Quantcast
Channel: My Teams Lab
Viewing all 63 articles
Browse latest View live

When Poodles Attack - Poodle Checker Tool

October 24, 2014, 12:03 am
$
0
0

It’s not too often you get to be excited about a security threat. However, the POODLE security threat seems to put a smile on my face every time I see it written somewhere… Poodles are just so innocent and ridiculous looking to take seriously as a major threat. So in a bid to take this security issue more seriously, I have built a Powershell tool for remotely checking servers for having either SSL 2.0 or SSL 3.0 enabled on them.


More Detail on the POODLE threat


Here are some links that explain the POODLE threat in a little more detail:


POODLE Checker Tool


  • The tool will try and connect using SSL 2.0 and SSL 3.0 to any server FQDN/IP and port (multiple ports can be entered with a comma separating them) you enter.
  • Press the Test button and it will check all the ports in the ports text box. The tool will report in the Powershell window which ports have SSL 2.0 and SSL 3.0 running on them.
  • The tool will also visually display the results…
  • Script is signed.

Update 1.01
  • Added additional checking of TLS (1.0, 1.1, 1.2) protocols so you can better understand all the TLS connection options available on the server before deciding to disable SSL. 
Update 1.02 (16/2/2015)
  • Added the ability to handle multiple comma separated IP Addresses/DNS Names.
  • Added Cancel button to stop testing.
  • Disabled text boxes during testing phase.
  • Textboxes now stretch when resized.

      Download Version 1.02:



      Standard SSL Port Numbers


      SSL can technically run on any port that you configure and application to use. However, the well-known port numbers for applications that use SSL (as defined by IANA, and IETF) are listed below:

      Protocol
      Port
      Description
      nsiiops
      261
      IIOP Name Service over TLS/SSL
      https
      443
      http protocol over TLS/SSL
      ddm-ssl
      448
      DDM-SSL
      smtps
      465
      smtp protocol over TLS/SSL
      nntps
      563
      nntp protocol over TLS/SSL
      sshell
      614
      SSLshell
      ldaps
      636
      ldap protocol over TLS/SSL
      ftps-data
      989
      ftp protocol, data, over TLS/SSL
      ftps
      990
      ftp, control, over TLS/SSL
      telnets
      992
      telnet protocol over TLS/SSL
      imaps
      993
      imap4 protocol over TLS/SSL
      ircs
      994
      irc protocol over TLS/SSL
      pop3s
      995
      pop3 protocol over TLS/SSL

      Note: A listing of all IANA port assignments can currently be found at: http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt

      I have made the tool load all of these ports into the port text field by default.

      Note: The documented attack vector for POODLE is described for HTTPS connections, and not necessarily for these other protocols. The tool checks all of these protocols to check if your server is still accepting SSL2/3 connections in order to determine if it's globally enabled (in Windows the registry key effects SSL across most applications). Also, additional attack vectors may be found for other protocols, so if your applications can support newer versions of TLS it is probably wise to turn these older versions of SSL anyway.

      The Wrap Up


      There you have it, short and sweet! I hope the tool is useful to you and helps you take security issues more seriously J

      Let me know if you find any bugs or have any issues.


      Search

      Sonus SBC 5k/SWe CDR Decoder

      December 2, 2014, 10:25 pm
      $
      0
      0
      I was on a training course recently learning about the SBC5000/SWe series SBCs from Sonus as these are now supported with Microsoft Lync 2013! This range of SBCs are completely different from the SBC1000/2000 range that you may be used to in your previous Lync deployments. The reason for this difference is that the SBC1000/2000 range were originally designed around a completely different code base by the NET company which was later acquired by Sonus. 

      The SBC5000 was  originally designed for large carrier deployments, however, a newer virtualised version of the SBC5000 called the SWe (Software Edition) starts to make these systems much more affordable and interesting for enterprise sized customers. During the training course we were introduced to an online tool that Sonus has for parsing individual Call Detail Records (CDR) to show you what each field in the record represents. This may not sound like much until you see the size of a SBC5000’s CDR record… Behold!


      STOP,PRGSBC51,0x000174D700000001,3955074504,GMT,10/22/2014,01:11:19.7,0,4,37,10/22/2014,01:11:40.8,3,2076,16,VoIP,IP-TO-IP,DEFAULT,,,6731234507,,0,,0,,0,,RL7,1,PRGSBC51:TG07,192.168.229.118,192.168.228.237,TG07,,192.168.229.117:1024/10.128.176.185:5062,,192.168.229.117:1026/192.168.228.237:5048,213416,1036,176476,1025,0,,,0x00800000,,,,,2,"SIP,009258DD-F957-E411-8C61-342F2AB2DB43@10.128.176.185,<sip:PhonerLite@10.128.176.185>;tag=3367902045,<sip:6731234507@192.168.229.118>;tag=gK0c816f95,0,,,,sip:6731234507@192.168.229.118,,,,sip:PhonerLite@10.128.176.185:5060,sip:6731234507@192.168.229.118:5060,,,,1,BYE,,0,0,,0,0,,,,,,,,1,0,0,0,,,,,,,,0,,",12,12,0,5,,,0x0a,6731234507,1,1,,1,0,0,0,TG07,"SIP,786432_119514912@192.168.229.118,<sip:PhonerLite@192.168.229.118:5060>;tag=gK0c0170af,<sip:+16731234507@192.168.228.237:5060;user=phone>;tag=4fbfd5e7e6e006f0,0,,,,sip:+16731234507@192.168.228.237:5060;user=phone,,,,sip:PhonerLite@192.168.229.118:5060,sip:+16731234507@192.168.228.237:5060;transport=udp,,,,,BYE,16,0,0,,0,0,,,,,,,,1,0,0,0,,,,,,,,0,,",,110,,,1,1,,,2,P:2:1,P:2:1,10,0x000C0000,,,0,,,,,,0,,,,1,,,,,,,6,,,,,,1,1,1,1,,0,,,1,7,0,2076,1,,,,,192.168.229.118,10.128.176.185,2,16,8,,,,,,,,,0,,,TANDEM,,,10,211150,1025,178192,1036,0,0,0,35,20,,,,,,,13,1,,,,,,,,,,,,,,,,,,,,,0,9,,,,,,,,,,,,,,,"3,39,0,42",0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"01,audio,1,G711S,192.168.229.117:1024,10.128.176.185:5062,0:0:0:0,56,G711S,192.168.229.117:1026,192.168.228.237:5048,0:0:0:0,124","01,audio,1,1036,1025,213416,176476,0,0,1025,1036,211150,178192,0,0",0,,,

      From this mess you might see how finding field 134 might take some time… So Sonus’ online tool is a very handy thing. The CDR records also contain a great deal of useful information about a call (kind of like Lync Monitoring Database records) such as Codecs Used, if transcoding took place, SBC routes used, reason for disconnection, etc. These records can be extremely useful when troubleshooting issues with the system.

      Sonus Online CDR Decoder

      I was thinking, though, that you don’t always have access to the internet when you’re working on a customer site, and often you might want to look through a whole file worth of records (instead of cutting and pasting individual records into the online tool). So I decided that it was time once again to get cracking on a Powershell tool for browsing SBC5000 CDR files … and after eleven thousand lines of parsing code I bring you:

      Sonus SBC 5k/SWe CDR Decoder



      Version 1.0:
      • Import SBC5000 or SWe CDR files (ACT files).
      • Left hand list view will display all of the records that are in the file.
      • Right hand list view displays all of the fields in the selected records.
      • Subfields (ie. fields that contain multiple pieces of information in them) are individually broken out and displayed in grey colour.
      • Fields are decoded where possible with the decoded value of the field shown in brackets next to the field entry.

      Version 1.01 (5/12/2014):
      • Added some more enumerations.
      • Fixed a few small parser bugs.
      • Added a show as text button.

      Download Version 1.01:



      How to access SBC5000/SWe CDR files


      CDR files are also called account files, and they can be easily downloaded from the system via Platform Manager. Simply access Platform Manager (ie. management interface IP on port 444) and go to the Logs -> Event Logs section and select ACT as the log type you wish to access. Then download the file with the Download button:



      Then open the Sonus SBC 5k/SWe CDR Decoder tool in Powershell and select the “Browse…“ button, select the ACT file, and click the “Load” button to import the contents of the file. Now you’ll be able to browse the records in the left hand listview and each record you open will be displayed in the right hand listview.


      The Wrap Up


      At this stage there may not be many deployments of the Sonus SBC5000 or SWe in Lync deployments around the world. However, I can see the SWe being a highly flexible and tenantable virtualised SIP Trunk SBC in the future. So even if this tool doesn’t seem immediately useful it may someday become handy for troubleshooting your future SWe deployments!


      Photos (Part 1) - Lync / Skype for Business Photo Editor

      February 17, 2015, 11:18 pm
      $
      0
      0
      Happy New Year! Hang on, it’s February… Time seems to have got away on me since I started this holiday project that turned out to be more complex than I had initially expected. What was originally going to be a simple photo resizer tool for Active Directory, Exchange and Lync/Skype for Business, turned into more of a complete photo editor including face recognition based cropping, image filtering and processing, written entirely in custom Powershell code… What can I say, sometimes I can’t help myself…

      So let’s begin by discussing the problem: Lync and Skype for Business clients are used for communicating, and the best experience for this is when you are able to easily see the people that you’re communicating with. So within the Lync and Skype for Business client UI there are many places where photos of users are shown. This is great because it makes the software much more personal and approachable to users... and ever since Bill Gates' mug shot silhouette was replaced as being the default missing photo image from Lync 2010 (yes, is really was, see below!) to the generic Lync 2013 oval head silhouette, a photoless client tends to look a bit boring.

      Image Reference

      So for the best user experience we really should be using profile photos for users in Lync and Skype for Business… but what does that mean for us Lync Administrators? Well, usually it means that you are going to get given thousands of random image files, in god knows what format, and at who knows what quality, that you will be expected to magic into the system and have displayed for all to see. So let us put our magicians' hats on and I will help you with Part 1 of this trick… Turning a mess of image files into something that will work when imported into Active Directory and/or Exchange for display within Lync or Skype for Business…

      Lync / Skype for Business Photo Editor


      You will know by now, if you’ve ever read my blog, that a custom written Powershell tool will always provide the solution to our problems! I give you the Lync / Skype for Business Photo Editor Tool!



      Features:
      • Zero installation.
      • Signed Powershell Script.
      • Bulk conversion of a folder full of images files.
      • Custom coded image processing!
      • Manual editing and cropping of individual files. Simply Drag and Drop an image into the Picture Box area and then start selecting the crop box size and position you would like your output files to be based on. Set filter options and preview their effects on the image using the “Preview Filter” button. The size of the image crop box is shown under the scaling tools to allow you to know if you are cropping to a size smaller than image you are wanting to output (to avoid accidently upwards rescaling of the images).
      • Accepts input files in the following formats: ".jpg", ".jpeg", ".gif", ".png", ".bmp" and ".tif”. All files get converted to “.jpg” format so they can be easily imported into Exchange/AD.
      • Smart Crop / Centre Crop modes – By ticking this box (default) my Smart Cropping algorithm will be used to discover the subject's face and crop appropriately. The Margin setting is used in conjunction with Smart Crop to determine how loose or tight the framing will be around the subject. If unticked, a simple Centre Crop Method will be used. See the Smart Crop section for more details.
      • Filters! Since Instagram became such a big hit, filters have become a must-have for all successful software projects. So why should this one be any different? Photo filters include: Colourise (Blue, Red, Green, Yellow, Orange, Pink, Purple), Contrast (Reduce Contrast, Light Contrast Boost, Medium Contrast Boost, Mega Contrast Boost, Ultra Contrast Boost), Brightness (Reduce Brightness, Light Brightness Boost, Medium Brightness Boost, Mega Brightness Boost, Ultra Contrast Boost), Effects (Old Film, Vignette, Light Leak, Vintage, and Slide Show).
      • Output sizes. By default the tool will output 96x96 and 648x648 sized photos. These can be turned on or off using the checkboxes in the “Image Output Settings” area of the GUI. There is also the option to create custom sized photos by ticking the custom checkbox and selecting the pixel width/height of the photos to be outputted. It is generally recommended that 96x96 files are used for uploading to Active Directory and the 648 x 648 images are uploaded to Exchange 2013.
      • Quality Control – The quality of the jpg images that the tool will output can be changed by reducing the Quality setting between 1-100. I suggest that you never actually reduce this in the process of creating the files that you are importing via Exchange, as the quality will be further reduced by Exchange as part of the import process.

      Requirements:

      • The script is supported on Powershell Version 3.0 and above. So if you're running Windows 7 you will need to make sure you've upgraded your Powershell version to at least Version 3.0.
      • Drag and Drop only works when the filesystem and Powershell session have the same security level. So if you're running Powershell with Administrator privledges (ie. Run as Administrator) the Drag and Drop function will not work. To fix this just run the Powershell with regular privileges and it should be okay.

      1.01 Update (23/4/2015):

      • Added policing of the folder name to accept ending with a "\" or ending without a "\".
      • Changed the output file name to use space ("") instead of a minus ("-") character between the name and the image size ("648x648") to work with new Photo Importer Tool.


      Download Version 1.01



      Features - Smart Crop


      One of the main problems with Exchange / AD / Lync images are that they must be square in shape, and digital cameras don’t usually take square photos (they are usually taken in a 4:3 or 3:2 ratio).  So as a result, after taking a photo it inevitably must be cropped before it can be used by Exchange or Active Directory as a Lync / Skype for Business photo. The way that Exchange handles this is to do (what I call) a Centre Crop on the image. This is where you crop to a square that is the width and height of the short side of the photo and then centre the square in the middle of the long edge of the photo (see the Centre Crop example image below). This works well when the image has been composed with the subject's face right in the centre of the frame. However, what if the person taking the photo decided to also include a large portion of the subject’s body in the frame? Or it’s one of the user’s favourite photos of them at the beach with the majority of frame consisting of landscape? Or what if, god forbid, the photographer decided to use their arts degree and frame the subject using the Golden Ratio or the Rule of Thirds… In these cases you can end up with a weird looking image if Centre Cropping is used.

      Centre Crop Example

      I realised all of this after starting this project and tried to think of a better way… like, what if I was to detect where the subject's face was within the image and then crop around it? That sounds like fun! So I started reading about facial recognition techniques and software. What I learnt was that there is no existing core Dot Net libraries that I could leverage in Powershell that would supply me with facial recognition. So I looked more broadly and discovered that there are a couple of open source projects that had Dot Net ports and could be used if imported and compiled into a Dot Net application… but I wanted this to be a pure Powershell implementation and not some bulky application! So I then dug deeper and started reading academic papers about different face and skin recognition methods that exist. After doing much prototyping and testing with these skin recognition concepts, I created my own skin thresholding algorithm in Powershell that was quite fast (something learned whilst doing this was that Powershell is slow at doing many mathematical operations, and especially slow when it comes to recasting variable types and object creation).

      The end result of this absurd amount of work was an unassuming checkbox in the Bulk Import section of the tool’s GUI called “Smart Crop”. Smart Crop is used in two places in the tool, the first is when Bulk converting images from a folder.  The tool will try and locate using my skin recognition algorithm where the majority of skin is on the screen and then try to appropriately frame the around this location. The (3:2 ratio) photo below shows an example of what a better alignment for a centre cropped image would look like as a result of recognising where the face is in the image.

      Face Aligned Centre Crop

      As you can see in the above photo, the image gets cropped around the more important part of image rather than the centre of the image as seen in the earlier Centre Crop example.
      So it’s pretty useful to be able to align a full width crop around the subject's face like this, however, Lync photos end up being reduced to very small sizes in most cases (96 x 96 pixels). So it would also be nice to be able to crop even tighter to the subject's face so that you can see it more clearly in your contacts list in Lync / Skype for Business. Below is an example of a better crop to use in Lync:  

      Ideal Smart Crop for Lync

      In order make the photo more usable with Lync/Skype for Business, I have tried to tune the algorithm to give a tight crop around the face of the subject in the photo. A pitfall of doing a tight crop like this, however, is that the cropping square should not be less than the size of the image that is being outputted (ie. the crop square being 200 x 200 in size and the output size being 648 x 648 in size). If this happens then the quality of the output photo will be significantly reduced due to the image being blown up. For this reason you should always try and use source images that are quite a bit larger than the largest size image you are trying to output. The tool has been designed to understand this issue and will always attempt to crop to at least the size of the output image file. This in some cases will result in a looser crop that you might expect around the subject's face, however, it is designed to maintain the quality of the output file.  

      The “Margin” setting in the tool can also be used to tighten or loosen the Smart Crop frame around the subject's face. This setting ranges between 1-50, with a default of 25. The lower the value, the tighter the crop will be around the subject.

      From the testing I've done so far I have found my Smart Crop detection algorithm works in the majority of cases (note: it does not work on greyscale images). However, it can have problems if there are background components in the image that fall into the same Luma and Chroma ranges as skin does. In these cases you can manually crop the individual files that were not detected accurately. In the end though I hope it saves you a bunch of time and effort!


      Features - Filters


      Photo filters are all the rage at the moment with every social media app in the world jumping on the bandwagon. However, the idea of filters in this application is not just a gimmick: it offers you the ability to do colour, brightness, and contrast correction to photos in order to give them more pop so they look their best when displayed in Lync/Skype for Business. When you are supplied photos by an organisation, it’s fairly likely that they were taken in a room somewhere with bad or at least uninspired lighting. As a result, all of the images can look washed out and flat.

