End of Life for Lync Phone Edition (LPE) devices.


With the recent BEAST and POODLE attacks and having to support weak cryptography, Transport Layer Security (TLS) versions 1.0 and 1.0 are soon to be depicted and calling as End of Life and support from most of web based platforms within this year.

This will not going to be a major issue for most new platforms as they use “Modern” TLS protocol version 1.2. Once of those platforms that re deprecating older TLS versions are Microsoft 365.

Microsoft have announced deprecation of TLS 1.0 and 1.1 by 31st of October 2018. After that, anything connects to Microsoft 365 that only use TLS 1.0 and 1.1, will seize to function.

What’s that got to do with LPE devices?

Unfortunately, LPE devices only understands TLS 1.0 and nothing else. With the deprecation of older TLS versions from Microsoft 365, the organizations that use LPE devices with Skype for Business Online (SfBO) will eventually stop registering users in. This will be a major problem organizations and individuals who fell in love with those devices.

What classifies as LPE devices?

There are 2 versions of devices that can be used with Microsoft Lync\Skype for Business platforms.

  • Optimized devices
  • Certified devices

Ones that are called “Optimized” are the devices that contains Microsoft built firmware version. These devises also called Lync Phone Edition or LPE devices. Microsoft manage the operating system (Windows CE 6.0) goes in to these devices, even though it get built by 3rd party vendors. Classic examples of these are Polycom CX series, HP 41xx series and Aastra 672x series

Drawing1

imagesimage_thumb

On the other hand, the “Certified” ones are the devices that are built and supported by the 3rd party vendors them selves. In other words, they build the device and build the firmware that goes in to them. Since Microsoft have decided to deprecate old TLS versions, they will most probably not release a firmware update to these devices to allow TLS 1.2.

Not every device out here get endorsed as Microsoft Certified Device. These vendors\devices need to go through a certification process (3PIP) at Microsoft, which allows the devices to be certified to function with Microsoft Lync\Skype for Business platforms. So far, there is Polycom VVX series devices, Yealink, AudioCodes and Spectralink devices that carries the “Certified” banner. Certification information for these devices can be found here

What should i do?

Assuming that Microsoft will not come up with an update for their Windows CE 6.0 platform, you should think about replacing all LPE device with any of Certified devices. You can select any of devices that i mention above as a replacement for current LPE device. They are packed with features and more “configurable” than the LPE device.

I only have an on-premises deployment. Will this effect me?

Not really. TLS version control of on-premises server are up to local administrators to manage. As long as TLS 1.0 and 1.1 is not been disabled from Lync\Skype for Business Front End servers, the LPE devices will continue to work.

But, having those old TLS versioned enabled in servers are making them vulnerable to attacks. Also, Microsoft will not be releasing any new firmware updates for these devices and they will eventually be unsupported and end-of-life. It’s your best interest to get rid of these devices and replace with newer Certified devices.

There are some vendors like AudioCodes and Yealink have started to provides LPE replacement offers for organizations that has large number of LPE devices. It is a good opportunity to grab one of these offers and replace the old LPE fleet of devices.

I hope the message is clear, 31st October is the cutoff date to replace all LPE devices that are used with Skype for Business Online. Look for replacement and get it done soon. Clock is ticking 🙂

 

Advertisements

Fixing Line Label Display in Polycom VVX devices on Version 5.7.x


Polycom have recently (few months ago) introduced the firmware upgrade version 5.7 for their VVX range devices. This firmware includes few of most wanted features for Skype for Business. Some of them are;

  • Common Area Phone support
  • SILK Codec support

Also, they have introduced a change to the DID number display on the device. This was an enhancement feature put in to VVX devices, when used with Skype for Business. In Polycom’s words;

“On VVX 300, 400, 500, and 600 series business media phones with the Skype for Business Base Profile, the Direct Inward Dialing (DID) number assigned to the user on the Skype for Business server displays on the on the Lock, Home, and Incoming Call screens. This feature is enabled by default on supported phones with the Skype Base Profile or shipped with Skype for Business enabled. The following figure shows the DID number on the Locked screen of a VVX 500 series business media phone.”

