whether it was the client hitting the reverse proxy and having it not function correctly.  The first thing was that I loaded up Network Monitor on my client.  What I saw is, when I would add a new distribution list to my contact list which is a function of the reverse proxy, I properly saw in the trace the client make a request out to the public IP of our Reverse Proxy Server.  Because of this, I knew the Reverse Proxy was functioning just fine, especially since I could also access our Simple URLs (dialin.domain.com and meet.domain.com from the outside).  But when I tried uploading a PowerPoint Presentation in an Online Meeting, I never saw a call go out to the Reverse Proxy.

So I went onto our Reverse Proxy Server which is Microsoft Forefront Threat Management Gateway (TMG).  I wanted to see anything that came into it with my Client IP Address.  I went to the Logs & Reports and modified the filter

Once at the bottom of the dialog, choose Filter By IP and set the Value to your Public IP Address.  You can easily obtain your Public IP on your client machine by going to www.whatismyip.com.  Once done, choose Update.  Your filter will now look as such:

Once ready to start logging, choose the Start Query Option.

When I started the Query, I saw absolutely no traffic for Web Conferencing PowerPoint Presentations at all. This verified the client was really not even getting to the point of trying to communicate with the Reverse Proxy, especially since the Network Monitor logs didn’t even see the request try to go out.

At this point, I was at a bit of a loss and went back to basic troubleshooting more and sometimes, we often overlook the basics. I tried the other Web Conferencing functionality on the client.  What I noticed is, I got the same exact errors even when trying to utilize polling or whiteboarding.  Bingo.  It’s a Web Conferencing Edge problem, not something with the client to the Reverse Proxy.

I looked at our Web Conferencing Edge and noticed two errors (neither of which you will find any information online about them… I guess I am the lucky one):

First Event Log Entry (more common)

Log Name:      Lync Server
Source:        LS Web Conferencing Edge Server
Date:          5/4/2011 5:42:28 PM
Event ID:      41990
Task Category: (1023)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      lyncedge.domain.com
Description:
Failed to verify client cookie

Over the past 44 minutes Lync Server has failed to validate cookie presented by the clients 5 time(s). The last such client which failed validation was “22.33.44.55:50307″.
Cause: This can occur if the Web Conferencing Server and Web Conferencing Edge Server machine time(s) are out of sync. This can also be the result of a client attempting to connect to Web Conferencing Server without having the appropriate permissions.
Resolution:
Check to make sure that the Web Conferencing Server and Web Conferencing Edge Server machines and verify that the connection came from a trustworthy client. This could indicate an attack being by a rogue client.
Event Xml:
<Event xmlns=”http://schemas.microsoft.com/win/2004/08/events/event”>
<System>
<Provider Name=”LS Web Conferencing Edge Server” />
<EventID Qualifiers=”50175″>41990</EventID>
<Level>2</Level>
<Task>1023</Task>
<Keywords>0×80000000000000</Keywords>
<TimeCreated SystemTime=”2011-05-04T22:42:28.000000000Z” />
<EventRecordID>20548</EventRecordID>
<Channel>Lync Server</Channel>
<Computer>lyncedge.domain.com</Computer>
<Security />
</System>
<EventData>
<Data>44</Data>
<Data>5</Data>
<Data>22.33.44.55:50307</Data>
</EventData>
</Event>

Second Event Log Entry

Log Name:      Lync Server
Source:        LS Web Conferencing Edge Server
Date:          5/4/2011 5:11:03 PM
Event ID:      41993
Task Category: (1023)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      lyncedge.domain.com
Description:
Failed to process data received from the client

Over the past 599 minutes Lync Server has disconnected clients 1 time(s) as a result of invalid data being received on client connections. The last such client which was disconnected is “22.33.44.55:46361″.
Cause: Failed to process data received from the client
Resolution:
Check and make sure that the connection came from a trustworthy client.
Event Xml:
<Event xmlns=”http://schemas.microsoft.com/win/2004/08/events/event”>
<System>
<Provider Name=”LS Web Conferencing Edge Server” />
<EventID Qualifiers=”50175″>41993</EventID>
<Level>2</Level>
<Task>1023</Task>
<Keywords>0×80000000000000</Keywords>
<TimeCreated SystemTime=”2011-05-04T22:11:03.000000000Z” />
<EventRecordID>20543</EventRecordID>
<Channel>Lync Server</Channel>
<Computer>lyncedge.domain.com</Computer>
<Security />
</System>
<EventData>
<Data>599</Data>
<Data>1</Data>
<Data>22.33.44.55:46361</Data>
</EventData>
</Event>

The Fix

Simple. I tried restarting the Web Conferencing Edge Service but had the same issue.  I then restarted the Web Conferencing Service on the Front End.  The issue was resolved.  It’s apparently an issue where the Web Conferencing Edge Service had problems talking to the Web Conferencing Service on the Front End for client persistence and the services just needed to be restarted.