      Below is an example of a washed out image of a technology company CEO you may recognise. As you may be able to see, the photo on the left does not look very vibrant and comes across as quite bland (especially when reduced to 96 x 96 pixels in size). However, after applying a contrast and brightness boost filter to the image (as can be seen in the picture on the right) it looks much more dynamic.

        


      The Lync / Skype for Business Photo Editor Tool gives you the option to Colourise, Contrast Reduce/Boost, and Brightness Reduce/Boost with various levels of intensity, and these settings can be chained to give you 175 different combinations to use!

      In addition to the more subtle image quality and dynamics filtering capabilities I decided that I too couldn’t resist the challenge of implementing some grungy Instagram style filters. So if you have been using Instagram too much and feel the need to make your images look a little more vintage, try the Effects filters drop down box. Here’s some examples of my custom effects filters:


      Will these filters ever be used for a Lync or Skype for Business deployment? Maybe not, but I had fun figuring out how to write the image processing code to generate them J


      The Wrap Up


      Well there you have it: my holiday project has finally made to a public release. You may have also noticed that this post is only Part 1 of a series. Indeed it is! Because now that you have a tool to easily create image files for Exchange and Active Directory, you will likely also need a tool for easily uploading those files to these systems. So Part 2 of this series will supply you with just such a tool… So keep an eye out for that one. Cheers, and enjoy!



      The Case of the Lync 2013 Edge Server Centralised Logging Ports

      March 13, 2015, 4:31 am
      $
      0
      0
      If you have ever done any port testing on a Lync 2013 Edge server you may have noticed that the external interface of the Edge server had ports in the 50001-50003 range open and listening for TCP connections. Usually this is not the case in the 50000-59999 media range because these ports are only opened for short periods of time when media ports have been allocated by the Edge server for active calls. The Media Relay Service on the Edge was designed this way for security purposes, so that the 50000 range could be opened on external firewalls without posing a significant security threat. So what are the undocumented 50001-50003 ports facing externally? Well, they are actually the Centralised Logging Service and they appear to be facing externally for no reason other than they are bound to port 0.0.0.0. The netstat command show this:

      ClsAgent.exe Ports


      The netstat output shown above shows that the ClsAgent.exe service is listening on the 50001, 50002 and 50003 ports on the IP Address “0.0.0.0”. This means that the service has not bound to any specific interface and as a result will listen on all interfaces. I image this is a design issue with the CLSAgent because it was originally designed to run on internal Lync servers that only had one interface and so binding to a specific port wasn’t a requirement at the time of designing the software. I’m happy to be told different by someone at Microsoft though…

      As mentioned earlier, the CLS port range falls into the TCP 50000-59999 range, which is also legitimately used for Edge Media Relay service. So it is included on the list of external port ranges that may be open on the external firewall. I say may be opened because this range of TCP ports does not need to be opened inbound (as per the guidance from Microsoft) unless you are federating to OCS 2007, or in the more complex scenario when you are using NATing with DNSLB on the external edge and your firewalls do not support hairpinning (ie. traffic coming from one Edge server’s NATed external public IP address back in to another Edge servers NATed External Public IP address) of media between multiple edge servers in the same pool. Another legitimate reason for this is when you want an optimised media path that does not require tunnelling via port 443/3478 to get to the required 50000 range media port. These scenarios were explained in a great amount of depth by Bryan Nyce and Thomas Binder at LyncConference 2014. I suggest you watch these videos several times if you don’t understand what I’m talking about here.

      'So what percentage of companies actually open the 50000 range of ports to the internet?' I hear you asking… Well, I also wondered this, so I decided that I might do some research and find out. I tested approximately 250 Edge servers of some of the largest organisations in the world and found that approximately a quarter of them have the 50000 range open (with CLS ports showing). So quite a large number of organisations currently have this issue.

      The actual security implications of having these ports open on the Internet is not fully known at this stage. The existing ClsController.exe application and CsCls Powershell commands supplied with Lync do not allow the user to connect to servers outside of the Lync pools within their installation. So it's certainly not the case that you can use them to randomly connect to other organisations' Edge servers and start logging service. It's my understanding that Microsoft is aware of this issue and have not yet done anything to change the behaviour, so they obviously have deemed it low risk. In my opinion though, the reduction of attack surface is always a good idea for internet facing services. So my recommendation is to block these ports because they serve no practical function externally.


      A Work Around


      I have written a Powershell script that will block the CLS service ports on selected interfaces of your Edge server. This will function as a work around until Microsoft decides to formally change this behaviour in the product.

      When you run the script it will display a list of IP Addresses on the server that you can choose to block the CLS service on. You simply need to enter the number of the interfaces in the list that you would like to block access to the CLS ports on. The script will then automatically create a new firewall rule to block TCP ports 50001-50003 inbound on the selected IP Address to the CLSAgent service on the machine. Follow this process for all externally facing Edge IP Addresses (ie. Access Edge, AV Edge and Conferencing Edge IP Addresses).

      BlockCLSExternalEdgePorts1.00

      The rules that are added can be seen in the Advanced settings of Windows Firewall in the system Control Panel:



      Once you have done this for all of your Internet facing Edge IP Addresses you can rest easy: your Edge is now as safe as you previously thought it was…

      Download Version 1.00:



      Note: Run Powershell as Administrator when running the script.

      The Wrap Up


      Security is important and we all need to try to understand what we are asking when we tell the firewall team to open internet facing firewall ports. Whether you are deploying a new Edge server or already have an Edge server out in the wild, then I suggest you implement my firewall work around. Enjoy and see you next time. Ciao!



      Photos (Part 2) - Exchange / Active Directory/ Office 365 Photo Importer

      April 23, 2015, 9:03 pm
      $
      0
      0

      With Part 1 of this series I introduced you to a tool that will allow you to convert photos into a format suitable for importing into Active Directory, Exchange, or Exchange Online. These photos are used across the whole Office product line, including Lync/Skype for Business, Exchange, Sharepoint, Office 365, etc. After creating these images, the next step is to import them into either Active Directory and/or Exchange 2013. The final outcome is having glorious photos appear in your Office applications!

      Look! Pretty Photos!

      So once again, to try and save everyone a lot of pain, I've made a tool that will hopefully make importing these images a breeze.


      Exchange / AD / O365 Photo Importer

      The aim of this tool is to be simple and flexible as possible to take the pain out of importing photos in any scenario.


      • View previously uploaded Exchange HD images, Active Directory images, and Office 365 Exchange Online HD images.
      • Import Exchange HD images, Active Directory images, and Office 365 Exchange Online HD images.
      • Remove images from Active Directory or Exchange HD photo for any user.
      • Downscale previously imported Exchange HD images to 96x96 sized images in Active Directory by pressing the “Use Existing HD” button. This replaces the 64x64 image that Exchange auto-uploads to AD when you do a HD image import. This button can be handy if you no longer have the source image on hand and want to quickly upgrade the resolution of your AD photos.
      • Automatic detection of On Premises or Office 365. The system type that is detected when the tool boots and the system type will be shown in the top right hand side of the interface. Note: The system type will affect the naming convention used for the user names in the tool. On Premises will use the SAMAccountName and Office 365 will use the Alias/Username of the user.
      • Automatic resizing of images to 96x96 before they are being imported into Active Directory. This stops you from uploading unnecessarily large images into Active Directory. (ie. if you open a 4MB picture into the tool and try to import it into AD, the tool will convert the image to 96x96 before uploading it)
      • The View Web Image button will open a browser connection to the 648x648 sized version of the image. This can be useful if you want to download a copy of the HD image as a backup.


      Requirements:
      • The script is supported on Powershell Version 3.0 and above. So if you're running Windows 7 you will need to make sure you've upgraded your Powershell version to at least Version 3.0.
      • Drag and Drop only works when the filesystem and Powershell session have the same security level. So if you're running Powershell with Administrator privledges (ie. Run as Administrator), whilst you are logged into the machine as a different username, the Drag and Drop function will not work. To fix this just run the Powershell with the privileges of the user you logged in as (as long as you have the correct AD and Exchange permissions) and it will work.
      • In order to set Exchange HD photos for On Premises or O365 the user that is running the Powershell session will need to have permissions to run the Set-UserPhoto command. The build in RBAC roles that support this command include Organization Manager, Recipient Management and Help Desk. To set Active Directory photos the user will need permissions to run the Set-AdUser command.

      Version 1.01 Update (15/5/2015)
      • Corrected issue with the tool on Powershell version 4. Removed "-ErrorVariable" flag from script because it was causing "language mode" errors on Powershell Version 4 with Remote Powershell connections.
      Version 1.02 Update (1/7/2015)
      • Changed the command check messages to yellow instead of red and made the messages clearer so it doesn't appear as much like a fatal error. These are just information messages and not necessarily errors that will affect functionality.
      Version 1.03 Update (9/10/2015)
      • Fixed issue with O365 detection. O365 is now be more accurately detected.
      Version 1.04 Update (15/11/2015)
      • Fixed 1000 user limit on exchange user listup.
      • Replaced discovery logic for On Premises and O365 to include Hybrid configurations where On Prem AD and Exchange Online are available. This mode is displayed as HYBRID and a mode button will be displayed allowing you to change between listing the users in O365 on the users in AD On Prem. 
      • (19/7/2016) Reissued 1.04 with a typo affecting the bulk import feature.

      Download Version 1.04:




      Overview


      The tool is designed to gracefully fall back to support whatever level of Powershell commands that are available to it. So if you were to run it on a machine that only has access to Active Directory commands it would only allow you to import Active Directory photos, and so on. Ideally you should have access to both Active Directory and Exchange commands for an on premise deployment. For Office 365 you will need to remotely connect to Exchange Online (see the next section for details of how to do this).

      There are a few things that you should understand about how the Powershell import commands work before using the tool. The Exchange import command (Set-UserPhoto) supports the importing of any sized file JPG file into the system. If the file is not square in shape then Exchange will do a “centre crop” (as explained in my previous post) on the image and convert it to 648x648 in size then import it into the user’s mailbox. At the same time as doing this Exchange will also import a 64x64 sized image into Active Directory.

      The Active Directory import command (Set-ADUser -identity $name -Replace @{thumbnailPhoto=$photoBytes}) does not support the same fancy cropping and resizing capability as the Exchange command does. Instead it will import the raw bytes that it is presented into the thumbnailPhoto attribute in the Active Directory database. The thumbnailPhoto attribute will accept images of up to 100KB in size. However, it’s not recommended to import files that are that big into Active Directory as it can add a great deal of size to the database which can result in much larger amounts of replication traffic between Domain Controllers. If you import an image into Active Directory and there isn't currently a HD image in exchange, then the AD image will also be displayed by the Get-UserPhoto command in exchange as well.


      Tool Operation


      Now that you have an overview of how the commands work we can go into some depth about how the tool works. The tool displays three images, the left most image (Input Image) is a preview of the image that you are going to import into the system. You can select this image by either dragging and dropping the image from your PC (see requirements section for more details of this), or by selecting the browse button under the Import Image section. The middle photo is the current Active Directory photofor the user highlighted in the Select User dropdown box. The rightmost photo is the current Exchange HD photo for the user highlighted in the Select User dropdown box. If the user does not have images in either of these locations then a generic missing photo image will be displayed by the tool. If the tool has not been able to access the necessary commands to get to the photo a “Not Accessible” message will be displayed. If the user does not have a Mailbox a "No Mailbox" image will be displayed.

      When using the tool you may choose to import a single user photo or you might want to import a folder full of images. The tool will allow you to do both by selecting the Import Folder or Import Image checkboxes respectively. When the tool opens a file it will automatically select the import option appropriate for the image size. If the photo is 96x96 or smaller, then the Active Directory import check box (Replace 96x96) will be selected. However, if the image is larger than 96x96 then the Active Directory (Replace 96x96) and Exchange (Replace 648x648) import checkboxes will both be selected. In the case that both of the checkboxes are selected the tool will first import the image into Exchange (which will automatically import a 64x64 image into Active Directory) and then the tool will resize and import a 96x96 version of the image into Active Directory (ie. over the top of the smaller 64x64 image). 

      When you select to import a folder you have the choice of seeing each image as it is imported and selecting whether you want to import the image or not. This by default is the operation of the tool, however, you may wish to import all of the photos without confirming each file. This is done by unticking the Confirm Import checkbox. When importing folders, the files within the folder need to start with a name that matches the user name in Select User dropdown box (which is the user's SAMAccountName from Active Directory for On Premises, or the Alias/Username from Office 365). The tool will allow you to have extra information in the file name, however, additional information must be separated from the user's name by a space character (space is used because it can’t be used in a SAMAccount name or Alias/Usernames in Office 365). For example, you may have a file named “John.Smith 648x648.jpg” which the tool will import for a user with the SAMAccount name of “John.Smith”. However, you cannot have the name “John.Smith648x648.jpg” because it doesn't have a space character between the name and additional test which means it isn't an exact match for the John.Smith user in the dropdown box. The important point to take from this is that you need to be precise in the naming of your images for a Bulk import. In summary:

      On Premisis File Naming: SAMAccountName
      Office 365 File Naming: Alias/Username

      Note: Image file names must begin with the user's name following the convention above and must be divided from any other text in the file name by a space character.

      The file naming for a bulk import is your most important job! After doing this you can kick back and let the tool do its work.

      Importing Photos into Office 365


      The tool has been designed to support importing HD photos into Exchange Online. However, the commands used to connect to Office 365 via Powershell may be slightly different than what you usually use. So Office 365 admins - pay careful attention to this section!

      Create an O365 session:

      $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/?proxymethod=rps -Credential $cred -Authentication Basic -AllowRedirection

      Note: You must include the “?proxymethod=rps” part of the URI in order to import images into Exchange Online. If you don’t do this, the import will fail with a (413) Request Entity Too Large error.

      Enter O365 credentials:



      Import the session into Powershell:

      Import-PSSession $Session

      After you have done this, you can run the script in the same Powershell window and import photos.



      Limits of Office 365


      There does appear to be a maximum image file size that you can upload to O365. However, it seems to be more of a practical size limit rather than an enforced one. I have uploaded images up to about 6MB in size before, however this is a very slow process and you can run into random errors during the process. It can also take a long time (5-10 minutes) to import very large images directly into the Exchange Online server. When the photo has been uploaded the Exchange server will resize the image before saving it to the user’s mailbox. For the aforementioned reasons I would recommend reducing the size of this photo before trying to upload to Exchange Online. My suggestion is that you use my Image Creator Tool to reduce the size of your photos to 648x648 before you try to upload them.

      I have found that Office 365 doesn't like you uploading photos for the same user multiple times in a row (ie. a bulk import with many photos for the same user name). If you do this you will get errors back from O365. However, if you are bulk uploading to different users it seems to work fine. If you start experiencing random errors when trying to upload or get images from Office 365 try disconnecting the current session and open a fresh Powershell session.

      On occasion when uploading an image to O365 the upload process will work successfully (no errors in the PS window), however, the image will not be available to be viewed immediately after a successful upload. Majority of the time this is not the case but occasionally it will take about 10 seconds before the photo can be viewed. In this time the tool will display the generic no photo silhouette picture. If this happens, be patient and refresh the user photo by reselecting the user from the 'Select User' drop down box. 


      The Wrap Up


      Well, that’s photos in the bag! You should now be able to convert and create images as well as import them into an On Premises system or an Office 365 tenant. Hopefully this makes your life much easier. Let me know if you have feedback and enjoy!



      Skype for Business Address Book Normalisation Tool

      July 2, 2015, 5:01 am
      $
      0
      0
      The release of Skype for Business brings a new set of Powershell commands for controlling Address Book Normalisation rules. In previous versions of Lync, these rules were configured in the Company_Phone_Number_Normalization_Rules.txt file that was stored in the address book storage on the Lync share. This previous method was not particularly intuitive and prone to issues because of the text file format used.

      So now in Skype for Business we have Powershell commands to make everything easier, right? Well, yes and no. I am not a big fan of having to memorise Powershell commands that will only be used rarely. Also, ideally it should be easy to see and change the priority order of the rules as well as test the rules with commands. However, the new commands don’t offer any testing facilities as yet; they require multiple list ups and are not intuitive for priority changes. So as Tim Allen used to say on Home Improvement: it’s Tool Time again…

      Skype4B Address Book Normalisation Tool




      Tool Features:
      • Import Existing “Company_Phone_Number_Normalization_Rules.txt” files into the system.
      • Add/Edit address book rules to the system. If the rule you are setting has a name that matches an existing rule, then the existing rule will be edited. If the rule’s name does not match an existing rule then it will be added as a new rule to the list.
      • Delete rules from the system.
      • Create new Site based Address Book Normalisation Rules policies.
      • Change the priority of rules.
      • Custom written rule testing code for testing pattern and translation matches as well as the resultant number.
      • Export rules back into a “Company_Phone_Number_Normalization_Rules.txt” file format.
      • Test the rules! Skype for Business currently (at the time of writing this) doesn’t have Address Book Normalisation testing capabilities. So I wrote a custom testing engine into the tool providing this feature. By entering a number into the Test textbox and pressing the Test Number button, the tool will highlight all of the rules that match in the currently selected Global/Site level Policy patterns in blue. The rule that has the highest priority and matches the tested number will be highlighted in red. The pattern and translation of the highest priority match (the one highlighted in red) will be used to do the translation on the Test Number and the resultant translated number will be displayed by the Test Result label.
      Version 1.01 Update (13/10/2015):
      • Added warning message on the Remove policy button to save you from yourself :)
      • Removed second .txt from the export name.
      Version 1.02 Update (20/1/2015):
      • Script now doesn't strip ";" char before applying regex. (Thanks Daniel Appleby for reporting)

      Available on the TechNet Gallery:

      DOWNLOAD HERE



      Importing Company_Phone_Number_Normalization_Rules


      The new Skype for Business address book normalisation Powershell commands offer a way to import previous Normalisation Rule files.  The command is called Import-CsCompanyPhoneNormalizationRules and will import the Pattern and Translation Rule directly into the new Skype for Business commands. In doing so, the import process will create a random GUID to be used as a unique name for each normalisation rule.