It looks like;

Capture13

But, that’s on the Lock Scree. When it installed on a VVX 3xx device, it was looking like this on an unlocked device;file-5

When a standard user SIP URI is like sip:+618xxxxxxxx;ext=xxxxx where only 4 digit extension configure, it would have been fine.

But when the extension get lengthier than that, the DID number starting to get disappear to make room for additional digits in the extension. This looks really bad and confusing for the users who are using the device.

After escalating this further, Polycom have came up with a solution for this in their new firmware version 5.7.1. They have introduced a configurable option to change the number display, the way that the administrator wants.

The down side for this, is that a Provisioning server is required to fix this. If a provisioning Server already exist, then setting the below code in a configuration file will fix the display of the number to just to display the DID number. And not the full URI with the extension.

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<!-- Generated features.cfg Configuration File -->
<polycomConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="polycomConfig.xsd">
 <up up.DIDFormat="NumberOnly"></up>
 <reg reg.1.useTelUriAsLineLabel="false" />
</polycomConfig>

Once this is configured and pushed in to devices, the number display will change to set as below;file-6

The display is way better with proper E.164 formatted DID number.

It’s a fairly straight forward fix for the environments that already have Provisioning server deployed. For others, not so much 🙂

Configure Group Pickup in Skype for Business and Assign a “Pickup” Feature Key to Polycom VVX


When replacing a traditional TDM PBX with Skype for Business, one of the most common feature that users requests is, the group call pickup. In Microsoft Unified Communications platform, group call pickup was introduced in early Lync Server 2013 days. It was configured initially by using the Secondary Feature Activation Utility or (SEFA Util). SEFA Util was an add-on tool that needed to be configured on top of Lync server platform. Managing group pickup using the tool was not so user friendly.

In Skype for Business, Group pickup was included in to the existing Call Park feature. The pickup number for a group will be created as a one of the numbers that belongs to a parking orbit.

Below command need to be run on Skype for Business Front End server to configure a call park orbit, to be used for Pickup groups.

New CsCallParkOrbit -Identity “Call Pickup” -NumberRangeStart *200 -NumberRangeEnd *299 -CallParkService “Service: ApplicationServer:FEPOOL01.contoso.com” -Type GroupPickup

To assign users to a group, run the command;

New-CsGroupPickupUserOrbit -User sip:user1@contoso.com -Orbit “*200”
New-CsGroupPickupUserOrbit -User sip:user2@contoso.com -Orbit “*200”

Above user can now be able to pick each others calls by dialing *200 from Skype for Business client or IP Phone.

Looking at a soft key configuration within a Polycom VVX, it would require a Provisioning Server to manipulate the device configuration. Sometimes back, i wrote an article about setting up a Provisioning server for VVX. The same process can be used to configure soft keys for devices.

In the existing features.cfg configuration file, enable the EnhancedFeatureKeys option

In SoftKeys, configure either the Softkey.1 or Softkey.2 options. In my case, the Softkey.1 was used for some other feature. Configure the key as shown below in snapshot. 

Once it’s configured, the “Pickup” key will appear in Soft Key 1 position of the device. Once pressed, it will call *200, which is the ID to pickup calls. If this device\user is belongs to a pickup group and assign with *200 ID, then the device can pick calls that are meant for others within the group.

The downside of the configuration is that, Provisioning server will push the same ID to all devices and all devices might not belongs to the same pickup group. The way around is to have unique configuration files based on the MAC address of the device, instead f using 000000000000.cfg file. This will allow the devices to have different configuration file. But, it becomes difficult when there are lot of endpoints and lot of groups. This will work very well for a small scale deployment. Try it out and post and comments or issues below. Thanks.

Configure AudioCodes Mediant gateway for AD based Routing for Skype for Business


Usually, the AD Based Routing comes to mind when replacing a traditional PBX with Skype for Business. There will be a time where both platforms will run side-by-side and there should be seamless call routing between two systems, as users will be homed in both the side.

