My Teams Lab

The release of Skype for Business brings a new set of Powershell commands for controlling Address Book Normalisation rules. In previous versions of Lync, these rules were configured in the Company_Phone_Number_Normalization_Rules.txt file that was stored in the address book storage on the Lync share. This previous method was not particularly intuitive and prone to issues because of the text file format used.

So now in Skype for Business we have Powershell commands to make everything easier, right? Well, yes and no. I am not a big fan of having to memorise Powershell commands that will only be used rarely. Also, ideally it should be easy to see and change the priority order of the rules as well as test the rules with commands. However, the new commands don’t offer any testing facilities as yet; they require multiple list ups and are not intuitive for priority changes. So as Tim Allen used to say on Home Improvement: it’s Tool Time again…

Skype4B Address Book Normalisation Tool

Image may be NSFW.
Clik here to view.

Tool Features:

Import Existing “Company_Phone_Number_Normalization_Rules.txt” files into the system.
Add/Edit address book rules to the system. If the rule you are setting has a name that matches an existing rule, then the existing rule will be edited. If the rule’s name does not match an existing rule then it will be added as a new rule to the list.
Delete rules from the system.
Create new Site based Address Book Normalisation Rules policies.
Change the priority of rules.
Custom written rule testing code for testing pattern and translation matches as well as the resultant number.
Export rules back into a “Company_Phone_Number_Normalization_Rules.txt” file format.
Test the rules! Skype for Business currently (at the time of writing this) doesn’t have Address Book Normalisation testing capabilities. So I wrote a custom testing engine into the tool providing this feature. By entering a number into the Test textbox and pressing the Test Number button, the tool will highlight all of the rules that match in the currently selected Global/Site level Policy patterns in blue. The rule that has the highest priority and matches the tested number will be highlighted in red. The pattern and translation of the highest priority match (the one highlighted in red) will be used to do the translation on the Test Number and the resultant translated number will be displayed by the Test Result label.

Download Version 1.00:

Importing Company_Phone_Number_Normalization_Rules

The new Skype for Business address book normalisation Powershell commands offer a way to import previous Normalisation Rule files. The command is called Import-CsCompanyPhoneNormalizationRules and will import the Pattern and Translation Rule directly into the new Skype for Business commands. In doing so, the import process will create a random GUID to be used as a unique name for each normalisation rule.

Import File Example:

# Internal 13 Extension numbers

^13(\d{2})$

+6139999$1

# Internal 17 Extension numbers

^(17\d{2})$

+6139999$1

Get-CsAddressBookNormalizationRule after import:

Identity : Site:Melbourne/d8209928-5b07-44fa-9642-56285dbe72d1

Priority : 0

Description :

Pattern : ^13(\d{2})$

Translation : +6139999$1

Name : d8209928-5b07-44fa-9642-56285dbe72d1

Identity : Site:Melbourne/3cfd51ad-2be9-43ce-a87d-f223bdc755c6

Priority : 1

Description :

Pattern : ^(17\d{2})$

Translation : +6139999$1

Name : 3cfd51ad-2be9-43ce-a87d-f223bdc755c6

The Address Book Normalisation Tool uses this same command to import address book files. As a result, you can expect to see the same operation as shown above. When the rules are imported into an existing scope that already contains rules the new normalisation rules will be added in addition to the existing rules. No existing rules will be deleted by the import process.

Rule Testing

In previous versions of Lync you used to be able to test rules using the Abserver.exe using the testPhoneNorm flag. The output of this command would tell you which Pattern in the Normalisation Rules file would be used by the system for the test number you supplied. The Address Book Normalisation Tool has a similar testing feature that will highlight all of the rules that match the tested number in blue and highlight the highest priority (ie. the actual rule the system will use to do the normalisation) rule in red. It will also show you the Pattern, Translation Rule, and exactly what the resultant number will be after translation.

Test Example:

Image may be NSFW.
Clik here to view.

The Wrap Up

Now Skype for Business Address Book Normalisation couldn't be any easier! I hope you find this tool useful and continue normalising for many years to come. Enjoy!

Polycom’s VVX range of phones on Lync/Skype for Business have come a long way in the past few years. The release of version 5.4 has delivered further improvements and new features and moved them into a position of superiority over even Lync Phone Edition devices. As a result, the VVX range are now being taken much more seriously by businesses for large scale rollout. Version 5.4 of VVX software has now also brought about support for remote management features by way of a RESTful web service interface. This was music to my ears as my previous VVX Management Tool was built on a combination of hacked together legacy features of the phones and can now be replaced with a supported API. So with this new API at my disposal, I decided to rip the guts out of the old version of the tool and re-engineer it from the ground up for an all new version 2.0 release!

Polycom VVX Manager Version 2 Features

Image may be NSFW.
Clik here to view.

Polycom VVX Phone Manager 2

Phone discovery– Phones can be discovered either by automatically querying the Lync/Skype for Business Monitoring database (provided there is a monitoring role deployed in the environment) by pressing the “Discover from Monitoring DB” button. Alternatively, this can be done by entering IP Address ranges and “pinging” contiguous subnet ranges for phones using the “Discover from IP Range” button (format: "192.168.0.1-192.168.0.20" OR "192.168.0.0/24" OR add multiple with comma separation "192.168.0.0/24,192.168.1.0/24"). During the discovery process, phones that are logged in to user accounts will be listed in the users list. If the tool finds a VVX handset that is not signed in, it will be added to the user list under the name “VVXNot@LoggedIn_<index number>”. This allows you to use the tool to access these devices even though they are not signed into the system.

Important Note: The VVX Phone Manager Tool uses the registration database within the Lync/Skype for Business monitoring database to determine the IP addresses of phones. However, registrations are only added to this database at the time when a user manually signs in with a PIN or with Domain authentication details. If a user moves a phone to a new subnet or the IP Address changes without signing it out/back in then its new IP Address will not be written to the Monitoring database. So, in some cases, the Monitoring database may not produce a complete list of registered VVX devices. The "Monitoring DB Query Time" value in the "Settings" dialog can be used to extend how far back the Monitoring DB query will go to find VVX registrations. This can help to find phones that haven't been manually signed in for an extended period of time. Or alternatively, the "Discover from IP Range" option can be used to do an exhaustive scan of all subnets if required.

Export/Import Phone Info– This feature outputs a CSV file that contains all the Users, IPs, Firmware Version, Serial Numbers, Lync/Skype for Business Server, and MAC Address (if available) for all phones. If you select the "More" checkbox you will also get the additional Lync/Skype for Business policy settings for each user (this is slower).

Access Web Interface - Access the web interface of a VVX phone by selecting a user in the user list and clicking the “Web Config” button. This will automatically load the web browser to the phone's web interface.

Pin control– The “Pin…” button will load a dialog that will Set, Test, Lock, Unlock a user’s PIN number.

Image may be NSFW.
Clik here to view.

PIN Dialog

Send Text Messages - Send text messages to be displayed on a Polycom VVX phone. An example of this would be to send a message to warn before a system upgrade or a reboot. Messages are displayed on the screen for 30 seconds.

Image may be NSFW.
Clik here to view.

Example of Message Screen

Note: Sending messages relies on the PUSH interface being enabled on the phone in order to accept the message. See the VVX Requirements section for more detail of this configuration.

Get More Info– By pressing the “More Info” button you can get extended information about a VVX phone including: Device Info, Call Status, Presence Info, Network Info, Line Info, SIP Status, Network Statistics.

Reboot/Restart Phones– You have the choice of Rebooting or Restarting a single, multiple, or All phones.

Reset Config– You have the option to Reset the Config or Factory Reset the configuration with one or many phones.

Get/Set Config - You can Get or Set any setting in the phone configuration. You simply need to enter the configuration setting name (as you would find in the configuration file eg. log.level.change.hset) and click the Get or Set buttons to view or change the setting's value.

Dial / End Call– You can choose to remotely dial a SIP URI (eg. john.smith@domain.com or +61395551111@domain.com) on a phone by entering a URI and pressing the “Dial” button. If the phone is on a call you can also choose to end the call using the “End Call” button.

Test FTP Config Server - Test your FTP Configuration File server by simply entering the IP address of the FTP server and pressing the “Test FTP” button. The tool will attempt to connect to the FTP server and download information about key files associated with a Polycom configuration server deployment. These include the base configuration file (000000000000.cfg), configuration files in the CONFIG_FILES tag, any MAC address files associated directly with phones, and firmware files (*.sip.ld). The tool will give feedback as to the state of the FTP server.

View Screen– The “Screen…” button will open a dialog that will show you the user's screen. Before the user's screen can be viewed the user must first manually allow access to the Screen Capture feature (this is a security measure so that the user is aware that someone is viewing their screen). This setting within the Basic->Preferences screen will only be made available while the VVX screen dialog is displayed (the tool automatically makes the setting "up.screenCapture.enabled" in the device to turn on this preference setting). When the dialog first loads you will see a screen that looks like this:

Image may be NSFW.
Clik here to view.

VVX Screen Dialog

At this point the user will have to enable the following setting in their phone preferences:

Settings -> Basic -> Preferences -> Screen Capture -> Enabled

Note: The Screen Capture option is only available to the user once you have open the screen dialog with the VVX Manager Tool (so don’t close the dialog until the user has turned on the manual preference setting).

Now you will be able to see the user's screen and save screenshots of the screen as JPG files if you so desire:

Image may be NSFW.
Clik here to view.

VVX Screen Dialog

Command Line Settings – If you would like to load the script with your own specific settings to save time, you can specify these in the command line when loading the script. The format of the parameters are as follows:

Script command line settings:

.\Skype4B-Lync-PolycomVVXManager2.00.ps1 -WebPortInput 443 -UseHTTPSInput false -AdminUsernameInput AdminUsername-AdminPasswordInput AdminPassword-PushUsernameInput PUSHUsername-PushPasswordInput PUSHPassword-IPRangeInput 192.168.0.1-192.168.0.200

Settings Dialog – The “Settings…” button allows you to configure your own passwords, web service port and HTTPS settings for the tool.

Note: Continue reading for definitions of these settings.

Download Version 2.0:

Polycom VVX Manager Configuration Requirements

Firmware Requirements

The VVX phone must be at firmware version 5.4 in order to be controlled by the VVX Phone Manager Tool because this version is the first to support the new REST based management API. If you select a user that has a phone with an older version of software, the tool will display a warning in the Powershell window and give you limited access to features for that user.

VVX Web Server Settings

Since version 5.1 of VVX software, there have some increased security enhancements added to the phones. This increased security will affect your ability to connect to the web interface and web services interface of VVX devices when you are running them in an out-of-the-box configuration. So in order to use this tool you will need to edit some basic configuration settings on your phones (usually done via configuration files).

The following web server settings were added in version 5.1 VVX firmware:

Web Config Mode	httpd.cfg.enabled	httpd.cfg.secure TunnelEnabled	httpd.cfg.secure TunnelRequired
Disabled	0	0	0
HTTP Only	1	0	0
HTTPS Only	1	1	1
HTTP/HTTPS	1	1	0

Different combinations of these setting will give you access to either HTTP, HTTPS or both at the same time. Below are examples of how to achieve all of these settings:

Example settings:

HTTP Web access only:

HTTPS Web access only:

Both HTTP and HTTPS web access:

<!—HTTP and HTTPS Admin Settings -->

Note: If you would like to make the Web Admin harder for people to find, you can change the port number to something different from the default 80 or 443 settings. If you do this, you will need to change the Web Port setting in the settings screen of the tool to match your selected port.

In addition to enabling the web server in the phone you must also change the default password on the device as well. If you do not do this the phone will display errors/warnings on the phone display and web interface (“Default admin password is in use, please contact your administrator”). Passwords can be configured in the configuration file as follows:

Note: Make these passwords whatever you want them to be, however, they must be different than the default of 456 in order to avoid the warning message being displayed on the phone screen.

After you have changed these settings the web login and phone screen login passwords will be changed. So if your support staff have been trained to enter the default “456” password, don’t forget to tell them that it has changed.

Enable REST API:

Config File Setting:

The following REST API setting must be enabled in order to use the Polycom VVX Manager Tool:

Web Interface Setting:

Image may be NSFW.
Clik here to view.

Settings -> Applications -> REST API

Note: If this setting is not configured you will receive "(404) Not Found" errors when trying to send commands to the phone.

Text Messaging Settings

In order to send messages to VVX phones you need to enable the Push settings in the configuration. You can do this with the following settings:

Config File Settings:

<apps.push apps.push.alertSound="1" apps.push.messageType="5" apps.push.serverRootURL="push" apps.push.password="vvxmanager" apps.push.username="vvxmanager"></apps.push>

apps.push.messageType: This sets the level of messages that will be displayed for the phone. The VVX Manager always sets the messages as “critical” so they will always be received. The setting “5” means that all levels of messages will be displayed by the phone.
apps.push.serverRootURL: This setting needs to be set to "push". This is used as part of the URI for sending messages to the VVX.
apps.push.username: The phones use digest authentication for push connections. The username sent by the tool by default is “vvxmanager”. This can be changed in the Settings dialog in the tool.
apps.push.password: The phones use digest authentication for push connections. The password sent by the tool by default is “vvxmanager”. This can be changed in the Settings dialog in the tool.
apps.push.alertSound: Play a sound when the message is displayed. This is the standard Polycom sound that you hear when a phone reboots. This can help the user to see the message, as it will only be displayed for 30 seconds.

Web Interface Settings:

Image may be NSFW.
Clik here to view.

Settings -> Applications -> PUSH

Polycom VVX Manager Tool Settings

When connecting from the VVX Phone Manager you need to match the password that you configured in your phone with the tool. The settings can be entered into the tool by pressing the “Settings…” button:

Image may be NSFW.
Clik here to view.

REST Username: This setting is always set to “Polycom”.
REST Password: This setting needs to match the “device.auth.localAdminPassword” setting in your VVX phone. If the password is wrong and doesn't match your phone setting you will see "(401) Unauthorized" errors being returned from the phone when you try to send it commands.
PUSH Username: This setting needs to match the “apps.push.username” setting in your VVX phone.
PUSH Password: This setting needs to match the “apps.push.password” setting in your VVX phone.
HTTPS: This needs to match your phone's configuration settings for “httpd.cfg.secureTunnelEnabled”
Web Port: This needs to match your phone's configuration settings for either “httpd.cfg.port” for HTTP or “httpd.cfg.secureTunnelPort” for HTTPS.
Monitoring DB Query Time: This setting determines how many months back in the monitoring database the tool will look for VVX phone registrations. By default this setting is 6 months, meaning that the IP Address of any VVX phone registered in the past 6 months will be scanned to see if it is still located at that IP Address. This setting can be increased if your VVX phones have not been manually signed out/in for longer than 6 months. Or if you have a site where users are frequently signing in and out of their VVX phones you can reduce this value to save time scanning old IP Addresses for VVXs. The setting can be set between 1-48 months (ie. from 1 month up to 4 years).

SQL Requirements

In VVX Phone Manager 1.xx there was a requirement that SQL ports were opened on each Front End server for accessing information on phone IP Addresses (which work some of the time). This new version of the tool only requires access to the Monitoring database on the Lync / Skype for Business Backend SQL server in order to discover the IP Addresses of phones signed into the system.