      Import File Example:
      # Internal 13 Extension numbers
      ^13(\d{2})$
      +6139999$1
      # Internal 17 Extension numbers
      ^(17\d{2})$
      +6139999$1

      Get-CsAddressBookNormalizationRule after import:
      Identity    : Site:Melbourne/d8209928-5b07-44fa-9642-56285dbe72d1
      Priority    : 0
      Description :
      Pattern     : ^13(\d{2})$
      Translation : +6139999$1
      Name        : d8209928-5b07-44fa-9642-56285dbe72d1

      Identity    : Site:Melbourne/3cfd51ad-2be9-43ce-a87d-f223bdc755c6
      Priority    : 1
      Description :
      Pattern     : ^(17\d{2})$
      Translation : +6139999$1
      Name        : 3cfd51ad-2be9-43ce-a87d-f223bdc755c6

      The Address Book Normalisation Tool uses this same command to import address book files. As a result, you can expect to see the same operation as shown above. When the rules are imported into an existing scope that already contains rules the new normalisation rules will be added in addition to the existing rules. No existing rules will be deleted by the import process.


      Rule Testing


      In previous versions of Lync you used to be able to test rules using the Abserver.exe using the testPhoneNorm flag. The output of this command would tell you which Pattern in the Normalisation Rules file would be used by the system for the test number you supplied. The Address Book Normalisation Tool has a similar testing feature that will highlight all of the rules that match the tested number in blue and highlight the highest priority (ie. the actual rule the system will use to do the normalisation) rule in red. It will also show you the Pattern, Translation Rule, and exactly what the resultant number will be after translation.

      Test Example:



      The Wrap Up


      Now Skype for Business Address Book Normalisation couldn't be any easier! I hope you find this tool useful and continue normalising for many years to come. Enjoy!



      Skype for Business / Lync Polycom VVX Manager Version 3

      September 30, 2015, 10:37 pm
      $
      0
      0

      Polycom’s VVX range of phones on Lync/Skype for Business have come a long way in the past few years. The release of version 5.4 has delivered further improvements and new features and moved them into a position of superiority over even Lync Phone Edition devices. Since version 5.4 of VVX software there has been support for remote management features by way of a RESTful web service interface. The VVX Phone Manager takes advantage of this API and allows you to remotely execute various functions of the devices. As of version 3.0 there is also now support for phones that are directly registered to Skype for Business Online!

      Polycom VVX Manager Version 3 Features


      Polycom VVX Phone Manager 3

      Skype for Business Online Support - The VVX Phone Manager as of version 3.0 can now list up users from Skype for Business Online and discover their VVX/Trio devices using the Network IP Discover method (supports users with VVX's and Common Area Phone Devices). The "Connect SfBO" button will connect the PowerShell session to SfB Online. You will need to enter your Office 365 AAD username and credentials to connect. Once connected a green "Online" label will be displayed next to the button and the button’s text will change to "Disconnect SfBO" which you can click to disconnect from SfB Online.

      Phone discovery– Phones can be discovered either by automatically querying the Lync/Skype for Business Monitoring database (provided there is a monitoring role deployed in the environment) by pressing the “Discover from Monitoring DB” button. Alternatively, this can be done by entering IP Address ranges and “pinging” contiguous subnet ranges for phones using the “Discover from IP Range” button (format: "192.168.0.1-192.168.0.20" OR "192.168.0.0/24" OR add multiple with comma separation "192.168.0.0/24,192.168.1.0/24"). During the discovery process, phones that are logged in to user accounts will be listed in the users list. If the tool finds a VVX handset that is not signed in, it will be added to the user list under the name “VVXNot@LoggedIn_<index number>”. This allows you to use the tool to access these devices even though they are not signed into the system.

      Important Note: The VVX Phone Manager Tool uses the registration database within the Lync/Skype for Business monitoring database to determine the IP addresses of phones. However, registrations are only added to this database at the time when a user manually signs in with a PIN or with Domain authentication details. If a user moves a phone to a new subnet or the IP Address changes without signing it out/back in then its new IP Address will not be written to the Monitoring database. So, in some cases, the Monitoring database may not produce a complete list of registered VVX devices. The "Monitoring DB Query Time" value in the "Settings" dialog can be used to extend how far back the Monitoring DB query will go to find VVX registrations. This can help to find phones that haven't been manually signed in for an extended period of time. Or alternatively, the "Discover from IP Range" option can be used to do an exhaustive scan of all subnets if required. 

      Export/Import Phone Info– This feature outputs a CSV file that contains all the Users, IPs, Firmware Version, Serial Numbers, Lync/Skype for Business Server, and MAC Address (if available) for all phones. If you select the "More" checkbox you will also get the additional Lync/Skype for Business policy settings for each user (this is slower).

      Access Web Interface - Access the web interface of a VVX phone by selecting a user in the user list and clicking the “Web Config” button. This will automatically load the web browser to the phone's web interface.

      Pin control– The “Pin…” button will load a dialog that will Set, Test, Lock, Unlock a user’s PIN number.

      PIN Dialog


      Send Text Messages - Send text messages to be displayed on a Polycom VVX phone. An example of this would be to send a message to warn before a system upgrade or a reboot. Messages are displayed on the screen for 30 seconds.

      Example of Message Screen

      Note: Sending messages relies on the PUSH interface being enabled on the phone in order to accept the message. See the VVX Requirements section for more detail of this configuration. 

      Get More Info– By pressing the “More Info” button you can get extended information about a VVX phone including: Device Info, Call Status, Presence Info, Network Info, Line Info, SIP Status, Network Statistics.

      Reboot/Restart Phones– You have the choice of Rebooting or Restarting a single, multiple, or All phones.

      Reset Config– You have the option to Reset the Config or Factory Reset the configuration with one or many phones.

      Get/Set Config - You can Get or Set any setting in the phone configuration. You simply need to enter the configuration setting name (as you would find in the configuration file eg. log.level.change.hset) and click the Get or Set buttons to view or change the setting's value.

      Sign in / Sign out devices (5.7 software required on the phone) - Selecting sign in will open a dialog that allows for either AD Authentication or PIN Authentication. Selecting sign out will sign out the phone from Skype for Business.

      Dial / End Call– You can choose to remotely dial a SIP URI (eg. john.smith@domain.com or +61395551111@domain.com) on a phone by entering a URI and pressing the “Dial” button. If the phone is on a call you can also choose to end the call using the “End Call” button.

      Test FTP Config Server - Test your FTP Configuration File server by simply entering the IP address of the FTP server and pressing the “Test FTP” button. The tool will attempt to connect to the FTP server and download information about key files associated with a Polycom configuration server deployment. These include the base configuration file (000000000000.cfg), configuration files in the CONFIG_FILES tag, any MAC address files associated directly with phones, and firmware files (*.sip.ld). The tool will give feedback as to the state of the FTP server.

      View Screen– The “Screen…” button will open a dialog that will show you the user's screen. Before the user's screen can be viewed the user must first manually allow access to the Screen Capture feature (this is a security measure so that the user is aware that someone is viewing their screen). This setting within the Basic->Preferences screen will only be made available while the VVX screen dialog is displayed (the tool automatically makes the setting "up.screenCapture.enabled" in the device to turn on this preference setting). When the dialog first loads you will see a screen that looks like this:

      VVX Screen Dialog


      At this point the user will have to enable the following setting in their phone preferences:

      Settings -> Basic -> Preferences -> Screen Capture -> Enabled

      Note: In version 2.50 of the tool with Version 5.7 of VVX software this step is not required anymore. The tool will immediately be able to display the screen by using the REST interface to enable the feature.

      Now you will be able to see the user's screen and save screenshots of the screen as JPG files if you so desire:
      VVX Screen

      Command Line Settings – If you would like to load the script with your own specific settings to save time, you can specify these in the command line when loading the script. The format of the parameters are as follows:

      Script command line settings:
      .\Skype4B-Lync-PolycomVVXManager3.00.ps1 -WebPortInput 443-UseHTTPSInput false-AdminUsernameInput AdminUsername-AdminPasswordInput AdminPassword-PushUsernameInput PUSHUsername-PushPasswordInput PUSHPassword-IPRangeInput “192.168.0.1-192.168.0.200”-OnlineUsernameInput john.smith@tenant.onmicrosoft.com-OnlinePasswordInput "Password"

      Settings Dialog – The “Settings…” button allows you to configure your own passwords, web service port and HTTPS settings for the tool.

      Note: Continue reading for definitions of these settings.


      Bulk PIN Authentication (New in version 2.50)

      The bulk PIN authentication feature allows you to sign in multiple devices (that are currently signed out) using their respective extension and PIN numbers. This feature is useful for if you are deploying a site and require all the phones be logged in the day after the cutover before staff arrive at work. Another scenario might be that you want to sign in new starters phones at the time when you initially set their PIN number to allow them immediate access to their phone.

      Phones that are signed out will be displayed in the interface as “VVXNot@LoggedIn_<IPAddress>”. Any device that is in this state will be eligible to be displayed within the Bulk PIN Authentication window when it’s opened. Below is an example of what the Bulk PIN Authentication window looks like when it’s first opened:


      Note: You will need the REST API enabled on devices that you want to be displayed in the Bulk Authentication interface.

      Once the Bulk PIN Authentication window is open you need to assign Extension and PIN numbers to each device. To do this you can choose to import a CSV file with this information in it to fill in the table. Or you can manually do it with the Extension/PIN text fields and Update Row button. Once you have added Extension and PIN numbers to a row it will change colour to green. Lines that do not have an Extension and PIN will be ignored when you run the Bulk Authentication process.
      To use the CSV import you need to create CSV file with the following headers:

      MAC Address,Extension,PIN
      0004f28038f9,1006,1234
      64167f8023b1,1007,1234
      0004f280df8b,1008,1234

      You will need to know the MAC address of the phone devices to create the CSV file. So it’s important to have good records describing where devices are deployed within the organisation.


      After Extensions and PIN numbers have been added for the required devices you click the “Run All” button and the sign in process will begin. The sign in process runs in parallel for all devices. The tool will poll the devices to check if the sign in process has completed. Once finished the results will be reported back for each device in the Result column.


      The results can be exported with the “Export Results...” button in CSV format for future records.


      UPDATES



      2.01 Enhancements
      • Fixed issue with the Get Config function
      • Increased the timeout for discovery ping from 200ms to 350ms to handle sites that might be over a higher latency connection. Also added a setting called "Discovery Wait Time" which allows you to tune the time that the tool will wait for responses from discovery messages sent to phones (setting between 200ms-1000ms).

      2.02 Enhancements
      • Fixed issue with rescan on CSV import.
      • Included new Polycom MAC Address range 64:16:7F
      • Added a discovery summary at the end of IP Based discovery. This gives a useful summary when scanning multiple IP ranges.
      • The command line input for IPRangeInput now accepts muiltple ranges in comma separated format. eg. Skype4B-Lync-PolycomVVXManager2.02.ps1 -IPRangeInput "192.168.0.1-192.168.0.200,192.168.0.10/24"

      2.03 Bug Fix
      • There was an issue with detecting users when capital "SIP:" was used as part of their SIP URI. This has been fixed.
      2.04 Bug Fix
      • Fixed a couple of typos that affected operation on Powershell 5
      • Added more VVX types when discovering logged out phones
      2.05 Bug Fix
      • Added port number to screen viewing URL. Required when non-standard HTTP/HTTPS port is used.
      2.10 Fixes and Enhancement! (28/7/2017) 
      • Replaced Invoke-RestMethods with shiny new .net web requests to fix annoying connection issues found in previous versions.
      • Added option in Send Message dialog to select the theme/style of the message displayed on the VVX. Default is to send the new SfB dialog style, the original Polycom theme and red/alarm themes are also available.
      • Updated Icon to new MySkypeLab icon.
      • Added some more detail in blog post about Push configuration.
      2.20 More Fixes and Enhancements! (28/8/2017)
      • Fixed threading issue with discovery that could result in some devices not being listed.
      • Added support for RealPresence Trios.
      • Added support for VVXs and Trios configured as CsMeetingRoom devices.
      • Added Trio Filter checkbox to view only users with Trios.
      • When not logged in Trio is discovered it will be displayed as "TrioNot@LoggedIn"
      • Fixed discovery Instance name when default SQL instance is used.
      • Changed the "VVXNot@LoggedIn_<value>" name to end with the IP Address of the device rather than an incrementing number.
      • Fixed the IP Address discovery count text in Powershell window to make more sense
      • Fixed issue with listview scrolling and colored lines changing back to black. Clicking on the listview will refresh the colours.
      • Increased VVX and Trio list checkbox filter speed.
      • Fixed issues with setting and testing pins.
      2.21 Bug Fixes (8/11/2017)

      • Fixed issue with config Get and Set not working with https connections
      • Fixed issue with LineURI and DialPlan not being outputted in CSV for Common Area Phones and Meeting Room devices
      2.50 Fixes and 5.7 API Enhancements (24/1/2018)

      Note: The config setting httpd.ta.enabled="1" is required for the 5.7 features to work correctly
      • Added Touch Simulation (Tap/Swipe) when viewing screen on 5.7 software. This works on the range of VVX500, VVX600, VVX400, VVX300 and VVX200 devices (yes, even non-touch screen devices). Simply click on the screen where you would like to send a tap or click and drag to send a swipe command. Note: There is no support for hardware button presses (eg. home button) in the API yet so we will have to wait for full remote control of devices.
      • Viewing the screen now does not require user involvement to turn on Screen Capture within the phone preferences in version 5.7. This will automatically be set by the tool each time the screen button is clicked.
      • Added additional information when the “More” button is clicked for devices with 5.7 and above (CPU, Memory, Session Information, Additional Call Status info).
      • Added Sign in / Sign Out functions (in send command dropdown box) allowing AD Authentication and PIN Authentication - Supported on 5.7 and above. Not supported for Trios.
      • Bulk PIN Authentication Sign In. See the Bulk PIN Authentication section of the blog post for more details - Supported on 5.4 and above. Not supported for Trios.
      • Corrected issue with VVX Manager failing with virtual IPs from HyperV (Thanks to Ross Gernon for the feedback)
      • Added a retry when polling devices during discovery. Some VVXs don't respond to the first NOTIFY message so a second is sent to try and force a response.
      • Fixed issue that stopped connections to default MSSQLSERVER instances.
      • Many other smaller bug fixes...

      3.00 Bug Fixes - Added Skype for Business Online support (25/08/2018)

      • The VVX Phone Manager can now list up users from Skype for Business Online and discover their VVX devices using the Network IP Discovery method (supports users with VVXs/Trios and CAP Devices).
      • The "Connect SfBO" button will connect the PowerShell session to SfB Online. You will need to enter your Office 365 username and password to connect. Once connected a green "Online" label will be displayed next to the button and the button’s text will change to "Disconnect SfBO" which you can click to disconnect from SfB Online.
      • Two new command line attributes added for SfB Online Username and Password so you can connect without being prompted for credentials (example: .\Skype4B-Lync-PolycomVVXManager3.00.ps1 -OnlineUsernameInput john.smith@tenant.onmicrosoft.com -OnlinePasswordInput "Password")
      • Cleaned up the info display and changed font and added some colour. Now includes information about where a user is Homed (OnPrem or Online) and Hosted VM (HostedVoicemailPolicy) fields.
      • Added support for testing HTTP/HTTPS config servers (Test Server Button). Files are now downloaded into memory so no file has to be written to disk and checks for VVX250,350,450 firmware. Trio firmware and APP_FILE_PATH_Trio8800 path now supported.
      • Rewrote user information gathering code to be cleaner and work with SfB Online.
      • Removed exit button from messages sent to VVX400
      • Many other bug fixes :)

      3.01 Trio discovery and fix update (25/10/2018)
      • Trios in later versions do not support NOTIFY based discovery anymore. Added automatic REST based fall back for discovery of these devices.
      • If REST is disabled on a Trio that falls back to REST discovery, a device named TrioRestDisabled@<IP Address> will be added to the list and you can then use the "Web Config" button to enable REST (Settings > Applications > REST API > Enable).
      • When Visual+ is discovered it will be added to the list as TrioVisualPlus@<IP Address> and you will be able to access the web interface with the "Web Config" button.
      • Fixed Trio screen display size by halving the size to fit on regular screen resolutions.
      • Made updates to the Import CSV logic to properly handle Trios.
      3.02 O365 Connection Optimisations (6/2/2019)
      • Improvements with reconnecting to O365 after connection timeout. (Thanks to Greig Sheridan for helping with the testing of this release)
      3.03 MFA Support added for O365 (6/3/2019)

      • Added MFA support when signing into O365.