Elan Shudnow :: May.05.2011 :: Lync 2010 :: 22566 Comments »http%3A%2F%2Fwww.shudnow.net%2F2011%2F05%2F05%2Flync-server-2010-cannot-connect-to-sharing-server%2FLync+Server+2010+-+Cannot+Connect+to+Sharing+Server2011-05-05+14%3A05%3A11Elan+Shudnowhttp%3A%2F%2Fwww.shudnow.net%2F%3Fp%3D2256

I recently had a project where all DHCP Servers were Cisco switches.  During the configuration, we noticed that a certain DHCP Configuration worked on certain Cisco switches but not the rest but a configuration was found that worked on all switches.  More on the specifics in the VLAN section below.  In this article, I will show you how to figure out how to configure the 120 and 43 options on a Cisco switch as well as how to configure the VLAN ID using the two different methods mentioned above. Thanks to Dave Howe from Microsoft for helping out with the PIN Authentication Settings for Cisco DHCP.

PIN Authentication Settings

STEP 1

Run DHCPUtil.exe to find out hex data values for DHCP Options 120 and 43

C:\Program Files\Microsoft Lync Server 2010\> DHCPUtil.exe -sipserver  pool01.contoso.com

Sip Server FQDN:  pool01.contoso.com

Certificate Provisioning Service URL:  https://pool01.contoso.com:443/CertProv/CertProvisioningService.svc

Option 120: 00076578616D706C6503636F6D00

Vendor Class Identifier: MS-UC-Client

Option 43 (for vendor=MS-UC-Client):

Sub-Option 1 <UC Identifier>: 4D532D55432D436C69656E74

Sub-Option 2 <URL Scheme>: 6874747073

Sub-Option 3 <Web Server FQDN>: 6578616D706C652E636F6D

Sub-Option 4 <Port>: 343433

Sub-Option 5 <Relative Path for Cert Prov>: 2F4365727450726F762F4365727450726F7669736

96F6E696E67536572766963652E737663

STEP 2

Build DHCP Option 120 hex value for Cisco DHCP using DHCPUtil.exe output info

Option 120 = hex 00076578616D706C6503636F6D00

STEP 3

Build DHCP Option 43 hex value for Cisco DHCP using DHCPUtil.exe output info

Note:  Format of DHCP Option 43 hex value:

1. Compile Sub-Option 1 from DHCPUtil.exe output:

Length of data is hex value for (number of characters of Data) divided by 2 ( # of chars / 2 )

2. Compile Sub-Option 2 from DHCPUtil.exe output:

Sub-Option2
02	Length of data	Data
02	05	6874747073

3. Compile Sub-Option 3 from DHCPUtil.exe output:

Sub-Option3
03	Length of data	Data
03	0B	6578616D706C652E636F6D

4. Compile Sub-Option 4 from DHCPUtil.exe output:

Sub-Option4
04	Length of data	Data
04	03	343433

5. Compile Sub-Option 5 from DHCPUtil.exe output:

Sub-Option5
05	Length	Data
05	25	2F4365727450726F762F4365727450726F766973696F6E696E67536572766963652E737663

STEP 4

Combine the five Sub-Option values to build the DHCP Option 43 hex value for Cisco DHCP:

Compiled DHCP Option 43:

VLAN ID Settings with PIN Authentication Settings

There are a few ways to make this work:

• Link Layer Discovery Protocol (LLDP)
• Two different ways to make it work on DHCP.  DHCP is what this article will cover.

Now let’s say we have two VLAN IDs: 208 (Data) and 209 (Voice) on the same ports.  The idea here is swap the phone from the Data VLAN to the Voice VLAN. As stated earlier, we found two methods in configuring the VLAN ID Settings.  The first I will show is how it worked on a switch that supported LLDP – Catalyst 4507R – SUP-IV IOS version (cat4500-ENTSERVICESK9-M), Version 12.2(54)SGI.  The second is how it worked on the switch that was not LLDP Capable – Catalyst 6513 SUP720 (S72033_rp-PK9SV-M), Version 12.2(18)SXD7 – or higher.  Thanks to my client for enduring the painful process of figuring out the below and providing me with information and explanations on what he did to get the Cisco DHCP configured for VLAN ID as well as the switch information provided which you can see in the first two comments in this article.