Getting Started with a Polycom VVX Deployment

This article was written under the assumption that you already have VVX phones deployed, and you are now looking to manage them. If you need some more help with the initial deployment part of the process, I can point you to some useful resources:

Jeff Schertz' great post on the different ways to deploy Polycom phones is here: Provisioning Polycom SIP Phones. Greig Sheridan also has a nice post on Optimising the Polycom VVX for Lync that you might want to check out too.

If you would like to know more about what is supported on Lync with VVX phones and setting up a FTP server to support Polycom Configuration files on Lync, go to the Polycom VVX support page and grab a copy of the lovingly entitled: “Deploying Polycom® UC Software for use with Microsoft® Lync™ Server”.

An important recommendation that I can give you is to always test your configuration files on a real phone before deploying them into the wild, because subtle errors can cause things not to work as desired.

The Wrap Up

Well, that's it, my first version 2.0 script! Enjoy, and let me know if you have any issues, feedback or have any enhancement requests.

Put up your hand if you know how to configure DHCP for Skype for Business and Lync phone devices? Leave your hand raised if you enjoy this process? Okay, I thought so, read on…

When deploying Skype for Business/ Lync Optimized or Qualified phone devices you are required to make specific DHCP configuration settings in order for the devices to be able to authenticate and connect to the system. The settings that are required are some special Vendor Class Options and a standards-based Option 120 setting.

DHCP Vendor Class Options - Option 43

Option 43 is a special option type used in DHCP responses that encapsulates options for a specific Vendor Class. A DHCP server will respond with Vendor Class options only when a device specifically requests them. The method for requesting the Vendor Class options is normally achieved by the device putting a Vendor Class ID in Option 60 of its initial DHCP DISCOVER message. This method is usually used for settings that might be required by the device when it first boots.

Another method (which I’ve only ever seen used by Skype4B/Lync devices) is to send an INFORM message after the initial discovery process has completed to the DHCP server requesting additional information for a specific Vendor Class. The signalling for the Vendor Class request is the same as in the DISCOVER method however, in this case the Option 60 message is inserted in the INFORM message. It is important to note that the INFORM method is not supported by all DHCP servers, however, it is supported by Windows DHCP servers and Cisco switch/router DHCP servers. If you're using an different DHCP server you may need to check that it response to INFORM messages.

Skype for Business and Lync phone devices use Option 43 to pass information about the certificate provisioning service to the phones. The phones need this information in order to do PIN Authentication with the system. The options encapsulated within option 43 include the following:

Option Number	Option Name	ASCII Value	Setting Type
001	Vendor Class (UCIdentifier)	MS-UC-Client	Common setting
002	Protocol (URLScheme)	https	Common setting
003	Web FQDN (WebServerFQDN)	pool.domain.com	Variable - Set this to match your pool / domain
004	Web Port (WebServerPort)	443	Common setting
005	Cert Prov URL (CertProvRelPath)	/CertProv/CertProvisioningService.svc	Common setting

These settings combine to give the phone all the information it needs to contact the Certificate Provisioning service on the system. The phone will recombine these to be a URL as follows:

https://pool.domain.com:443/CertProv/CertProvisioningService.svc

DHCP Option 120

Option 120 is a specific option that is described as part of a RFC 3361. The option describes SIP server locations in the form of FQDNs or IP Addresses. Skype for Business and Lync devices have been designed to use this standard option to discover the location of the pool for SIP signalling (registration, authentication, call signalling, etc).

Option Number	Option Name	ASCII Value	Setting Type
120	SIP Pool FQDN (UCSipServer)	pool.domain.com	Variable - Set this to match your pool / domain

The encoding of Option 120 is not just a simple ASCII byte conversion for entry into the DHCP server. There are also framing bits around the FQDN that is described as part of RFC 3361. The RFC described two different types of encodings for Option 120 – the first is FQDN format, and the second is IP Address format. Only the FQDN formatting option is available for Skype for Business and Lync due to the fact that it uses TLS-based SIP which requires FQDN matching when creating the secure channel connection.

How Does DHCP Option 120 interact with DNS?

If you don’t specify anything for DHCP Option 120 the Skype4B/Lync Phone Edition devices will fall back to looking up the following DNS records:

_sipinternal._tls SRV record
_sip._tls SRV record
sipinternal.<user domain> (Be careful of this record. This is not included in the certificate SAN list by default so don’t enter it into DNS unless you have added it specifically to the SAN list)
sip.<user domain> (This record is included by default in the certificate SAN list. So it’s safe to use.)

During the process, if Option 120 is not discovered, the Skype4B/Lync Phone Edition devices will display “Registrar FQDN cannot be found. Please contact your support team” on the screen and then sign in using the fall back DNS lookups. This is not ideal because users might be confused by this message so it’s always recommended to configure Option 120.

Configuring the DHCP Server

The method of configuring the DHCP server supplied by Microsoft is to use a command line tool called DHCPUtil that will create the byte encoded output for each of the required Options. The output of the DHCPUtil command is then used in conjunction with a batch file to deploy the setting within your DHCP server. This process is multi-step and I have found it prone to errors, and difficult to troubleshoot once the options are deployed, because they are displayed as bytes in the interface. The DHCPUtil method also only supports configuring Server Options within the Windows DHCP server and does not support Scope Level options configuration. I figured I could build a tool in Powershell that would be easier to configure, more flexible, and help you in troubleshooting your DHCP deployments.

Skype4B / Lync DHCP Config Tool

Image may be NSFW.
Clik here to view.

Features:

Deploy Server and Scope level settings within your Windows DHCP server.
The tool will encode the settings as required to be deployed within the server.
The tool will download and display the current settings from the DHCP server.
Edit and remove individual settings as required.
Export to Cisco IOS Switch/Router DHCP configuration commands.

Note: The tool must be run on a Windows DHCP server!

Available on the TechNet Gallery:

DOWNLOAD HERE

The tool itself is fairly straightforward to use – when it loads, it will query for all the scopes configured in the DHCP server. The scopes are displayed in the drop down list at the top of the form. When you select a Scope from the list, the tool will query the Options available for that scope and show them in the settings text boxes (current settings are shown in green). If the scope has no options configured, the boxes will be empty. If you would like to auto fill the boxes with the common configuration settings you can click on the Defaults button. When you have filled in the settings with the desired configuration you can click the Upload Settings button and the Options will be configured on the server. If you would only like to upload specific Options, you can use the Check Boxes next to the settings to select the desired Options to upload. The Remove Settings button will remove any of the settings from the selected scope that has the check box ticked. If you only want to delete a specific option, then you tick only the check box of the specific item before clicking the Remove Settings button.

Your DHCP server may already have Option 120 or the Vendor Class options defined. If this is the case and any of these options are defined as anything other than the Binary type then the tool will display the setting as <UNSUPPORTED TYPE>. This looks like the following:

Image may be NSFW.
Clik here to view.

Unsupported Type of and Existing Option

If this happens you can choose to upload a new setting over the existing setting. If you do this the tool will display a dialog asking if you would like to delete and replace the existing option definition with a new one. The new definition that the tool will create will be Binary in type which it will be able to edit and display.

Image may be NSFW.
Clik here to view.

Option Definition Change Dialog

The tool also does checks on Option 120 when it reads it from the DHCP server to ensure that it is formatted correctly (as defined by RFC3361). If it determines that the setting is not in the correct format it will display <UNSUPPORTED FORMAT> in the text box. If this happens, then I suggest you upload a new setting over the top of the unsupported setting to ensure that your phones can parse the option properly.

Important Note: You must refresh the scopes within the Windows DHCP Server MMC console in order to see changes you have made with the DHCP Config Tool.

Cisco Router / Switch Configuration

If you do not have Windows DHCP server for the subnet that your devices are deployed on, you may choose to use a Cisco switch or Router to be the DHCP server. The "Export Cisco" button allows you to export Cisco IOS configuration commands for option 120 and 43 of a Cisco switch or router running as a DHCP server.

It should be noted that when you use this format in a router or switch there is a significant difference from a Windows DHCP server implementation. In the Cisco method you are hard coding the DHCP server to respond with these Option 43 settings for every device that requests Vendor Class options of any class. On a Windows DHCP server, it will only send Option 43 information to devices that have requested the specific Vendor Class of MS-UC-Client (the device does this by putting this Vendor Class info into Option 60 of its initial request message). This means that, per subnet, you can only have one Vendor Class deployed on a Cisco switch/router. In addition to this, you need to make sure that there are no other devices on the subnet that use Option 1-5 in their respective Vendor Classes because they will receive the settings you have deployed for Skype4B/Lync in their DHCP responses. This may have undesired results when they parse and use these settings instead of the ones they were expecting. So be sure you understand the risks of this where deploying using this method and try to limit the device on the subnet to be your Skype4B / Lync devices only (where possible).

The tool will output the format as shown below:

!OPTIONS FOR CISCO DHCP CONFIG

option 43 hex 010C4D532D55432D436C69656E7402056874747073031446453030312E6D79736B7970656C61622E636F6D040334343305252F4365727450726F762F4365727450726F766973696F6E696E67536572766963652E737663

option 120 hex 000546453030310A6D79736B7970656C616203636F6D00

These settings can be inputted directly into your DHCP pool settings in Cisco IOS!

An example of a basic configuration might look like this:

Router(config)# service dhcp

Router(config)# ip dhcp pool TEST-POOL

Router(dhcp-config)# network 10.20.2.0 255.255.255.0

Router(dhcp-config)# default-router 10.20.2.1

Router(dhcp-config)# dns-server 10.20.2.100

Router(dhcp-config)# lease 8

Router(config)# ip dhcp excluded-address 10.20.2.1 10.20.2.199

Router(config)# option 43 hex 010C4D532D55432D436C69656E7402056874747073031A32303133454E5446453030342E6D796C796E636C61622E636F6D040334343305252F4365727450726F762F4365727450726F766973696F6E696E67536572766963652E737663

Router(config)# option 120 hex 000C32303133454E544645303034096D796C796E636C616203636F6D00

Note: Other settings like NTP server, Time Offset, Config server, etc. may also be required depending on the device.

Server Scopes and Subnet Scopes

The tool allows you to access Server Scope or Subnet Scopes within the DHCP server. The server scope should be looked at as the fall-back settings for all scopes. If you apply settings to the server scope, then these will be used by default by all subnets in the DHCP server. If you apply Subnet level settings, then these will be used in preference to the Server Scope settings. Below is an example of Subnet level settings, however Option 120 in this case is a Server Scope level setting. Note the different icons used for the different scope types:

Image may be NSFW.
Clik here to view.

The Wrap Up

Congratulations, you are now an expert at configuring DHCP servers for Skype for Business and Lync phone devices! I hope you enjoy this new tool and that it brings you great joy and delight over the holiday season.

Event Viewer logs remain one of the best troubleshooting tools for Lync and Skype for Business servers. An enormous amount of useful information can be found in the Event Viewer Logs, which can then be used to either understand the current state of the system or do root cause analysis on prior issues.

So I decided to build a simple tool that centrally displays all of the Event Logs from Lync or Skype for Business servers or pools within an environment. This allows for a fast one-stop-shop for triaging issues across multiple Lync/Skype for Business servers in your environment. This can be especially handy for easily correlating problems that might have occurred across multiple servers in a pool.

Skype for Business and Lync Centralised Event Log Tool

Image may be NSFW.
Clik here to view.

Features:

Start and End Time – You can select Start and End date and time for events (yy/mm/dd hh:mm format). This can be particularly handy if you know the approximate time that an issue occurred on the system.
Server – Select specific servers or entire pools for which you would like to see the Events Logs. By default all Lync Front End servers are selected (ie. “ALL FRONTENDS”).
Event level selection – Select if you want to see Critical, Error, Warning, and Information event messages.
EventID Include/Exclude – By default, these fields can be left blank. However, you can select to either include or exclude specific event numbers when you get events. These fields accept Regular Expression formatting. For example, if you entered “^5”, you will get all events that start with “5”, or you could get specific multiple events using "|" like this “31147|31202”, or your could get a range of events using "[]" like this "620[0-9][0-9]".
Find Next / Previous – You can jump forward or backwards through the event list. The find feature checks all cells in each row against the text in the find text box (this is based on regular expression). If you don't put any text in the find textbox the find next and previous buttons can also be used to step through each event in the list.
The Get Events button will start the process of getting the specified events from the selected servers.
Web Search! – Often the easiest method to find more information on events is to search on the web for them. So the tool gives you the option to Google, Bing, Duck Duck Go or search TechNet Forums for more information.
View Event - This button will open a window with the event in larger text box. This helps in some cases when the event message text will not fit within a row in the main window.
The Copy button will copy the selected row to the clipboard so you can paste it somewhere, like an email for example.
Export Statistics to CSV – The Export Stats button will export per event counts to a CSV file. This will quickly allow you to see which events have been occurring more than others.
Export Events to CSV – You may want to have record of these 'momentous' events for future reference.

Available on the TechNet Gallery:

DOWNLOAD HERE

Tool Requirements

The Centralised Event Viewer Tool must be run on a server with the Lync / Skype for Business module installed on it (as it uses Powershell commands to find the Lync/Skype4B pool information). This would usually be a front end server in the pool. The tool is capable of listing large numbers of events (tens-of-thousands of events), however, getting large numbers of events can take a while to process. The tool will process 1000 events in 2 seconds (this scales fairly linearly). As a rule though it’s usually best to keep searches under a month in length so that the number of events don’t become problematic.

You must enable “Remote Event Log Management (RPC)” on all of your Lync/Skype for Business servers Windows firewalls in order to access these logs from the central server running the tool. This rule is already pre-populated in the Windows Firewall Advanced setting rules. So you simply need to Enabled the rule as shown below:

Open Firewall on all Lync / Skype for Business Servers:

Image may be NSFW.
Clik here to view.

This is a dynamic service rule that opens the required ports automatically. However, the ports that get used in practice are port TCP 135 (RPC) and port TCP 49153 (Remote Event Log). These firewall rules will become more important if you are trying to connect to Edge servers from an internal server, as the firewall between the servers will need to allow these ports.

Once this has been set on the servers that you are getting event logs from, you are set to go!

The Wrap Up

Why are you still reading? Go and get event log troubleshooting!!

I had an issue recently when using the VVX Music on Hold feature in conjunction with a Sonus SBC1000/2000. The problem was that the VVX phones could not put a trunk call on hold (in this case they were running 5.4.5 software) . The symptom of this issue was the following message being displayed on the VVX screen (“Hold Failed. Moving back to call”):

Image may be NSFW.
Clik here to view.

It should be noted here that the VVX in question had the new Music on Hold feature configured and MoH was working to internal Skype for Business clients and other phones. This was only happening on trunk calls on the Sonus gateway. This would happen for both Sonus based file hold music (ie. Sonus gateway based hold) or when the Sonus was not being used to supply the hold music (ie. hold passed through from the VVX to the outside party).