      Available on the TechNet Gallery:

      DOWNLOAD HERE



      Polycom VVX Manager Configuration Requirements


      Firmware Requirements


      The VVX phone must be at least firmware version 5.4 in order to be controlled by the VVX Phone Manager Tool because this version is the first to support the new REST based management API. If you select a user that has a phone with an older version of software, the tool will display a warning in the Powershell window and give you limited access to features for that user. Note: software version 5.4.0A is required for VVXs connecting to Skype for Business.

      VVX Web Server Settings


      Since version 5.1 of VVX software, there have some increased security enhancements added to the phones. This increased security will affect your ability to connect to the web interface and web services interface of VVX devices when you are running them in an out-of-the-box configuration. So in order to use this tool you will need to edit some basic configuration settings on your phones (usually done via configuration files).

      The following web server settings were added in version 5.1 VVX firmware:

      Web Config Mode
      httpd.cfg.enabled
      httpd.cfg.secure
      TunnelEnabled
      httpd.cfg.secure
      TunnelRequired
      Disabled
      0
      0
      0
      HTTP Only
      1
      0
      0
      HTTPS Only
      1
      1
      1
      HTTP/HTTPS
      1
      1
      0

      Different combinations of these setting will give you access to either HTTP, HTTPS or both at the same time. Below are examples of how to achieve all of these settings:

      Example settings:

      Note: The config setting httpd.ta.enabled="1" is also required for the 5.7 features to work correctly.

      HTTP Web access only:
      <!-- HTTP Admin Settings -->
      <httpd httpd.enabled="1" httpd.cfg.enabled="1" httpd.cfg.port="80" httpd.cfg.secureTunnelEnabled="0" />

      HTTPS Web access only:
      <!-- HTTPS Admin Settings -->
      <httpd httpd.enabled="1" httpd.cfg.enabled="1" httpd.cfg.secureTunnelPort="443" httpd.cfg.secureTunnelEnabled="1" httpd.cfg.secureTunnelRequired="1" />

      Both HTTP and HTTPS web access: 
      <!—HTTP and HTTPS Admin Settings -->
      <httpd httpd.enabled="1" httpd.cfg.enabled="1" httpd.cfg.port="80" httpd.cfg.secureTunnelEnabled="1" httpd.cfg.secureTunnelPort="443" httpd.cfg.secureTunnelRequired="0" />

      Note: If you would like to make the Web Admin harder for people to find, you can change the port number to something different from the default 80 or 443 settings. If you do this, you will need to change the Web Port setting in the settings screen of the tool to match your selected port.


      In addition to enabling the web server in the phone you must also change the default password on the device as well. If you do not do this the phone will display errors/warnings on the phone display and web interface (“Default admin password is in use, please contact your administrator”). Passwords can be configured in the configuration file as follows:

      <!-- Passwords and Security -->
      <device device.auth.localAdminPassword="12345" device.auth.localUserPassword="12345" />

      Note: Make these passwords whatever you want them to be, however, they must be different than the default of 456 in order to avoid the warning message being displayed on the phone screen.

      After you have changed these settings the web login and phone screen login passwords will be changed. So if your support staff have been trained to enter the default “456” password, don’t forget to tell them that it has changed.

      Enable REST API:


      Config File Setting:

      The following REST API setting must be enabled in order to use the Polycom VVX Manager Tool:

      <apps apps.restapi.enabled="1" />

      Web Interface Setting:

      Settings -> Applications -> REST API

      Note: If this setting is not configured you will receive "(404) Not Found" errors when trying to send commands to the phone.

      Text Messaging Settings


      In order to send messages to VVX phones you need to enable the Push settings in the configuration. You can do this with the following settings:

      Config File Settings:
      <apps.push apps.push.alertSound="1" apps.push.messageType="5" apps.push.serverRootURL="push" apps.push.password="vvxmanager" apps.push.username="vvxmanager" apps.push.secureTunnelEnabled="1" apps.push.secureTunnelPort="443" apps.push.secureTunnelRequired="0"></apps.push>

      • apps.push.messageType: This sets the level of messages that will be displayed for the phone. The VVX Manager always sets the messages as “critical” so they will always be received. The setting “5” means that all levels of messages will be displayed by the phone.
      • apps.push.serverRootURL: This setting needs to be set to "push". This is used as part of the URI for sending messages to the VVX.
      • apps.push.username: The phones use digest authentication for push connections. The username sent by the tool by default is “vvxmanager”. This can be changed in the Settings dialog in the tool.
      • apps.push.password: The phones use digest authentication for push connections. The password sent by the tool by default is “vvxmanager”. This can be changed in the Settings dialog in the tool.
      • apps.push.alertSound: Play a sound when the message is displayed. This is the standard Polycom sound that you hear when a phone reboots. This can help the user to see the message, as it will only be displayed for 30 seconds.
      • apps.push.secureTunnelEnabled: If 0, HTTPS is disabled for push. If 1, HTTPS is enabled for push.
      • apps.push.secureTunnelPort: Changes the HTTPS port number (default is 443).
      • apps.push.secureTunnelRequired: If 0, HTTPS is not required (ie. HTTP is also available). If 1, HTTPS is required for push (ie. HTTP connection is disabled). Note: if you try to connect using HTTP when this is set to 1 you will receive a "(405) Method Not Allowed" error.


      Web Interface Settings:

      Settings -> Applications -> PUSH



      MAC Address Display


      If you want to be able to remotely tell what the MAC address is of a phone (useful when building phone specific config files) from the VVX Phone Manager tool interface without having to open the web config, add the following setting:

      <device sec.tagSerialNo="1">
         <prov device.prov.tagSerialNo="1"/>
      </device>

      This will result in the MAC address being included in the device string, eg: “VVX Version: PolycomVVX-VVX_500-UA/5.0.0.6874_0004f28038f9”. If you do this, the tool will also check the FTP server for individual MAC address files and tell you which phones have these when the “Test FTP” button is pressed.


      Polycom VVX Manager Tool Settings


      When connecting from the VVX Phone Manager you need to match the password that you configured in your phone with the tool. The settings can be entered into the tool by pressing the “Settings…” button:
      • REST Username: This setting is always set to “Polycom”.
      • REST Password: This setting needs to match the “device.auth.localAdminPassword” setting in your VVX phone. If the password is wrong and doesn't match your phone setting you will see "(401) Unauthorized" errors being returned from the phone when you try to send it commands.
      • PUSH Username: This setting needs to  match the “apps.push.username” setting in your VVX phone.
      • PUSH Password: This setting needs to match the “apps.push.password” setting in your VVX phone.
      • HTTPS: This needs to match your phone's configuration settings for “httpd.cfg.secureTunnelEnabled”
      • Web Port: This needs to match your phone's configuration settings for either “httpd.cfg.port” for HTTP or “httpd.cfg.secureTunnelPort” for HTTPS.
      • Monitoring DB Query Time: This setting determines how many months back in the monitoring database the tool will look for VVX phone registrations. By default this setting is 6 months, meaning that the IP Address of any VVX phone registered in the past 6 months will be scanned to see if it is still located at that IP Address. This setting can be increased if your VVX phones have not been manually signed out/in for longer than 6 months. Or if you have a site where users are frequently signing in and out of their VVX phones you can reduce this value to save time scanning old IP Addresses for VVXs. The setting can be set between 1-48 months (ie. from 1 month up to 4 years).
      • Discovery Wait Time: This setting allows you to tune the time that the tool will wait for responses from discovery messages sent to phones (setting between 200ms-1000ms). This can be helpful if you are trying to discover phones on a distant subnet with a high levels of latency.


      SQL Requirements


      In VVX Phone Manager 1.xx there was a requirement that SQL ports were opened on each Front End server for accessing information on phone IP Addresses (which work some of the time). This new version of the tool only requires access to the Monitoring database on the Lync / Skype for Business Backend SQL server in order to discover the IP Addresses of phones signed into the system.

      Important Warning About Trio SkypeUSB Mode

      Note: Thanks to Greig Sheridan for providing testing of USB mode!

      The Trio devices can run in a special mode called SypeUSB mode whereby they basically become a dumb USB device that you connect to a USB port of a PC as an audio device. This mode is turned on using the base profile setting below:

      device.baseProfile="SkypeUSB"

      When in this mode the VVX turns off its SIP stack and will not respond to the VVX phone manager. This renders the device un-discoverable so you will not be able to see it in the tool. In addition to this, if you want to convert the device back to the Lync/Skype profile and have it talking SIP again you should do a full file system reset of the device first. It was found that factory defaulting the device sometimes isn’t enough to get the SIP Stack back firing on all cylinders and you might see 404 SIP errors coming back from Trios when trying to discover them with the VVX Phone Manager.

      The moral of the story here being that SkypeUSB mode does not work with the VVX Phone Manager. So don’t waste a whole bunch of time trying to figure out debug SkypeUSB mode!

      Getting Started with a Polycom VVX Deployment


      This article was written under the assumption that you already have VVX phones deployed, and you are now looking to manage them. If you need some more help with the initial deployment part of the process, I can point you to some useful resources:

      Jeff Schertz' great post on the different ways to deploy Polycom phones is here: Provisioning Polycom SIP Phones. Greig Sheridan also has a nice post on Optimising the Polycom VVX for Lync that you might want to check out too.

      If you would like to know more about what is supported on Lync with VVX phones and setting up a FTP server to support Polycom Configuration files on Lync, go to the Polycom VVX support page and grab a copy of the lovingly entitled: “Deploying Polycom® UC Software for use with Microsoft® Lync™ Server”.

      An important recommendation that I can give you is to always test your configuration files on a real phone before deploying them into the wild, because subtle errors can cause things not to work as desired.


      The Wrap Up


      Well, that's it, my first version 2.0 script! Enjoy, and let me know if you have any issues, feedback or have any enhancement requests.



      Skype4B / Lync DHCP Config Tool

      November 29, 2015, 2:57 am
      $
      0
      0
      Put up your hand if you know how to configure DHCP for Skype for Business and Lync phone devices? Leave your hand raised if you enjoy this process? Okay, I thought so, read on…

      When deploying Skype for Business/ Lync Optimized or Qualified phone devices you are required to make specific DHCP configuration settings in order for the devices to be able to authenticate and connect to the system. The settings that are required are some special Vendor Class Options and a standards-based Option 120 setting.


      DHCP Vendor Class Options - Option 43


      Option 43 is a special option type used in DHCP responses that encapsulates options for a specific Vendor Class. A DHCP server will respond with Vendor Class options only when a device specifically requests them. The method for requesting the Vendor Class options is normally achieved by the device putting a Vendor Class ID in Option 60 of its initial DHCP DISCOVER message. This method is usually used for settings that might be required by the device when it first boots.

      Another method (which I’ve only ever seen used by Skype4B/Lync devices) is to send an INFORM message after the initial discovery process has completed to the DHCP server requesting additional information for a specific Vendor Class. The signalling for the Vendor Class request is the same as in the DISCOVER method however, in this case the Option 60 message is inserted in the INFORM message. It is important to note that the INFORM method is not supported by all DHCP servers, however, it is supported by Windows DHCP servers and Cisco switch/router DHCP servers. If you're using an different DHCP server you may need to check that it response to INFORM messages. 

      Skype for Business and Lync phone devices use Option 43 to pass information about the certificate provisioning service to the phones. The phones need this information in order to do PIN Authentication with the system. The options encapsulated within option 43 include the following:

      Option Number
      Option Name
      ASCII Value
      Setting Type
      001
      Vendor Class
      (UCIdentifier)
      MS-UC-Client
      Common setting
      002
      Protocol
      (URLScheme)
      https
      Common setting
      003
      Web FQDN
      (WebServerFQDN)
      pool.domain.com
      Variable - Set this to match your pool / domain
      004
      Web Port
      (WebServerPort)
      443
      Common setting
      005
      Cert Prov URL
      (CertProvRelPath)
      /CertProv/CertProvisioningService.svc
      Common setting

      These settings combine to give the phone all the information it needs to contact the Certificate Provisioning service on the system. The phone will recombine these to be a URL as follows:

      https://pool.domain.com:443/CertProv/CertProvisioningService.svc


      DHCP Option 120


      Option 120 is a specific option that is described as part of a RFC 3361. The option describes SIP server locations in the form of FQDNs or IP Addresses. Skype for Business and Lync devices have been designed to use this standard option to discover the location of the pool for SIP signalling (registration, authentication, call signalling, etc).   

      Option Number
      Option Name
      ASCII Value
      Setting Type
      120
      SIP Pool FQDN
      (UCSipServer)
      pool.domain.com
      Variable - Set this to match your pool / domain

      The encoding of Option 120 is not just a simple ASCII byte conversion for entry into the DHCP server. There are also framing bits around the FQDN that is described as part of RFC 3361. The RFC described two different types of encodings for Option 120 –  the first is FQDN format, and the second is IP Address format. Only the FQDN formatting option is available for Skype for Business and Lync due to the fact that it uses TLS-based SIP which requires FQDN matching when creating the secure channel connection.


      How Does DHCP Option 120 interact with DNS?


      If you don’t specify anything for DHCP Option 120 the Skype4B/Lync Phone Edition devices will fall back to looking up the following DNS records:
      • _sipinternal._tls SRV record
      • _sip._tls SRV record
      • sipinternal.<user domain>  (Be careful of this record. This is not included in the certificate SAN list by default so don’t enter it into DNS unless you have added it specifically to the SAN list)
      • sip.<user domain> (This record is included by default in the certificate SAN list. So it’s safe to use.)

      During the process, if Option 120 is not discovered, the Skype4B/Lync Phone Edition devices will display “Registrar FQDN cannot be found. Please contact your support team” on the screen and then sign in using the fall back DNS lookups. This is not ideal because users might be confused by this message so it’s always recommended to configure Option 120.


      Configuring the DHCP Server


      The method of configuring the DHCP server supplied by Microsoft is to use a command line tool called DHCPUtil that will create the byte encoded output for each of the required Options. The output of the DHCPUtil command is then used in conjunction with a batch file to deploy the setting within your DHCP server. This process is multi-step and I have found it prone to errors, and difficult to troubleshoot once the options are deployed, because they are displayed as bytes in the interface. The DHCPUtil method also only supports configuring Server Options within the Windows DHCP server and does not support Scope Level options configuration. I figured I could build a tool in Powershell that would be easier to configure, more flexible, and help you in troubleshooting your DHCP deployments.


      Skype4B / Lync DHCP Config Tool




      Features:
      • Deploy Server and Scope level settings within your Windows DHCP server.
      • The tool will encode the settings as required to be deployed within the server.
      • The tool will download and display the current settings from the DHCP server.
      • Edit and remove individual settings as required.
      • Export to Cisco IOS Switch/Router DHCP configuration commands.
       Note: The tool must be run on a Windows DHCP server!

      Available on the TechNet Gallery:

      DOWNLOAD HERE


      The tool itself is fairly straightforward to use –  when it loads, it will query for all the scopes configured in the DHCP server. The scopes are displayed in the drop down list at the top of the form. When you select a Scope from the list, the tool will query the Options available for that scope and show them in the settings text boxes (current settings are shown in green). If the scope has no options configured, the boxes will be empty. If you would like to auto fill the boxes with the common configuration settings you can click on the Defaults button. When you have filled in the settings with the desired configuration you can click the Upload Settings button and the Options will be configured on the server. If you would only like to upload specific Options, you can use the Check Boxes next to the settings to select the desired Options to upload. The Remove Settings button will remove any of the settings from the selected scope that has the check box ticked. If you only want to delete a specific option, then you tick only the check box of the specific item before clicking the Remove Settings button.

      Your DHCP server may already have Option 120 or the Vendor Class options defined. If this is the case and any of these options are defined as anything other than the Binary type then the tool will display the setting as <UNSUPPORTED TYPE>. This looks like the following:

      Unsupported Type of and Existing Option

      If this happens you can choose to upload a new setting over the existing setting. If you do this the tool will display a dialog asking if you would like to delete and replace the existing option definition with a new one. The new definition that the tool will create will be Binary in type which it will be able to edit and display.

      Option Definition Change Dialog


      The tool also does checks on Option 120 when it reads it from the DHCP server to ensure that it is formatted correctly (as defined by RFC3361). If it determines that the setting is not in the correct format it will display <UNSUPPORTED FORMAT> in the text box. If this happens, then I suggest you upload a new setting over the top of the unsupported setting to ensure that your phones can parse the option properly.

      Important Note: You must refresh the scopes within the Windows DHCP Server MMC console in order to see changes you have made with the DHCP Config Tool. 


      Cisco Router / Switch Configuration


      If you do not have Windows DHCP server for the subnet that your devices are deployed on, you may choose to use a Cisco switch or Router to be the DHCP server. The "Export Cisco" button allows you to export Cisco IOS configuration commands for option 120 and 43 of a Cisco switch or router running as a DHCP server.