LLDP Switch Data Scope (Comments in Red)

ip dhcp pool Data14_Lync (VLAN 208)

option 10 hex 00d0 (Decimal 209)

option 60 ascii “CPE-OCPHONE”

LLDP Switch Voice Scope (Comments in Red)

ip dhcp pool Voice14_Lync (VLAN 209)

option 10 hex 00d0 (Decimal 209)

option 60 ascii “CPE-OCPHONE”

option 43 hex 010C4D532D55432D436C69656E7402056874747073030B6578616D706C652E636F6D040334343305252F4365727450726F762F4365727450726F766973696F6E696E67536572766963652E737663

option 120 hex 00076578616D706C6503636F6D00

Non-LLDP Switch Data Scope (Comments in Red)

When we noticed the LLDP Switch Scope configuration wouldn’t work on a non-LLDP Switch, we tried running this on Windows DHCP.  My client sniffed the traffic and found that Windows DHCP had some 43 option information passed back to the client for the VLAN ID information.  So what we did in option 43 is specify an option 10 sub-option.  The oa is the sub option. The 02 is the length of the data field divided by 2.  The 00d1 is the hex value of the data vlan.

ip dhcp pool Data14_Lync

option 43 hex 0a0200d1

Non-LLDP Switch Voice Scope

ip dhcp pool Voice14_Lync

option 120 hex 00076578616D706C6503636F6D00

option 43 010C4D532D55432D436C69656E7402056874747073030B6578616D706C652E636F6D040334343305252F4365727450726F762F4365727450726F766973696F6E696E67536572766963652E737663

Elan Shudnow :: May.02.2011 :: Lync 2010 :: 222213 Comments »http%3A%2F%2Fwww.shudnow.net%2F2011%2F05%2F02%2Fconfiguring-lync-dhcp-using-cisco-dhcp-servers-vlan-and-pin-auth%2FConfiguring+Lync+DHCP+using+Cisco+DHCP+Servers+%28VLAN+and+PIN+Auth%292011-05-03+01%3A11%3A03Elan+Shudnowhttp%3A%2F%2Fwww.shudnow.net%2F%3Fp%3D2222

General Information

With Lync 2010, there are a couple ways to handle non-DID users.  Our company uses both Lync 2010 for Enterprise Voice as well as Nortel CS1000 for other users.  Our Nortel CS1000 is configured so when you send it  improperly formatted Caller ID, it will send it out to the PSTN with the main DID number of our officelocation.  In Lync 2010, you can have users that are Enterprise Voice enabled but do not have a DID.  That are some disadvantages to not having a TEL URI such as the inability to set a Conferencing PIN when logging into your Dial-In Conferencing Web Page.

An important thing to understand is when a user is dialing out to the PSTN Gateway Object in Lync 2010, there is a SIP Invite Message that gets sent out to the Gateway.  The SIP Invite Message will be constructed differently depending on whether a user has a DID specified in the TEL URI or whether that TEL URI is blank.  Let’s take a look at how both messages are constructed.

SIP Invite Messages

User with DID:

INVITE sip:+18002223333@lyncgateway.internalAD.domain.com;user=phone SIP/2.0
FROM: “Shudnow, Elan”<sip:+13129998888@collocatedFEMediation.internalAD.domain.com;user=phone>;epid=AA4B5C1773;tag=d73f8df627
TO: <sip:+18002223333@lyncgateway.internalAD.domain.com;user=phone>

User without DID:

INVITE sip:+18002223333@lyncgateway.internalAD.domain.com;user=phone SIP/2.0
FROM: “Test, Elan”<sip:etest@internalAD.domain.com>;epid=AA4B5C1773;tag=d17641157b
TO: <sip:+18002223333@lyncgateway.internalAD.domain.com;user=phone>

As can be seen, the big change between the user with the DID and without the DID is that the FROM field for a DID user displays the user’s E.164 formatted DID that is defined in the TEL URI whereas the user without the DID has their SIP Address defined instead of a DID.  This means that, even if a user does not have a DID defined in the TEL URI but is still enabled for Enterprise Voice, their phone call requests will still go out to the gateway.

What to do?

Well, in Lync 2010, there are two options:

1. Configure our gateway to handle the user’s that have their Caller ID (Calling ID) in the form of a SIP Address instead of a telephone number and send it out to the PBX.  As stated earlier, our PBX will see this and change it to the main office DID. This solution requires you to configure your PBX to do this as well as your gateway to take the SIP Address into consideration from a Caller ID (Calling ID) perspective.
2. Configure a new Voice Policy, Phone Usages, and Voice Routes that utilize the new Supress Caller ID feature to rewrite Caller ID for any user that is utilizing those routes.  Hence the need for new routes that have new phone usages assigned to the as well as a new voice policy that uses those phone usages.  You will then take this new voice policy and assign it to all non-did users.

For each option, there are some pros and cons.  As has been stated, Option #1 requires configuration on the PBX and the Gateway.  Option #2 has more configuration required on Lync itself and if you ever assign a non-DID user a DID, this user would need to be moved to the Lync Voice Policy that does not supress Caller ID.

Option #1 Configuration (Modify PBX/Gateway)

I will show how to configure the Voice Gateway (in this case, a NET UX2000 gateway) but not the PBX.