Logging on the system showed that the RE-INVITE message being sent by the mediation server to initiate hold was getting rejected by the Sonus SBC. The INVITE message that was being sent looked like this:

RE-INVITE message sent by Mediation Server to Sonus Gateway:

INVITE sip:+61395821300@10.20.1.150:5066;transport=TCP SIP/2.0

FROM: <sip:+61395824500;ext=4500@myskypelab.com;user=phone>;epid=BB69FBB4BE;tag=45afae0d8

TO: <sip:+61395821300@SBC1000GW.myskypelab.com;user=phone>;tag=7b66d712-5fc

CSEQ: 83 INVITE

CALL-ID: a9adec59-5f57-4a9c-ac31-78836eb506a3

MAX-FORWARDS: 70

VIA: SIP/2.0/TCP 10.20.2.104:49796;branch=z9hG4bKbafabbee

CONTACT: <sip:2013ENTFE004.myskypelab.com:5068;transport=Tcp;maddr=10.20.2.104;ms-opaque=7b0cff35b7212cae>

CONTENT-LENGTH: 246

SUPPORTED: timer

SUPPORTED: 100rel

USER-AGENT: RTCC/5.0.0.0 MediationServer

CONTENT-TYPE: application/sdp

Session-Expires: 1800

Min-SE: 90

v=0o=- 1477456907 1477456908 IN IP4 10.22.0.23s=sessionc=IN IP4 10.22.0.23t=0 0a=sendonlym=audio 60034 RTP/AVP 0 101c=IN IP4 10.22.0.23a=rtcp:60035a=sendonlya=rtpmap:0 PCMU/8000a=rtpmap:101 telephone-event/8000a=ptime:80

You will notice in the above invite that the Mediation server is requesting a Payload Size of 80ms (“ptime:80”). The Sonus gateway doesn’t like this though, and rejects the call with a 488 message:

Call setup rejected:

SIP/2.0 488 Not Acceptable Here

FROM: <sip:+61395824500;ext=4500@myskypelab.com;user=phone>;epid=BB69FBB4BE;tag=45afae0d8

TO: <sip:+61395821300@SBC1000GW.myskypelab.com;user=phone>;tag=7b66d712-5fc

CSEQ: 83 INVITE

CALL-ID: a9adec59-5f57-4a9c-ac31-78836eb506a3

VIA: SIP/2.0/TCP 10.20.2.104:49796;branch=z9hG4bKbafabbee

CONTENT-LENGTH: 0

WARNING: 304 "Media type not available"

SERVER: SONUS SBC1000 5.0.4v415 Sonus SBC

When the 488 message gets fed back to the VVX, it displays the “Hold Failed. Moving back to call” message and everyone is very sad :(

Why is this happening?

The Sonus gateway supports a maximum payload sizes of 60ms. This can be seen in INVITE messages sent out of the Sonus like the one below:

v=0

o=SBC 79 1001 IN IP4 10.20.1.150

s=VoipCall

c=IN IP4 10.20.1.150

t=0 0

m=audio 20112 RTP/AVP 0 8 101 13

c=IN IP4 10.20.1.150

a=rtpmap:0 PCMU/8000/1

a=rtpmap:8 PCMA/8000/1

a=rtpmap:101 telephone-event/8000

a=fmtp:101 0-15

a=rtpmap:13 CN/8000

a=ptime:20

a=maxptime:60

a=sendrecv

As you can see in the SDP message above, the Sonus says that it will only handle a maximum payload size of 60ms. There is also a reference to this in the SBC1k/2k manuals, which state that “If the SBC receives a larger than configured payload size from the peer offer in the re-invite, the SBC rejects with a 488 'Not Acceptable Here' response. The call rolls back to the previous negotiated offer answer.” – Reference: https://support.sonus.net/display/UXDOC60/Creating+and+Modifying+Voice+Codec+Profiles

The Fix!

So the fix turns out to be a VVX phone setting. When initiating hold the VVX the phone doesn’t follow the regular payload size settings for the codec being used (which by default for PCMA/U is 20ms). Instead it has a setting called feature.moh.payload which defaults to 80ms. Fortunately for us, this setting can be changed within the configuration file (it’s not available in the web interface!). The setting for Music on Hold are shown below:

Setting	Default Value	Required Value
feature.moh.enabled	0	1
feature.moh.filename	NULL	Set this to the hold music file name. The file will be served off the config server. The default file is “Polycom-hold.wav”
feature.moh.payload	80	20 or 40 or 60
res.quotas.tone	600	600 – 1024

Note: The default moh file size is 600KB which works fine for the default hold music provided by Polycom. However, if you want to change this to your own file then you can expand the size up to 1024KB.

Polycom has made the payload setting 80ms by default to reduce the processor usage on the phone when it plays the hold file. So selecting 60ms may be the best option from a processor load perspective (which will work with the Sonus max payload size of 60). This way the hold music will work correctly, without putting too much load on the VVX's CPU.

Here is an example of how this might look in a config file:

The Wrap Up

Well there you go, another weird integration issue to add to the list… Hopefully it didn’t wreak too much havoc in your deployments before finding this article. Until next time, happy hacking.

If you’ve ever installed Skype for Business or Lync before, you will know that the system requires PKI Infrastructure and Certificates to function. The reason for this is that all SIP and Web communications within the Skype for Business environment is secure by design and uses certificates for encrypting data. These communications span between servers, clients, phones, PSTN Gateways, Third Party Video equipment and most other integrations you can think of. So without your certificates being deployed properly, you are going to have a lot of trouble getting your environment up and running.

Skype for Business/Lync Edge servers communicate with each other over Mutual Transport Layer Security (MTLS). When using MTLS connections the server originating a message and the server receiving it exchange certificates from mutually trusted Certificate Authorities. The public certificates presented in either direction prove the identity of each server by being signed by a trusted certificate authority. The main thing here to note here is that both servers need to have root certificates installed from each other’s trusted root certificate authority in order for TLS connections to negotiate successfully. This is also the case for federated connections to other organisations via the Skype for Business Edge server. These connections all rely on MTLS for the successful communication between the servers.

Encryption Used in Skype for Business

Traffic type	Protected by
Server-to-server	MTLS
Client-to-server	TLS
Instant messaging and presence	TLS
Audio and video and desktop sharing of media	SRTP (No Certificates Used)
Desktop sharing (signaling)	TLS
Web conferencing	TLS
Meeting content download, address book download, distribution group expansion	HTTPS
Mobile Clients (UCWA)	TLS

In many cases you may not have direct access to the other system you are connecting to in order to check whether the certificate it is using is valid, or has been signed by a trusted root certificate Authority. As a result, you may have issues connecting to the server and need to use complex tools like Wireshark to determine what the certificate being presented by the far end looks like. This can take time and involve installing software on servers, so I wanted to create a simple tool that doesn’t require any installation and can be run straight from a Powershell prompt. After doing some coding, that’s exactly what I created, introducing the Skype for Business Certificate Checker Tool…

Skype4B / Lync Certificate Checker Tool

Image may be NSFW.
Clik here to view.

Features:

Check the certificate being used by a server using the FQDN/IP and Port number of the server.
Check the certificate of a Federation SRV record (_sipfederationtls._tcp.domain.com) simply by entering the SIP domain name and ticking the “FED SRV” checkbox.
Check the SIP SRV record (_sip._tls.domain.com) by simply entering the SIP domain name and ticking the “SIP SRV” checkbox.
Check the SIP Internal SRV record (_sipinternaltls._tcp.domain.com) by simply entering the SIP domain name and ticking the “SIP INT SRV” checkbox.
Select the DNS server you would like to use to resolve DNS from by entering a DNS Server IP address in the “DNS Server” field.
“Show Advanced” checkbox will show all of the information in the certificate.
The “Show Root Chain” will display the root certificate and all of the intermediate certificates that are applicable in the trust chain for the certificate.
The “Test DNSLB Pool” checkbox is on by default and will instruct to the tool to test all of the IP Addresses that are resolved for a DNS Name. In the case of Skype for Business, we nearly always have multiple DNS records per A record for the purposes of DNS load balancing. Rather than having to look all of the servers yourself, the tool will do this for you. Other servers in pool will be displayed in the Information text box in blue colour and will be tested directly via their IP Address rather than the DNS name.
Import multiple DNS name records from a CSV file. This is useful if you want to check a lot of servers in one sitting. See the “Import File Format” section for more details.
Save certificate information out to a CSV file. This will save all of the certificate information out in table format that you can open in Excel for record keeping purposes. Note:This export format is different than the one used in conjunction with the “Import” button.
Comments section – The comments section will have information in it about things that may be wrong with the certificate to help you troubleshoot your issues.

Available on TechNet Gallery:

DOWNLOAD HERE

Import File Format

You can import a CSV file containing many domains and servers to test if you choose (for example, this may be useful for checking a large list of federated domains). To do this you will first need to create a CSV file with all of the servers and/or domains that you want to test in it. The format of the CSV for each of the record types will look like:

Header row: Domain,Type,Port

Example Federation Record:"microsoft.com","FED","",

Example SIP Record:"microsoft.com","SIP","",
Example SIP Record: "microsoft.com","SIPINT","",

Example direct Record:"sip.microsoft.com","DIR","5061",

Example file:

Domain,Type,Port

"microsoft.com","FED","",

"microsoft.com","SIP","",
"microsoft.com","SIPINT","",

"sip.microsoft.com","DIR","5061"

The Anatomy of a Certificate

The Certificate Checker Tool can display a few different levels of information about the certificate presented by the server. The default basic view of the certificate will be displayed in the tool as follows:

For a Skype for Business or Lync deployment the most important components here are the Subject name, the Not Before and Not After dates. The “Comments” section is provided by the tool to help you troubleshoot issues with the certificate being displayed. This section will automatically check things like the certificate being out of date, the common name/subject alternate names being correct, if there is a Server EKU, and if the certificate has a CLR list included. These comments should help speed up your troubleshooting of certificate issues. Note: the comments will actually be based on all the advanced certificate details, even though the Advanced checkbox is not ticked by default.

Advanced Settings

All certificate details are displayed when the “Advanced” check box is ticked. When you tick this check box and run the tool you will see information as shown below:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Checking FQDN: sipfed.microsoft.com:5061
Checking IP Address: 167.220.67.163:5061

Certificate Response:

Subject: CN=sipfed.microsoft.com, OU=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=WA, C=US
Issuer: CN=Microsoft IT SSL SHA2, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Not Before: 30/04/2015 2:26:22 PM
Not After: 29/04/2017 2:26:22 PM
Serial Number: 5A0000F5B0C7CABB89E4624D1E00010000F5B0
Signature Algorithm: sha256RSA
Thumbprint: 9E1736ACA8C9731798E7FD3496E7D78454A02E80
Version: 3
HasPrivateKey: False
Archived: False

Extension Type: Certificate Policies
Oid Value: 2.5.29.32
Data:
[1]Certificate Policy:
     Policy Identifier=1.3.6.1.4.1.311.42.1
     [1,1]Policy Qualifier Info:
          Policy Qualifier Id=CPS
          Qualifier:
               http://www.microsoft.com/pki/mscorp/cps

Extension Type: Application Policies
Oid Value: 1.3.6.1.4.1.311.21.10
Data:
[1]Application Certificate Policy:
     Policy Identifier=Server Authentication
[2]Application Certificate Policy:
     Policy Identifier=Client Authentication

Extension Type: Key Usage
Oid Value: 2.5.29.15
Data:
Digital Signature, Key Encipherment, Data Encipherment (b0)

Extension Type: Enhanced Key Usage
Oid Value: 2.5.29.37
Data:
Server Authentication (1.3.6.1.5.5.7.3.1)
Client Authentication (1.3.6.1.5.5.7.3.2)

Extension Type: Subject Key Identifier
Oid Value: 2.5.29.14
Data:
df 62 d3 a8 ef 49 3d 2f ed 10 aa 6a 30 3a 6f f9 54 1b 33 39

Extension Type: Authority Key Identifier
Oid Value: 2.5.29.35
Data:
KeyID=51 af 24 26 9c f4 68 22 57 80 26 2b 3b 46 62 15 7b 1e cc a5

Extension Type: CRL Distribution Points
Oid Value: 2.5.29.31
Data:
[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=http://mscrl.microsoft.com/pki/mscorp/crl/msitwww2.crl
               URL=http://crl.microsoft.com/pki/mscorp/crl/msitwww2.crl

Extension Type: Authority Information Access
Oid Value: 1.3.6.1.5.5.7.1.1
Data:
[1]Authority Info Access
     Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
     Alternative Name:
          URL=http://www.microsoft.com/pki/mscorp/msitwww2.crt
[2]Authority Info Access
     Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
     Alternative Name:
          URL=http://ocsp.msocsp.com

Extension Type: Subject Alternative Name
Oid Value: 2.5.29.17
Data:
DNS Name=sipfed.microsoft.com
DNS Name=sipalt.microsoft.com
DNS Name=sip.microsoft.com
DNS Name=ra30.sbweb.microsoft.com
DNS Name=web3.sbweb.microsoft.com
DNS Name=web30.sbweb.microsoft.com
DNS Name=web31.sbweb.microsoft.com

----------------------------------------------------------------------------------
Comments:

- Common Name Match found
- FQDN is in SAN list.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

You will have a full view of all attributes contained within the certificate. Using this information you should be able to troubleshoot most certificate related issues. However, there is one more important piece of information that you might need and that is the certificate chain…

The Certificate Chain

The certificate chain is the hierarchy of Certificate Authority servers from the CA server that issued the certificate through the Intermediate Certificate Authorities to the Root Certificate Authority server. The tool will display the certificate chain as follows:

Certificate Chain:

Certificate Chain Item 1
Chain Subject Name: CN=sipfed.microsoft.com, OU=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=WA, C=US
Chain Issuer name: CN=Microsoft IT SSL SHA2, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Chain Not Before: 11/12/2015 05:36:48
Chain Not After: 11/11/2017 05:36:48
Chain Serial Number: 5A000233C22F738FDBCE9CF8B50001000233C2
Chain Signature Algorithm: sha256RSA
Chain Thumbprint: A710B806065C2187E387635A9F8D7863A63D702A
Chain Version: 3
Chain is valid: True

Certificate Chain Item 2
Chain Subject Name: CN=Microsoft IT SSL SHA2, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Chain Issuer name: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Chain Not Before: 05/08/2014 03:04:09
Chain Not After: 05/08/2018 03:03:30
Chain Serial Number: 0727AA47
Chain Signature Algorithm: sha256RSA
Chain Thumbprint: 97EFF3028677894BDD4F9AC53F789BEE5DF4AD86
Chain Version: 3
Chain is valid: True

Certificate Chain Item 3
Chain Subject Name: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Chain Issuer name: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Chain Not Before: 05/13/2000 04:46:00
Chain Not After: 05/13/2025 09:59:00
Chain Serial Number: 020000B9
Chain Signature Algorithm: sha1RSA
Chain Thumbprint: D4DE20D05E66FC53FE1A50882C78DB2852CAE474
Chain Version: 3
Chain is valid: True

----------------------------------------------------------------------------------
Root Certificates:

- Get Root Certs here: http://cybertrust.omniroot.com/support/sureserver/rootcert_iis.cfm
- Download Root Cert: http://cacert.omniroot.com/bc2025.crt

----------------------------------------------------------------------------------

The tool will show you the Subject Name, Issuer Name (which will be the next server in the list/chain), Element Signature Algorithm (can be important, see below), and whether or not the chain is valid.

In addition to displaying the certificate chain the tool will also, where possible, provide a link to a copy of the root certificate for the root CA being used. The tool knows about the major certificate authorities supported by Microsoft for use with Skype for Business and in most cases will give you a direct link to the root certificate for download.