Ideally, the gateway will be deployed “Upstream” to the PBX and Mediation Server and the task is to find a easier way to route calls to migrated uses in Skype for Business. If it’s just handful of users, static route can be configured based on the destination number in the gateway, to route calls to Skype for Business based users. But, this involves configuration in the gateway and usually, a person with required AudioCodes knowledge will need to involve and do the configuration.

But, with AD Based Routing, end customer can move users in to Skype for Business by just setting the Line URI for the user and no change in the Gateway will be needed to route calls to Skype for Business. As soon as the Line URI is set, the inbound PSTN calls will get routed to Skype for Business.

Mediant Gateway will use LDAP to look at the msRTCSIP-Line attribute for the user configured in AD, and try to match the inbound number with the configured value. If it find a match, based on the routing configuration, calls will be routed to the mediation Server. If no match found, it will fall back to the next route available, which is configured to send calls to the PBX.

To setup AD Based Routing, bit of configuration required within the Gateway. In a nutshell;

  • Enable LDAP Service.
  • Configure LDAP Server Groups.
  • Configure LDAP server and base DN for look up.
  • Configure Routing Policy.
  • Configure Call Setup Rules.
  • Configure Routing.

The LDAP related configuration is located in IP Network component.

 

 

 

 

 

 

 

 

 

 

 

 

Going in to the details of the configuration;

Enable LDAP Service

By default, LDAP services is set as disabled. This need to be enabled. Go to LDAP Settings and enable LDAP Service. Once enabled the setting, the gateway need to be restarted to apply the configuration.

Configure LDAP Server Groups.

Go to LDAP Server Groups and set “Server Search Method” as Sequential and “DN Search Method” as Parallel.

Configure LDAP server and base DN for look up.

In LDAP Servers, Set the LAN Interface in General settings. In Connection, set the IP address of the Domain Controller which the gateway will be connecting to, to query based on LDAP. In Query, set the “LDAP Bind DN” with the user account that has read access to the Active Directory. Check whether the “Connection Status” shows as “LDAP Connected”

The “LDAP Server Search Based DNs“, add the base DN as shown below.

We are done configuring LDAP settings. Go to Routes and Routing Policy, set the “LDAP Server Group Name” as shown below;

Capture12

Next step is to configure “Call Setup Rules”. This can be found in “SIP Definitions” section in the configuration. In total, there are 7 rules that need to be configured. The purpose of those rules are, to normalize the inbound destination ID to match with the Line URI, Match the destination number with the msRTCSip-Line attribute value, Normalize the Calling ID presentation.

Note that the below example rules have +618 added as a prefix. This will be different in each country and also, based on the Telco provider.  Check the source and destination number format offered by the Telco provider, before configuring the rules. Configure the rules as shown below, in mentioned order. Only change the prefix, based on the number presentation.

Rule #1

Capture3

Rule #2

Capture4

Rule #3

Capture5

Rule #4

Capture6

Rule #5

Capture7

Rule #6

Capture8

Rule #7

Capture9

Now, the rules are configured for AD lookups. But, the route is still not set to use these rules for call routing purpose. To enable this in the route, edit the route that’s configured to send calls from PSTN to Skype for Business. In “Advance”, “Call Setup Rule ID Set”, set the ID as 1.

Capture11

So looking at how the routing will function, an inbound call from PSTN will go through the AD base lookup to find if there’s any telephone number configured in msRTCSip-Line attribute, if any found, it will route the call to the destination set in the route, which is the Skype for Business Mediation Server.

If no match found, the it will fall back to the secondary route which is set to route calls to PBX. Give it a go and if there’s any issues, please post in the comments below. Thanks.

Microsoft .net 4.7 and Skype for Business Server


During last few weeks, there was lot of confusion going on whether the .net 4.7 is compatible with Skype for Business. When the .net 4.6 was released, it effected the Skype for Business web component which resulted in causing issues with online meetings. Then, there was few bug fixes came up to remedy the situation.