When taking a look at the Translation rules on our NET UX, you can see how we are handling E.164 calls coming in from Lync and sending it off to our Nortel.  We have a Called Address/Number (how the TO: field is specified in the SIP Invite from Lync) and a Calling Address/Number (how the FROM: field is specified in the SIP Invite from Lync).  In our translation rule, Lync is sending the TO: in E.164 format so the NET takes anything with the + and 11 digits, strips the +, and sends just the 11 digits to our Nortel. For the Calling Address Number, we take anything that has + as the starting digit, and sends the Caller ID information to our Nortel without the +.  Because of this, the Nortel will retain the original Caller ID and all is well.

But, what about non-DID users?  How can we configure our UX2000 to translate anything with Caller ID as a SIP Address and pass it off unchanged to the Nortel so it can rewrite it with the main office’s DID?  Well, it’s easy.  We just have to create an entirely new Translation rule since we can’t have more than one Calling * specified in a given Translation Rule.

As we can see in our new Translation Rule, we didn’t modify the Called Address/Number.  This stays the same because the TO: field doesn’t change between a DID and a non-DID user as can be seen above in the SIP Invite Messages section.  What does change between the DID and Non-DID user is the FROM: field.  Because of this, we need to change the Calling field.  In this Translation Rule, instead of choosing Calling Address/Number, we change the gateway to utilize Calling Numbering Type.  We choose H.323 ID or SIP as the Input Field Value.  For the Output to Nortel, we still specify Calling Numbering Type and choose the value as Unknown.  Now anything the gateway has a FROM: field specified as a SIP Address instead of a DID formatted in E.164, it’ll send it off as is to the Nortel which will then change the Caller ID to the office’s main DID number.

Option #2 Configuration (Lync Caller ID Supression)

What if Option #1 won’t work for you?  Your gateway guy doesn’t want to do it, your PBX guy doesn’t want to do it, your PBX can’t do it, etc…  Well, Lync 2010, again, provides a new option which previously didn’t exist in Office Communications Server 2007 or Office Communications Server 2007 R2.

In order to do to do this, we will need to create 3 new things:

1. Lync Voice Policy
2. Lync Phone Usages
3. Lync Voice Routes

By itself, Phone Usages don’t do anything.  They are only the secret sauce that links a Voice Policy to a Route.  If we take a look at our Lync Route, we can see the new option for Supressing Caller ID with a specific phone number. In this case, let’s assume +13125556666 is our main office DID.

In the above screenshot, we can also see that we have an Associated PSTN usage record of Non-DID.  We also have a Voice Policy assigned called Non-DID users.  For our DID users, they will be in a different Voice Policy that utilizes a Voice Route that does not have Supress Caller ID enabled.

If you decide to use this configuration, any non-DID users will have their FROM: field modified to +13125556666 once they are moved into the Non-DID Users Voice Policy.  Their SIP Invite message will now look this:

INVITE sip:+18002223333@lyncgateway.internalAD.domain.com;user=phone SIP/2.0
FROM: “Test, Elan”<sip:+13125556666@collocatedFEMediation.internalAD.domain.com;user=phone>;epid=AA4B5C1773;tag=d57257363e
TO: <sip:+18002223333@lyncgateway.internalAD.domain.com;user=phone>

So with Option #2, we will end up with the following:

DID Users

• DID Voice Policy
• DID Phone Usage assigned to DID Voice Policy
• DID Phone Usage assigned to DID Voice Route with no Caller ID Suppression linking the DID Users to the DID Voice Routes

Non-DID Users

• Non-DID Voice Policy
• Non-DID Phone Usage assigned to the Non-DID Voice Policy
• Non-DID Phone Usage assigned to the DID Voice Route with Caller ID Suppression linking the Non-DID Users tot he Non-DID Voice Routes

For more information on Phone Usages and Voice Policies, see this excellent article written by Ken Lasko here.

Elan Shudnow :: Mar.03.2011 :: Lync 2010 :: 21642 Comments »http%3A%2F%2Fwww.shudnow.net%2F2011%2F03%2F03%2Flync-2010-enterprise-voice-did-vs-non-did-users%2FLync+2010+Enterprise+Voice+DID+vs+Non-DID+Users2011-03-04+03%3A27%3A38Elan+Shudnowhttp%3A%2F%2Fwww.shudnow.net%2F%3Fp%3D2164

One of the new features in Lync 2010 is the ability to provide Lync clients enhanced privacy controls.  What this provides is the ability for Lync users to restrict their presence to users who are in their contact list.  By default, this feature is not enabled.  You may think to yourself, why?  Well, it’s because OCS 2007 R2 users can connect to Lync Server 2010 if the Client Policies allow for it.  Communicator 2007 R2 does not provide the capability to set these enhanced privacy controls.  It is because of this, you will want to make sure all users are utilizing Lync 2010 in the organization prior to enabling Enhanced Privacy Controls.  If for whatever reason, you have enabled enhanced privacy controls for a user, and they happen to downgrade to Communicator 2007 R2, these privacy settings are lost which is why it is important to restrict the ability for Communicator 2007 R2 users to be able to connect to Lync Server 2010.