Root Certificates

One very important thing when configuring external federation with partners or public providers is that MTLS is used for these connections. This means that both ends of the connection need to trust the other’s root certificates. You need to ensure that your edge servers have the root certificates of your partners installed. Fortunately, the Cert Checker Tool has you covered here by showing you where you can download the root certificates for common public certificate authorities. This will appear like shown below:

- Get Root Certs here: http://cybertrust.omniroot.com/support/sureserver/rootcert_iis.cfm

- Download Root Cert: http://cacert.omniroot.com/bc2025.crt

Before you configure a new partner for federation, you can you use the tool to check what certificate authority they are using for their certificates and as a result which root certificates you need installed on your edge servers.

There is also neat trick you can do to automagically install root certificates on a Windows server or PC (post Windows Vista). Note there is a caveat with this process whereby the third party server must be using a Root Certificate Authority that is trusted by Microsoft as part of their Trusted Root Certificate Program (Microsoft supported root CAs can be confirmed on this list). If this is the case then you just need to browse to a web server that is signed by the root certificate authority of choice and Windows will automatically install the root certificate for you! These root certificates are pushed to Window through Windows Update and will be installed only when you try to connect to a website requiring a particular certificate. So connecting to a federated partner's "dialin.domain.com" web page from all of your Edge servers may be enough to download the root certificates for MTLS trust purposes. There is a lot of documentation about this process on TechNet if you would like to know more. A few Skype for Business community have also written about this phenomenon - Chris and Pat.

The Wrap Up

I hope that this new tool finds you well, and I hope that you have many long years of troubleshooting together. Remember, whilst the flame may flicker from time to time, you must stay strong and think fondly of those times in the early days when you hired the car, threw the work laptop in the boot, and drove to the cabin in the woods; not even one bar of 3G internet access could stop you from fixing that server certificate problem. It’s the memory of those times that will keep you on the straight and narrow when that younger and fancier tool with the sexy universal windows app GUI comes along. Your Powershell Certificate Checker will always be faithful, remember that… now get testing!

Rate My Call is a feature in Skype for Business that provides enterprises a way of acquiring feedback from their end-users via a special dialog window that pops up after a specified number of calls. The Rate My Call dialog window offers a combination of star rating system, predefined feedback checkboxes for audio and video calls, as well as the option for custom text based feedback. This gives the administrator a method for adding real user feedback to the existing Quality of Experience statistics that have been available since Lync was first introduced.

Image may be NSFW.
Clik here to view.

Rate My Call Prerequisites

In order to use the Rate My Call feature you will need the following pre-requisites:

You must have Skype for Business Server installed;
Users need to have a client version 15.0.4711.1002 or later and using the Skype for Business UI;
The RateMyCallDisplayPercentage in Client Policy must be set to a value larger than 0;
Users must be homed on a Skype for Business Server front end pool; and
The Skype for Business environment must have a monitoring database deployed.

Rate My Call Settings

The Rate My Call feature has two settings within Client Policy: Display Percentage and Allow Custom User Feedback. The Display Percentage is the percentage of calls that the user will be asked to provide feedback on. The percentage number is very important because if you set this value too high it can result in user survey fatigue whereby users stop providing relevant feedback due to being asked too often. The Allow Custom feedback setting is used to give users the ability to offer specific text based feedback in addition to their star rating and standard checkbox responses. The custom feedback can be great for drilling deeper into what the actual issue may be that the user is experiencing, rather than trying to interpret checkboxes responses that may not exactly match the user's experience.

There is no action required to enable the base feature, however custom feedback will need to be enabled separately if it is desired. The Rate My Call feature is automatically enabled in the Client Policy with the following defaults:

Rate My Call Display Percentage – 10%
Rate My Call Allow Custom User Feedback – disabled

If you have deployed Skype for Business and not changed the defaults, you may already have some data saved within the Monitoring database that you can start analysing.

The following Windows PowerShell cmdlet is an example of enabling custom end user feedback and changing the interval from 10% to 80%.

Configuring Rate My Call:

Set-CSClientPolicy -Identity <PolicyIdentity> -RateMyCallDisplayPercentage 80 - RateMyCallAllowCustomUserFeedback $true

The feature can be completely turned off by setting the RateMyCallDisplayPercentage to 0%.

Accessing Rate My Call Data

When the Rate My Call feature was introduced in Skype for Business Server, there was no interface added to the in the Skype for Business Monitoring Reports interface (which is still true to this day). There was, however, access added in the Call Quality Dashboard product which often doesn’t get deployed due to the overhead of additional SQL server(s) infrustructure. Technet does offer a couple of SQL query examples for getting the basic data out of the system. However, this is not particularly user friendly, so I thought I might make a simple Powershell tool for pulling out data and visualizing it so you can start compiling the user feedback that you may already have stored in your Monitoring database.

Rate My Call Viewer Tool

Image may be NSFW.
Clik here to view.

Features:

Select your required start and end date, rating filter (above or below the selected rating), SIP URI filter, Reason filter, and Voice and/or Video to be listed up. Note: the filters use regex, so for example you could use it to filter for multiple reasons using the OR Operator like this “echo|backgroundnoise”.
Export all events into CSV format.
Create graphs (Stars Bar Graph, Stars Pie Graph, Reason Pie Graph, Reason Bar Graph, Type Pie Graph, Stars Stacked Bar Graph, Trend Over Time Line) of your Call Rating data.

Prerequisites:

This tool should be run on a machine that has the Skype for Business powershell module installed. This is required because the "Get-CSService" command is used to discover the location of the Montoring Database.
The user running the tool needs to have sufficient rights to run select queries on the "QoEMetrics" database and SELECT access on the following tables: Session, AudioStream, CallQualityFeedback, CallQualityFeedbackToken, CallQualityFeedbackTokenDef, User, MediaLine

Download from Technet Gallery:

DOWNLOAD

Built-in Graphs

The Stars Bar Graph is the simpliest way to quickly see the how the users are rating calls on the system. In general you can ignore 0 star ratings because they these will be non-rated calls.

Image may be NSFW.
Clik here to view.

The Reason Bar Graph allows you to easily see trends in the number of each type of issue reported by users. This can be useful for picking out specific types of problems in your network.

Image may be NSFW.
Clik here to view.

The Reason Pie graph give you a quick view of which types of issues are most prevalent within your environment.

Image may be NSFW.
Clik here to view.

The Starts Pie Graph give you an idea of the how pleased your users are overall with the quality of calls within the environment.

Image may be NSFW.
Clik here to view.

The Stars Stacked Bar Graph allows you to differentiate between the ratings of Video and Voice calls separately from each other. This will allow you to understand if the either of the modality types is having more issues than the other. This will allow you to make choices about what to focus your future troubleshooting on.

Image may be NSFW.
Clik here to view.

The Type Pie Chart gives you an extremely simple depiction whether users are having more issues with Voice or Video calls within the environment.

Image may be NSFW.
Clik here to view.

The Trend Over Time Line is useful for tracking over time how the call quality has been changing within the environment. Note: if you are graphing over a long period of time it can be useful to maximize the graph window to see more details in the graph.

Image may be NSFW.
Clik here to view.

The Wrap Up

Well there it is! Now listening to your users is as simple by turning on the Rate My Call feature (which by default is already on!) and using this tool to extract and graph your data. In addition to the standard QoE statistics that the system offers, the Call Rating System built into Skype for Business can be an invaluable tool to understand your network quality. Enjoy!

This blog post covers an interesting issue that I ran into the other day with AudioCodes Mediant Virtual Edition and getting transcoding capabilities working on VMWare. The AudioCodes Virtual Edition SBCs are very capable and are great for SIP Trunk deployments and routing calls between various SIP platforms. They can support a large number of non-transcoded calls as well as supporting transcoding for audio and DTMF streams. In a hardware SBC, transcoding is usually done with a DSP chip that is used to convert one codec to another codec. However, in a Virtual SBC this is done using the CPU cores provided to the virtual machine.

The requirement for transcoding in a deployment can come up when connecting to carriers with mandatory codec requirements like G.729 (a low bandwidth codec) that are not supported by Skype for Business. In these cases, if the carrier decides to send a call inbound with only G.729 (or some other unsupported codec) as the only media type available in the INVITE SDP, rather than reject the call, we can have the SBC transcode between the two different codecs.

So what is required for transcoding to work on the AudioCodes Virtual Edition SBC? Just CPU cores right? Well, not exactly… Continue on, intrepid reader…

Image may be NSFW.
Clik here to view.

CPU Specifications

The AudioCodes manuals are quite clear with their requirements for how many CPU Cores are required to support different numbers of sessions and transcoding capabilities. These range from low spec VMs with only 2 cores up to 8 cores (as of version 7.2). For details of the number of CPU Cores required for each scenario, I suggest you check out the latest Mediant Virtual Edition User Guide (the Channel Capacity section).

In addition to the number of CPU Cores required, the 7.0 and 7.2 manuals for the AudioCodes Virtual Edition both state the following about CPU requirements:

Specifications Resource	Specifications
Processor type	64-bit Intel® CPU of at least 2.5 GHz, with support for hardware virtualization (Intel VT-x) enabled with Advanced Vector Extensions (AVX) and AES-NI support (Sandy-Bridge architecture or newer)

Whilst usually the exact specifications of a CPU that an application vendor lists can be taken as a generic baseline for the systems that they may have done capacity testing on, in this case the CPU capabilities absolutely matter! It seems that when the Virtual Edition was designed, the code used for transcoding was specifically targeted for CPUs that support the AVX feature set introduced in Sandy Bridge CPUs. When the Virtual SBC boots, it checks the CPU capacities and if it is not at least Sandy Bridge level (with AVX support) then the SBC transcoding capabilities will not be available!

This limitation has some additional flow-on effects depending on the hypervisor on which it is being deployed. See the following section for more details of these limitations.

VMWare and CPU Capabilities

In addition to the raw CPU capabilities in the host machines (ie. Sandy Bridge generation of processors with AVX support), a VMWare environment using vMotion also can be configured with a specific level of processor support across all hosts in a vMotion cluster. This is a feature within VMWare that is called Enhanced vMotion Compatibility (EVC) and controls the level of CPU capabilities being emulated at the VM level across multiple machines. This ensures that the same CPU capabilities are presented for all machines in a cluster, and protects against having differing CPU capabilites when VMs are migrated between hosts. This can mean that even if the host machine has a Sandy Bridge CPU, this capability set may not be passing through to the VM on which the SBC is running.

The VMWare vMotion EVC level will be used when the host machines in a cluster have different levels of CPU capabilities. The lowest CPU capability will be the one that is emulated for all machines in the cluster. So, whilst many of the hosts may have Sandy Bridge or above CPUs, there may be lower capability machines included in the cluster that force the EVC baseline in VMWare to be configured to a lower CPU feature set. This setting can directly affect the Virtual Edition SBC's ability to support transcoding, because even if the host has Sandy Bridge capabilities the VMWare environment might be masking these capabilities and presenting a lower CPU level than is actually in the host.

Below is a table that describes the various EVC levels that can be configured within VMWare:

VMWare Description of Intel EVC Baselines:

EVC Level	EVC Baseline	Description
L0	Intel® "Merom" Gen. (Intel® Xeon® Core™ 2)	Applies baseline feature set of Intel® "Merom" Generation (Intel® Xeon® Core™ 2) processors to all hosts in the cluster.
L1	Intel® "Penryn" Gen. (formerly Intel® Xeon® 45nm Core™ 2)	Applies baseline feature set of Intel® "Penryn" Generation (Intel® Xeon® 45nm Core™ 2) processors to all hosts in the cluster. Compared to the Intel® "Merom" Generation EVC mode, this EVC mode exposes additional CPU features including SSE4.1.
L2	Intel® "Nehalem" Gen. (formerly Intel® Xeon® Core™ i7)	Applies baseline feature set of Intel® "Nehalem" Generation (Intel® Xeon® Core™ i7) processors to all hosts in the cluster. Compared to the Intel® "Penryn" Generation EVC mode, this EVC mode exposes additional CPU features including SSE4.2 and POPCOUNT.
L3	Intel® "Westmere" Gen. (formerly Intel® Xeon® 32nm Core™ i7)	Applies baseline feature set of Intel® "Westmere" Generation (Intel® Xeon® 32nm Core™ i7) processors to all hosts in the cluster. Compared to the Intel® "Nehalem" Generation mode, this EVC mode exposes additional CPU features including AES and PCLMULQDQ.
L4	Intel® "Sandy Bridge" Generation	Applies baseline feature set of Intel® "Sandy Bridge" Generation processors to all hosts in the cluster. Compared to the Intel® "Westmere" Generation mode, this EVC mode exposes additional CPU features including AVX and XSAVE.
L5	Intel® "Ivy Bridge" Generation	Applies baseline feature set of Intel® "Ivy Bridge" Generation processors to all hosts in the cluster. Compared to the Intel® "Sandy Bridge" Generation EVC mode, this EVC mode exposes additional CPU features including RDRAND, ENFSTRG, FSGSBASE, SMEP, and F16C.
L6	Intel® "Haswell" Generation	Applies baseline feature set of Intel® "Haswell" Generation processors to all hosts in the cluster. Compared to the Intel® "Ivy Bridge" Generation EVC mode, this EVC mode exposes additional CPU features including ABMX2, MOVBE, FMA, PERMD, RORX/MULX, INVPCID, VMFUNC.

In order for AVX to be supported in a large VMWare environment, the Processor Support needs to be configured at a minimum of L4 Sandy Bridge level. If EVC mode is not being used the EVC mode may display as "N/A" or "disabled", both of these modes will allow for the raw processor capabilities to be passed through to the SBC, which will also allow for transcoding to work if the CPU is Sandy Bridge or above.

VMWare reference: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1003212

The host EVC level can be viewed in the host summary page within vSphere. In the example below the current EVC level is set to Merom Generation or L0 level which would not support transcoding:

Image may be NSFW.
Clik here to view.

Hyper-V Processor Compatibility Mode

I haven’t actually tested this on Hyper-V because transcoding on Hyper-V has only been supported as of 7.2 software. However, Hyper-V also has a CPU Compatibility mode feature which allows for various features that involve moving VMs between machines (eg. Live Migration, Quick Migration and Save/Restore features). This feature is similar to VMWare EVC mode, however, the implementation is slightly different than VMWare. When the Processor Compatibility mode is enabled in Hyper-V the CPU (for Intel and AMD CPUs) feature set gets “normalised” by removing extended feature sets of the each CPU type to lower the capabilities to a baseline.

For the Microsoft documentation, when a VM in processor compatibility mode is started, the following processor features are hidden from the VM:

Host running Intel based processor

SSSE3, SSE4.1, SSE4.2, POPCNT, Misaligned SSE, XSAVE, AVX

You will note that AVX is one of the hidden features, which is one of the features required for the AudioCodes Virtual Edition SBC to work! Uh-oh…

When this feature was released, the following Q&A was documented about this functionality:

From the Hyper-V Compatibility Mode Q and A:

Q: Can I individually select which features should be hidden from VM when put in processor compatibility mode?

A: No, once you put VM in a processor compatibility mode, Hyper-V will hide the necessary set of features from the VM to ensure a successful migration between Hyper-V enabled processors.

Q: What happens if a vendor has written an application that uses one of these features that isn’t visible with processor compatibility enabled?

A: Since the feature isn’t exposed to the virtual machine, the application won’t “see it” and it’s up to the application to determine how to proceed; however, there are two likely paths.

