Thoughts on the discontinuation of support for SBCs in Exchange Online UM

July 19, 2017

ICYMI: https://techcommunity.microsoft.com/t5/Exchange/Discontinuation-of-support-for-Session-Border-Controllers-in/m-p/88228#M1134

Well, this is something I had heard about but kept hoping Microsoft would change their minds on. I get (kinda) the business decision around this. I’m sure the SBCs were costing a bunch of money, might have been having issues keeping the service quality where Microsoft wanted it, etc.

That said, I’ll be honest, I’m disappointed. I really feel like Microsoft is making a mistake here. Exchange UM always just “made sense” for many organizations. They already were using Exchange (whether Online or On-prem) so they essentially were paying double for any voicemail system. In recent years, I’ve moved solidly into the “Online” camp and for most organizations I don’t see the value in an on-prem Exchange deployment.

These organizations may not be ready for Skype for Business as a PBX (though I do hope they all get there). Exchange UM was just a very nice solution that worked well: you could have one voicemail platform as you planned your move to Microsoft, or it was a money saver for organizations.

With that, I want to call out a few things that might not have been so obvious in the announcement:

  1. If you decide to try Microsoft’s Option #3 (see the post at the top of this article), you will have to deploy a Skype for Business environment (if you don’t already have one). This will require you to pay for the Skype for Business Server licenses, Windows licenses, etc. Or you could potentially purchase something like AudioCodes Cloudbond to drop in as an appliance.
  2. If you have Skype for Business/Lync 2013 deployed already or you choose to deploy it in order to support Microsoft’s Option #3, you will need to EV enable your users. This will make it look to the end user like they can dial out from their Skype for Business client. This could be a confusing situation for users.
  3. If you EV enable your users, you will need to make sure you license them correctly. This means you need to have the Standard and Plus CALs for on-prem or, if you go hybrid with Online, you will need at least an E3 with Cloud PBX license.
  4. This last one is a gut feeling but my guess is that Exchange UM is just going to go away and this is the first step. Even moving towards Microsoft’s Option #3 without a plan to move to Skype for Business as a PBX is probably just throwing good money after bad and you will have to change again sometime in the near future (within 2-3 years). Microsoft has already moved away from Exchange UM for Cloud PBX users. Exchange UM hasn’t been developed on for quite some time. My feeling is that it will go away and Cloud Voicemail will take its place.

These are all just my thoughts and reactions after taking a night to sleep on it. I could be wrong on some (or all) of the above statements so take this opinion piece as just that, opinion.

UPDATE:

Some good discussion about this post happened over on LinkedIn: https://www.linkedin.com/feed/update/urn:li:activity:6293444093079019520/?commentUrn=urn%3Ali%3Acomment%3A(activity%3A6293444093079019520%2C6293484439532027904)

Also, AudioCodes has released a solution for Options 3 and 4: http://online.audiocodes.com/exchange-online-unified-messaging-x-um

Categories: Uncategorized

Skype for Business Mac Client Released

October 27, 2016

Hot off the presses, the new Skype for Business Mac Client was released today. You can get it here: https://www.microsoft.com/en-us/download/details.aspx?id=54108

You can read the FAQ here: https://support.office.com/en-us/article/FAQ-Skype-for-Business-on-Mac-878fff6e-fc22-4917-870a-584478cb55ef?ui=en-US&rs=en-US&ad=US&fromAR=1

A few key notes:

  • Need El Capitan or later
  • No support for Pchat
  • Works with Lync 2013, Skype for Business and Skype for Business Online

*UPDATE*

Known issues: https://support.office.com/en-us/article/Known-issues-Skype-for-Business-on-Mac-494ac5d5-50be-4aa7-8f5a-669c71c98c9a?ui=en-US&rs=en-US&ad=US

If you have been using the Preview Client, you will need to uninstall it before you install the GA client.

Client Comparison table: https://technet.microsoft.com/en-us/library/dn933896.aspx

Support: https://support.office.com/en-us/skype-for-business#OS_Type=Mac

If you are interested in hearing more about the new client and are in the Denver, CO area, come to the Colorado UC User Group on November 10th, 2016. You can get more details at http://www.coucug.org.

Categories: Uncategorized

Skype for Business at VMworld 2016

July 27, 2016

Are you going to VMworld? Do you work with Skype for Business? Are you planning a deployment of Skype for Business that you want to virtualize? Are all your first choice sessions full?

If you answered “Yes” to any of these questions, you should register for VIRT7620: Successfully Virtualize and Operate your Microsoft Skype for Business Infrastructure on the VMware vSphere Platform.

I will be speaking alongside VMware IT on how they deployed Skype for Business and the best practices that were implemented. We will highlight why latency, IOPS and other resources are important to Skype for Business and other Real Time Protocol products.

We will also talk through what happens to a virtual machine when you vMotion it from one host to another and how that would impact Skype for Business.

I hope you will join us to hear all about Skype for Business and virtualization!

Categories: UC

Centralized Logging Service not working in Skype for Business

July 26, 2016

I haven’t written a new post in a while as I have not been doing as many deployments lately. I have been focused more on evangelism and speaking with different organizations that are thinking about deploying Skype for Business.

That said, recently I had the opportunity to get back into the game and start a deployment for a large organization. We were experiencing some issues that required us to do some logging on the Front-end servers. I turned to my favorite tool for this, the CLSLogger, which takes advantage of the Centralized Logging Service (CLS).

I would start up CLSLogger and when I attempted to start the scenario, I would get an error like this:

WARNING: Failed on 1 agents
Agent - mediation1.domain.com, Reason - Error code - 20000, Message - Unknown error - 
Error calling agent mediation1.domain.com; Could not connect to 
net.tcp://mediation1.domain.com:50001/. The connection attempt lasted for 
a time span of 00:00:02.0228175. TCP error code 10061: 
No connection could be made because the target machine actively
 refused it 10.0.0.40:50001. . Please refer CLS logs for details.

When I went to the server and did a netstat, I saw that CLS was not actively listening. I should have seen the system listening on ports 50001-50003.

PS C:\Windows\system32> netstat -an | findstr 5000*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:4500           *:*
  UDP    [::]:500               *:*
  UDP    [::]:4500              *:*

I went round and round with this and ultimately had to open a case with Microsoft on it. After doing some traces and pulling the ETL logs, the Microsoft Engineer got back with us and asked how we had generated the certificate. He was seeing the following message in the ETL log (which we mere mortals don’t have the ability to read and the real reason I’m writing this blog article):

29 TL_ERROR(TF_COMPONENT) [3]14CC.1728::06/08/2016-16:53:00.193.00000010 
(CLSAgent,CommandProcessor.Initialize:commandprocessor.cs(247))Exception - 
[System.ArgumentException: It is likely that certificate 
'CN=mediation.domain.com, OU=IT, O=Domain, C=US' 
may not have a private key that is capable of key exchange or the process 
may not have access rights for the private key. 
Please see inner exception for detail. ---> System.Security.Cryptography.CryptographicException: 
Invalid provider type specified.

We then looked at the certificates installed on the machine by running “certutil -store my”. (I’ve purposely deleted identifying information and highlighted in red the Provider, which is the key piece of information.)

PS C:\Windows\system32> certutil -store my
my "Personal"
================ Certificate 0 ================
Serial Number: 5xxxxxx
Issuer: 
NotBefore: 4/15/2016 11:29 AM
NotAfter: 4/15/2019 11:59 AM
Subject: CN=, OU=IT, O=Domain, C=US
Non-root Certificate
Cert Hash(sha1): 39 2d..... 
  Key Container = le-360ab342
  Unique container name: 5d26bec417ed43b7840b7bf82c2fb363
  Provider = Microsoft Software Key Storage Provider
Encryption test passed
CertUtil: -store command completed successfully.

When we talked to the group that generated the certificate, we found that they used their own template instead of the Wizard in Skype for Business. While you certainly don’t have to use the Wizard, Skype for Business definitely has some requirements on the certs that will work with it. As an example, going to a key length longer than 256 usually doesn’t work out too well. In this case, the Provider was what was wrong.

I then turned to the DigiCert Utility, one of our other favorite tools, to generate the Certificate Request (CSR). This utilized the correct Provider, which is the Microsoft RSA SChannel Cryptographic Provider. After we issued the new cert and assigned it, we restarted the servers and checked the certs.

PS C:\Windows\system32> certutil -store my
my "Personal"
================ Certificate 0 ================
Serial Number: 5xxxxxx
Issuer: 
 NotBefore: 6/9/2016 12:02 PM
 NotAfter: 6/9/2019 12:32 PM
Subject: CN=, OU=IT, O=Domain, C=US
Non-root Certificate
Cert Hash(sha1): 3c e2....
  Key Container = 70C232....
  Unique container name: 9ed77....
  Provider = Microsoft RSA SChannel Cryptographic Provider
Encryption test passed

We also started seeing CLS listening as expected:

PS C:\Windows\system32> netstat -an | findstr 5000*
  TCP    0.0.0.0:50001          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:50002          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:50003          0.0.0.0:0              LISTENING
  TCP    [::]:50001             [::]:0                 LISTENING
  TCP    [::]:50002             [::]:0                 LISTENING
  TCP    [::]:50003             [::]:0                 LISTENING
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:4500           *:*
  UDP    [::]:500               *:*
  UDP    [::]:4500              *:*

I hope this helps someone else who might end up in this situation.
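The Provider check described in this post can be scripted. The following is an added example, not code from the original post or from Microsoft: the function name `Get-CertProviderReport` is hypothetical, the sample text is constructed from the two certutil outputs above, and it assumes that a provider name containing "Key Storage Provider" identifies the kind of provider that kept the CLS agent from starting.

```powershell
# Added example: parse `certutil -store my` text and flag certificates whose
# private key sits in a key storage provider instead of a legacy provider such
# as the "Microsoft RSA SChannel Cryptographic Provider" used in the fix.
function Get-CertProviderReport {
    param([string[]]$CertutilOutput)

    $certs = New-Object System.Collections.ArrayList
    $current = $null
    foreach ($line in $CertutilOutput) {
        if ($line -match '^=+ Certificate (\d+) =+') {
            # A new certificate block starts here
            $current = [ordered]@{ Index = [int]$Matches[1]; Subject = ''; NotAfter = ''; Provider = '' }
            [void]$certs.Add($current)
        }
        elseif ($null -ne $current -and
                $line -match '^\s*(Subject|NotAfter|Provider)\s*[:=]\s*(.*)$') {
            $current[$Matches[1]] = $Matches[2].Trim()
        }
    }

    foreach ($c in $certs) {
        # Assumption: "Key Storage Provider" in the name marks the provider
        # type that produced "Invalid provider type specified" in the ETL log.
        $verdict = if ($c.Provider -match 'Key Storage Provider') { 'KSP: reissue with CSP' } else { 'OK' }
        [pscustomobject]@{
            Index = $c.Index; Subject = $c.Subject; NotAfter = $c.NotAfter
            Provider = $c.Provider; Verdict = $verdict
        }
    }
}

# Constructed sample, modeled on the before and after outputs in the post
$sample = @'
================ Certificate 0 ================
NotAfter: 4/15/2019 11:59 AM
Subject: CN=, OU=IT, O=Domain, C=US
  Provider = Microsoft Software Key Storage Provider
================ Certificate 1 ================
NotAfter: 6/9/2019 12:32 PM
Subject: CN=, OU=IT, O=Domain, C=US
  Provider = Microsoft RSA SChannel Cryptographic Provider
'@ -split '\r?\n'

Get-CertProviderReport -CertutilOutput $sample |
    Format-Table Index, NotAfter, Provider, Verdict -AutoSize
```

On a server, pass the live output instead of the sample: `Get-CertProviderReport -CertutilOutput (certutil -store my)`.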

Categories: Lync, UC

Skype4B In-place Upgrade and LRS Admin Portal

May 11, 2015

While reading through the In-place Upgrade docs, I spied this little nugget:

Be sure to uninstall LRS Admin tool for Lync Server 2013 before running In-Place Upgrade. The LRS Admin Tool for Lync Server 2013 cannot coexist with Skype for Business Server 2015. After running In-Place Upgrade install the new LRS Admin tool, see Microsoft Lync Room System Administrative Web Portal for Skype for Business Server 2015

I haven’t tested this but the fact that they say to Uninstall the Lync Server 2013 LRS Admin Portal was the big catch. Make sure you read all of the docs a few times before you start the upgrade process.

Categories: Uncategorized

Lync Edge Server Port Ranges and QoS

March 30, 2015

Ran into this and felt that, until the documentation is updated, I should call it out. This TechNet article shows you how to configure port ranges for Edge Servers in Lync Server 2013. In the hopeful case that this page is updated, here is a static image:

[Image: EdgeServerPortConfig]

The issue with this article is that it appears to tie the port ranges for the Edge server to QoS which is not the case. You need to read the article very carefully. The first sentence in it tells you that you do not need to configure separate port ranges for Audio/Video/Application Sharing on the Edge. It then goes on to tell you how to change the port ranges to match up with what you may have set for your front-end servers.

The problem with this is that you are changing the ports that the Edge will/can communicate on. If you are following Microsoft’s firewall guidance on ports, you should be allowing the 50,000-59,999 port range (TCP and UDP) outbound. If you follow this example, you would need to allow the range 40,803-65,533 (TCP and UDP) outbound.

The article claims you might do this to make administration easier but I will claim just the opposite. Based on what most Lync admins know and what Microsoft states are the default ports, without some really good documentation and knowledge transfer, you are probably setting up a future admin to fail.

If you are wondering what happens when you configure it this way but only allow the 50k port range outbound from the Edge servers, here is your answer. When an outside user attempts to call a user who is inside or join a conference, the client will send an Invite that contains SDP candidates. Those candidates will have ports associated with them based on the configuration. The external client will attempt to connect on ports outside of the 50k range that is being allowed on the firewall (i.e. 40,080-49,999 or 60,000-65,533). These connections will fail and the call will fail to establish. On a conference call, this can be seen as the user connecting and disconnecting from the conference several times in just a few seconds.
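When troubleshooting this failure from a SIP trace, the mismatch can be read straight out of the candidate lines. The following is an added example, not part of the original post: the function name `Find-BlockedCandidate` is hypothetical, the SDP body is constructed with documentation addresses, and it assumes the relay candidates are the ones allocated on the Edge and that the firewall allows only the 50,000-59,999 range quoted above.

```powershell
# Added example: list relay candidates in an SDP body whose port falls outside
# the range the firewall allows.
function Find-BlockedCandidate {
    param(
        [string[]]$SdpLines,
        [int]$AllowedStart = 50000,   # default range quoted in the post
        [int]$AllowedEnd   = 59999
    )
    foreach ($line in $SdpLines) {
        # ICE candidate layout:
        # foundation component transport priority address port typ type
        if ($line -match '^a=candidate:\S+\s+(\d+)\s+(\S+)\s+\d+\s+(\S+)\s+(\d+)\s+typ\s+(\S+)') {
            $port = [int]$Matches[4]
            $outside = ($port -lt $AllowedStart) -or ($port -gt $AllowedEnd)
            if ($Matches[5] -eq 'relay' -and $outside) {
                [pscustomobject]@{
                    Address   = $Matches[3]
                    Port      = $port
                    Transport = $Matches[2]
                    Component = [int]$Matches[1]
                }
            }
        }
    }
}

# Constructed sample: one host candidate, one relay candidate inside the
# allowed range and two relay candidates outside it.
$sdp = @'
v=0
m=audio 52110 RTP/AVP 0 8
a=candidate:1 1 UDP 2130706431 192.0.2.25 21040 typ host
a=candidate:2 1 UDP 16648703 203.0.113.10 52110 typ relay raddr 192.0.2.25 rport 21040
a=candidate:3 1 UDP 16648702 203.0.113.10 43877 typ relay raddr 192.0.2.25 rport 21040
a=candidate:4 1 TCP-PASS 6556159 203.0.113.10 61502 typ relay raddr 192.0.2.25 rport 21040
'@ -split '\r?\n'

Find-BlockedCandidate -SdpLines $sdp | Format-Table -AutoSize
```

Any row in the result is a candidate the firewall will drop, which matches the connect and disconnect pattern described above.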

Many kudos to @tompacyk for helping me see what was happening here.

Categories: Uncategorized

Thinking vs Hope

March 5, 2015

The most dangerous words that come from my mouth are usually “I’ve been thinking.” When I think, my thoughts go everywhere. Most of the time they go to good places but when things get serious, when big decisions are on the line, my thoughts usually betray me. They go to the dark places of my mind. Fear creeps in and takes over.

I recently had a moment like this. It took a bit to recognize it but once I did, I knew that I had to refocus my thoughts. What I found was hope. We hope for things to come, things we don’t yet have. By focusing on hope, it becomes easier to see good outcomes. Hope for a better situation, a better future. Hope.

Categories: Uncategorized