To check what the current configuration is set at, we can run the following command:

We can see the EnablePrivacyMode is configured to False.

In the Lync 2010 client options, we see there are no options to prevent anybody from seeing our presence if they are not on our contact list.

But let’s say our Client Policies are preventing Communicator 2007 R2 clients from connecting.  We can set Privacy Mode to true.  Keep in mind, in order for Response Group Agents to receive Response Group calls, they will need to add their Response Group Agents to their contact list.  The Response Group workflow creation process creates a Response Group contact object in Active Directory.  Because of this, there is nothing special you have to do.  It will be as simple as utilizing the search feature in Lync 2010 just like you were trying to find any other user, and adding the Response Group user/contact to the Response Group agent’s contact list.

Now to enable Enhanced Privacy mode, we run the following command:

Because Lync 2010 clients retrieve this mode through in-band provisioning, it will be necessary for Lync 2010 clients to log off and log back in.

Once users have logged back in, we can go back to the Lync 2010 options, go to status, and we see some new options.

We can now see the options look different.  By default, only people in the user’s contact list will be able to see their presence.

To illustrate what this looks like, I have two users:

• Elan Shudnow
• Elan Test

On the Elan Test account, I have Elan Shudnow added to the contact list.  But Elan Shudnow is showing up as Offline.  In fact, Elan Shudnow is actually set to Available.  Elan Shudnow just doesn’t have Elan Test as a contact.

I will now go ahead and add Elan Test as a contact to the Elan Shudnow account. Once doing so, I immediately see Elan Shudnow’s presence go to Available without doing a single thing on the Elan Test account.

Elan Shudnow :: Feb.07.2011 :: Lync 2010 :: 214216 Comments »http%3A%2F%2Fwww.shudnow.net%2F2011%2F02%2F07%2Flync-2010-enhanced-privacy-controls%2FLync+2010+Enhanced+Privacy+Controls2011-02-07+14%3A15%3A48Elan+Shudnowhttp%3A%2F%2Fwww.shudnow.net%2F%3Fp%3D2142

General Information

I just migrated a OCS 2007 R2 Edge on Windows Server 2008 last night to Lync Edge 2010 Edge on Windows 2008 R2.  All I can say is, it was a less than pleasant experience if you’re doing federation.  This is not a native Lync problem per se, but is more due to Windows 2008 R2; of course, this depends on your Outlook.

The migration process to migrate an OCS 2007 R1 Edge to Lync 2010 Edge is documented at the following URL:

http://technet.microsoft.com/en-us/library/gg425785.aspx

The migration process to migrate an OCS 2007 R2 Edge to Lync 2010 Edge is documented at the following URL:

http://technet.microsoft.com/en-us/library/gg398413.aspx

Note: The migration steps are in different locations.  The R2 migration documentation has you migrating federation and Media at the same time as an R2 Edge can do media for a Lync Pool.  The R1 migration documentation has you configuring Lync to use Lync Edge for Media while R1 Pool uses R1 Edge as an R1 Edge cannot do media for a Lync Pool.  Then, at a later time after all pools have been migrated, you cut over federation.

The Issue

The general issue is that Windows 2008 R2 has much fewer root certificates installed than does a Windows 2008 or previous operating system version.  In fact, Windows 2003 even has many more root certificates than Windows 2008. This doesn’t seem like a good trend going forward. Let’s take a look at a comparison between Windows 2003, Windows 2008, and Windows 2008 R2:

Windows 2003

Windows 2008

Windows 2008 R2

You can see, the amount of root certs has gone down drastically.  Now the problem is that when doing federated communication from our Lync 2010 Edge Server to other partners, the communication will occur using TLS.  This means the federated partner needs to contain the root certificate for our external edge certs and our Lync Edge needs to contain the root certificate for our federated partner’s external edge certs.  As you can see, Windows 2008 R2 doesn’t contain many root certs so this presents more risk for federated communication failures.  And… this is exactly what we saw.

What we actually saw is many of the following errors for many different federated organizations:

As we can see, we’re missing the root certs to communicate properly with our federated partners.  What to do?  Well… the solution is actually relatively simple.

Open up one MMC console but add 2 certificate snap-ins.  One is local on the Lync 2010 Windows 2008 R2 Edge and one is remotely connected to either a Windows 2003 or a Windows 2008 Server.  From the Remote 2008 or 2003 box, in the Trusted Root Certification Store, copy root certs (don’t cut as you still need them on the remotely connected machine) and paste into the Trusted Root Certificate Authorities store on your Lync 2010 Windows 2008 R2 Edge Server.