So presumably the CPU compatibility feature within Hyper-V is going to cause the AudioCodes Virtual Edition SBC to not be able to see the AVX capabilities of the CPU. As a result, transcoding will likely not work on Hyper-V if processor compatibility mode is enabled.

Hyper-V Processor Compatibility References:

http://download.microsoft.com/download/F/2/1/F2146213-4AC0-4C50-B69A-12428FF0B077/VM%20processor%20compatibility%20mode.doc

https://blogs.technet.microsoft.com/virtualization/2009/05/13/tech-ed-windows-server-2008-r2-hyper-v-news/

Checking CPU Capabilities after Installation

If the Virtual Edition SBC has been installed within a virtual environment, you can tell if the hardware will support transcoding by checking the following CLI commands:

Working Transcoding example:

Mediant VE SBC> show system hardware

CPU: Intel(R) Xeon(R) CPU E5-2650 0 @ 2.00GHz, total 4 cores avx support(avx)

Memory: total RAM: 4096 MB

Chassis: VMware Virtual Platform

Network:

VMware VMXNET3 Ethernet Controller (rev 01)

Virtual env: vmware

Mediant VE SBC>

In the example above you can see that the CPU has “avx support (avx)”. Transcoding will work on this server.

Non-supported hardware example:

Mediant VE SBC# show system hardware

CPU: Intel(R) Xeon(R) CPU X5650 @ 2.67GHz, total 4 cores avx support(none)

Memory: total RAM: 8192 MB

Chassis: VMware Virtual Platform

Network:

VMware VMXNET3 Ethernet Controller (rev 01)

Virtual env: vmware

Mediant VE SBC#

In the example above you can see that the CPU has “avx support (none)”. Transcoding will not work on this server.

Web Interface Check

The only way to tell from the web interface whether or not the current server hardware will support transcoding is to download the configuration file and check the following:

Transcoding Working Example:

;Board: Mediant VE SBC

;HW Board Type: 73 FK Board Type: 79

;Product Key:

;Slot Number: 1

;Software Version: 7.00A.095.004

;DSP Software Version: SOFTDSP => 700.53

;Board IP Address: 10.20.1.168

;Board Subnet Mask: 255.255.255.0

;Board Default Gateway: 10.20.1.1

;Ram size: 3831M Flash size: 0M

;Num of DSP Cores: 3 Num DSP Channels: 100

;Profile: NONE

;Client defaults file is being used (file length=352)

In this working example the configuration file displays that it has discovered 3 DSP Cores and has 100 DSP channels available for transcoding.

Transcoding Not Working Example:

In this example, the configuration file displays that it has discovered 0 DSP Cores and has 0 DSP channels available for transcoding. In this case the SBC has detected that the CPU does not have AVX support and as a result will not support transcoding.

;Board: Mediant VE SBC

;HW Board Type: 73 FK Board Type: 79

;Product Key:

;Slot Number: 1

;Software Version: 7.00A.095.004

;DSP Software Version: SOFTDSP => 700.53

;Board IP Address: 10.20.1.165

;Board Subnet Mask: 255.255.255.0

;Board Default Gateway: 10.20.1.1

;Ram size: 7871M Flash size: 0M

;Num of DSP Cores: 0 Num DSP Channels: 0

;Profile: NONE

;Client defaults file is being used (file length=352)

Example of Transcoding Failure Errors

When the transcoding resources are not available due to a lack of CPU support for AVX, you will see errors complaining about a lack of resources in the log at the time of the SBC trying to apply extension coders or setting up the call:

22:41:25.812 147.76.26.84 local0.notice [S=4742] [SID=a64ab9:33:279] ( lgr_flow)( 4645) #MediaResourcesConnector::AllocateMediaResources

22:41:25.812 147.76.26.84 local0.notice [S=4743] [SID=a64ab9:33:279] ( media_connect)( 4646) ConnectionData::CalculateResourcesForExtTranscoding Leading:DSP Opposite:CODERTRANSCODING MediationLevel:RTP

22:41:25.812 147.76.26.84 local0.notice [S=4744] [SID=a64ab9:33:279] ( media_service)( 4647) ServicesMngr: Allocate Coder Transcoding session. current active: 0 and max is: 250

22:41:25.812 147.76.26.84 local0.notice [S=4745] [SID=a64ab9:33:279] ( media_service)( 4648) ServicesMngr: Allocate Media channel. current active: 0 and max is: 0

22:41:25.812 147.76.26.84 local0.warn [S=4746] [SID=a64ab9:33:279] ( media_service)( 4649) !! [ERROR] ServicesMngr: Cannot allocate more Media channel. current active: 0 and max is: 0

22:41:25.812 147.76.26.84 local0.warn [S=4747] [SID=a64ab9:33:279] ( lgr_flow)( 4650) !! [ERROR] (#2198)RTPStreamResource::AllocateResource Allocate Resource - cannot allocate DSP. probably lack of resources

22:41:25.812 147.76.26.84 local0.notice [S=4748] [SID=a64ab9:33:279] ( media_service)( 4651) ServicesMngr: Deallocate Coder Transcoding session. current active: 1 and max is: 250

22:41:25.812 147.76.26.84 local0.notice [S=4749] [SID=a64ab9:33:279] ( media_service)( 4652) ServicesMngr: Allocate Coder Transcoding session. current active: 0 and max is: 250

22:41:25.812 147.76.26.84 local0.notice [S=4750] [SID=a64ab9:33:279] ( media_service)( 4653) ServicesMngr: Allocate Media channel. current active: 0 and max is: 0

Licensing

In addition to the CPU requirements, you will also need licensing for transcoding to work. The CODER-TRANSCODING licence must be available in the licence installed on the SBC. The CODER-TRANSCODING licence will appear in the licence as shown below:

Key features:

Board Type: Mediant VE SBC

IP Media: VXML

Coders: G723 G729 G728 NETCODER GSM-FR GSM-EFR AMR EVRC-QCELP G727 ILBC EVRC-B AMR-WB G722 EG711 MS_RTA_NB MS_RTA_WB SILK_NB SILK_WB SPEEX_NB SPEEX_WB OPUS_NB OPUS_WB

Channel Type: DspCh=100 IPMediaDspCh=100

Security: IPSEC MediaEncryption StrongEncryption EncryptControlProtocol

DSP Voice features:

DATA features:

Control Protocols: MGCP SIP SBC=10 MSFT FEU=50 CODER-TRANSCODING=50

Default features:

Coders: G711 G726

If you do not have the CODER-TRANSCODING licence then the SBC will still run, however transcoding functionality will not be available.

The Wrap Up

So before jumping in to the Virtual Edition SBC world with your customers, be sure to understand the server and Hypervisor environment that you are deploying the SBC into. Some useful questions to ask up front are:

What hypervisor will the SBC be installed on?
Have you purchased CODER-TRANSCODING licences for the SBC?
Is the hypervisor server host CPU at least Sandy Bridge level and does it support AVX?
If vMotion is being used within VMWare: What is the VMWare vMotion EVC baseline of the host that the SBC is deployed on?
If Hyper-V is being used, is Processor Capability mode disabled?
Have you ensured that the hypervisor is going to have enough dedicated CPU Cores available for the SBC? Also, note that the CPU resource must be reserved for the SBC and not shared.

Armed with this information, you will be able to make an informed assessment on whether or not transcoding is going to be supported on the Virtual Edition SBC! Hope this was helpful. Cheers!

Skype for Business Online and Skype Teams are both real time communications tools that rely heavily on the networking infrastructure that they run on top of. This has always been, and will remain, a challenge in cloud deployments for the foreseeable future. In order to prepare for deploying Skype for Business Online or Microsoft Teams, you need to first ensure that your networking infrastructure will be able to handle the real-time traffic that these applications produce.

To help with this, Microsoft released a tool call the Skype for Business Network Assessment Tool. This tool runs via the command line and uses the same media stack that is used by the Skype for Business client to test Packet Loss, Jitter, Round Trip Latency and Reorder Packet Percentage on connections from your network into Microsoft’s Office 365. The audio stream created by the tool gets sent to Office 365 and then mirrored back from the closest Edge server location to your current physical location. Based on the return stream the tool is able to give accurate statistics on Packet Loss, Jitter, Round Trip Latency and Reorder Packet Percentage. This will give you an idea of the how congested the current network environment is and how well you might expect Skype for Business or Skype Teams conferences to function in your environment.

The Microsoft Network Assessment Tool is useful because it allows you to test a network before an Office 365 tenant has even been deployed and it’s also free! What the tool does lack though is the ability to easily monitor the network over a period of time and produce nicely formatted output that you can show to a manager or customer. So, I thought I would take some time and try to rectify these limitations and build a new front end for the tool…

Network Assessor

Introducing Network Assessor for Skype for Business and Microsoft Teams:

Image may be NSFW.
Clik here to view.

Version 1.00 Features

Graphs Packet Loss, Average Jitter, Latency and Reorder Ratio.
Zoom graphs in / out / forwards / backwards to view the data clearly.
Start / Stop and Pause the network tests at the click of a button.
Keep an eye on the status of testing using the tray icon colour by setting breach percentage thresholds. This will easily let you know that things are within your desired operating levels without having to open the interface. There are two levels of threshold breaches; one that changes the icon to orange in colour and the other that changes the icon to red in colour. These percentages are calculated on a per graph basis and if any graph breaches the percentage the colour will change.
Graphs will automatically highlight in red points in each of the graphs which are outside of Microsoft’s recommended bounds of operation. There are two levels for these thresholds: Client thresholds and Edge Thresholds. For more details see the Usage section below.
The status bar will display PASS/FAIL results for each graph. This calculation follows Microsoft's "ResultsAnalyzer.exe" PASS/FAIL calculation which is based on any graph having more than 10% of test attempts resulting in (Client or Edge) threshold breaches will equal a FAIL result.
You can select the frequency at which the tool will run tests. This ranges between 1 and 120 minutes (ie. Run a 17 second long test every 1 minute or up to every 2 hours).
Allows for graphs to be saved as PNG images for use in documentation/reports.
All the graphs can be shown at once or individual graphs can be selected using the “Window” menu item. Graphs are saved at the resolution that they are displayed, so opening individual graphs and then saving them can offer higher resolutions.
Every session that is created by the tool gets recorded in a CSV file for future reference. Sessions will “roll” to a new file based on the “Roll Time (hours)” setting in the Settings dialog. Logs can be rolled between 1 and 12 hours.
CSV files can be imported back in to the tool by using the File > Import CSV File menu or dragging and dropping the file onto the interface directly from Windows Explorer.
Supports automatic download (note: Internet connection is required for this to work) and installation of the Microsoft Network Assessment Tool and VC++ Redistributable pre-requisite by using the Help > Install Microsoft Tool menu item.

Note: This tool is not intended for load/stress testing!

Download Here!

Prerequisites

Tested with version 6.0.8969.164 (12/14/2016) of the Microsoft Skype for Business Network Assessment Tool (LINK: https://www.microsoft.com/en-us/download/details.aspx?id=53885).

Network Assessor requires the following:

At least .NET 4.5 must be installed on the PC to run the tool. (Windows 8 / Windows Server 2012 and above will support this by default. If you are using earlier operating systems the installer will download .net for you)
Do not run the tool on a machine with multiple interfaces. Microsoft’s Network Assessment Tool may fail due to sending traffic out the wrong interface.
When run on Windows Server, Microsoft’s command line tool needs “Media Foundation” (for Windows 2012, 2012 R2) or “Desktop Experience” (Windows 2008 R2) installed when running on Windows Server. These can be installed via the Server Manager interface or through Powershell:

Windows Server 2008 R2 (Desktop Experience install):

Import-Module ServerManager

Add-WindowsFeature Desktop-Experience

Windows Server 2012 or 2012 R2 (Media Foundation install):

Add-WindowsFeature Server-Media-Foundation

Note: This is not documented in Microsoft’s documentation but is required.

Microsoft’s command line tool and pre-reqs can be can automatically downloaded and installed using the Help > Install Microsoft Tool…menu directly in the Network Assessor interface. For manual offline installation of Microsoft’s Tool, install the following:

Note: Microsoft’s tool should be left with all of the default settings in its config file.

Firewall Requirements:

The tool needs to be able to send traffic to Office 365 in order to work. The following ports are required to be allowed on firewalls between the Network Assessor tool and Office 365:

TCP Source Ports: 50000 - 50019
TCP Destination Port: 443
UDP Source Ports: 50000 - 50019
UDP Destination Port: 3478

Network Assessment Procedures:

For more procedural details on how to do Network Assessments, please refer to the Skype Operations Framework. There is a lot of useful documentation in the Determine Network Readiness section of Planning stage within this framework and should give you a good starting point for running Network Readiness assessments.

Usage Details

Walkthrough Video:

Main Window Settings

Image may be NSFW.
Clik here to view.

The “Run Every x Mins” setting controls how often the network assessment tool will be run and log results. This value can be set between 1 minute and 2 hours.

The Thresolds setting refers to two levels of thresholds that are recommend by Microsoft for real time audio for the statistics that are generated by the Network Assessment Tool. The first is the “Edge” values which are recommended for when you are testing from your perimeter network into Office 365. The second is recommended thresholds when testing from a “Client” subnet. The Edge values are lower and more restrictive than the client subnet because is expected that the client subnet will have more hops to get to Office 365 than the Edge.

Customer Edge to Microsoft Edge Thresholds:

Metric	Target
Latency (RTT)	< 60ms
Packet loss	<0.1% during any 15s interval Note: The value output by the Microsoft tool is not a percentage.
Packet inter-arrival Jitter	<15ms during any 15s interval
Packet reorder	<0.01% out-of-order packets Note: The value output by the Microsoft tool is not a percentage.

Client to Microsoft Edge Thresholds:

Metric	Target
Latency (RTT or Round-trip Time)	< 100ms
Packet loss	<1% during any 15s interval Note: The value output by the Microsoft tool is not a percentage.
Packet inter-arrival Jitter	<30ms during any 15s interval
Packet reorder	<0.05% out-of-order packets Note: The value output by the Microsoft tool is not a percentage.

Settings Window:

The tool has the following settings:

Image may be NSFW.
Clik here to view.

Network Assessment Tool Location: This is the location of the Skype for Business Network Assessment Command Line Tool on the system. If you have manually downloaded the tool and unzipped it to a folder on the system you can enter the location via the Browse button.

Session Log Folder: The Session Logs by default are placed on the system in the “C:\Users\<Username>\AppData\Roaming\NetworkAssessor\SessionLogs” folder. If for some reason you would like to change this folder (perhaps for centralizing the logs on a file share) you can select a new folder here.

Red Level Breach Percentage: This is the percentage of breaches (on a per graph basis) that has to occur for the task bar icon to change to red colour.

Orange Level Breach Percentage: This is the number of breaches (on a per graph basis) that has to occur for the task bar icon to change to orange colour.

Turn Off Minimise Notification: When this check box is ticked it will turn off the task bar notifications.

Auto Scroll Graph: When this check box is ticked it means that the graphs will automatically scroll when new points are added to it graph.

Roll Time (Hours): This is the number of hours of testing that will be logged to CSV until a new session log file is created. When the file rolls the graphs will also be cleared. This is to try and maintain the performance of the graphs. Also, when the graph is cleared the breach counters will also be cleared.