      It should be noted that when you use this format in a router or switch there is a significant difference from a Windows DHCP server implementation. In the Cisco method you are hard coding the DHCP server to respond with these Option 43 settings for every device that requests Vendor Class options of any class. On a Windows DHCP server, it will only send Option 43 information to devices that have requested the specific Vendor Class of MS-UC-Client (the device does this by putting this Vendor Class info into Option 60 of its initial request message). This means that, per subnet, you can only have one Vendor Class deployed on a Cisco switch/router. In addition to this, you need to make sure that there are no other devices on the subnet that use Option 1-5 in their respective Vendor Classes because they will receive the settings you have deployed for Skype4B/Lync in their DHCP responses. This may have undesired results when they parse and use these settings instead of the ones they were expecting. So be sure you understand the risks of this where deploying using this method and try to limit the device on the subnet to be your Skype4B / Lync devices only (where possible).

      The tool will output the format as shown below:

      !OPTIONS FOR CISCO DHCP CONFIG
      option 43 hex 010C4D532D55432D436C69656E7402056874747073031446453030312E6D79736B7970656C61622E636F6D040334343305252F4365727450726F762F4365727450726F766973696F6E696E67536572766963652E737663
      option 120 hex 000546453030310A6D79736B7970656C616203636F6D00

      These settings can be inputted directly into your DHCP pool settings in Cisco IOS!
      An example of a basic configuration might look like this:

      Router(config)# service dhcp
      Router(config)# ip dhcp pool TEST-POOL
      Router(dhcp-config)# network 10.20.2.0 255.255.255.0
      Router(dhcp-config)# default-router 10.20.2.1
      Router(dhcp-config)# dns-server 10.20.2.100
      Router(dhcp-config)# lease 8
      Router(config)# ip dhcp excluded-address 10.20.2.1 10.20.2.199
      Router(config)# option 43 hex 010C4D532D55432D436C69656E7402056874747073031A32303133454E5446453030342E6D796C796E636C61622E636F6D040334343305252F4365727450726F762F4365727450726F766973696F6E696E67536572766963652E737663
      Router(config)# option 120 hex 000C32303133454E544645303034096D796C796E636C616203636F6D00
      Note: Other settings like NTP server, Time Offset, Config server, etc. may also be required depending on the device.


      Server Scopes and Subnet Scopes


      The tool allows you to access Server Scope or Subnet Scopes within the DHCP server. The server scope should be looked at as the fall-back settings for all scopes. If you apply settings to the server scope, then these will be used by default by all subnets in the DHCP server. If you apply Subnet level settings, then these will be used in preference to the Server Scope settings. Below is an example of Subnet level settings, however Option 120 in this case is a Server Scope level setting. Note the different icons used for the different scope types:



      The Wrap Up


      Congratulations, you are now an expert at configuring DHCP servers for Skype for Business and Lync phone devices! I hope you enjoy this new tool and that it brings you great joy and delight over the holiday season.


      Search

      Skype for Business and Lync Centralised Event Viewer Tool

      July 14, 2016, 11:38 pm
      $
      0
      0
      Event Viewer logs remain one of the best troubleshooting tools for Lync and Skype for Business servers. An enormous amount of useful information can be found in the Event Viewer Logs, which can then be used to either understand the current state of the system or do root cause analysis on prior issues.

      So I decided to build a simple tool that centrally displays all of the Event Logs from Lync or Skype for Business servers or pools within an environment. This allows for a fast one-stop-shop for triaging issues across multiple Lync/Skype for Business servers in your environment. This can be especially handy for easily correlating problems that might have occurred across multiple servers in a pool.


      Skype for Business and Lync Centralised Event Log Tool



      Features:

      • Start and End Time – You can select Start and End date and time for events (yy/mm/dd hh:mm format). This can be particularly handy if you know the approximate time that an issue occurred on the system.
      • Server – Select specific servers or entire pools for which you would like to see the Events Logs. By default all Lync Front End servers are selected (ie. “ALL FRONTENDS”).
      • Event level selection – Select if you want to see Critical, Error, Warning, and Information event messages.
      • EventID Include/Exclude – By default, these fields can be left blank. However, you can select to either include or exclude specific event numbers when you get events. These fields accept Regular Expression formatting. For example, if you entered “^5”, you will get all events that start with “5”, or you could get specific multiple events using "|" like this “31147|31202”, or your could get a range of events using "[]" like this "620[0-9][0-9]".
      • Find Next / Previous – You can jump forward or backwards through the event list. The find feature checks all cells in each row against the text in the find text box (this is based on regular expression). If you don't put any text in the find textbox the find next and previous buttons can also be used to step through each event in the list.
      • The Get Events button will start the process of getting the specified events from the selected servers.
      • Web Search! – Often the easiest method to find more information on events is to search on the web for them. So the tool gives you the option to Google, Bing, Duck Duck Go or search TechNet Forums for more information.
      • View Event - This button will open a window with the event in larger text box. This helps in some cases when the event message text will not fit within a row in the main window.
      • The Copy button will copy the selected row to the clipboard so you can paste it somewhere, like an email for example.
      • Export Statistics to CSV – The Export Stats button will export per event counts to a CSV file. This will quickly allow you to see which events have been occurring more than others.
      • Export Events to CSV – You may want to have record of these 'momentous' events for future reference.
      1.01 Small Update
      • Added standalone mediation servers to the list.
      1.02 The Greig Request Update (15/7/2018)
      • Added options for searching "ALL FRONTENDS", "ALL FRONTENDS and SBAs", and "ALL SBAs".
      • Added improved performance (2x-3x improvement) of "Include Event ID" filtering when "41024,41033" format is used (Note, only works for Include and not Exclude Event ID). Using server side filtering for this improvement (also saves CPU cycles on client machine).


      Available on the TechNet Gallery:

      DOWNLOAD HERE


      Tool Requirements


      The Centralised Event Viewer Tool must be run on a server with the Lync / Skype for Business module installed on it (as it uses Powershell commands to find the Lync/Skype4B pool information). This would usually be a front end server in the pool. The tool is capable of listing large numbers of events (tens-of-thousands of events), however, getting large numbers of events can take a while to process. The tool will process 1000 events in 2 seconds (this scales fairly linearly). As a rule though it’s usually best to keep searches under a month in length so that the number of events don’t become problematic.

      You must enable “Remote Event Log Management (RPC)” on all of your Lync/Skype for Business servers Windows firewalls in order to access these logs from the central server running the tool. This rule is already pre-populated in the Windows Firewall Advanced setting rules. So you simply need to Enabled the rule as shown below:

      Open Firewall on all Lync / Skype for Business Servers:



      This is a dynamic service rule that opens the required ports automatically. However, the ports that get used in practice are port TCP 135 (RPC) and port TCP 49153 (Remote Event Log). These firewall rules will become more important if you are trying to connect to Edge servers from an internal server, as the firewall between the servers will need to allow these ports.

      Once this has been set on the servers that you are getting event logs from, you are set to go!

      The Wrap Up


      Why are you still reading? Go and get event log troubleshooting!!



      Polycom VVX Hold Issue with Sonus SBC1000/2000 Calls

      October 26, 2016, 8:37 pm
      $
      0
      0
      I had an issue recently when using the VVX Music on Hold feature in conjunction with a Sonus SBC1000/2000. The problem was that the VVX phones could not put a trunk call on hold (in this case they were running 5.4.5 software) . The symptom of this issue was the following message being displayed on the VVX screen (“Hold Failed. Moving back to call”):



      It should be noted here that the VVX in question had the new Music on Hold feature configured and MoH was working to internal Skype for Business clients and other phones. This was only happening on trunk calls on the Sonus gateway.  This would happen for both Sonus based file hold music (ie. Sonus gateway based hold) or when the Sonus was not being used to supply the hold music (ie. hold passed through from the VVX to the outside party).

      Logging on the system showed that the RE-INVITE message being sent by the mediation server to initiate hold was getting rejected by the Sonus SBC. The INVITE message that was being sent looked like this:

      RE-INVITE message sent by Mediation Server to Sonus Gateway:
      INVITE sip:+61395821300@10.20.1.150:5066;transport=TCP SIP/2.0
      FROM: <sip:+61395824500;ext=4500@myskypelab.com;user=phone>;epid=BB69FBB4BE;tag=45afae0d8
      TO: <sip:+61395821300@SBC1000GW.myskypelab.com;user=phone>;tag=7b66d712-5fc
      CSEQ: 83 INVITE
      CALL-ID: a9adec59-5f57-4a9c-ac31-78836eb506a3
      MAX-FORWARDS: 70
      VIA: SIP/2.0/TCP 10.20.2.104:49796;branch=z9hG4bKbafabbee
      CONTACT: <sip:2013ENTFE004.myskypelab.com:5068;transport=Tcp;maddr=10.20.2.104;ms-opaque=7b0cff35b7212cae>
      CONTENT-LENGTH: 246
      SUPPORTED: timer
      SUPPORTED: 100rel
      USER-AGENT: RTCC/5.0.0.0 MediationServer
      CONTENT-TYPE: application/sdp
      Session-Expires: 1800
      Min-SE: 90
      v=0o=- 1477456907 1477456908 IN IP4 10.22.0.23s=sessionc=IN IP4 10.22.0.23t=0 0a=sendonlym=audio 60034 RTP/AVP 0 101c=IN IP4 10.22.0.23a=rtcp:60035a=sendonlya=rtpmap:0 PCMU/8000a=rtpmap:101 telephone-event/8000a=ptime:80


      You will notice in the above invite that the Mediation server is requesting a Payload Size of 80ms (“ptime:80”). The Sonus gateway doesn’t like this though, and rejects the call with a 488 message:

      Call setup rejected:
      SIP/2.0 488 Not Acceptable Here
      FROM: <sip:+61395824500;ext=4500@myskypelab.com;user=phone>;epid=BB69FBB4BE;tag=45afae0d8
      TO: <sip:+61395821300@SBC1000GW.myskypelab.com;user=phone>;tag=7b66d712-5fc
      CSEQ: 83 INVITE
      CALL-ID: a9adec59-5f57-4a9c-ac31-78836eb506a3
      VIA: SIP/2.0/TCP 10.20.2.104:49796;branch=z9hG4bKbafabbee
      CONTENT-LENGTH: 0
      WARNING: 304 "Media type not available"
      SERVER: SONUS SBC1000 5.0.4v415 Sonus SBC

      When the 488 message gets fed back to the VVX, it displays the “Hold Failed. Moving back to call” message and everyone is very sad :(

      Why is this happening?


      The Sonus gateway supports a maximum payload sizes of 60ms. This can be seen in INVITE messages sent out of the Sonus like the one below:

      v=0
      o=SBC 79 1001 IN IP4 10.20.1.150
      s=VoipCall
      c=IN IP4 10.20.1.150
      t=0 0
      m=audio 20112 RTP/AVP 0 8 101 13
      c=IN IP4 10.20.1.150
      a=rtpmap:0 PCMU/8000/1
      a=rtpmap:8 PCMA/8000/1
      a=rtpmap:101 telephone-event/8000
      a=fmtp:101 0-15
      a=rtpmap:13 CN/8000
      a=ptime:20
      a=maxptime:60
      a=sendrecv

      As you can see in the SDP message above, the Sonus says that it will only handle a maximum payload size of 60ms. There is also a reference to this in the SBC1k/2k manuals, which state that “If the SBC receives a larger than configured payload size from the peer offer in the re-invite, the SBC rejects with a 488 'Not Acceptable Here' response. The call rolls back to the previous negotiated offer answer.” – Reference: https://support.sonus.net/display/UXDOC60/Creating+and+Modifying+Voice+Codec+Profiles

      The Fix!


      So the fix turns out to be a VVX phone setting. When initiating hold the VVX the phone doesn’t follow the regular payload size settings for the codec being used (which by default for PCMA/U is 20ms). Instead it has a setting called feature.moh.payload which defaults to 80ms. Fortunately for us, this setting can be changed within the configuration file (it’s not available in the web interface!). The setting for Music on Hold are shown below:

      Setting
      Default Value
      Required Value
      feature.moh.enabled
      0
      1
      feature.moh.filename
      NULL
      Set this to the hold music file name. The file will be served off the config server. The default file is “Polycom-hold.wav”
      feature.moh.payload
      80
      20 or 40 or 60
      res.quotas.tone
      600
      600 – 1024

      Note: The default moh file size is 600KB which works fine for the default hold music provided by Polycom. However, if you want to change this to your own file then you can expand the size up to 1024KB.

      Polycom has made the payload setting 80ms by default to reduce the processor usage on the phone when it plays the hold file. So selecting 60ms may be the best option from a processor load perspective (which will work with the Sonus max payload size of 60). This way the hold music will work correctly, without putting too much load on the VVX's CPU.

      Here is an example of how this might look in a config file:

      <feature feature.moh.enabled="1" feature.moh.filename="Polycom-hold.wav" feature.moh.payload="60" />
      <res res.quotas.tone="1000" />


      The Wrap Up 


      Well there you go, another weird integration issue to add to the list… Hopefully it didn’t wreak too much havoc in your deployments before finding this article. Until next time, happy hacking.



      Skype4B / Lync Certificate Checker Tool

      December 1, 2016, 3:09 am
      $
      0
      0
      If you’ve ever installed Skype for Business or Lync before, you will know that the system requires PKI Infrastructure and Certificates to function. The reason for this is that all SIP and Web communications within the Skype for Business environment is secure by design and uses certificates for encrypting data. These communications span between servers, clients, phones, PSTN Gateways, Third Party Video equipment and most other integrations you can think of. So without your certificates being deployed properly, you are going to have a lot of trouble getting your environment up and running.

      Skype for Business/Lync Edge servers communicate with each other over Mutual Transport Layer Security (MTLS). When using MTLS connections the server originating a message and the server receiving it exchange certificates from mutually trusted Certificate Authorities. The public certificates presented in either direction prove the identity of each server by being signed by a trusted certificate authority. The main thing here to note here is that both servers need to have root certificates installed from each other’s trusted root certificate authority in order for TLS connections to negotiate successfully. This is also the case for federated connections to other organisations via the Skype for Business Edge server. These connections all rely on MTLS for the successful communication between the servers.

      Encryption Used in Skype for Business
      Traffic type
      Protected by
      Server-to-server
      MTLS
      Client-to-server
      TLS
      Instant messaging and presence
      TLS
      Audio and video and desktop sharing of media
      SRTP
      (No Certificates Used)
      Desktop sharing (signaling)
      TLS
      Web conferencing
      TLS
      Meeting content download, address book download, distribution group expansion
      HTTPS
      Mobile Clients (UCWA)
      TLS

      In many cases you may not have direct access to the other system you are connecting to in order to check whether the certificate it is using is valid, or has been signed by a trusted root certificate Authority. As a result, you may have issues connecting to the server and need to use complex tools like Wireshark to determine what the certificate being presented by the far end looks like. This can take time and involve installing software on servers, so I wanted to create a simple tool that doesn’t require any installation and can be run straight from a Powershell prompt. After doing some coding, that’s exactly what I created, introducing the Skype for Business Certificate Checker Tool…


      Skype4B / Lync Certificate Checker Tool




      Features:
      • Check the certificate being used by a server using the FQDN/IP and Port number of the server.
      • Check the certificate of a Federation SRV record (_sipfederationtls._tcp.domain.com) simply by entering the SIP domain name and ticking the “FED SRV” checkbox.
      • Check the SIP SRV record (_sip._tls.domain.com) by simply entering the SIP domain name and ticking the “SIP SRV” checkbox.
      • Check the SIP Internal SRV record (_sipinternaltls._tcp.domain.com) by simply entering the SIP domain name and ticking the “SIP INT SRV” checkbox.
      • Select the DNS server you would like to use to resolve DNS from by entering a DNS Server IP address in the “DNS Server” field.
      • “Show Advanced” checkbox will show all of the information in the certificate.
      • The “Show Root Chain” will display the root certificate and all of the intermediate certificates that are applicable in the trust chain for the certificate.
      • The “Test DNSLB Pool” checkbox is on by default and will instruct to the tool to test all of the IP Addresses that are resolved for a DNS Name. In the case of Skype for Business, we nearly always have multiple DNS records per A record for the purposes of DNS load balancing.  Rather than having to look all of the servers yourself, the tool will do this for you. Other servers in pool will be displayed in the Information text box in blue colour and will be tested directly via their IP Address rather than the DNS name.
      • Import multiple DNS name records from a CSV file. This is useful if you want to check a lot of servers in one sitting. See the “Import File Format” section for more details.
      • Save certificate information out to a CSV file. This will save all of the certificate information out in table format that you can open in Excel for record keeping purposes. Note:This export format is different than the one used in conjunction with the “Import” button.
      • Comments section – The comments section will have information in it about things that may be wrong with the certificate to help you troubleshoot your issues.