Afterwards, you will now have a Lync 2010 Windows 2008 R2 with the proper Trusted Root certificates in order to negotiated TLS with your federated partners.   One thing to keep in mind, you may still be missing a root cert after doing this.  You can still monitor 14428 event entries on your Lync 2010 Server 2008 R2 Edge and see what certificate vendor they are using.  Then go hunt down that root certificate on either a Windows 2008, Windows 2003 Server, or via the CA vendor’s website.

Elan Shudnow :: Feb.01.2011 :: Lync 2010 :: 216612 Comments »http%3A%2F%2Fwww.shudnow.net%2F2011%2F02%2F01%2Flync-2010-edge-utilizing-windows-server-2008-r2-federation-tls-issues%2FLync+2010+Edge+Utilizing+Windows+Server+2008+R2+Federation+TLS+Issues2011-02-01+21%3A16%3A52Elan+Shudnowhttp%3A%2F%2Fwww.shudnow.net%2F%3Fp%3D2166

In Lync 2010, you may see some Response Group warnings such as the following:

These warnings happen only if you click on the Refresh button for either Workflow, Queue, or Group.

Taking a look at the Response Group traces done by using Lync Logger, we can see the following error:

We can see the warning is occurring because the Lync 2010 Control Panel is going through every Lync site and checking to see whether is has an Application Database associated with it.  This includes the BackCompatSite.  For those that don’t know what the BackCompatSite is, when doing a migrate from either OCS 2007 R1 or OCS 2007 R2, Lync 2010 sees the legacy Communications Server servers and inserts it into a site called BackCompatSite. The problem though, is that OCS 2007 R1 or R2 does not have an Application Database specific for Response Groups.  It stores Response Group information inside databases that are shared with other OCS functionality.  Beginning in Lync 2010, Response Group information is stored in its own two application databases called rgsconfig and rgsdyn as you can see in the following screen shot:

So if you are seeing these warnings, it is a display issue only, does not hinder functionality of Lync 2010, and you can safely ignore these warnings.  In fact, once you are completely finished migrating from OCS 2007 R1 or R2, one of the final steps is that you can delete your BackCompatSite site after you have decommissioned your OCS 2007 R1 or R2 servers. Once you have done so, these warnings will go away since there’s no BackCompatSite site to check and find that there’s no Response Group application database.

Thanks to Geoff Clark, a Microsoft Escalation Engineer for figuring this one out.

Elan Shudnow :: Jan.30.2011 :: Lync 2010 :: 21481 Comment »http%3A%2F%2Fwww.shudnow.net%2F2011%2F01%2F30%2Flync-2010-response-group-warnings%2FLync+2010+Response+Group+Warnings2011-01-30+19%3A34%3A09Elan+Shudnowhttp%3A%2F%2Fwww.shudnow.net%2F%3Fp%3D2148

Read the Office Communications Server 2007 R2 version of this article here.

There are several ways in which we can utilize Audio/Video streams in Lync Server 2010.   If you have read my Office Communications Server 2007 R2 article, you will see the first part of this article will show that the methods in which you restrict ports and the amount of flexibility in Lync Server 2010 has vastly changed.  You will also see that the second half of this article is identical to Office Communications Server 2007 R2 as the method in which clients connect is identical.

There aren’t really any places out there that describe how the media session works in different circumstances for Lync Server 2010.  For example, what servers and ports are utilized when doing Audio/Video through legacy clients or Lync 2010 based clients. How do we configure Lync Server 2010 to restrict port usage for various modalities?  How can we configure this for legacy clients?  How can we configure this for native Lync Clients? How about when you do a peer to peer with both users being internal to the network?  How about both users being external to the environment and connecting through the Edge?  How about when you do a peer to peer with one user being internal and one user being external?  Want to know?  Read on…

Media Ports and Restricting Amount of Ports Being Used

The first thing to understand is that in Lync Server 2010, when a user attempts to activate any type of audio and/or video, they first attempt a peer to peer session.  The ports utilized here are TCP/UDP 1024-65535.  At least that’s what the documentation says as you can see here.  This actually isn’t entirely true.  If you do a Get-CSConferencingConfiguration you will actually see that they’re not using that entire range.  It’s just that it’s supported to utilize that entire range. The ports that are actually utilized by default start at 5350.  Later in this article, when we take a look at Set-CSConferencingConfiguration, we take a look at the default ports.

If you want users to utilize peer to peer audio while internal to the network, you must ensure that this port range is open even if users are in different sites. But what if you don’t want this entire port range open between your sites?  You can utilize in-band provisioning  to limit the amount of ports that are being used.  This is very different than how it was configured in OCS 2007 R2.  OCS 2007 R2 utilized Group Policies to set these options whereas in Lync, it uses Client Policies which in turn, provide Lync clients settings via in-band provisioning.  You can read up on how Client Policies work on my previous article here.