The Wrap Up

Hopefully this post will give you another tool in the toolbox to help you in your preparation for deploying Skype for Business Online or Microsoft Teams in your environment. If you have any comments or issues with the tool please provide feedback below.

I have written quite a few Powershell tools for Skype for Business and some of these might be tools that people want to use on a regular basis across their Front End servers. People may want to deploy so that others within the administrative team can also use them in a simple and centrally managed way. So I thought I would write a blog post that explains a simple way to centrally deploy scripts out to multiple servers so they are easily accessible to yourself and other team members.

The method described below uses Active Directory Group Policy to control the deployment Powershell scripts across a number of Skype for Business Front End servers.

Step 1: Create a central file share where you will be storing the script files that you would like to have available on your Front End servers. In this case I created a folder named Scripts where I placed a Powershell script.

Image may be NSFW.
Clik here to view.

Step 2: Share the folder (Right Click on Folder-> Properties -> Sharing Tab -> Sharing…). In this case I have given Read access to everyone.

Image may be NSFW.
Clik here to view.

Step 3: In Active Directory Users and Computers create an OU for your Skype for Business servers. In this case I have created an OU called SfBServers and have moved all of the Skype for Business Front Ends Computer Objects to this OU.

Image may be NSFW.
Clik here to view.

Step 4: Open Active Directory Group Policy Management(gpmc.msc) and Right Click the SfBServersOU and “Create a GPO in this domain, and Link it here…”.

Image may be NSFW.
Clik here to view.

Step 5: Give the New GPO a name. In this case I have called the GPO “PowershellScripts”.

Image may be NSFW.
Clik here to view.

Step 6: Right Click the PowershellScripts GPO and select “Edit…”.

Image may be NSFW.
Clik here to view.

Step 7: Open Computer Configuration -> Preferences -> Windows Settings, Right Click Shortcuts and select New -> Shortcut.

Image may be NSFW.
Clik here to view.

Step 8: Fill in the shortcut properties as described below.

Image may be NSFW.
Clik here to view.

Action: Update

Name: VVX Manager

Target type: File System Object

Location: All Users Desktop

Target path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Arguments: -WindowStyle Hidden -nologo -executionpolicy bypass -command "& \\ServerHostName\Scripts\Skype4B-Lync-PolycomVVXManager2.21.ps1"

Icon file path: %SystemRoot%\system32\SHELL32.dll

Icon index: 24

Powershell Arguments Breakdown:

-WindowStyle: This argument is being used to supress the Powershell window from being displayed when the script is run. I am using this deliberately because the script I am using this for has its own Windows Forms GUI that will be displayed and the Powershell window is not required. This will give the script the feeling of being more like an application.

-NoLogo: Tells the Powershell window to not show the Copyright banner - to make it that little bit quicker (or maybe not… but you never know…).

-ExecutionpPolicy: This is set to “bypass” in order to avoid the Windows server execution policy defaults that may block the script from running on the server.

-Command: Specifies the command text to execute as though it were typed at the PowerShell command prompt. In this case we are selecting to open the script file from the share that we created in Steps 1-2. You can also include any arguments for the script here if they are required.

For the Icon selection, when you click the ellipse you will get an Icon picker with many icons to choose from. Choose the one that makes most sense for the script you are using.

Image may be NSFW.
Clik here to view.

Step 9: Now on the Front End server run “gpupdate /force” to get the new Group Policy pushed down to the server:

Image may be NSFW.
Clik here to view.

You should now get a new shortcut on the Desktop of the server that matches the one that you made in Group Policy. When you double click it you will see a command window for a second (if you chose the Window Style as Hidden like in this example) and then the Powershell GUI will be displayed:

Image may be NSFW.
Clik here to view.

It’s that easy! Now you can package your favourite scripts and centrally manage the version used by all users across all your servers.

The Wrap Up

I hope you found this post useful and that it allows you a better experience in using and managing your favourite Powershell scripts on your servers. Enjoy!

I found an interesting issue when testing some Spectralink 8440 handsets the other day and I didn’t see the answer documented anywhere, so I thought I'd change that situation by blogging about it.

Note: The firmware that I was using when I ran into this issue was 5.4.4.1156. I also rolled back to a 5.3 and 5.2 version and had the same issue, so this problem may have existed for a while.

The Symptom

Outbound Call

After setting the phones up and logging in using PIN Authentication successfully when making an outbound call, the call would hang after the number was dialled. The screen would sit at the calling screen forever and nothing would happen (i.e. the dialled phone wouldn’t ring).

Image may be NSFW.
Clik here to view.

Outbound Call

Inbound Call

For an inbound call, the calling party (i.e. a Skype for Business client) would receive ringback tone and the call would not get displayed on the Spectralink handset. After the call forwarded timeout was reached, the call forwarded to voicemail and a missed call would appear on the Spectralink screen.

Image may be NSFW.
Clik here to view.

Inbound Call

Troubleshooting

The symptoms described above were consistent and it was clear that the SIP Signalling was working well enough to allow the device to sign in and receive information from the system. However, both inbound and outbound calls were not setting up correctly. The next port of call was to look into the logs. For an outbound call there wasn’t much information in the logs to dig into. However, for an inbound call I could see the inbound INVITE message arrive and the phone would respond with a TRYING message. At this point I could see that the inbound call was not progressing past the point of parsing the candidates from the inbound INVITE message. From this, I suspected that this was something to do with the Spectralink not being about to process the candidates correctly. I then realised that the lab system I was testing the phone on didn’t actually have an Edge server associated with it. This, of course, meant that the phone would not be getting or receiving any reflexive or relay candidates… Hhhhmmmm, interesting...

Inbound Call Log

1205143558|sip |0|00|<<< Data received TLS

1205143558|sip |0|00| INVITE sip:Terry.Adams@10.22.2.11:33207;transport=tls;ms-received-cid=781300 SIP/2.0

1205143558|sip |0|00| Record-Route: <sip:SFB001.sfbdomain.com:5061;transport=tls;opaque=state:T:F:Ci.R781300:Ieh.Lvw6TSBMlsUoTJbFhkstQInxeS6wHgXRHMHiO5ioDln-fhNvUO1qLucUD4gO1tXpzhB_8cegAA;lr;ms-route-sig=hkx-TWiKYeik4c0hYMHXqBiJ4op9gbnpuTatBwsuD7moptXpzhB_8cegAA>;tag=B12630CFFCD2C61F74BDE5EB8A4C611A

1205143558|sip |0|00| Via: SIP/2.0/TLS 10.20.1.223:5061;branch=z9hG4bK8BA0D60F.E19C5E6D7DAA886D;branched=TRUE;ms-internal-info="dgFJqKHJ0AXHZY0sy2IaYnenMPK5auGe9rVA0q4_Ro3qxtXpzhVO8OYQAA"

1205143558|sip |0|00| Authentication-Info: TLS-DSK qop="auth", opaque="4E02C6ED", srand="4D31E5BD", snum="17", rspauth="420755234a2dbcecd21a249213ceb92d8ba9cfc5", targetname="SFB001.sfbdomain.com", realm="SIP Communications Service", version=4

1205143558|sip |0|00| Max-Forwards: 69

1205143558|sip |0|00| Content-Length: 890

1205143558|sip |0|00| Via: SIP/2.0/TLS 10.22.0.22:42727;branch=z9hG4bK1d5487849DAF07;ms-received-port=42727;ms-received-cid=77D300

1205143558|sip |0|00| P-Asserted-Identity: "Terry Adams"<sip:Terry.Adams@sfbdomain.com>,<tel:+61266591007;ext=1007>

1205143558|sip |0|00| From: "Terry Adams"<sip:Terry.Adams@sfbdomain.com>;tag=5C30CCBE-7E228105;epid=64167f23b38c

1205143558|sip |0|00| To: <sip:+61266591007@sfbdomain.com;user=phone>;epid=00907a0f09d8

1205143558|sip |0|00| CSeq: 1 INVITE

1205143558|sip |0|00| Call-ID: 0888c5534fafd0fc37bc94f7a523b38c

1205143558|sip |0|00| Contact: <sip:Terry.Adams@sfbdomain.com;opaque=user:epid:F5iF87H531yKmJ1oYYBMjwAA;gruu>

1205143558|sip |0|00| Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, INFO, MESSAGE, SUBSCRIBE, NOTIFY, PRACK, UPDATE, REFER

1205143558|sip |0|00| User-Agent: Polycom/5.6.0.17325 PolycomVVX-VVX_311-UA/5.6.0.17325_64167f23b38c

1205143558|sip |0|00| Accept-Language: en

1205143558|sip |0|00| ms-subnet: 10.22.0.0

1205143558|sip |0|00| Allow-Events: conference,talk,hold

1205143558|sip |0|00| Supported: replaces

1205143558|sip |0|00| Supported: ms-safe-transfer

1205143558|sip |0|00| Supported: ms-bypass

1205143558|sip |0|00| Supported: ms-dialog-route-set-update

1205143558|sip |0|00| Supported: timer

1205143558|sip |0|00| Supported: 100rel

1205143558|sip |0|00| Supported: gruu-10

1205143558|sip |0|00| MS-Conversation-ID: AdNteidtM2YxYWFkN2ZiZjM0ODVhZQ==

1205143558|sip |0|00| Content-Type: application/sdp

1205143558|sip |0|00| history-info: <sip:Terry.Adams@sfbdomain.com>;index=1;ms-target-phone="tel:+61266591007;ext=1007"

1205143558|sip |0|00|

1205143558|sip |0|00| v=0

1205143558|sip |0|00| o=- 1512444953 1512444953 IN IP4 10.22.0.22

1205143558|sip |0|00| s=Polycom IP Phone

1205143558|sip |0|00| c=IN IP4 10.22.0.22

1205143558|sip |0|00| t=0 0

1205143558|sip |0|00| a=sendrecv

1205143558|sip |0|00| m=audio 5350 RTP/S

1205143558|sip |0|00|<<< Data received TLS

1205143558|sip |0|00| AVP 9 112 8 0 18 101

1205143558|sip |0|00| a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:/u2wztfJizjOcLml2T1uN/3qiNEZpAiiPqCcyOhn|2^31|1:1

1205143558|sip |0|00| a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:gXAfAu4Z6VZ/1ZQYLJe3g4HAGcgwY9w4vDdlLSkJ|2^31

1205143558|sip |0|00| a=rtpmap:9 G722/8000

1205143558|sip |0|00| a=rtpmap:112 G7221/16000

1205143558|sip |0|00| a=fmtp:112 bitrate=24000

1205143558|sip |0|00| a=rtpmap:8 PCMA/8000

1205143558|sip |0|00| a=rtpmap:0 PCMU/8000

1205143558|sip |0|00| a=rtpmap:18 G729/8000

1205143558|sip |0|00| a=fmtp:18 annexb=no

1205143558|sip |0|00| a=rtpmap:101 telephone-event/8000

1205143558|sip |0|00| a=ice-pwd:EK5jmhsUk5xntwoCmEIEAmfT

1205143558|sip |0|00| a=ice-ufrag:pbdW

1205143558|sip |0|00| a=rtcp:5351

1205143558|sip |0|00| a=candidate:1 1 UDP 2130706431 10.22.0.22 5350 typ host

1205143558|sip |0|00| a=candidate:1 2 UDP 2130706430 10.22.0.22 5351 typ host

1205143558|sip |0|00| a=candidate:2 1 TCP-ACT 1684733951 10.22.0.22 5350 typ srflx raddr 10.22.0.22 rport 5350

1205143558|sip |0|00| a=candidate:2 2 TCP-ACT 1684733950 10.22.0.22 5350 typ srflx raddr 10.22.0.22 rport 5350

1205143558|sip |1|00|MsgSipTcpPacket

1205143558|sip |3|00|CStkDialog::CreateRouteSet: transport set to top route 'TLS'

1205143558|sip |3|00|CStkDialog::SetAddressLocal localTag set to ''

1205143558|sip |3|00|CStkDialog::SetAddressLocal new address added of 1

1205143558|sip |2|00|CStkDialog::CStkDialog SetAddressLocal from pRequest To: 'Terry Adams'<+61266591007@sfbdomain.com:0>

1205143558|sip |2|00|CStkDialog::CStkDialog SetAddressLocal Config 'Terry Adams'<Terry.Adams@sfbdomain.com:0>

1205143558|sip |2|00|CStkDialog::CStkDialog TAG 'B640E4F5-9C530CE' generated

1205143558|sip |2|00|CStkDialog::CStkDialog local addr 'Terry Adams'<+61266591007@sfbdomain.com:0> Tag 'B640E4F5-9C530CE'

1205143558|sip |2|00|CStkDialog::CStkDialog exit 0x9d5bf0 local list size 1

1205143558|sip |2|00|CCallBase::IsChallenged COPIED Dialog Tag to pRequest 'B640E4F5-9C530CE'

1205143558|sip |2|00|CCallBase::IsChallenged 'INVITE' Dialog Tag 'B640E4F5-9C530CE' pRequest Tag 'B640E4F5-9C530CE' state 'Trying'

1205143558|sip |2|00|new UA Server INVITE trans state 'proceeding', timeout=0 (0x40d40ea8)

1205143558|sip |3|00|CStateInviteServer::CStateInviteServer

1205143558|sip |3|00|CStateInviteServer::CStateInviteServerHandler

1205143558|sip |3|00|CStateInviteServer::CStateInviteServerHandler - pReplace (0x0)

1205143558|sip |*|00|CSdp::operator << - setting m_bIsSecured == true

1205143558|sip |3|00|CStateInviteServer::CStateInviteServerHandler - calling RemoteSdpOffer

1205143558|sip |3|00|CStkCall::RemoteSdpOffer m_nMediaRTPPort=0

1205143558|sip |1|00|Dialog 'id9cd7e4d4' State 'Trying'->'Early'

1205143558|sip |1|00|signatureBuffer: <TLS-DSK><D0E0949F><11><SIP Communications Service><SFB001.sfbdomain.com><0888c5534fafd0fc37bc94f7a523b38c><1><INVITE><sip:Terry.Adams@sfbdomain.com><5C30CCBE-7E228105><sip:+61266591007@sfbdomain.com;user=phone><B640E4F5-9C530CE><sip:Terry.Adams@sfbdomain.com><tel:+61266591007;ext=1007><><100>

1205143558|sip |1|00|doDnsListLookup(tls): doDnsSrvLookupForARecordList for '10.20.1.223' port 5061 returned 1 results

1205143558|sip |1|00|doDnsListLookup(tls): result 0 host '' IP '10.20.1.223' port 5061 isInBound 0

1205143558|sip |1|00|CTcp::Send(TLS) entry for address 10.20.1.223 port 5061 can Connect 0 canFailOver 1

1205143558|sip |0|00|>>> Data Send TLS 10.20.1.223:5061

1205143558|sip |0|00| SIP/2.0 100 Trying

1205143558|sip |0|00| Via: SIP/2.0/TLS 10.20.1.223:5061;branch=z9hG4bK8BA0D60F.E19C5E6D7DAA886D;branched=TRUE;ms-internal-info="dgFJqKHJ0AXHZY0sy2IaYnenMPK5auGe9rVA0q4_Ro3qxtXpzhVO8OYQAA"

1205143558|sip |0|00| Via: SIP/2.0/TLS 10.22.0.22:42727;branch=z9hG4bK1d5487849DAF07;ms-received-port=42727;ms-received-cid=77D300