      Available on TechNet Gallery:

      DOWNLOAD HERE



      Import File Format


      You can import a CSV file containing many domains and servers to test if you choose (for example, this may be useful for checking a large list of federated domains). To do this you will first need to create a CSV file with all of the servers and/or domains that you want to test in it. The format of the CSV for each of the record types will look like:
      ·        
      Header row: Domain,Type,Port
      Example Federation Record:"microsoft.com","FED","",
      Example SIP Record:"microsoft.com","SIP","",
      Example SIP Record: "microsoft.com","SIPINT","",
      Example direct Record:"sip.microsoft.com","DIR","5061",

      Example file:
      Domain,Type,Port
      "microsoft.com","FED","",
      "microsoft.com","SIP","",
      "microsoft.com","SIPINT","",
      "sip.microsoft.com","DIR","5061"


      The Anatomy of a Certificate


      The Certificate Checker Tool can display a few different levels of information about the certificate presented by the server. The default basic view of the certificate will be displayed in the tool as follows:


      ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
      Checking FQDN:  sipfed.microsoft.com:5061
      Checking IP Address: 167.220.67.163:5061

      Certificate Response:

      Subject: CN=sipfed.microsoft.com, OU=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=WA, C=US
      Issuer: CN=Microsoft IT SSL SHA2, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
      Not Before: 30/04/2015 2:26:22 PM
      Not After: 29/04/2017 2:26:22 PM
      Serial Number: 5A0000F5B0C7CABB89E4624D1E00010000F5B0
      Signature Algorithm: sha256RSA
      Thumbprint: 9E1736ACA8C9731798E7FD3496E7D78454A02E80
      Version: 3
      HasPrivateKey: False

      ----------------------------------------------------------------------------------
      Comments:

      - Common Name Match found
      - FQDN is in SAN list.

      ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


      For a Skype for Business or Lync deployment the most important components here are the Subject name, the Not Before and Not After dates. The “Comments” section is provided by the tool to help you troubleshoot issues with the certificate being displayed. This section will automatically check things like the certificate being out of date, the common name/subject alternate names being correct, if there is a Server EKU, and if the certificate has a CLR list included. These comments should help speed up your troubleshooting of certificate issues. Note: the comments will actually be based on all the advanced certificate details, even though the Advanced checkbox is not ticked by default.

      Advanced Settings


      All certificate details are displayed when the “Advanced” check box is ticked. When you tick this check box and run the tool you will see information as shown below:


      ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
      Checking FQDN:  sipfed.microsoft.com:5061
      Checking IP Address: 167.220.67.163:5061

      Certificate Response:

      Subject: CN=sipfed.microsoft.com, OU=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=WA, C=US
      Issuer: CN=Microsoft IT SSL SHA2, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
      Not Before: 30/04/2015 2:26:22 PM
      Not After: 29/04/2017 2:26:22 PM
      Serial Number: 5A0000F5B0C7CABB89E4624D1E00010000F5B0
      Signature Algorithm: sha256RSA
      Thumbprint: 9E1736ACA8C9731798E7FD3496E7D78454A02E80
      Version: 3
      HasPrivateKey: False
      Archived: False

      Extension Type: Certificate Policies
      Oid Value: 2.5.29.32
      Data:
      [1]Certificate Policy:
           Policy Identifier=1.3.6.1.4.1.311.42.1
           [1,1]Policy Qualifier Info:
                Policy Qualifier Id=CPS
                Qualifier:
                     http://www.microsoft.com/pki/mscorp/cps

      Extension Type: Application Policies
      Oid Value: 1.3.6.1.4.1.311.21.10
      Data:
      [1]Application Certificate Policy:
           Policy Identifier=Server Authentication
      [2]Application Certificate Policy:
           Policy Identifier=Client Authentication

      Extension Type: Key Usage
      Oid Value: 2.5.29.15
      Data:
      Digital Signature, Key Encipherment, Data Encipherment (b0)

      Extension Type: Enhanced Key Usage
      Oid Value: 2.5.29.37
      Data:
      Server Authentication (1.3.6.1.5.5.7.3.1)
      Client Authentication (1.3.6.1.5.5.7.3.2)

      Extension Type: Subject Key Identifier
      Oid Value: 2.5.29.14
      Data:
      df 62 d3 a8 ef 49 3d 2f ed 10 aa 6a 30 3a 6f f9 54 1b 33 39

      Extension Type: Authority Key Identifier
      Oid Value: 2.5.29.35
      Data:
      KeyID=51 af 24 26 9c f4 68 22 57 80 26 2b 3b 46 62 15 7b 1e cc a5

      Extension Type: CRL Distribution Points
      Oid Value: 2.5.29.31
      Data:
      [1]CRL Distribution Point
           Distribution Point Name:
                Full Name:
                     URL=http://mscrl.microsoft.com/pki/mscorp/crl/msitwww2.crl
                     URL=http://crl.microsoft.com/pki/mscorp/crl/msitwww2.crl

      Extension Type: Authority Information Access
      Oid Value: 1.3.6.1.5.5.7.1.1
      Data:
      [1]Authority Info Access
           Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
           Alternative Name:
                URL=http://www.microsoft.com/pki/mscorp/msitwww2.crt
      [2]Authority Info Access
           Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
           Alternative Name:
                URL=http://ocsp.msocsp.com

      Extension Type: Subject Alternative Name
      Oid Value: 2.5.29.17
      Data:
      DNS Name=sipfed.microsoft.com
      DNS Name=sipalt.microsoft.com
      DNS Name=sip.microsoft.com
      DNS Name=ra30.sbweb.microsoft.com
      DNS Name=web3.sbweb.microsoft.com
      DNS Name=web30.sbweb.microsoft.com
      DNS Name=web31.sbweb.microsoft.com


      ----------------------------------------------------------------------------------
      Comments:

      - Common Name Match found
      - FQDN is in SAN list.

      ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


      You will have a full view of all attributes contained within the certificate. Using this information you should be able to troubleshoot most certificate related issues. However, there is one more important piece of information that you might need and that is the certificate chain…

      The Certificate Chain


      The certificate chain is the hierarchy of Certificate Authority servers from the CA server that issued the certificate through the Intermediate Certificate Authorities to the Root Certificate Authority server. The tool will display the certificate chain as follows:


      Certificate Chain:

      Certificate Chain Item 1
      Chain Subject Name: CN=sipfed.microsoft.com, OU=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=WA, C=US
      Chain Issuer name: CN=Microsoft IT SSL SHA2, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
      Chain Not Before: 11/12/2015 05:36:48
      Chain Not After: 11/11/2017 05:36:48
      Chain Serial Number: 5A000233C22F738FDBCE9CF8B50001000233C2
      Chain Signature Algorithm: sha256RSA
      Chain Thumbprint: A710B806065C2187E387635A9F8D7863A63D702A
      Chain Version: 3
      Chain is valid: True

      Certificate Chain Item 2
      Chain Subject Name: CN=Microsoft IT SSL SHA2, OU=Microsoft IT, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
      Chain Issuer name: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
      Chain Not Before: 05/08/2014 03:04:09
      Chain Not After: 05/08/2018 03:03:30
      Chain Serial Number: 0727AA47
      Chain Signature Algorithm: sha256RSA
      Chain Thumbprint: 97EFF3028677894BDD4F9AC53F789BEE5DF4AD86
      Chain Version: 3
      Chain is valid: True

      Certificate Chain Item 3
      Chain Subject Name: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
      Chain Issuer name: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
      Chain Not Before: 05/13/2000 04:46:00
      Chain Not After: 05/13/2025 09:59:00
      Chain Serial Number: 020000B9
      Chain Signature Algorithm: sha1RSA
      Chain Thumbprint: D4DE20D05E66FC53FE1A50882C78DB2852CAE474
      Chain Version: 3
      Chain is valid: True

      ----------------------------------------------------------------------------------
      Root Certificates:

      - Get Root Certs here: http://cybertrust.omniroot.com/support/sureserver/rootcert_iis.cfm
      - Download Root Cert: http://cacert.omniroot.com/bc2025.crt

      ----------------------------------------------------------------------------------


      The tool will show you the Subject Name, Issuer Name (which will be the next server in the list/chain), Element Signature Algorithm (can be important, see below), and whether or not the chain is valid.

      In addition to displaying the certificate chain the tool will also, where possible, provide a link to a copy of the root certificate for the root CA being used. The tool knows about the major certificate authorities supported by Microsoft for use with Skype for Business and in most cases will give you a direct link to the root certificate for download.

      Root Certificates


      One very important thing when configuring external federation with partners or public providers is that MTLS is used for these connections. This means that both ends of the connection need to trust the other’s root certificates. You need to ensure that your edge servers have the root certificates of your partners installed. Fortunately, the Cert Checker Tool has you covered here by showing you where you can download the root certificates for common public certificate authorities. This will appear like shown below:

      - Get Root Certs here: http://cybertrust.omniroot.com/support/sureserver/rootcert_iis.cfm
      - Download Root Cert: http://cacert.omniroot.com/bc2025.crt

      Before you configure a new partner for federation, you can you use the tool to check what certificate authority they are using for their certificates and as a result which root certificates you need installed on your edge servers.

      There is also neat trick you can do to automagically install root certificates on a Windows server or PC (post Windows Vista). Note there is a caveat with this process whereby the third party server must be using a Root Certificate Authority that is trusted by Microsoft as part of their Trusted Root Certificate Program (Microsoft supported root CAs can be confirmed on this list). If this is the case then you just need to browse to a web server that is signed by the root certificate authority of choice and Windows will automatically install the root certificate for you! These root certificates are pushed to Window through Windows Update and will be installed only when you try to connect to a website requiring a particular certificate. So connecting to a federated partner's "dialin.domain.com" web page from all of your Edge servers may be enough to download the root certificates for MTLS trust purposes. There is a lot of documentation about this process on TechNet if you would like to know more. A few Skype for Business community have also written about this phenomenon - Chris and Pat.

      The Wrap Up


      I hope that this new tool finds you well, and I hope that you have many long years of troubleshooting together. Remember, whilst the flame may flicker from time to time, you must stay strong and think fondly of those times in the early days when you hired the car, threw the work laptop in the boot, and drove to the cabin in the woods; not even one bar of 3G internet access could stop you from fixing that server certificate problem. It’s the memory of those times that will keep you on the straight and narrow when that younger and fancier tool with the sexy universal windows app GUI comes along. Your Powershell Certificate Checker will always be faithful, remember that… now get testing!



      Skype for Business Rate My Call Viewer Tool

      January 17, 2017, 2:14 am
      $
      0
      0
      Rate My Call is a feature in Skype for Business that provides enterprises a way of acquiring feedback from their end-users via a special dialog window that pops up after a specified number of calls. The Rate My Call dialog window offers a combination of star rating system, predefined feedback checkboxes for audio and video calls, as well as the option for custom text based feedback. This gives the administrator a method for adding real user feedback to the existing Quality of Experience statistics that have been available since Lync was first introduced.



      Rate My Call Prerequisites


      In order to use the Rate My Call feature you will need the following pre-requisites:
      • You must have Skype for Business Server installed;
      • Users need to have a client version 15.0.4711.1002 or later and using the Skype for Business UI;
      • The RateMyCallDisplayPercentage in Client Policy must be set to a value larger than 0;
      • Users must be homed on a Skype for Business Server front end pool; and
      • The Skype for Business environment must have a monitoring database deployed.

      Rate My Call Settings


      The Rate My Call feature has two settings within Client Policy: Display Percentage and Allow Custom User Feedback. The Display Percentage is the percentage of calls that the user will be asked to provide feedback on. The percentage number is very important because if you set this value too high it can result in user survey fatigue whereby users stop providing relevant feedback due to being asked too often. The Allow Custom feedback setting is used to give users the ability to offer specific text based feedback in addition to their star rating and standard checkbox responses. The custom feedback can be great for drilling deeper into what the actual issue may be that the user is experiencing, rather than trying to interpret checkboxes responses that may not exactly match the user's experience.

      There is no action required to enable the base feature, however custom feedback will need to be enabled separately if it is desired. The Rate My Call feature is automatically enabled in the Client Policy with the following defaults:
      • Rate My Call Display Percentage – 10%
      • Rate My Call Allow Custom User Feedback – disabled
      If you have deployed Skype for Business and not changed the defaults, you may already have some data saved within the Monitoring database that you can start analysing.

      The following Windows PowerShell cmdlet is an example of enabling custom end user feedback and changing the interval from 10% to 80%.

      Configuring Rate My Call:
      Set-CSClientPolicy -Identity <PolicyIdentity> -RateMyCallDisplayPercentage 80 - RateMyCallAllowCustomUserFeedback $true

      The feature can be completely turned off by setting the RateMyCallDisplayPercentage to 0%.


      Accessing Rate My Call Data


      When the Rate My Call feature was introduced in Skype for Business Server, there was no interface added to the in the Skype for Business Monitoring Reports interface (which is still true to this day). There was, however, access added in the Call Quality Dashboard product which often doesn’t get deployed due to the overhead of additional SQL server(s) infrustructure. Technet does offer a couple of SQL query examples for getting the basic data out of the system. However, this is not particularly user friendly, so I thought I might make a simple Powershell tool for pulling out data and visualizing it so you can start compiling the user feedback that you may already have stored in your Monitoring database.


      Rate My Call Viewer Tool




      Features:
      • Select your required start and end date, rating filter (above or below the selected rating), SIP URI filter, Reason filter, and Voice and/or Video to be listed up. Note: the filters use regex, so for example you could use it to filter for multiple reasons using the OR Operator like this “echo|backgroundnoise”.
      • Export all events into CSV format.
      • Create graphs (Stars Bar Graph, Stars Pie Graph, Reason Pie Graph, Reason Bar Graph, Type Pie Graph, Stars Stacked Bar Graph, Trend Over Time Line) of your Call Rating data.

      Version 1.01 Update:
      • Added the ability to select individual monitoring servers from a drop down box. This was added for large environments that have multiple monitoring databases and only want to retrieve statistics from one at a time. By default, all monitoring database will be queried.
      • Added a check for the database version. The tool only works on Skype for Business databases so the check makes sure the database is at least Version 7 (ie. Skype for Business level).
      Version 1.02 Update (20/04/2017)
      • Added date/time localisation checkbox. By default the monitoring server records time is in GMT. This update adds a checkbox to localise all the date/time values to be in the timezone of the server you are running it on (instead of GMT). This changes the date pickers as well as the date displayed in the list and graphs.
      • Added the ability to zoom in on the Trend Over Time chart. You do this by clicking and dragging the mouse on the area of the graph you want to zoom to, scroll bars will appear so you can scroll the zoomed in view.
      Version 1.03 Update (22/04/2017)
      • Fixed an issue with the SQL query used for Video / Audio. The query now gets all records.
      • Fixed issue with data grid view scroll bar refresh.
      • Fixed a sorting issue with the Stacked Bar and Trend Over Time Graphs that would cause an issue with the output.
      • More accurate graphs! When both video and voice are selected the rating data gets listed twice for each call because video calls contain both voice and video ratings. So in previous versions the star ratings were counted as separate calls which artificially inflated the star rating value given. In this version the double counting of this data has been removed from star rating graphs, with the voice and video star rating given by each user being combined. 
      Version 1.04 (15/5/2017) – C2R Update
      • Now Supports Skype for Business C2R 2016 client Rate My Call issue items. The C2R 2016 client has an entirely new set of rate my call feedback, so the tool has been updated to include these.
      • Re-worked the graphs again to handle new data
      • Voice and Video calls don't get listed twice in this version (as it did in the previous version), graph processing was updated from previous version to handle this.
      • Get Records processing speed was increased by limiting records by date range in SQL query.
      1.05 Update (16/3/2018)
      • Total Rows Counter added at the bottom
      • "Top 10 One Star Users" graph added. This can be used so you can follow up with these users about their bad experiences.
      • "Top 10 Zero Star Users (Lync 2013 Client)" graph added. This can be used to follow up on Lync 2013 client users that are not responding the Rate My Call dialog.


      The C2R release of Skype for Business 2016 client brought a new look to the UI and in the process also introduced new Rate My Call dialog with all new Issues selections. Whilst the Skype for Business on premises server doesn’t have definitions in the database for these values it does save the new TokenIDs when users rate calls. Which means I was able to add these new values to the Rate My Call Viewer Tool.

      Old and New Rate My Call dialogs

      I have had to abbreviate these sentences into values that can be easily displayed in the tool. I believe the abbreviated names are fairly self-explanatory, however, here’s a list of the names I’ve used:

      Type
      Issue Sentence
      Abbreviated Name
      Relation to old values
      Audio
      I could no hear any sound
      NoSpeechNearSide
      New
      Audio
      The other side could not hear any sound
      NoSpeechFarSide
      New
      Audio
      I heard echo in the call
      Echo
      Existed in original
      Audio
      I heard noise on the call
      IHeardNoise
      New
      Audio
      Volume was low
      VolumeLow
      New
      Audio
      Call ended unexpectedly
      VoiceCallCutOff
      New
      Audio
      Speech was not natural or sounded distorted
      DistortedSpeech
      New
      Audio
      We kept interrupting each other
      TalkingOverEachOther
      New
      Video
      I could not see any video
      NoVideoNearSide
      New
      Video
      The other side could not see my video
      NoVideoFarSide
      New
      Video
      Image quality was poor
      PoorQualityVideo
      New
      Video
      Video Kept Freezing
      FrozenVideo
      Existed in original
      Video
      Video stopped unexpectedly
      VideoCallCutOff
      New
      Video
      The other side was too dark
      DarkVideo
      Existed in original
      Video
      Video was ahead or behind audio
      VideoAudioOutOfSync
      New



      Prerequisites:
      •  This tool should be run on a machine that has the Skype for Business powershell module installed. This is required because the "Get-CSService" command is used to discover the location of the Montoring Database.
      • The user running the tool needs to have sufficient rights to run select queries on the "QoEMetrics" database and SELECT access on the following tables: Session, AudioStream, CallQualityFeedback, CallQualityFeedbackToken, CallQualityFeedbackTokenDef, User, MediaLine

      Download from Technet Gallery:

      DOWNLOAD



      Built-in Graphs


      The Stars Bar Graph is the simpliest way to quickly see the how the users are rating calls on the system. In general you can ignore 0 star ratings because they these will be non-rated calls.



