About Me

TsooRad is a blog for John Weber. John is a Skype for Business MVP (2015-2016) - before that, a Lync Server MVP (2010-2014). My day job is titled "Technical Lead, MS UC" - I work with an awesome group of people at CDW, LLC. I’ve been at this gig in one fashion or another since 1988 - starting with desktops (remember Z-248’s?) and now I am in Portland, Oregon. I focus on collaboration and infrastructure. This means Exchange of all flavors, Skype, LCS/OCS/Lync, Windows, business process, and learning new stuff. I have a variety of interests - some of which may rear their ugly head in this forum. I have a variety of certifications dating back to Novell CNE and working up through the Microsoft MCP stack to MCITP multiple times. FWIW, I am on my third career - ex-USMC, retired US Army. I have a fancy MBA. One of these days, I intend to start teaching. The opinions expressed on this blog are mine and mine alone.

2017/05/20

Windows 10 Battery Life

The Issue

I use a Lenovo Yoga 14 for my personal stuff.  A few weeks ago I ran updates.  I noticed that battery life dropped from nearly 10 hours to less than 3.  Closing the lid puts the Yoga to sleep, so opening it is a breeze and I have a working desktop in about 20 seconds or less.  After the updates, closing the lid still did the sleep thing, but on opening the lid the Yoga was dead.

The Problem

So, I started poking.  I discovered the latest rounds of updates had installed a Lenovo Screen Updater.  Holy Battery Drain.  The CPU was grinding away at 50%+ constantly.

The Fix

Remove it.  Now I get this here:

image

Seeing as how this was associated with the touch screen concepts, I imagine that this might help Win7, Win8, Win 8.1, et cetera – anything else that runs a touch screen with Lenovo and Windows.

YMMV

2017/05/18

Stupid SfB Tricks

In a fit of angst, today I recreated the infinity mirror exercise from several years ago.

Yes, I was testing with a customer and not just bored.

image

YMMV

2017/04/19

New SfB SE won’t start

Usually I see this problem with EE pools, but in this case I have now seen it with two different SE installs.

The Problem

RTCSRV won’t start.  It just sits there for a bit, like 10 minutes and claims it is “Starting”.  Then the service status goes to “Stopped”.

Nothing in the event log, nothing shows in Powershell.  If you try to start from services.msc, it just sits there.  Nothing.

How did we get here?

A fairly locked down environment.  OK.  A severely locked down environment.  The tin-foil hat types have found a home in this place.  New install – new as in greenfield deployment.  Standard Edition installs, and before starting services for the first time, we ran the February 2017 CU into place.  All of that seemed fairly normal.

But the service won’t start.

The Fix

Again, I usually see this with EE pools, but here is what fixed it:

Reset-CsPoolRegistrarState -PoolFqdn poolfqdn.domain.com -ResetType FullReset

YMMV

2017/03/16

Skype Test Matrix

As part of a project, Thaddeus Kurowski (CDW) and I put together a Skype test matrix to ensure that the implementation worked as designed/expected.

You may find it useful as well.

https://gallery.technet.microsoft.com/Skype-Implementation-Test-e11edf07

YMMV.

Skype Edge Server and 2:1 NAT

This morning, we resolved an issue that I have never seen before, and hope that I never do.

The Background

I tell customers during design sessions that if there are existing network issues, Skype (or Lync) is going to find them.  If there is something a bit wonky, we are going to discover the wonkiness.  And here we go.

Skype edge with 1:1 Nat.  Public IP is 71.16.x.x.  Edge server is doing the classic 3 IP thing.  Remote logins are fine.  Everything seems to be ducky.  Except we cannot talk outbound. 

Go check all the network again.  Looks good. Check the topology, servers, IP assignments, paths.  All good.  Certificates, the common culprit behind one-way federation and presence, look good.  We are now scratching our heads.  We know now we are looking at something wonky, but what?

The Fix

I was under the impression that 1:1 NAT is 1:1.  But it turns out that a Watchguard Firebox is capable of doing 2:1 NAT.  Inbound to the Edge server worked because the firewall had 1:1 NAT from public to DMZ VLAN.  Edge trace logs showed subscriptions and connections timing out on the far side.  The connections were being made, just no return traffic.  No SYN.  Telnet client testing outbound from the edge server on 5061 and 443 worked.  Clearly inbound connections were working or there would be no remote logins.

As long as the traffic originated from outside the organization, things worked fine and the Edge server, via the 1:1 NAT was responding as expected to the source IP.  But traffic originating from INSIDE the organization was failing.  One way presence, presence unknown, cannot send to user, etc.  Apparently…

…according to www.ipchicken, the Watchguard was sending all traffic from the DMZ external VLAN out via a completely separate set of addresses!  HUH?  Whaaaaat?  So inbound would work, but outbound went out on a separate address?

So their firewall guy fixed that, we are back to 1:1 NAT and all is good. Something to be aware of, eh? Go figure.

YMMV

2017/03/15

Inbound Call Failures due to TCP configuration

I will not attempt to embellish this content past commenting that this call failure is not common.  I have rarely seen it, most likely because my implementation practice for upgrades is to match system settings before testing.

Having said that, I think I would have thought the initial setup described here would have worked.  But apparently not.  Inbound calls follow the original port.  Something to be aware of.

Thanks to Josh Walters, CDW Senior Consulting Engineer for writing this up for us.

YMMV

Scenario: 

Customer is deploying a new 3-node Skype for Business Enterprise Pool to replace their existing 2-node Lync 2010 Enterprise pool.  Enterprise voice is enabled in Lync 2010 and Lync call traffic is directed inbound from their PRI and delivered to an Avaya Session Manager appliance, then it is delivered to Lync.  Internal call flow functions as below:

PRI --> Avaya Aura System Manager --> Lync 2010 Enterprise Pool

After deploying the new Skype for Business FE Enterprise Pool, Edge Pool, and Back-End we decided to migrate a test user who was enabled for Enterprise Voice to the new Skype for Business Pool and test call flow with the new infrastructure.  The new expected call flow should function as below:

PRI --> Avaya Aura System Manager --> Lync 2010 Enterprise Pool --> Skype for Business Enterprise Pool

After moving the user, the user was able to successfully place an outbound call to both internal and external recipients but was unable to receive an inbound call.  When attempting to dial the Line# for the migrated user we were being routed directly to Voicemail (Exchange 2010 Unified Messaging).  What gives? 

Inbound Traffic

Avaya Aura System Manager --TCP 5060--> Lync 2010 Enterprise --TCP 5060--> Skype for Business Enterprise

Outbound Traffic

Skype for Business --TCP 5060 or TLS 5067--> Lync 2010 Enterprise --TCP 5060 or TLS 5067--> Avaya Aura System Manager

Well, what we found was that Avaya was routing SIP traffic to Lync 2010 using TCP port 5060 only (as seen above).  When Lync 2010 received the SIP request it attempted to route the traffic to the Skype for Business pool where the user is homed and it tried to use the same port it received the traffic on, but we had not yet activated TCP on the Skype for Business pool for Mediation.  The Skype for Business pool was therefore rejecting the traffic and then sending the call to Voicemail. 

The fix:  Enable TCP (and make sure to use the correct port for YOUR environment) so that the Skype for Business pool is listening for traffic on said port.   After enabling TCP 5060 on the Mediation Server (Collocated) all inbound call routing for the user started working. 

clip_image002

clip_image004

2017/03/12

Reverse O365 SfBO Migration Failure

The Scenario

Existing Office 365 tenant successfully using SfBO. Exchange on-premises.  Azure AD Connect version unknown, but up and functional.  PBX with voice mail on-premises. We extended schema and installed SfB on-premises with Edge.  Modified the firewall to specification and attempted to get into hybrid. 

DNS mods were easy. Creating a test user and synching up to O365 went fine.  Enabling the test user for SfB went fine.  Another AAD sync and we were in business.  Moving the test user to O365 (so we could test moving back to on-premises) went just fine. And there the problems began.  Attempts to move the user back to on-premises failed with the following non-help message:

PS C:\Source\scripts> move-csuser -Identity sfb.test3@domain.com -Target domain-sfbfe01.domain.com -Credential $cred -HostedMigrationOverrideUrl https://admin0a.online.lync.com/HostedMigration/hostedmigrationservice.svc -Verbose
VERBOSE: CN=sfb test3,OU=hometown_Users,OU=domain_Users,DC=domain,DC=com

Confirm
Move-CsUser
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y
VERBOSE: Validating parameters for move operation.
VERBOSE: Calculating new server information for user [domain-sfbfe01.domain.com].
VERBOSE: Moving user [sip:sfbtest3@domain.com] across deployments.
VERBOSE: Creating source external move endpoint.
VERBOSE: Validating the hosted migration override URL provided:
[https://admin0a.online.lync.com/HostedMigration/hostedmigrationservice.svc].
VERBOSE: Retrieving web ticket URL.
VERBOSE: Retrieving live id token.
VERBOSE: Initializing source external move endpoint.
VERBOSE: Creating target external move endpoint.
VERBOSE: Initializing source external move endpoint.
VERBOSE: Validating user [sip:sfbtest3@domain.com] online, for on premises to online move.
move-csuser : Index was outside the bounds of the array.
At line:1 char:1
+ move-csuser -Identity sfb.test3@domain.com -Target domain-sfbfe01.domain.com -Credenti ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (CN=sfb test3,OU...,DC=domain,DC=com:OCSADUser) [Move-CsUser], IndexOutO
   fRangeException
    + FullyQualifiedErrorId : MoveError,Microsoft.Rtc.Management.AD.Cmdlets.MoveOcsUserCmdlet

"Index was outside the bounds of the array."

You know how many hits googlepedia produces for that?  None of them helpful.  So we triple-checked our work.  Reviewing the overall picture, it was apparent that there was some issue with the on-premises environment, but everything we looked at came up good.

The Root Cause

The root cause was that Azure AD Connect was installed and configured BEFORE extending the schema for SfB.  As it turns out in the end, Azure AD Connect does not refresh schema very well, if at all, unless you tell it to. 

And even then, maybe not. There is a button inside the miisclient (Synchronization Service Manager) that SAYS it will do it.  I mean, it clearly says “refresh schema”

image

…and the following message sure says it will…

image

But, guess what, that is not the case.

As you can probably guess, the root issue causing our migration failure was that the AAD Connect had no knowledge of the SfB attributes coming in with the online user.  Now, I would have thought they would have, seeing as how we were successful in installing SfB, creating a good on-premises user, and moving that user up into the tenant.  But no.

Interesting side note is that once we twigged onto the schema concept, using the button on AAD connector populated SOME values – we could see them.  But still moving back to on-premises failed.

The Fix

It seems that if you run "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADConnect.exe", you get a few options. Specifically, take a look at the third option from the top.

image

I do not pretend to know the difference between “refresh schema” in one location as opposed to the other, but I do know that running the “refresh directory schema” from this location, followed by a full synch on both connectors resolved our failed user moves.

Keeping your Azure AD Connect up to date might be helpful also and in theory the reinstallation process will trigger a schema refresh.  You can get a clean copy of that installer right here.

Of course, once you know what to look for, there is this also.

YMMV

2017/03/03

AudioCodes UC 3.0.x Office 365 MFA support

 

I feel a bit like Steve Martin

AudioCodes is due, very shortly I hope, to publish new firmware for the 440HD and 450HD phones (dare I hope for the 430HD also? 405? 405HD? 420HD?) that enables the device to do a web sign-in to an MFA-enabled Office 365 tenant account.  Wow, that was one long sentence.  My English prof at St Thomas Aquinas would beat me about the head and shoulders.  However, there it is.

Let’s walk through this process.

Update the firmware on the phone device. How you do that is up to you.  Personally, I used my IP Phone Manager Express.

My 440HD is at 3.0.1.89, my 450HD is at 3.0.1.63.214.  After getting the firmware updated, both devices appeared to be the same.  I am sure there is some detail that I did not notice, but they look the same to me.

Open either the web interface, or the phone screen, and start the sign-in process.

phone:

image

phone web interface:

image

select the web sign-in option….

image

What results from either method is this:

image

or

image

Inside the red box (which you will not get on your phone or browser screen) are the two critical pieces of information to complete the login process.  First is the URL http://aka.ms/sphone.  Go there with your code.

The code is not case sensitive.

So you go to the indicated URL and follow the prompts, then enter your code.  You will see where I did lower case while the phone and the browser GUI both indicated caps.

What follows is a bit round-about – but you get thrown into the office portal login…

image

and a redirect to the corporate AD sign-in…

image

and after working my way through the MFA routine, I get this:

image

after entering the requisite code… remember, not case sensitive, the page magically morphs to this:

image

Select continue, because I am assuming you WANT to get the device to work…and you get this

image

For you eagle-eye readers, you will note that now this page, which appears to look just like a few steps before now says I am signed in.  How nice.  Observing the device, I note that it SAYS it is logged in, but you know, it still looks pretty unusable at this point.  So, click on your account that was signed in…

image

Wala!

and now the device itself looks like the following – well, it will in a bit – patience padiwan!

image

BTW, you have 15 minutes to complete the web sign-in gymkhana.  If you blow the 15 minute limit, you will need to start over.

image

I am told, by a source who only spoke on the condition of anonymity (this makes me equal to all the reporters in any nation’s capital), that we can expect this new firmware code to be out in the wild sometime around the end of Q1 2017.

YMMV

2017/02/17

Server 2012 R2 KB2919355–WTF?

Last week, I innocently decided to build myself a new Server 2012 R2 image – and then sysprep it so I could easily spin up a new host for whatever I needed.

Yes, I know I could use Server 2016 – but the vast majority of my customers are using 2012 R2 – and what good is a lab exercise if it does not reflect what you will be doing in production?  So, off I go to build myself my squeaky clean image.

The install went so easy.  And then the update nightmare begins.  I have no idea why it has to be so &^%#$@! difficult.  It’s not like I am trying to do something that is way out there.  I just want to get all the operating system updates applicable up to and including today.

As we should know by now, Server 2012 R2 will go through multiple iterations of updates for a variety of reasons.  One of them being what some people called SP1 to R2 – specifically KB2919355.  Roughly 800MB of (eh?) goodness.  After that is another 190+ updates.

For my new image, KB2919355 refused to be seen, let alone install.  Dang.  Last time this happened I had to throw the server away.  Oddly, and why I am ranting today, is that the next server build, like 5 minutes later, went right through with zero issues.  This time, I resolved to figure it out rather than give in. 

Here is what I found.  This may or may not work for you.  It may or may not trip your trigger – you may just wish to throw things away and start the Server 2012 R2 Update Roulette game over again.

After doing some reading about the well-known issue that is KB2919355, I downloaded the components of the KB separately.  https://www.microsoft.com/en-us/download/details.aspx?id=42334. I also downloaded KB2919442 separately from here: https://www.microsoft.com/en-us/download/details.aspx?id=42162.

Then I installed/ran them in the following order:

  • kb2932046
  • kb2934018
  • kb2937592
  • kb2938439
  • kb2959977
  • kb2919442
  • clearcompressionflag.exe
  • Chant, light the candles, and spatter the chicken blood.  Reboot
  • kb2919355

Oh joy.  Only 190 more to go.
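The same sequence as a script, as an added example that is not from the original post. It assumes every download sits in one folder and matches files by the KB number in their names; the function name and the -Phase parameter are made up for this illustration.

```powershell
# Added example, not from the original post. Installs the packages in the
# order listed above, split around the reboot step.
function Install-Kb2919355Chain {
    param(
        [Parameter(Mandatory)][string]$Folder,   # folder holding the downloads (assumed layout)
        [ValidateSet('PreReboot', 'PostReboot')][string]$Phase = 'PreReboot'
    )

    if ($Phase -eq 'PreReboot') {
        $order = @('kb2932046', 'kb2934018', 'kb2937592', 'kb2938439',
                   'kb2959977', 'kb2919442', 'clearcompressionflag.exe')
    } else {
        $order = @('kb2919355')
    }

    # Resolve every file first so nothing is installed if a package is missing.
    $plan = foreach ($name in $order) {
        $file = Get-ChildItem -Path $Folder -File |
            Where-Object { $_.Name -like "*$name*" } |
            Select-Object -First 1
        if (-not $file) { throw "No file matching '$name' found in $Folder" }
        $file
    }

    foreach ($file in $plan) {
        Write-Host "Installing $($file.Name) ..."
        if ($file.Extension -eq '.msu') {
            # wusa.exe is the Windows Update Standalone Installer.
            $wusaArgs = @("`"$($file.FullName)`"", '/quiet', '/norestart')
            $proc = Start-Process -FilePath 'wusa.exe' -ArgumentList $wusaArgs -Wait -PassThru
        } else {
            # clearcompressionflag.exe is run as downloaded, with no arguments.
            $proc = Start-Process -FilePath $file.FullName -Wait -PassThru
        }

        switch ($proc.ExitCode) {
            0       { Write-Host '  installed' }
            3010    { Write-Host '  installed, reboot required' }
            2359302 { Write-Host '  already installed' }
            default { throw "$($file.Name) failed with exit code $($proc.ExitCode)" }
        }
    }

    if ($Phase -eq 'PreReboot') {
        Write-Host 'Reboot now, then run again with -Phase PostReboot.'
    }
}
```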

image

 

YMMV

2017/02/16

SfB Persistent Chat ChannelService.exe high CPU

Twice in the last two weeks, I have seen an SfB Persistent Chat server go bonkers over a topology publish action.  Specifically, it would seem that the topology publish action caused channelservice.exe to peg the CPU at 100% with the predictable result of a very sluggish server.

Tangential input and possibly related data points:

The fix was easy enough, in one case I did a stop-cswindowsservice followed by start-cswindowsservice.  In the other case I had to boot the box because PowerShell opened but never responded to any input.

Such is life.

YMMV

2017/01/05

SfB Online and AudioCodes handsets

As part of another process, I was browsing through the Skype OIP and Lync OIP sites…and noticed that only the AudioCodes 440HD was qualified for SfB Online.

Odd, says I.  My 450HD just worked.  So, I commenced to testing with the 405 and the 420HD that I happened to have handy.  Here is my firmware load per phone:

image

I then proceeded to use the web interface on each handset to modify the login to the UPN of an SfB online user.

SfBO login with each model shown was successful. Note the firmware version per handset. Test calls worked.  Transfer worked.  Holds worked.  All the basic features that I use worked just fine.

While the 405, 420HD, and 450HD do not show on the SfBO OIP, they clearly function as expected.

Nice to know, eh?

YMMV

YADR–AudioCodes 450HD

AudioCodes has a new phone, the 450HD – complete with a touch color screen. I have been using the 450HD as my desk handset now for a few weeks, and I like it a lot.  Form, fit, function, the 450HD has it all.  I am not sure if you can actually lay YOUR hands on one of these gems, but I am sure you will be able to soon.  In the meantime, let me present my opinion, so you can start salivating.

OOBE

What comes in the box?  I have an “optional” model number, because I got the AC adapter.  Other than that, this is what I got.

image

A wall mount?  Nice touch.  I did a project one time where the client had to go out and have all new wall mounts custom made for their new IP phones (different manufacturer).

Build Quality

As I have mentioned before, AudioCodes has great build quality.  The 450HD continues this tradition.  Very nice. The manual buttons feel good, and the touch screen responds well.  After I realized that I had to remove the screen protector thingy, the touch screen went from “responds well” to “most excellent.”

The Screen and Controls

image

Give it an extension + PIN or futz through getting your URI entered, and in you go. Once you are logged in you see this:

image

Notice the soft keys on the left.  There are four more available on the right side of the screen.  These soft keys are programmable via the web interface, the ini file for each phone, or right on the phone itself.  Using the phone itself also allows you to do a directory lookup and choose from that so no typing needed. Choosing the BLF options gives you presence on the contact…

image

…works with SfBO users…Wiley Coyote is SfBO and offline, Martin Luther is SfBO and available, while Chicken Hawk is on-premises and has gone into away status.  Works with federated contacts also.

image

Oddly, or perhaps by design, the user cannot change the button assignments unless the admin gives them access to the web interface.  And if I was to logoff, give you the phone, and you login to your domain with your user, the soft key assignments are then available to you too.  That might be good, that might be bad.  Something to consider if you ever have to decommission one of these units. I have elevated this issue to AudioCodes as I feel that these soft-buttons should follow the user, not the phone itself.

Having said that, I like the soft keys.  One button dialing is right up my alley.

Skype Integration

We have to talk about Skype – that’s why we’re here!  SfB logins were totally painless.  Extension + PIN code flew right through. I already mentioned the programmable buttons that work so well – and clearly the 450HD is working in concert with SfB for presence, making calls, directory lookups, etc.

Login with username and PW forces using the keypad with multiple pushes of each number to scroll through letters and symbols, etc.  YUK.  Where is the QWERTY keyboard this unit is screaming for?  I am told that it is coming.  In the meantime, I suggest the web interface is mucho better if your organization does username login.  I always advise my customers to use ext= format in SfB/Lync for this very reason (Not workable if you are SfBO).

Other than that, the 450HD is ready for SfB right out of the box, logs right in, functions as expected in a totally flawless manner.  The 450HD picked up the DHCP options, discovered the environment, and asked for an extension and PIN.  And connected.  Perfect.

With the current firmware (3.0.0.575.140), the 450HD will also log straight into an O365 account with zero squabbles.   Martin.Luther@tsoorad.net is a synced account to O365 enabled for mail and SfBO with a PSTN number assigned from Microsoft.  Logs in. Perfect.

image

Note that the phone did not get calendar connected.  I am assured that this will be resolved by EOM Jan 2017.

Also note that with a different user, the soft keys remain the same…

Calls out, calls in, audio quality with speaker or handset is most excellent.  I am about 1/2 deaf and I had no issues with volume or clarity. 

I just realized I used the word “perfect” twice in this section.  I was going to change that, but then I realized, it is the right word.  Live with it.

BToE

Download the BToE client from AudioCodes…extract and install..

image

…and then get your pairing code from the phone itself.

image

BToE integration went very smoothly, as expected.  In addition, I used a virtual machine that is guest on a VMware host that has no audio, but with BToE that VM cranked right up to using the 450HD as an audio source.  Mo’ perfect.

WebAdmin

The 450HD web interface is standard, totally functional AudioCodes fare.  You can probably figure it all out by just ratting through it without reading a thing.  AudioCodes has not yet published 450HD specific admin or user guides, but I am told that they are mere weeks away from providing a lovely document telling you just how to configure each and every nuance of this new product.

IPP Manager

The 450HD is fully supported by the IPP Manager.  If it works in the IPP Express version, then it will work in the full IPP version also.  So nice.

What’s Missing

I have already pointed out the QWERTY keyboard and the calendar connection to the O365 tenant account. On the phone, select the “MENU” button, select “settings” and then scroll down a bit, and the LCD Contrast and Backlight Timeout are “not implemented” (yet) – but other than that, the 450HD I have is ready for prime time.

And considering that I was shipped a preview beta unit, gees, only three things?  And I am told both are coming before GA.

Summary

AudioCodes has a color phone – with some very nice features – ready to go with SfB on-premises and also with SfB online.  Clean, functional, well-built, great audio.  POE or wall power, pass through switch for your desktop. USB for headset or hockey puck. Did I mention the color screen?  Did I mention it worked OOBE with me doing nothing?  Works with SfB Online (yes, I mention that twice in one paragraph).

Considering that this unit is not in GA yet – what was that word up above?  Oh yes, it starts with a “P”.

You can get one here.

YMMV

2016/12/27

Server and Client OID with Skype (Lync 2013) Edge

The following is firmly in the “unsupported” range of topics. Follow this line of thinking at your own risk. Don’t blame me or anyone else should this go sideways on you. If this does not bother you, read on.

Scenario

I am working a side project that involves connecting Jabber and Lync 2013 (SfB would work also I suspect) using a mix of the Cisco guidance and Lync 2013 documentation. The intent is to create an inter-domain federation using Lync 2013 Edge services on one side, with the Jabber organization presenting services via an ASA using an ASA feature that provides a TLS proxy. Interesting, yes? Notice that I did not invoke the phrase XMPP. As in the XMPP is not being used. And this is IM/P only.

Here is what we are doing:

image

 

Why are we here?

Without stepping too far out on the edge of the cliff, this article is going to concern itself with one element of this construction – namely the requirement to establish the TLS connection between the ASA doing TLS proxy, and the Lync 2013 Edge server (or servers). Basically, it works as you would expect, however, the ASA is looking for a certificate that has both client and server OID codes. And it needs to trust the issuing CA.

Using a certificate from a public authority – well from DigiCert at any rate – will fill this requirement for you (I don’t have a cert handy from another vendor)(oops, I spoke too soon. Entrust, GoDaddy, and Verisign all do it also, but you should check your vendor to make sure). If you are doing a one-off, then you might be using your internal Windows Certificate Authority, which does NOT issue this duality by default. Nor does the standard certificate request generated by the Lync (SfB) wizard prompt you for this requirement – basically because it has no clue as to what you are fixing on doing!

So, what to do? Well, if you have a Windows Enterprise CA, then you are in luck. If you have the standard version, some bright individual will have to figure out how to make a standard edition CA allow for templates. No, I am not that bright.

With your Windows Enterprise CA firmly in hand, open the template editor.

clip_image001

Then, copy the existing “Web Server” template…

clip_image002

Change things around as needed… I don’t know all the implications of making random changes – so tread carefully on some of these items….

But, on the General Tab, you will want to change the “Template display name”, and the “Template name” to something easy to remember. In the “Template name” I suggest using something with no spaces…maybe like this?

clip_image003

After that, head over to the “Extensions” tab…select the “Edit” button…

clip_image004

Select “Add”

clip_image005

Select Client Authentication, and click the obvious button marked “OK”

clip_image006

OK again…

clip_image007

And, one more time on the “OK” button…

clip_image008

So, close the template manager, then right click “Certificate Templates” and choose New | Certificate Template to Issue…

clip_image009

From the resulting list, choose whatever it is that you called your new template, and do the “OK” thing…

clip_image010

…and now we have our squeaky clean new template ready for you to use. Finally.

clip_image011

Skype

Let’s now turn to the real reason we are here, and use this new template to get a certificate for our Edge Server. Yes, usually we will do a public cert, and we have already proved that the major public CA issuers will give us what we want – but we do need to test this in lab first – or you may be doing a one-off, yes?

Open the SfB Deployment Wizard… get yourself over to step three of “Install or Update Skype for Business Server System” and lean on the “Run Again” or “Run” option…

clip_image013

Select the external group, and do “request”…

clip_image015

Adjust the parameters to meet some common-sense items – like shorten up that friendly name – holy crap – but remember that you need the “Advanced” button down at the bottom…

clip_image016

Prepare request now, but…

clip_image017

Specify a file name…

clip_image018

Gees. Finally we are where all this has led up to!

Specify your alternate template name now. And if you did not heed the advice to use a name with no spaces, my guess is going to be caps count, and don’t use the spaces. Cleverly, having run into this before, I know not to use long certificate template names and long CA names. Adelante! If you have been reading along (or not) you will see that my modified template name is WebServerAndClient…

clip_image019

…which plugs into the SfB Deployment Wizard thusly:

clip_image020

At this point, you can proceed normally. At last.

 

Clean it up

If you do use an internal certificate source for the outside of your edge server, you will need to provide a copy of the trusted root that issued your Edge certificate to anyone who is wanting to connect – hence the reason we use public certificates.  But, for our scenario, we placed the issuing root cert onto the ASA and wala!

 

Summary:

For whatever reason, you want to get a certificate for your SfB/Lync Edge Server that has both server and client OID authentication. We can be fairly certain that public CA providers provide certificates with both by default. Windows Enterprise Certificate Authorities do not provide both OID’s by default – you must create and publish a custom certificate template. And we showed how to use that custom template with the SfB deployment wizard.
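One way to confirm that an issued certificate really carries both OIDs before it goes onto the Edge server, as an added example that is not part of the original post. The two sample certificates are constructed in memory and self-signed, the subject names are placeholders, and CertificateRequest needs PowerShell 7 or .NET Framework 4.7.2 or later.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Added example, not from the original post.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication

function Get-EkuReport {
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)

    # 2.5.29.37 is the Enhanced Key Usage extension.
    $raw = $Certificate.Extensions |
        Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
        Select-Object -First 1

    $oids = @()
    if ($raw) {
        # Re-decode the raw extension so the OID list is always available.
        $eku  = [X509EnhancedKeyUsageExtension]::new($raw, $raw.Critical)
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    }

    [pscustomobject]@{
        Subject       = $Certificate.Subject
        HasEku        = [bool]$raw     # $false means no EKU restriction at all: review by hand
        ServerAuth    = $oids -contains $ServerAuthOid
        ClientAuth    = $oids -contains $ClientAuthOid
        UsableForBoth = ($oids -contains $ServerAuthOid) -and ($oids -contains $ClientAuthOid)
    }
}

# Builds a throwaway self-signed certificate in memory (constructed sample input).
function New-SampleCert {
    param([string]$Subject, [string[]]$EkuOids)

    $rsa = [RSA]::Create(2048)
    $req = [CertificateRequest]::new($Subject, $rsa,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)

    $usages = [OidCollection]::new()
    foreach ($oid in $EkuOids) { [void]$usages.Add([Oid]::new($oid)) }
    $req.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($usages, $false))

    $now = [DateTimeOffset]::UtcNow
    $req.CreateSelfSigned($now.AddMinutes(-5), $now.AddDays(1))
}

# Server-only EKU, as the stock "Web Server" template issues, next to a
# certificate shaped like one from the copied template with Client Authentication added.
$serverOnly = New-SampleCert 'CN=edge-serveronly.example.test' @($ServerAuthOid)
$dual       = New-SampleCert 'CN=edge-dual.example.test' @($ServerAuthOid, $ClientAuthOid)

$serverOnly, $dual | ForEach-Object { Get-EkuReport $_ } | Format-Table -AutoSize

# For a real certificate file (placeholder path):
# Get-EkuReport ([X509Certificate2]::new('C:\path\to\edge-external.cer'))
```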

YMMV

2016/11/02

Microsoft Teams goes Preview

For the past few months, I have had the privilege of participating in the testing of the Microsoft Teams offering that went public preview today.

I am not Mr. Persistent Chat. If nothing else, Persistent Chat was not going to make the jump to Office 365 – too many hurdles there.  Most of my projects have deployed Persistent Chat, and customers that need the feature set really get into it.  With that said, *I* don’t use it to any great extent – but I can see where the history of the conversation between many users can be very helpful – see IT projects, financial folks, etc.

So into the Office 365 breach steps the intrepid group responsible for Microsoft Teams.  IMHO, they have created a very nice application – one that I will use, if for nothing else, for each and every project I am on.  The meeting space alone is worth whatever the price of admission is.  I have tried the web app from IE, FireFox, and Chrome, and it works so well, it is almost scary.  Excellent work.  The desktop app is slick, and all content is homed in the cloud – so swapping between web-based and desktop is, as far as I can tell, seamless.

clip_image002

For those interested in some technical detail, here are the primary features:

  • Threaded, persistent chat organized by teams and channels (topics)
  • A team work space organized around tabs including conversation, files (integrated with SharePoint) and notes (integrated with OneNote), Office files, Power BI reports, and web sites
  • Private 1:1 and group messaging
  • Built-in voice, video and MeetUp capabilities
  • Emoji, stickers, giphys and custom memes
  • @mentions
  • Native integration to SharePoint, OneNote, and Office apps 
  • Over 65 out-of-the box 3rd party Connectors

Note the fourth item down.  Ooooh.  Aaaaah.  Nice beyond further comment.

clip_image002[5]

Interested?  Here are some links to get you going.

Introduction to Microsoft Teams:  This session will explain why Microsoft Teams is the chat-based workspace in Office 365.  With Microsoft Teams, all your team conversations and context - all the related files, notes and content - are kept together in one place and easily accessible by everyone on the team, with everything tightly integrated with the other Office 365 apps you use.  Learn how Microsoft Teams will help your team to communicate more effectively http://aka.ms/microsoft-teams-introduction

Deploy and manage Microsoft Teams:  This session will go into detail on what IT Pros need to consider when enabling Microsoft Teams for their users. We will walk through the process for rolling out Microsoft Teams and configuring the infrastructure, as well as taking a closer look at the supporting technologies for Microsoft Teams. http://aka.ms/microsoft-teams-deployment

https://products.office.com/en-US/microsoft-teams/group-chat-software

https://mva.microsoft.com/en-US/training-courses/introducing-microsoft-teams-in-preview-16877?l=1VQruH2AD_4001937548

How do I get this in my tenant?

Well, as you might expect, login to your tenant portal… and then go to Settings | Services & add-ins.  Scroll down a bit to “Microsoft Teams”  click.

image

Turn Teams on!

image

 

Select the features you want.  You want all of them.

image

All set!  Watch the vids!

Usually, I end with YMMV… but seriously, you are going to love this.