1205143558|sip |0|00| From: "Terry Adams"<sip:Terry.Adams@sfbdomain.com>;tag=5C30CCBE-7E228105;epid=64167f23b38c

1205143558|sip |0|00| To: "Terry Adams"<sip:+61266591007@sfbdomain.com;user=phone>;epid=00907a0f09d8;tag=B640E4F5-9C530CE

1205143558|sip |0|00| CSeq: 1 INVITE

1205143558|sip |0|00| Call-ID: 0888c5534fafd0fc37bc94f7a523b38c

1205143558|sip |0|00| Contact: <sip:Terry.Adams@sfbdomain.com;opaque=user:epid:x5jsdoUew1a9jiDyam965gAA;gruu>

1205143558|sip |0|00| User-Agent: Spectralink-SL_8440-UA/5.4.4.1156

1205143558|sip |0|00| Accept-Language: en

1205143558|sip |0|00| P-Preferred-Identity: "Terry Adams"<sip:Terry.Adams@sfbdomain.com>,<tel:+61266591007;ext=1007>

1205143558|sip |0|00| Authorization: TLS-DSK qop="auth", realm="SIP Communications Service", opaque="4E02C6ED", crand="D0E0949F", cnum="11", targetname="SFB001.sfbdomain.com", response="bf39acaf3c91ff5826574895f209520c0507fe35"

1205143558|sip |0|00| Content-Length: 0

1205143558|sip |0|00|

1205143558|sip |1|00|CTcpSocket::SendData TLS queuedTxData = 0 TotalLen 1313 loop count 1 maxQueueDepth 40000

1205143558|sip |1|00|CTcpSocket::SendData TLS Sent 1313 loop count 1

1205143558|sip |3|00|CStkCall::NewCallState 'Unknown'->'Offering' (0x9b9b48)

1205143558|sip |3|00|GetRemotePartyAddress from 'P-Asserted-Identity'

1205143558|sip |3|00|CStkCall::NewCallState - BEFORE call to SipOnEvNewCall m_nMediaRTPPort=0

1205143558|ice |0|00|soIceChannelCreate: channelId=-1 category=1 chanType=0 udpPort=2226 portTurn=2726 tcpPort=-1

1205143558|ice |0|00|soIceRtpChanList.count=1

1205143558|ice |2|00|soIceChannelCreate: allocated channelId 5

1205143558|ice |0|00|soIceChannelCreate: channelId=-1 category=1 chanType=1 udpPort=2227 portTurn=2727 tcpPort=-1

1205143558|ice |0|00|soIceRtpChanList.count=2

1205143558|ice |2|00|soIceChannelCreate: allocated channelId 6

1205143558|ice |0|00|soIceSessionCreate start

1205143558|ice |0|00| channelIdAudioRtp=5

1205143558|ice |0|00| enableBWManagement=0

1205143558|ice |0|00| bwAudioMin=64

1205143558|ice |0|00| bwAudioMax=64

1205143558|ice |0|00|soIceSessionCreate - full functionality so set gatheringStunReqMaxRetransmit = 4

1205143558|ice |0|00|soIceSessionListRemove: soIceSessionList.count=0

1205143558|ice |0|00|soIceSessionCreate: sessEntryP (0x426d0f60) - set bInitialInvite true

1205143558|ice |0|00|soIceSessionList.count=1

1205143558|ice |1|00|soIceSessionCreate: linked channel (5) with session (3)

1205143558|ice |1|00|soIceSessionCreate: linked channel (6) with session (3)

1205143558|ice |2|00|soIceSessionCreate: allocated hSpiSession 0xb1f9d8 sessionId 3 for audio 5 6

1205143558|ice |0|00|soIceSessionSdpGetCallAnswer

1205143558|ice |0|00|soIceSessionSdpGetCallAnswer: len=890 pSdpInvite=

1205143558|ice |0|00|v=0

1205143558|ice |0|00|o=- 1512444953 1512444953 IN IP4 10.22.0.22

1205143558|ice |0|00|s=Polycom IP Phone

1205143558|ice |0|00|c=IN IP4 10.22.0.22

1205143558|ice |0|00|t=0 0

1205143558|ice |0|00|a=sendrecv

1205143558|ice |0|00|m=audio 5350 RTP/SAVP 9 112 8 0 18 101

1205143558|ice |0|00|a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:/u2wztfJizjOcLml2T1uN/3qiNEZpAiiPqCcyOhn|2^31|1:1

1205143558|ice |0|00|a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:gXAfAu4Z6VZ/1ZQYLJe3g4HAGcgwY9w4vDdlLSkJ|2^31

1205143558|ice |0|00|a=rtpmap:9 G722/8000

1205143558|ice |0|00|a=rtpmap:112 G7221/16000

1205143558|ice |0|00|a=fmtp:112 bitrate=24000

1205143558|ice |0|00|a=rtpmap:8 PCMA/8000

1205143558|ice |0|00|a=rtpmap:0 PCMU/8000

1205143558|ice |0|00|a=rtpmap:18 G729/8000

1205143558|ice |0|00|a=fmtp:18 annexb=no

1205143558|ice |0|00|a=rtpmap:101 telephone-event/8000

1205143558|ice |0|00|a=ice-pwd:EK5jmhsUk5xntwoCmEIEAmfT

1205143558|ice |0|00|a=ice-ufrag:pbdW

1205143558|ice |0|00|a=rtcp:5351

1205143558|ice |0|00|a=candidate:1 1 UDP 2130706431 10.22.0.22 5350 typ host

1205143558|ice |0|00|a=candidate:1 2 UDP 2130706430 10.22.0.22 5351 typ host

1205143558|ice |0|00|a=candidate:2 1 TCP-ACT 1684733951 10.22.0.22 5350 typ srflx raddr 10.22.0.22 rport 5350

1205143558|ice |0|00|a=candidate:2 2 TCP-ACT 1684733950 10.22.0.22 5350 typ srflx raddr 10.22.0.22 rport 5350

1205143558|ice |0|00|soIceSessionSdpGetCallAnswer: RvIceSessionSDPIn returned 0

1205143558|ice |0|00|*** sdpInpRes.eIceSupport 0

1205143558|ice |0|00|soIceSessionSdpGetCallAnswer: entryP (0x426d0f60) bInitialInvite=1

1205143558|ice |0|00|soIceSetLocalHostCandidates - local rtp port 2226

1205143558|ice |0|00|soIceSetLocalHostCandidates: RvIceSessionSetLocalRtpCandidatesToAllMediaStreams returned 0

1205143558|ice |0|00|soIceSessionSdpGetCallAnswer: RvIceSessionGatherReflexiveCandidatesEx returned=-1

1205143558|sip |2|00|SipOnEvNewCall new call appearnce 1 SRTP key È Ô@¨ Ô@

1205143558|sip |3|00|CStkCall::NewCallState - after call to SipOnEvNewCall m_nMediaRTPPort=2226

1205143558|sip |2|00|SipOnEvCallNewState 9b9b48,bdb4a0 1,(null)

1205143558|sip |3|00|CStkCall::NewCallState update held and hold flags, state 1

1205143558|sip |3|00|CStkCall::NewCallState held 0 hold 0

The Fix!

After realising that this probably had something to do with not having an Edge server deployed on the lab system I was using, I moved the Spectralink over to another system that did have an Edge… and what do you know, the phone started working perfectly. Not having an Edge was in fact the issue. The next question was, is there any configuration that could be done on the Spectralink to make it work without an Edge? (Spoiler: Yes)

As you may or may not know, one of the main configuration items on a Spectralink (or Polycom phones which have basically the same software) is to configure the baseProfile setting to make it run in "Lync" mode. This makes a whole raft of settings in the background on your behalf, to make your life easier. What are these settings that get made when the base profile is set to Lync mode? Well, I did a comparison on the Polycom VVX running 5.6 firmware to find out exactly what the Lync profile settings were:

Lync Base Profile settings (in comparison to Generic mode):

call.defaultTransferType="Blind"

call.enableOnNotRegistered="0"

callLists.collapseDuplicates="0"

callLists.logConsultationCalls="1"

device.baseProfile="Lync"

dialplan.1.applyToCallListDial="0"

dialplan.1.applyToDirectoryDial="1"

dialplan.1.applyToForward="1"

dialplan.1.conflictMatchHandling="1"

dialplan.1.digitmap="x.T"

dialplan.1.digitmap.timeOut="4"

dialplan.1.impossibleMatchHandling="3"

dialplan.1.lyncDigitmap.timeOut="4"

dialplan.applyToDirectoryDial="1"

dialplan.applyToForward="1"

dialplan.applyToPstnDialing="1"

dialplan.applyToRemoteDialing="1"

dialplan.conflictMatchHandling="1"

dialplan.digitmap=""

dialplan.impossibleMatchHandling="3"

dialplan.routing.emergency.1.description=""

dialplan.routing.emergency.1.value=""

dialplan.TranslationInAutoComp="1"

dialplan.userDial.timeOut="4"

feature.btoe.enabled="1"

feature.deviceLock.enable="1"

feature.EWSAutodiscover.enabled="1"

feature.exchangeCalendar.enabled="1"

feature.exchangeCallLog.enabled="1"

feature.exchangeContacts.enabled="1"

feature.exchangeVoiceMail.enabled="1"

feature.logUpload.enabled="1"

feature.lync.abs.enabled="1"

feature.LyncCCCP2010AudioWorkaround.enabled="1"

feature.lyncSafeTransfer.enabled="1"

feature.messaging.enabled="1"

feature.moh.enabled="1"

feature.presence.enabled="1"

locInfo.source="MS_E911_LIS"

reg.1.applyServerDigitMapLocally="1"

reg.1.auth.useLoginCredentials="1"

reg.1.auth.usePinCredentials="1"

reg.1.offerFullCodecListUponResume="0"

reg.1.server.1.registerRetry.baseTimeOut="10"

reg.1.server.1.registerRetry.maxTimeOut="180"

reg.1.server.1.specialInterop="lync2010"

reg.1.server.1.transport="TLS"

reg.1.serverFeatureControl.signalingMethod="serviceMsForwardContact"

reg.1.useTelUriAsLineLabel="0"

roaming_buddies.reg="1"

sec.srtp.holdWithNewKey="0"

sec.srtp.key.lifetime="2^31"

sec.srtp.mki.enabled="1"

sec.srtp.mki.length="1"

sec.srtp.mki.startSessionAtOne="1"

sec.srtp.resumeWithNewKey="0"

sec.TLS.profileSelection.SIP="ApplicationProfile1"

server.log.setting.enabled="1"

softkey.feature.MeetNow="1"

softkey.feature.simplifiedSignIn="1"

tcpIpApp.ice.mode="MSOCS"

tcpIpApp.keepalive.tcp.sip.tls.enable="1"

tcpIpApp.port.rtp.videoPortRange.enable="1"

tcpIpApp.sntp.address="time.windows.com"

tone.dtmf.rfc2833Payload="101"

up.numOfDisplayColumns="2"

up.oneTouchDirectory="1"

up.oneTouchVoiceMail="1"

video.iFrame.delay="2"

video.iFrame.onPacketLoss="1"

voice.codecPref.G7221.24kbps="5"

voice.codecPref.G7221.32kbps="0"

voice.qualityMonitoring.rtcpxr.enable="1"

voIpProt.SIP.allowTransferOnProceeding="0"

voIpProt.SIP.considerTlsDnsEntriesOnly="1"

voIpProt.SIP.failoverOn503Response="0"

voIpProt.SIP.header.diversion.enable="1"

voIpProt.SIP.IM.autoAnswerDelay="40"

voIpProt.SIP.mtls.enable="0"

voIpProt.SIP.serverFeatureControl.cf="1"

voIpProt.SIP.serverFeatureControl.dnd="1"

voIpProt.SIP.serverFeatureControl.localProcessing.cf="0"

voIpProt.SIP.serverFeatureControl.localProcessing.dnd="0"

Based on my earlier assumption that the issue has something to do with the Edge reflexive and relay candidates, the fault was likely caused by something to do with the Microsoft specific ICE interaction. There was one setting this this sizable list that stood out to me - the tcpIpApp.ice.mode="MSOCS" setting. This setting was made specifically to handle the candidate negotiations required by Microsoft Lync/Skype for Business. After disabling this setting, guess what happened? Inbound and outbound calls started working…

TLDR Answer

When you have no Edge server deployed within your Lync/Skype for Business environment and you are deploying Spectralink phones, set the tcpIpApp.ice.mode setting to “disabled”. In a config file this might look something like this:

<LyncBaseProfile

device.baseProfile.set="1"

device.baseProfile="Lync"

tcpIpApp.ice.mode="disabled"

</LyncBaseProfile>

The Wrap Up

Well, another day another crazy config setting. There always seems to be an endless supply of gotchas in this business and this is another one to add to your list. Till next time!

For this blog series I thought I would branch out a bit and take my Powershell scripting to the next level using Azure Function Apps. What on earth is an Azure Function App, I hear you asking? Well, come in closer around the camp fire and I’ll explain. An Azure Function App is a Serverless application platform. I know that sounds like an oxymoron… An application platform that is serverless! Well, yes, you are correct, there are in fact servers that are running these Function Apps in a nameless data centre somewhere. However, the reason that they are referred to as being “serverless” is that you never have to administer any part of the server hardware or software yourself. You simply write your code and paste it into the Azure Portal and then click the run button…. aannnndd bam! You end up with a very useful application that runs all day, every day, on hardware in a distant land that you never have think about. You just kick back and once a month pay the very reasonable rates offered by Azure. Brilliant!

As a means to teach myself about the Azure Functions platform I decided to give myself a challenge to design a useful application that could run using only Powershell as the programming language. The application I decided to design was an Skype for Business Edge Server port monitoring service. The idea of this application is that it would monitor all the important ports on any number of remote Edge servers and report to me if any of them went down. Due to the number of steps involved in doing this I will be breaking this into 3 separate blog posts.

For part 1 the requirements of the application are as follows:

Allow for multiple far end server ports to be monitored.
Allow for multiple far end servers to be monitored.
Allow for tests to be run on an ongoing basis at configurable intervals.
If a port is found to be inaccessible, then the application must email me with details of what is down.

In part 2 (Coming Soon) of the series I will expand on the application to do the following:

Allow for coalescing of emails so that multiple errors result in only one email being sent instead of many emails.
Allow for the application to have a memory so it can only send me an email after seeing a configurable number of errors. This is to guard against flapping type scenarios and only to update in the case of a fair dinkum outage.
In addition to sending an email when ports are down, it will also send an email to inform me that the ports have come back up - so I can rest easy in the knowledge that the server recovered without logging in to check.
Use Azure Storage Tables to store state about the Edge servers current status.

In part 3 (Coming Soon) of the series I will expand the application to do even more:

Save all port test results to Azure Storage tables for later analysis.
Use Power Bi to connect to Azure Storage Tables and create nice graphs showing information about the Edge servers over a period of time.

By the end of the series there will be a feature-rich service that allows for the monitoring of remote servers and analyses results in a relatively comprehensive way. This should highlight how powerful Azure Function Apps can be!