      The Reason Bar Graph allows you to easily see trends in the number of each type of issue reported by users. This can be useful for picking out specific types of problems in your network.


        
      The Reason Pie graph give you a quick view of which types of issues are most prevalent within your environment.


        
      The Starts Pie Graph give you an idea of the how pleased your users are overall with the quality of calls within the environment.



      The Stars Stacked Bar Graph allows you to differentiate between the ratings of Video and Voice calls separately from each other. This will allow you to understand if the either of the modality types is having more issues than the other. This will allow you to make choices about what to focus your future troubleshooting on.



      The Type Pie Chart gives you an extremely simple depiction whether users are having more issues with Voice or Video calls within the environment.



      The Trend Over Time Line is useful for tracking over time how the call quality has been changing within the environment. Note: if you are graphing over a long period of time it can be useful to maximize the graph window to see more details in the graph.


      The “Top 10 One Star Responders” graph will show you the users that have responded with 1 star the most often. This can be useful to help you find users that are having issues with the system so you can contact them directly to follow up one-to-one to address their problems.



      The “Top 10 Zero Star Users (Lync 2013 Client)” shows the top 10 users that have not being responding to the Rate My Call dialog box. Some organisations set their feedback dialog percentage in the system to be 100% in order to get feedback from users during trials, etc. So this can be useful to find users that aren’t responding with feedback. Note, this only applies to the Lync 2013 client using the Skype for Business UI. The Skype for Business 2016 client does not log 0 stars anymore when user don't respond. In fact, when using the 2016 client the user must select a star value between 1-5 in order to log any feedback in the database.



      The Wrap Up


      Well there it is! Now listening to your users is as simple by turning on the Rate My Call feature (which by default is already on!) and using this tool to extract and graph your data. In addition to the standard QoE statistics that the system offers, the Call Rating System built into Skype for Business can be an invaluable tool to understand your network quality. Enjoy!



      AudioCodes Mediant Virtual SBC Transcoding Requirements

      February 27, 2017, 1:27 am
      $
      0
      0
      This blog post covers an interesting issue that I ran into the other day with AudioCodes Mediant Virtual Edition and getting transcoding capabilities working on VMWare. The AudioCodes Virtual Edition SBCs are very capable and are great for SIP Trunk deployments and routing calls between various SIP platforms. They can support a large number of non-transcoded calls as well as supporting transcoding for audio and DTMF streams. In a hardware SBC, transcoding is usually done with a DSP chip that is used to convert one codec to another codec. However, in a Virtual SBC this is done using the CPU cores provided to the virtual machine.

      The requirement for transcoding in a deployment can come up when connecting to carriers with mandatory codec requirements like G.729 (a low bandwidth codec) that are not supported by Skype for Business. In these cases, if the carrier decides to send a call inbound with only G.729 (or some other unsupported codec) as the only media type available in the INVITE SDP, rather than reject the call, we can have the SBC transcode between the two different codecs.

      So what is required for transcoding to work on the AudioCodes Virtual Edition SBC? Just CPU cores right? Well, not exactly… Continue on, intrepid reader…



      CPU Specifications


      The AudioCodes manuals are quite clear with their requirements for how many CPU Cores are required to support different numbers of sessions and transcoding capabilities. These range from low spec VMs with only 2 cores up to 8 cores (as of version 7.2). For details of the number of CPU Cores required for each scenario, I suggest you check out the latest Mediant Virtual Edition User Guide (the Channel Capacity section).

      In addition to the number of CPU Cores required, the 7.0 and 7.2 manuals for the AudioCodes Virtual Edition both state the following about CPU requirements:

      Specifications Resource
      Specifications
      Processor type
      64-bit Intel® CPU of at least 2.5 GHz, with support for hardware virtualization (Intel VT-x) enabled with Advanced Vector Extensions (AVX) and AES-NI support (Sandy-Bridge architecture or newer)

      Whilst usually the exact specifications of a CPU that an application vendor lists can be taken as a generic baseline for the systems that they may have done capacity testing on, in this case the CPU capabilities absolutely matter! It seems that when the Virtual Edition was designed, the code used for transcoding was specifically targeted for CPUs that support the AVX feature set introduced in Sandy Bridge CPUs. When the Virtual SBC boots, it checks the CPU capacities and if it is not at least Sandy Bridge level (with AVX support) then the SBC transcoding capabilities will not be available!
      This limitation has some additional flow-on effects depending on the hypervisor on which it is being deployed. See the following section for more details of these limitations.

      VMWare and CPU Capabilities


      In addition to the raw CPU capabilities in the host machines (ie. Sandy Bridge generation of processors with AVX support), a VMWare environment using vMotion also can be configured with a specific level of processor support across all hosts in a vMotion cluster. This is a feature within VMWare that is called Enhanced vMotion Compatibility (EVC) and controls the level of CPU capabilities being emulated at the VM level across multiple machines. This ensures that the same CPU capabilities are presented for all machines in a cluster, and protects against having differing CPU capabilites when VMs are migrated between hosts. This can mean that even if the host machine has a Sandy Bridge CPU, this capability set may not be passing through to the VM on which the SBC is running.

      The VMWare vMotion EVC level will be used when the host machines in a cluster have different levels of CPU capabilities. The lowest CPU capability will be the one that is emulated for all machines in the cluster. So, whilst many of the hosts may have Sandy Bridge or above CPUs, there may be lower capability machines included in the cluster that force the EVC baseline in VMWare to be configured to a lower CPU feature set. This setting can directly affect the Virtual Edition SBC's ability to support transcoding, because even if the host has Sandy Bridge capabilities the VMWare environment might be masking these capabilities and presenting a lower CPU level than is actually in the host.

      Below is a table that describes the various EVC levels that can be configured within VMWare:

      VMWare Description of Intel EVC Baselines:
      EVC Level
      EVC Baseline
      Description
      L0
      Intel® "Merom" Gen. (Intel® Xeon® Core™ 2)
      Applies baseline feature set of Intel® "Merom" Generation (Intel® Xeon® Core™ 2) processors to all hosts in the cluster.
      L1
      Intel® "Penryn" Gen. (formerly Intel® Xeon® 45nm Core™ 2)
      Applies baseline feature set of Intel® "Penryn" Generation (Intel® Xeon® 45nm Core™ 2) processors to all hosts in the cluster.
      Compared to the Intel® "Merom" Generation EVC mode, this EVC mode exposes additional CPU features including SSE4.1.
      L2
      Intel® "Nehalem" Gen. (formerly Intel® Xeon® Core™ i7)
      Applies baseline feature set of Intel® "Nehalem" Generation (Intel® Xeon® Core™ i7) processors to all hosts in the cluster.
      Compared to the Intel® "Penryn" Generation EVC mode, this EVC mode exposes additional CPU features including SSE4.2 and POPCOUNT.
      L3
      Intel® "Westmere" Gen. (formerly Intel® Xeon® 32nm Core™ i7)
      Applies baseline feature set of Intel® "Westmere" Generation (Intel® Xeon® 32nm Core™ i7) processors to all hosts in the cluster. Compared to the Intel® "Nehalem" Generation mode, this EVC mode exposes additional CPU features including AES and PCLMULQDQ.
      L4
      Intel® "Sandy Bridge" Generation
      Applies baseline feature set of Intel® "Sandy Bridge" Generation processors to all hosts in the cluster. Compared to the Intel® "Westmere" Generation mode, this EVC mode exposes additional CPU features including AVX and XSAVE.
      L5
      Intel® "Ivy Bridge" Generation
      Applies baseline feature set of Intel® "Ivy Bridge" Generation processors to all hosts in the cluster. Compared to the Intel® "Sandy Bridge" Generation EVC mode, this EVC mode exposes additional CPU features including RDRAND, ENFSTRG, FSGSBASE, SMEP, and F16C.
      L6
      Intel® "Haswell" Generation
      Applies baseline feature set of Intel® "Haswell" Generation processors to all hosts in the cluster. Compared to the Intel® "Ivy Bridge" Generation EVC mode, this EVC mode exposes additional CPU features including ABMX2, MOVBE, FMA, PERMD, RORX/MULX, INVPCID, VMFUNC. 


      In order for AVX to be supported in a large VMWare environment, the Processor Support needs to be configured at a minimum of L4 Sandy Bridge level. If EVC mode is not being used the EVC mode may display as "N/A" or "disabled", both of these modes will allow for the raw processor capabilities to be passed through to the SBC, which will also allow for transcoding to work if the CPU is Sandy Bridge or above.

      VMWare reference: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1003212


      The host EVC level can be viewed in the host summary page within vSphere. In the example below the current EVC level is set to Merom Generation or L0 level which would not support transcoding:



      Hyper-V Processor Compatibility Mode


      I haven’t actually tested this on Hyper-V because transcoding on Hyper-V has only been supported as of 7.2 software. However, Hyper-V also has a CPU Compatibility mode feature which allows for various features that involve moving VMs between machines (eg. Live Migration, Quick Migration and Save/Restore features). This feature is similar to VMWare EVC mode, however, the implementation is slightly different than VMWare. When the Processor Compatibility mode is enabled in Hyper-V the CPU (for Intel and AMD CPUs) feature set gets “normalised” by removing extended feature sets of the each CPU type to lower the capabilities to a baseline.

      For the Microsoft documentation, when a VM in processor compatibility mode is started, the following processor features are hidden from the VM:

      Host running Intel based processor
      SSSE3, SSE4.1, SSE4.2, POPCNT, Misaligned SSE, XSAVE, AVX


      You will note that AVX is one of the hidden features, which is one of the features required for the AudioCodes Virtual Edition SBC to work! Uh-oh…

      When this feature was released, the following Q&A was documented about this functionality:

      From the Hyper-V Compatibility Mode Q and A:

      Q: Can I individually select which features should be hidden from VM when put in processor compatibility mode?
      A:  No, once you put VM in a processor compatibility mode, Hyper-V will hide the necessary set of features from the VM to ensure a successful migration between Hyper-V enabled processors. 

      Q: What happens if a vendor has written an application that uses one of these features that isn’t visible with processor compatibility enabled?
      A: Since the feature isn’t exposed to the virtual machine, the application won’t “see it” and it’s up to the application to determine how to proceed; however, there are two likely paths.

      So presumably the CPU compatibility feature within Hyper-V is going to cause the AudioCodes Virtual Edition SBC to not be able to see the AVX capabilities of the CPU. As a result, transcoding will likely not work on Hyper-V if processor compatibility mode is enabled.


      Hyper-V Processor Compatibility References:
      http://download.microsoft.com/download/F/2/1/F2146213-4AC0-4C50-B69A-12428FF0B077/VM%20processor%20compatibility%20mode.doc

      https://blogs.technet.microsoft.com/virtualization/2009/05/13/tech-ed-windows-server-2008-r2-hyper-v-news/


      Checking CPU Capabilities after Installation


      If the Virtual Edition SBC has been installed within a virtual environment, you can tell if the hardware will support transcoding by checking the following CLI commands:

      Working Transcoding example:
      Mediant VE SBC> show system hardware
        CPU: Intel(R) Xeon(R) CPU E5-2650 0 @ 2.00GHz, total 4 cores avx support(avx)
        Memory: total RAM: 4096 MB
        Chassis: VMware Virtual Platform
        Network:
                VMware VMXNET3 Ethernet Controller (rev 01)
                VMware VMXNET3 Ethernet Controller (rev 01)
        Virtual env: vmware
      Mediant VE SBC>

      In the example above you can see that the CPU has “avx support (avx)”. Transcoding will work on this server.

      Non-supported hardware example:
      Mediant VE SBC# show system hardware
        CPU: Intel(R) Xeon(R) CPU           X5650  @ 2.67GHz, total 4 cores avx support(none)
        Memory: total RAM: 8192 MB
        Chassis: VMware Virtual Platform
        Network:
                VMware VMXNET3 Ethernet Controller (rev 01)
                VMware VMXNET3 Ethernet Controller (rev 01)
                VMware VMXNET3 Ethernet Controller (rev 01)
        Virtual env: vmware
      Mediant VE SBC#

      In the example above you can see that the CPU has “avx support (none)”. Transcoding will not work on this server.


      Web Interface Check


      The only way to tell from the web interface whether or not the current server hardware will support transcoding is to download the configuration file and check the following:

      Transcoding Working Example:
      ;Board: Mediant VE SBC
      ;HW Board Type: 73  FK Board Type: 79
      ;Product Key:
      ;Slot Number: 1
      ;Software Version: 7.00A.095.004
      ;DSP Software Version: SOFTDSP => 700.53
      ;Board IP Address: 10.20.1.168
      ;Board Subnet Mask: 255.255.255.0
      ;Board Default Gateway: 10.20.1.1
      ;Ram size: 3831M   Flash size: 0M
      ;Num of DSP Cores: 3  Num DSP Channels: 100
      ;Profile: NONE
      ;Client defaults file is being used (file length=352)

      In this working example the configuration file displays that it has discovered 3 DSP Cores and has 100 DSP channels available for transcoding.


      Transcoding Not Working Example:

      In this example, the configuration file displays that it has discovered 0 DSP Cores and has 0 DSP channels available for transcoding. In this case the SBC has detected that the CPU does not have AVX support and as a result will not support transcoding.

      ;Board: Mediant VE SBC
      ;HW Board Type: 73  FK Board Type: 79
      ;Product Key:
      ;Slot Number: 1
      ;Software Version: 7.00A.095.004
      ;DSP Software Version: SOFTDSP => 700.53
      ;Board IP Address: 10.20.1.165
      ;Board Subnet Mask: 255.255.255.0
      ;Board Default Gateway: 10.20.1.1
      ;Ram size: 7871M   Flash size: 0M
      ;Num of DSP Cores: 0  Num DSP Channels: 0
      ;Profile: NONE
      ;Client defaults file is being used (file length=352)


      Example of Transcoding Failure Errors


      When the transcoding resources are not available due to a lack of CPU support for AVX, you will see errors complaining about a lack of resources in the log at the time of the SBC trying to apply extension coders or setting up the call:
      22:41:25.812  147.76.26.84    local0.notice  [S=4742] [SID=a64ab9:33:279]  (      lgr_flow)(      4645)  #MediaResourcesConnector::AllocateMediaResources
      22:41:25.812  147.76.26.84    local0.notice  [S=4743] [SID=a64ab9:33:279]  ( media_connect)(      4646)  ConnectionData::CalculateResourcesForExtTranscoding Leading:DSP Opposite:CODERTRANSCODING MediationLevel:RTP
      22:41:25.812  147.76.26.84    local0.notice  [S=4744] [SID=a64ab9:33:279]  ( media_service)(      4647)  ServicesMngr: Allocate Coder Transcoding session. current active: 0 and max is: 250
      22:41:25.812  147.76.26.84    local0.notice  [S=4745] [SID=a64ab9:33:279]  ( media_service)(      4648)  ServicesMngr: Allocate Media channel. current active: 0 and max is: 0
      22:41:25.812  147.76.26.84    local0.warn    [S=4746] [SID=a64ab9:33:279]  ( media_service)(      4649) !! [ERROR] ServicesMngr: Cannot allocate more Media channel. current active: 0 and max is: 0
      22:41:25.812  147.76.26.84    local0.warn    [S=4747] [SID=a64ab9:33:279]  (      lgr_flow)(      4650) !! [ERROR] (#2198)RTPStreamResource::AllocateResource Allocate Resource - cannot allocate DSP. probably lack of resources
      22:41:25.812  147.76.26.84    local0.notice  [S=4748] [SID=a64ab9:33:279]  ( media_service)(      4651)  ServicesMngr: Deallocate Coder Transcoding session. current active: 1 and max is: 250
      22:41:25.812  147.76.26.84    local0.notice  [S=4749] [SID=a64ab9:33:279]  ( media_service)(      4652)  ServicesMngr: Allocate Coder Transcoding session. current active: 0 and max is: 250
      22:41:25.812  147.76.26.84    local0.notice  [S=4750] [SID=a64ab9:33:279]  ( media_service)(      4653)  ServicesMngr: Allocate Media channel. current active: 0 and max is: 0



      Licensing


      In addition to the CPU requirements, you will also need licensing for transcoding to work. The CODER-TRANSCODING, DspCh  and IPMediaDspCh licences must be available in the licence installed on the SBC. The CODER-TRANSCODING, DspCh and IPMediaDspCh licences will appear in the licence list as shown below:

      Key features:
      Board Type: Mediant VE SBC
      IP Media: VXML
      Coders: G723 G729 G728 NETCODER GSM-FR GSM-EFR AMR EVRC-QCELP G727 ILBC EVRC-B AMR-WB G722 EG711 MS_RTA_NB MS_RTA_WB SILK_NB SILK_WB SPEEX_NB SPEEX_WB OPUS_NB OPUS_WB
      Channel Type: DspCh=100 IPMediaDspCh=100
      HA
      Security: IPSEC MediaEncryption StrongEncryption EncryptControlProtocol
      DSP Voice features:
      DATA features:
      Control Protocols: MGCP SIP SBC=10 MSFT FEU=50 CODER-TRANSCODING=50
      Default features:
      Coders: G711 G726

      If you do not have the CODER-TRANSCODING, DspCh and IPMediaDspCh licences then the SBC will still run, however transcoding functionality will not be available (config will show "Num of DSP Cores: 0  Num DSP Channels: 0" as explained earlier).