In order to allow Lync to push the information on port restrictions to client’s, you must first enable Lync Server to do so by running the following command:

Legacy Clients

When migrating to Lync Server 2010, you can use Lync 2010 Client or the Office Communicator 2007 R2 Client.  When utilizing the OCS 2007 R2 infrastructure, you would use Group Policy to configure Media Port restrictions.

These two settings include:

• PortRange/MaxMediaPort
• PortRange/MinMediaPort

The above group policy settings modify the following three registry keys:

• HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Communicator\Portrange\Enabled REG_DWORD 1
• HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Communicator\Portrange\MaxMediaPort REG_DWORD 40039 (for example)
• HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Communicator\Portrange\MinMediaPort REG_DWORD 40000 (for example)

In Lync Server 2010, there is an equivalent property that provides this Media Port Range restriction to legacy clients. The Lync Server 2010 PowerShell cmdlet used is Set-CSConferencingConfiguration.  So let’s take the above command and make sure that when upgrading to Lync Server 2010, Lync Server 2010 provides the legacy clients the same port restrictions:

The above command will set the starting Media (audio/video/etc.) port to 40000 and allow the next consecutive 40 ports to be used for media.  This will be the equivelant of 40000 as the MinMediaPort and 40039 as the MaxMediaPort.  Again, this should be within the supported 1024-65535 range as mentioned earlier in this article.

Configuring Native Lync Clients Dynamic Port Ranges

Lync now has the ability to utilize different in-band provisioning settings for several different modalities; not just Audio/Video.  The following are modalities you can separately configure port ranges for:

• Application Sharing:
  Set-CSConferencingConfiguration -ClientAppSharingPort <beginning of port range (5350 by default)> -ClientAppSharingPortRange <extent of port range, at least 40 (40 by default)>
• Audio:
  Set-CSConferencingConfiguration -ClientAudioPort<beginning of port range> -ClientAudioPortRange <extent of port range, at least 20 (40 by default)>
• Video:
  Set-CSConferencingConfiguration -ClientVideoPort <beginning of port range> -ClientVideoPortRange <extent of port range, at least 20 (40 by default)>
• File Transfer:
  Set-CSConferencingConfiguration -ClientFileTransferPort <beginning of port range> -ClientFileTransferPortRange <extent of port range, at least 20 (40 by default)>
• Dynamic SIP (Client Side SIP Ports):
  Set-CSConferencingConfiguration -ClientSIPDynamicPort <beginning of port range> -ClientSIPDynamicPortRange <extent of port range, at least 20 (40 by default)>

As you can see, the first 4 modalities above are all set to have a default starting port of 5350 and use 40 ports. This is the recommended configuration and allows you to restrict all modalities to 40 ports which would the equivalent of what the configuration in OCS 2007 R2 would look like.  It’s just now, you have more granularity should you decide the need to do so.  You can certainly utilize a larger port range as needed or even use different port ranges for different modalities. Key thing to remember here is that in order to support QOS for clients, each modality needs to have a separate port range.

Note: For immediate application of these settings, service restarts are required.

Configuring Server Dynamic Port Ranges including QOS

The following three modalities are utilized by QoS:

• Application Sharing
• Audio
• Video

To ensure Port Ranges are restricted for QoS reasons, each modality above needs to be unique.  By default, on a server, Audio and Video are already unique.  Application Sharing is not.  If Application Sharing QOS is not required, there is no need to change Application Sharing to utilize a unique port range.

For a Front End Server or a stand-alone A/V Conferencing Server:

For a Mediation Server:

For an Application Server:

For an Edge Server:

You can also configure dynamic port ranges for the Web Server functionality.  This will not be beneficial from a QOS standpoint but rather will be beneficial if you want to restrict the ports down to a certain range.  For example, if you wanted to lock your firewall down.  The command for a Web Server would be:

Audio/Video Connectivity Scenarios

The following list contains a list of media connection scenarios in Lync Server 2010.  I do not talk about Media Bypass as I have written a previous article on it.  In short, Media Bypass allows Lync 2010 client endpoints to communicate to a gateway via G.711 directly instead of sending the media to a Mediation Server.  For more information on Media Bypass, please view my other article here.

Two Users Internal to the Network (media ports open)

When these two users are internal , they will attempt peer to peer.  Because they can successfully connect to each other, they utilize peer to peer media.  This is why OCS scales pretty high; because a lot of connections are one to one which means that peer to peer media connections are never bridged through the server.  Because these users connect directly to each other for media, they have no need to connect to the Edge.

Note: The red arrow signifies a successful media connection only.  The diagram does not reference any other signaling such as SIP.

Audio/Video through the Web Conferencing Server

When users are connected through On-Premise Web Conferencing and activate Live Meeting (when internal or external… doesn’t matter), they are connecting directly through the Front End’s Conferencing MCU’s.  Because of this, even when it’s two users, the user’s are still connecting to the Front End MCUs.  If both user’s are external, they still connect through the Front End MCUs but are proxied through the Edge Server.