But, Exchange team was first to confirm that the new .net 4.7 is not compatible with Exchange 2013\2016 platforms. But, there were no official recommendation from Microsoft, with regards to the compatibility with Skype for Business.

Few days ago, Microsoft have advised to follow the guidelines that put in by Exchange team, with regards to the compatibility between .net 4.7 and Skype for Business. So the bottom line is, it’s not supported with Skype for Business. If the automatic updates enabled in Skype for Business servers (they definitely should not), use the below method to block the .net updates form being applied

  1. Back up the registry.
  2. Start Registry Editor. To do this, click Start, type regedit in the Start Search box, and then press Enter.
  3. Locate and click the following subkey:
    HKEY_LOCAL_MACHINE\Software\Microsoft\NET Framework Setup\NDP
  4. After you select this subkey, point to New on the Edit menu, and then click Key.
  5. Type WU, and then press Enter.
  6. Right-click WU, point to New, and then click DWORD Value.
  7. Type BlockNetFramework47, and then press Enter.
  8. Right-click BlockNetFramework47, and then click Modify.
  9. In the Value data box, type 1, and then click OK.
  10. On the File menu, click Exit to exit Registry Editor.

If the update is already applied, use the guidelines that was put in by Exchange team to uninstall the update and repair the .net 4.6.x version on all servers.

I hope this helps 🙂

Skype for Business\ Exchange Hybrid and Polycom VVX calendar integration


I’ve been deploying lot of Polycom VVX devices with different types of Skype for Business typologies. I have never had issues with calendar integration when both Skype for Business and Exchange are in O365 (Skype for Business and Exchange Online).

But, when one of them becomes on-premises, as in users having either Skype for Business or Exchange services in O365 and the other is On-Premises (Hybrid topology), there will be issues with Exchange integration, when try to sign in to the device using the extension and PIN..

So consider Skype for Business Hybrid and Exchange online (most common scenario), to get the exchange integration working between two platforms (OWA integration, UCS), Modern Auth (oAuth) need to be configured between Skype for Business server and Exchange Online. This will allow the Skype for Business users to seamlessly authenticate with Exchange server to get the calendar information and based on the configuration, contact list (UCS).

When VVX device sign in to Skype for Business servers with an extension and PIN, VVX doesn’t do oAuth with Exchange online. As in, the seamless authentication to Exchange online does not work. It will always prompt to enter credentials to connect to exchange. There is no way around this.

Only possible workaround available is, use domain credentials to sign in to the device. Given that the credentials are based on UPN and not SPN, the device will use the same credentials to sign in to Exchange and pull Calendar, Recent calls and Voicemail information for that user.

The easiest way to sign in to the VVX will be using the web portal. By using the “User” credentials, users will be able to sign in to the device and not be able to change any configuration of the device, that been pushed by the Provisioning server. It’s a long winded and not a desired process. But, that’s the way around it for the time being.

Skype for Business Storage Service Event 32054


The well known and annoying Lync\Skype for Business event “Storage Service had an EWS Autodiscovery failure” error event. This event comes up in Skype for business server. 

There are 2 reasons this could happen.

  1. Does not have Partner Applications configured with Exchange server 2013
  2. Having Exchange 2010 with Lync Server 2013\Skype for Business server

The 1st one is relatively easy. Use this Technet article to configure partner applications with Exchange Server. This will allow the features like Unified Contact Store and Exchange end Archiving to be enabled.

If the Exchange is Exchange Online, then it gets little tricky. To get rid of this event, it requires to configure oAuth between Skype for Business server and Exchange Online. This one is little difficult compare to what mentioned above. Luckily, there’s a script written by Aaron Marks to simplify this.

Now, for the reason 2, which is the main reason i’m writing this article. Till last November, there was no cure for this error. As Exchange 2010 does not support partner applications, there was no such integration possible. And the error keep on piling up.

Luckily, this issue is now fixed with Skype for Business Server CU4 update, along with fixes for some other issues. Process to install this CU is exactly the same as before. Follow the steps mentioned the official article and it will be fine. The most important part is that, now we can get rid on this annoying error once and for all.