Limitations of Powershell Functions

Upfront I should say that Azure Function Apps using Powershell is still considered an “Experimental” language. Whilst I was writing this application I found there are some limitations when coding in Powershell using Function Apps. This list is by no means complete - it’s just some interesting things I noticed:

I couldn’t call any commands that requested access to the networking stack. By this I mean commands to query the IP Address of the machine or ports in use, etc. This seems fair given that Function Apps run on shared machines and there is some level of abstraction between the code and the machine it’s running on.
I noticed that Invoke-WebRequest would give a warning that requested the use of Basic Parsing due to “The response content cannot be parsed because the Internet Explorer engine is not available, or Internet Explorer's first-launch configuration is not complete. Specify the UseBasicParsing parameter and try again.” This is not a limitation for the functionality in this application but may be something to keep in mind for your future apps.
I had a weird issue where function (ie. “function ConnectTCP”) returns would include all of the text from Write-Output commands that executed in the function. I’m not sure if this was a bug or a limitation... Something to look out for though.
You need to manually upload additional external powershell modules into the Azure backend. There is no basic “Install-Module” command that can grab code from the Powershell Gallery yet. This can also be problematic if the module attempts to access something that’s not supported by Azure Functions (for example access the networking stack like mentioned earlier).
“Write-Host” is not a supported output method like it is in server based Powershell. In order to get output from your script you need to use “Write-Output” which will be written to the Function App log.
When sending out port queries I tried to also specify the source port being used, however, it appears that the source port gets NATed on the way out of Azure. So the source port will be random in this case.

Creating the Function App

Step 1

Open up the Azure Portal and Select “App Services” from the left menu. Then select the “Add” button:

Image may be NSFW.
Clik here to view.

Step 2

Select “Function App” as the type of service app that you would like to create:

Image may be NSFW.
Clik here to view.

Step 3

Click the create button:

Image may be NSFW.
Clik here to view.

Step 4

Fill in the details of the function application. The important parts here are to give your app a unique name, select Windows as the OS and select a Location nearest the servers you would like to be testing.

Image may be NSFW.
Clik here to view.

Step 5

You will need to wait a few minutes for the Function App to be provisioned for you. During this time you will see a “Deploying Function App” icon on the dashboard:

Image may be NSFW.
Clik here to view.

Step 6

Once the Function App has finished deploying, open the app to the Overview tab. Then select “Application settings”:

Image may be NSFW.
Clik here to view.

Step 7

In order for your application to output the correct time information in emails, you need to set the timezone within the “Application settings” to your local timezone. To do this add a row in the “Application settings” called “WEBSITE_TIME_ZONE” and then enter the name of the timezone (eg. “AUS Eastern Standard Time”). You can get a full list of timezones from here: https://msdn.microsoft.com/en-us/library/gg154758.aspx

Image may be NSFW.
Clik here to view.

Don’t forget to click the save button on the Application settings page after making the change:

Image may be NSFW.
Clik here to view.

Step 8

In the main page of the Function App select the “Functions” tab on the left-hand tree. Then click the “New function” button:

Image may be NSFW.
Clik here to view.

Step 9

You will now be presented with a screen that allows you to select the type of Function App that you would like to create. In order to be able to create a Powershell based Function App you need to click the “Experimental Language Support” switch in the top right corner of the screen:

Image may be NSFW.
Clik here to view.

Step 10

Once “Experimental Language Support” has been selected you can choose to create a “Timer trigger” app using Powershell as the language:

Image may be NSFW.
Clik here to view.

Step 11

The timer trigger type of application uses a CRON type format for representing when the application will execute. You will be presented with a dialog that allows you to enter the “Name” and “Schedule” for your application to run. The schedule expression is a CRON expression that includes 6 fields. These are:

{second} {minute} {hour} {day} {month} {day of the week}

Note: This is slightly different to CRON that is used on Linux that doesn’t have the seconds value. You need to be careful when borrowing CRON syntax off the Internet. For more information on the CRON format refer to this page: https://docs.microsoft.com/en-us/azure/azure-functions/functions-bindings-timer

Image may be NSFW.
Clik here to view.

Note: The important thing to know about this CRON Schedule is that the “*/5” means to run once every 5 minutes.

Step 12

Now that you have created your Trigger Timer, it will appear under the Functions tree in the left side of the Function App. When you select the trigger timer it will open up a code window that is pre-filled with a single “Write-Output” statement. This is the window in which you will be pasting in the Powershell code. You will also see on the right hand side the actual Powershell file called “run.ps1” and a function.json manifest file. At the bottom of the screen there is a Logs window where all the “Write-Output” logging will be sent to. Note that Function Apps use Write-Output instead of Write-Host like you see in most Powershell script running on servers.

Image may be NSFW.
Clik here to view.

Step 13 - Sign up for Mailjet

The script uses a web service called Mailjet in order to send emails. In order for the Function Application to send the email it needs to send a REST call out to Mailjet with the correct Account Keys in it. The free level of Mailjet lets you send up to 6000 emails per month, which is plenty for this kind of scenario.

After signing up for the Mailjet web site go to the following location to get your API username and password:

My Account > REST API > Master API Key & Sub API key management

Image may be NSFW.
Clik here to view.

In your Mailjet account you will also need to set up the mail account that you wish to be allowed to send emails:

Accounts > Sender Addresses

Image may be NSFW.
Clik here to view.

Step 14

Insert the following Powershell script into your Function App code window (run.ps1) and make the edits required in Step 15:

Like this:

Image may be NSFW.
Clik here to view.

Step 15

Edit the script as necessary for your Mailjet account and Edge servers.

Enter your Mailjet API Key (Username) and Secret Key (Password) and paste them into the following section of the script. Also update the sender email address to your email account that is configured in the "Sender Addresses" in Mailjet and the recipent email address you want to send to:

#MAIL JET USERNAME/PASSWORD#######

$emailUsername="kjh3k23h4kjhkj37573f8f020879dff7"

$emailPassword="9898f98fhdjkkdjh46cd418100075a3b"

#EMAIL ADDRESS TO SEND ERRORS FROM

$SENDEREMAIL="YourRealEmailAddress@domain.com"

#EMAIL ADDRESS TO SEND ERRORS TO

$RECIPIENTEMAIL="YourRealEmailAddress@domamin.com"

##################################

Edit the Skype for Business Edge server details as required. These are entered as an array of hash tables. The sections highlighted in yellow can be changed. In this case the application is monitoring 2 Edge servers, one in Melbourne and one in Sydney.

Location	ServerName	ServerRole	DestinationPort	Protocol
Melbourne	147.70.50.10	Federation	5061	TCP
Melbourne	147.70.50.10	Access Edge	443	TCP
Melbourne	147.70.50.11	Web Conferencing	443	TCP
Melbourne	147.70.50.12	AV Edge	443	TCP
Sydney	147.70.60.20	Federation	5061	TCP
Sydney	147.70.60.20	Access Edge	443	TCP
Sydney	147.70.60.21	Web Conferencing	443	TCP
Sydney	147.70.60.22	AV Edge	443	TCP

Note: The script only supports testing TCP ports at this time.

#SETUP EACH SERVER

$Records= @(@{"Location"="Melbourne"; "ServerName"="147.70.50.10"; "ServerRole"="Federation"; "DestinationPort"="5061"; "Protocol"="TCP"})

$Records+= @(@{"Location"="Melbourne"; "ServerName"="147.70.50.10"; "ServerRole"="Access Edge"; "DestinationPort"="443"; "Protocol"="TCP"})

$Records+= @(@{"Location"="Melbourne"; "ServerName"="147.70.50.11"; "ServerRole"="Web Conferencing"; "DestinationPort"="443"; "Protocol"="TCP"})

$Records+= @(@{"Location"="Melbourne"; "ServerName"="147.70.50.12"; "ServerRole"="AV Edge"; "DestinationPort"="443"; "Protocol"="TCP"})

$Records+= @(@{"Location"="Sydney"; "ServerName"="147.70.60.20"; "ServerRole"="Federation"; "DestinationPort"="5061"; "Protocol"="TCP"})

$Records+= @(@{"Location"="Sydney"; "ServerName"="147.70.60.20"; "ServerRole"="Access Edge"; "DestinationPort"="443"; "Protocol"="TCP"})

$Records+= @(@{"Location"="Sydney"; "ServerName"="147.70.60.21"; "ServerRole"="Web Conferencing"; "DestinationPort"="443"; "Protocol"="TCP"})

$Records+= @(@{"Location"="Sydney"; "ServerName"="147.70.60.22"; "ServerRole"="AV Edge"; "DestinationPort"="443"; "Protocol"="TCP"})

Step 16

By default your Function App will be running at the CRON trigger interval. However, you can stop your Function App from running by switching off the trigger function in under the “Functions” tree item on the left hand side:

Image may be NSFW.
Clik here to view.

Step 17

Start receiving emails when your Edge servers are offline!

Image may be NSFW.
Clik here to view.

The Wrap Up

Well, this has been fun! Hasn’t it?! I hope that in addition to helping you monitor your edge servers, this has been informative and taught you some new skills that might help in the future when making your own Function Apps. Enjoy!

This blog is an expansion on the previous Part 1 post here. The process of setting up the Function App for this part 2 section is the same as was documented in Part 1. I suggest reading part 1 first before moving ahead.

In part 1 we created a Function App that did the following:

Port monitor a selection of server ports.
Allow monitoring of several servers.
Allow for tests to be run on an ongoing basis at configurable intervals.
If a port was found to be inaccessible then the application must email with details of what is down.

In Part 2 of the series we will expand on the application to do the following:

Allow for coalescing of emails so that multiple errors result in only one email being sent instead of many emails.
Allow for the application to have a memory so it can only send an email after seeing a configurable number of errors. This is to guard against flapping type scenarios and only to update in the case of a fair dinkum outage.
In addition to sending an email when ports are down, the app will also send an email to inform that the ports have come back up - we can rest easy in the knowledge that the server recovered without logging in to check.
Use Azure Storage Tables to store state about the Edge servers.

In order to give the application a “memory” we need to add some kind of storage to the application. Fortunately, Azure is very good at offering a bunch of storage options. We also need to also take into account that we are using Powershell in this case for the application and need a storage scenario that will work with Powershell. In this case we only need a fairly basic storage model. The good news is that there is a nice Powershell module that exists for connecting to Azure Storage Tables.

Step 1

Download a copy of the Azure Storage Table module for Powershell. In order to connect Powershell into the Azure Storage Table datastore, a Powershell module needs to be used. The module is available on the Powershell Gallery from this link:

https://www.powershellgallery.com/packages/AzureRmStorageTable/1.0.0.21

Save a copy of the module to your PC using the following command:

Save-Module -Name AzureRmStorageTable -Path “C:\temp\”

This should have downloaded the following folder structure:

C:\temp\AzureRmStorageTable\1.0.0.21\

Image may be NSFW.
Clik here to view.

Step 2

Get the function app's FTP details from Azure. Now that the Powershell Module is installed, upload it into a Modules folder in the Azure Function Applications file storage. To do this use FTP or sFTP. In this case we will use FTP with the Filezilla client. Some information will be required out of your function applications properties screen.

Settings are found under the “Platform Features” tab -> Properties

Image may be NSFW.
Clik here to view.

Host = FTP HOST NAME

FTP Username = FTP/DEPLOYMENT USER

Image may be NSFW.
Clik here to view.

Step 3 – Configure FTP client

Connect to the addresses provided using the Function Application Domain formatted username and Azure Password:

Host: FTP HOST NAME

FTP Username = FTP/DEPLOYMENT USER

Example: “EdgePortTester-Part002\joeb”

FTP Password = <Azure Password>

Enter this information into the Filezilla Site Manager:

Image may be NSFW.
Clik here to view.

Step 4 – Connect to Azure and Upload Powershell Module

Now connect into Azure using the FTP client:

Image may be NSFW.
Clik here to view.

Open the following folders:

/site/wwwroot/TimerTriggerPart002

Create a folder called “Modules”:

/Site/wwwroot/TimerTriggerPart002/Modules

Now, from the temp folder where the AzureRmStorageTable module was downloaded, copy this into the Modules folder. There should be a structure that looks like this:

/Site/wwwroot/TimerTriggerPart002/Modules/AzureRmStorageTable/1.0.0.20

The Storage Table module for Powershell should now be successfully installed. The next step is to get the Table Storage connection information out of Azure to allow for the Powershell module to connect and read/write to the storage that was automatically created when the Function Application was created.

Step 5 – Get Storage Account Settings

The Powershell script provided in this post has some variables that need to be filled out with your own Function App's storage details. These details can be obtained from the Azure Portal.

In the Overview screen note down the “Subscription” and “Resource Group” names:

Image may be NSFW.
Clik here to view.

From the Overview Tab of the Function Application open the “Resource group” link:

Image may be NSFW.
Clik here to view.

Then open the storage Resource Group that was created automatically for the Function Application:

Image may be NSFW.
Clik here to view.

Once in the storage Resource Group, the Access Keys for the application can be seen:

Image may be NSFW.
Clik here to view.

Select Key 1 or Key 2 for use in the script.

Step 6 - Get a copy of the Powershell script

Download a copy of the Powershell Script.

You can grab a copy of the script I wrote for doing the port monitoring from here:

Step 7 - Update script parameters

Update the Storage Account details in the Powershell Script.

Using the setting found in Step 5 you can fill in the Powershell script variables:

#AZURE STORAGE VARIABLES######

#SETTINGS ARE FOUND UNDER PLATFORM FEATURES TAB -> PROPERTIES

$subscriptionName="Visual Studio Premium with MSDN" #SUBSCRIPTION NAME

$resourceGroup="EdgePortTester-Part002" #RESOURCE GROUP

$storageAccount="edgeporttesterp8dbf" #STORAGE ACCOUNT NAME

$tableName="EdgeTesterTablePart2" #CHOOSE A NAME

$partitionKey="EdgeTesterStoragePart2" #CHOOSE A NAME

$storageAccountKey="7asdkjhasd7KHDKJHAS0dsflasdnnlasd099asdpncsdlknclLJSDLjbadksdjbfa9su9duhoasivRqXA615jQ==" #STORAGE ACCOUNT > ACCESS KEYS

#AZURE STORAGE VARIABLE END######

Don’t forget, as in Part 1, to fill in your Mail Jet (see Step 13 from Part 1) email account information. Enter your Mail Jet API Key (Username) and Secret Key (Password) and paste them into the following section of the script:

#MAIL JET USERNAME/PASSWORD#######

$emailUsername="kjh3k23h4kjhkj37573f8f020879dff7"

$emailPassword="9898f98fhdjkkdjh46cd418100075a3b"

#EMAIL ADDRESS TO SEND ERRORS TO

$SENDEREMAIL="YourRealEmailAddress@domain.com"

$RECIPIENTEMAIL="YourRealEmailAddress@domain.com"

##################################

Note: Remember to configure the Sender Addresses in Mailjet as detailed in Step 13 of Part 1.

Location	ServerName	ServerRole	DestinationPort	Protocol
Melbourne	147.70.50.10	Federation	5061	TCP
Melbourne	147.70.50.10	Access Edge	443	TCP
Melbourne	147.70.50.11	Web Conferencing	443	TCP
Melbourne	147.70.50.12	AV Edge	443	TCP
Sydney	147.70.60.20	Federation	5061	TCP
Sydney	147.70.60.20	Access Edge	443	TCP
Sydney	147.70.60.21	Web Conferencing	443	TCP
Sydney	147.70.60.22	AV Edge	443	TCP