Note: The red arrow signifies a successful media connection only.  The diagram does not reference any other signaling such as SIP.

Two Users Internal to the Network and Any Users External to the Network

As previously stated, any time you have more than two users, peer to peer is no longer utilized and users always connect directly to the MCU on the Front End Servers.  This means that both users internal to the network will connect to their Front End server(s) and the external user will connect to the Front End server as well utilizing the Edge Server for proxying to the Front End.  There is absolutely no peer to peer connectivity in this situation.

Note: The red arrow signifies a successful media connection only.  The diagram does not reference any other signaling such as SIP.

Two Users on the Internet

When these two users are external , they will attempt peer to peer.  Because they can successfully connect to each other, they utilize peer to peer media.  This is why OCS scales pretty high; because a lot of connections are one to one which means that peer to peer media connections are never bridged through the server.  Because these users connect directly to each other for media, they have no need to connect to the Edge for Audio/Video.  You will still see the user connected to the Access/Edge over port 443 and/or 5061 (if these are your remote access port and federation port if you are using federation).  When users are connected through On-Premise Web Conferencing and activate Live Meeting, they are connecting directly through the Front End’s Conferencing MCU’s.  The Front End will have a certificate that contains the Pool Name and will/can contain SAN names for additional SIP domains that you may contain.  Because of this, SAN names are supported on Front End Servers.

Note: The red arrow signifies a successful media connection only.  The diagram does not reference any other signaling such as SIP.

Two Users Internal to the Network (media ports closed)

When these two users are internal , they will attempt peer to peer.  During their ICE negotiation, as previously stated, they will know the Internal Edge NIC in case their peer to peer connectivity fails. Because they fail to connect to each other, they will connect to the internal Edge NIC over either UDP 3478 or TCP 443.  ICE has a mechanism where it will test a lot of candidates to see where connections should be made.  ICE will test UDP 3478 and TCP 443 in parallel and if UDP 3478 works, the client will receive UDP 3478 due to it having less overhead.  If UDP 3478 does not work, the client will receive TCP 443.

If you anticipate on blocking ports between your users, make sure your Edge Server can scale high enough to deal with the amount of Audio/Video connections it will be handling.  To block one of your sites from doing peer to peer with other sites, block the peer to peer port range (discussed at the beginning of this article) from that site and block that site from communicating over UDP 3478 and TCP 443 to the Edge Server.  This will prevent clients from doing any type of media communication from user’s outside of their own site.  If you want to allow them to do peer to peer for users in some sites, modify the firewall ACLs accordingly for those sites.

Note: Diffserv markings for Quality of Service (QoS) are lost through an Audio/Video Edge Server.

Note: The red arrow signifies a successful media connection only.  The diagram does not reference any other signaling such as SIP.

One User External and One User Internal

When one user is internal and one user is external , they will attempt peer to peer but not in the same sense as in two internal users. The external user will hit TCP 5061 to the Access Edge Server and will be provided with either UDP 3478 or TCP 443 for the Audio/Video Edge.  As stated earlier, UDP 3478 is preferred even if the connection test for TCP 443 and UDP 3478 were successful in testing.  If you attempt a telnet edgeserver.domain.com over the Internet, telnet will fail to connect.  This is because telnet uses TCP.  You can do a netstat -an to see your server listening on UDP 3478 and utilize a different program such as netcat which can attempt telnet to UDP by using netcat -u host 3478.  More information on netcat here.

Moving on… we see that the user will connect to the A/V Edge over UDP 3478 or TCP 443, but what about the internal user?  Because this is technically peer to peer, the internal user will NOT connect to the MCU on the Front End but will instead connect directly to the A/V Edge Server’s Internal NIC over UDP 3478 or TCP 443 as well.  The Front End A/V MCU will not be used in this scenario.  When you add a 3rd person to the conversation, the external user will connect to the Front End Server’s A/V MCU in which the A/V Edge will proxy this data for the user, and the internal users will connect to the Front End A/V MCU instead of the Internal Edge NIC.

Note: Diffserv markings for Quality of Service (QoS) are lost through an Audio/Video Edge Server.

Note: The red arrow signifies a successful media connection only.  The diagram does not reference any other signaling such as SIP.

Elan Shudnow :: Dec.06.2010 :: Lync 2010 :: 208846 Comments »http%3A%2F%2Fwww.shudnow.net%2F2010%2F12%2F06%2Flync-server-2010-port-ranges-and-audiomedia-negotiation%2FLync+Server+2010+Port+Ranges+and+Audio%2FMedia+Negotiation2010-12-06+05%3A56%3A08Elan+Shudnowhttp%3A%2F%2Fwww.shudnow.net%2F%3Fp%3D2088