      The Wrap Up


      So before jumping in to the Virtual Edition SBC world with your customers, be sure to understand the server and Hypervisor environment that you are deploying the SBC into. Some useful questions to ask up front are:
      • What hypervisor will the SBC be installed on?
      • Have you purchased CODER-TRANSCODING licences for the SBC?
      • Is the hypervisor server host CPU at least Sandy Bridge level and does it support AVX?
      • If vMotion is being used within VMWare: What is the VMWare vMotion EVC baseline of the host that the SBC is deployed on?
      • If Hyper-V is being used, is Processor Capability mode disabled?
      • Have you ensured that the hypervisor is going to have enough dedicated CPU Cores available for the SBC? Also, note that the CPU resource must be reserved for the SBC and not shared.

      Armed with this information, you will be able to make an informed assessment on whether or not transcoding is going to be supported on the Virtual Edition SBC! Hope this was helpful. Cheers!



      Network Assessor for Skype for Business Online and Microsoft Teams

      August 21, 2017, 6:41 am
      $
      0
      0
      Skype for Business Online and Skype Teams are both real time communications tools that rely heavily on the networking infrastructure that they run on top of. This has always been, and will remain, a challenge in cloud deployments for the foreseeable future. In order to prepare for deploying Skype for Business Online or Microsoft Teams, you need to first ensure that your networking infrastructure will be able to handle the real-time traffic that these applications produce.

      To help with this, Microsoft released a tool call the Skype for Business Network Assessment Tool. This tool runs via the command line and uses the same media stack that is used by the Skype for Business client to test Packet Loss, Jitter, Round Trip Latency and Reorder Packet Percentage on connections from your network into Microsoft’s Office 365. The audio stream created by the tool gets sent to Office 365 and then mirrored back from the closest Edge server location to your current physical location. Based on the return stream the tool is able to give accurate statistics on Packet Loss, Jitter, Round Trip Latency and Reorder Packet Percentage. This will give you an idea of the how congested the current network environment is and how well you might expect Skype for Business or Skype Teams conferences to function in your environment.

      The Microsoft Network Assessment Tool is useful because it allows you to test a network before an Office 365 tenant has even been deployed and it’s also free! What the tool does lack though is the ability to easily monitor the network over a period of time and produce nicely formatted output that you can show to a manager or customer. So, I thought I would take some time and try to rectify these limitations and build a new front end for the tool…

      Network Assessor


      Introducing Network Assessor for Skype for Business and Microsoft Teams:



      Version 1.00 Features
      • Graphs Packet Loss, Average Jitter, Latency and Reorder Ratio.
      • Zoom graphs in / out / forwards / backwards to view the data clearly.
      • Start / Stop and Pause the network tests at the click of a button.
      • Keep an eye on the status of testing using the tray icon colour by setting breach percentage thresholds. This will easily let you know that things are within your desired operating levels without having to open the interface. There are two levels of threshold breaches; one that changes the icon to orange in colour and the other that changes the icon to red in colour. These percentages are calculated on a per graph basis and if any graph breaches the percentage the colour will change.
      • Graphs will automatically highlight in red points in each of the graphs which are outside of Microsoft’s recommended bounds of operation. There are two levels for these thresholds: Client thresholds and Edge Thresholds. For more details see the Usage section below.
      • The status bar will display PASS/FAIL results for each graph. This calculation follows Microsoft's "ResultsAnalyzer.exe" PASS/FAIL calculation which is based on any graph having more than 10% of test attempts resulting in (Client or Edge) threshold breaches will equal a FAIL result.
      • You can select the frequency at which the tool will run tests. This ranges between 1 and 120 minutes (ie. Run a 17 second long test every 1 minute or up to every 2 hours).
      • Allows for graphs to be saved as PNG images for use in documentation/reports.
      • All the graphs can be shown at once or individual graphs can be selected using the “Window” menu item. Graphs are saved at the resolution that they are displayed, so opening individual graphs and then saving them can offer higher resolutions.
      • Every session that is created by the tool gets recorded in a CSV file for future reference. Sessions will “roll” to a new file based on the “Roll Time (hours)” setting in the Settings dialog. Logs can be rolled between 1 and 12 hours.
      • CSV files can be imported back in to the tool by using the File > Import CSV File menu or dragging and dropping the file onto the interface directly from Windows Explorer.
      • Supports automatic download (note: Internet connection is required for this to work) and installation of the Microsoft Network Assessment Tool and VC++ Redistributable pre-requisite by using the Help > Install Microsoft Tool menu item.
      Version 1.10 Features
      • Works with Microsoft tool version 1.1.0.0 released on 5/3/2018
      • Support Connectivity Check. Select "File > Connectivity Check"
      • Supports new Microsoft tool installation procedure
      • The Microsoft Tool in its latest incarnation doesn’t handle all exceptions that it throws. These seem to be mostly around when it does the initial lookup REST call where it gets a JSON list of the servers to connect to for testing. If DNS fails or there is no network interface available on the machine the Microsoft tool throws an unhandled exception. If this happens the Network Assessor GUI will report an error and stop running tests. 
      • Be careful when trying to manually install the new 5/3/2018 version of the Microsoft Command Line tool because it does not install properly over the top of previous version (i.e. it doesn't install over it and still says that installation was successful).


      Note: This tool is not intended for load/stress testing!

      Download Here!


      Prerequisites


      Tested with version 1.1.0.0 released on 5/3/2018 of the Microsoft Skype for Business Network Assessment Tool (LINK: https://www.microsoft.com/en-us/download/details.aspx?id=53885).

      Network Assessor requires the following:
      • At least .NET 4.5 must be installed on the PC to run the tool. (Windows 8 / Windows Server 2012 and above will support this by default. If you are using earlier operating systems the installer will download .net for you)
      • Do not run the tool on a machine with multiple interfaces. Microsoft’s Network Assessment Tool may fail due to sending traffic out the wrong interface.
      • When run on Windows Server, Microsoft’s command line tool needs “Media Foundation” (for Windows 2012, 2012 R2) or “Desktop Experience” (Windows 2008 R2) installed when running on Windows Server. These can be installed via the Server Manager interface or through Powershell:

      Windows Server 2008 R2 (Desktop Experience install):
      Import-Module ServerManager
      Add-WindowsFeature Desktop-Experience

      Windows Server 2012 or 2012 R2 (Media Foundation install):
      Add-WindowsFeature Server-Media-Foundation
      Note: This is not documented in Microsoft’s documentation but is required.

      Microsoft’s command line tool and pre-reqs can be can automatically downloaded and installed using the Help > Install Microsoft Tool…menu directly in the Network Assessor interface. For manual offline installation of Microsoft’s Tool, install the following:
      • Microsoft’s command line tool
      • You must uninstall any old version of the tool before installing a newer version. The installer does not warn about this and fails to install over the top of existing versions.
      Note: Microsoft’s tool should be left with all of the default settings in its config file.


      Firewall Requirements:

      The tool needs to be able to send traffic to Office 365 in order to work. The following ports are required to be allowed on firewalls between the Network Assessor tool and Office 365:
      • TCP Source Ports: 50000 - 50019
      • TCP Destination Port: 443
      • UDP Source Ports: 50000 - 50019
      • UDP Destination Port: 3478

      Network Assessment Procedures:

      For more procedural details on how to do Network Assessments, please refer to the Skype Operations Framework. There is a lot of useful documentation in the Determine Network Readiness section of Planning stage within this framework and should give you a good starting point for running Network Readiness assessments.


      Usage Details


      Walkthrough Video:



      Main Window Settings



      The “Run Every x Mins” setting controls how often the network assessment tool will be run and log results. This value can be set between 1 minute and 2 hours.

      The Thresolds setting refers to two levels of thresholds that are recommend by Microsoft for real time audio for the statistics that are generated by the Network Assessment Tool. The first is the “Edge” values which are recommended for when you are testing from your perimeter network into Office 365. The second is recommended thresholds when testing from a “Client” subnet. The Edge values are lower and more restrictive than the client subnet because is expected that the client subnet will have more hops to get to Office 365 than the Edge.

      Customer Edge to Microsoft Edge Thresholds:
      Metric
      Target
      Latency (RTT)
      < 60ms
      Packet loss
      <0.1% during any 15s interval
      Note: The value output by the Microsoft tool is not a percentage.
      Packet inter-arrival Jitter
      <15ms during any 15s interval
      Packet reorder
      <0.01% out-of-order packets
      Note: The value output by the Microsoft tool is not a percentage.

      Client to Microsoft Edge Thresholds:
      Metric
      Target
      Latency (RTT or Round-trip Time)
      < 100ms
      Packet loss
      <1% during any 15s interval
      Note: The value output by the Microsoft tool is not a percentage.
      Packet inter-arrival Jitter
      <30ms during any 15s interval
      Packet reorder
      <0.05% out-of-order packets
      Note: The value output by the Microsoft tool is not a percentage.


      Settings Window:


      The tool has the following settings:



      Network Assessment Tool Location: This is the location of the Skype for Business Network Assessment Command Line Tool on the system. If you have manually downloaded the tool and unzipped it to a folder on the system you can enter the location via the Browse button.
      Session Log Folder: The Session Logs by default are placed on the system in the “C:\Users\<Username>\AppData\Roaming\NetworkAssessor\SessionLogs” folder. If for some reason you would like to change this folder (perhaps for centralizing the logs on a file share) you can select a new folder here.
      Red Level Breach Percentage: This is the percentage of breaches (on a per graph basis) that has to occur for the task bar icon to change to red colour.
      Orange Level Breach Percentage: This is the number of breaches (on a per graph basis) that has to occur for the task bar icon to change to orange colour.
      Turn Off Minimise Notification: When this check box is ticked it will turn off the task bar notifications.
      Auto Scroll Graph: When this check box is ticked it means that the graphs will automatically scroll when new points are added to it graph.
      Roll Time (Hours): This is the number of hours of testing that will be logged to CSV until a new session log file is created. When the file rolls the graphs will also be cleared. This is to try and maintain the performance of the graphs. Also, when the graph is cleared the breach counters will also be cleared.

      The Wrap Up


      Hopefully this post will give you another tool in the toolbox to help you in your preparation for deploying Skype for Business Online or Microsoft Teams in your environment. If you have any comments or issues with the tool please provide feedback below.



      Deploying Powershell Scripts with Group Policy

      November 15, 2017, 2:15 am
      $
      0
      0
      I have written quite a few Powershell tools for Skype for Business and some of these might be tools that people want to use on a regular basis across their Front End servers. People may want to deploy so that others within the administrative team can also use them in a simple and centrally managed way. So I thought I would write a blog post that explains a simple way to centrally deploy scripts out to multiple servers so they are easily accessible to yourself and other team members.
      The method described below uses Active Directory Group Policy to control the deployment Powershell scripts across a number of Skype for Business Front End servers.

      Step 1: Create a central file share where you will be storing the script files that you would like to have available on your Front End servers. In this case I created a folder named Scripts where I placed a Powershell script.



      Step 2: Share the folder (Right Click on Folder-> Properties -> Sharing Tab -> Sharing…). In this case I have given Read access to everyone.

      Step 3: In Active Directory Users and Computers create an OU for your Skype for Business servers. In this case I have created an OU called SfBServers and have moved all of the Skype for Business Front Ends Computer Objects to this OU.


      Step 4: Open Active Directory Group Policy Management(gpmc.msc) and Right Click the SfBServersOU and “Create a GPO in this domain, and Link it here…”.



      Step 5: Give the New GPO a name. In this case I have called the GPO “PowershellScripts”.

      Step 6: Right Click the PowershellScripts GPO and select “Edit…”.


      Step 7: Open Computer Configuration -> Preferences -> Windows Settings, Right Click Shortcuts and select New -> Shortcut.


      Step 8: Fill in the shortcut properties as described below.

      Action: Update
      Name: VVX Manager
      Target type: File System Object
      Location: All Users Desktop
      Target path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Arguments: -WindowStyle Hidden -nologo -executionpolicy bypass -command "& \\ServerHostName\Scripts\Skype4B-Lync-PolycomVVXManager2.21.ps1"
      Icon file path: %SystemRoot%\system32\SHELL32.dll
      Icon index: 24

      Powershell Arguments Breakdown:
      -WindowStyle: This argument is being used to supress the Powershell window from being displayed when the script is run. I am using this deliberately because the script I am using this for has its own Windows Forms GUI that will be displayed and the Powershell window is not required. This will give the script the feeling of being more like an application.
      -NoLogo: Tells the Powershell window to not show the Copyright banner - to make it that little bit quicker (or maybe not… but you never know…).
      -ExecutionpPolicy: This is set to “bypass” in order to avoid the Windows server execution policy defaults that may block the script from running on the server.
      -Command: Specifies the command text to execute as though it were typed at the PowerShell command prompt. In this case we are selecting to open the script file from the share that we created in Steps 1-2. You can also include any arguments for the script here if they are required.

      For the Icon selection, when you click the ellipse you will get an Icon picker with  many icons to choose from. Choose the one that makes most sense for the script you are using.


      Step 9: Now on the Front End server run “gpupdate /force” to get the new Group Policy pushed down to the server:


      You should now get a new shortcut on the Desktop of the server that matches the one that you made in Group Policy. When you double click it you will see a command window for a second (if you chose the Window Style as Hidden like in this example) and then the Powershell GUI will be displayed:


      It’s that easy! Now you can package your favourite scripts and centrally manage the version used by all users across all your servers.

      The Wrap Up


      I hope you found this post useful and that it allows you a better experience in using and managing your favourite Powershell scripts on your servers. Enjoy!




      Search

      Spectralink 8400 Edge Issue

      December 7, 2017, 3:24 am
      $
      0
      0
      I found an interesting issue when testing some Spectralink 8440 handsets the other day and I didn’t see the answer documented anywhere, so I thought I'd change that situation by blogging about it.

      Note: The firmware that I was using when I ran into this issue was 5.4.4.1156. I also rolled back to a 5.3 and 5.2 version and had the same issue, so this problem may have existed for a while.

      The Symptom


      Outbound Call
      After setting the phones up and logging in using PIN Authentication successfully when making an outbound call, the call would hang after the number was dialled. The screen would sit at the calling screen forever and nothing would happen (i.e. the dialled phone wouldn’t ring).

      Outbound Call


      Inbound Call
      For an inbound call, the calling party (i.e. a Skype for Business client) would receive ringback tone and the call would not get displayed on the Spectralink handset. After the call forwarded timeout was reached, the call forwarded to voicemail and a missed call would appear on the Spectralink screen.
        
      Inbound Call

      Troubleshooting


      The symptoms described above were consistent and it was clear that the SIP Signalling was working well enough to allow the device to sign in and receive information from the system. However, both inbound and outbound calls were not setting up correctly. The next port of call was to look into the logs. For an outbound call there wasn’t much information in the logs to dig into. However, for an inbound call I could see the inbound INVITE message arrive and the phone would respond with a TRYING message. At this point I could see that the inbound call was not progressing past the point of parsing the candidates from the inbound INVITE message. From this, I suspected that this was something to do with the Spectralink not being about to process the candidates correctly. I then realised that the lab system I was testing the phone on didn’t actually have an Edge server associated with it. This, of course, meant that the phone would not be getting or receiving any reflexive or relay candidates… Hhhhmmmm, interesting...

      Inbound Call Log
      1205143558|sip  |0|00|<<< Data received TLS
      1205143558|sip  |0|00|    INVITE sip:Terry.Adams@10.22.2.11:33207;transport=tls;ms-received-cid=781300 SIP/2.0
      1205143558|sip  |0|00|    Record-Route: <sip:SFB001.sfbdomain.com:5061;transport=tls;opaque=state:T:F:Ci.R781300:Ieh.Lvw6TSBMlsUoTJbFhkstQInxeS6wHgXRHMHiO5ioDln-fhNvUO1qLucUD4gO1tXpzhB_8cegAA;lr;ms-route-sig=hkx-TWiKYeik4c0hYMHXqBiJ4op9gbnpuTatBwsuD7moptXpzhB_8cegAA>;tag=B12630CFFCD2C61F74BDE5EB8A4C611A
      1205143558|sip  |0|00|    Via: SIP/2.0/TLS 10.20.1.223:5061;branch=z9hG4bK8BA0D60F.E19C5E6D7DAA886D;branched=TRUE;ms-internal-info="dgFJqKHJ0AXHZY0sy2IaYnenMPK5auGe9rVA0q4_Ro3qxtXpzhVO8OYQAA"
      1205143558|sip  |0|00|    Authentication-Info: TLS-DSK qop="auth", opaque="4E02C6ED", srand="4D31E5BD", snum="17", rspauth="420755234a2dbcecd21a249213ceb92d8ba9cfc5", targetname="SFB001.sfbdomain.com", realm="SIP Communications Service", version=4
      1205143558|sip  |0|00|    Max-Forwards: 69
      1205143558|sip  |0|00|    Content-Length: 890
      1205143558|sip  |0|00|    Via: SIP/2.0/TLS 10.22.0.22:42727;branch=z9hG4bK1d5487849DAF07;ms-received-port=42727;ms-received-cid=77D300
      1205143558|sip  |0|00|    P-Asserted-Identity: "Terry Adams"<sip:Terry.Adams@sfbdomain.com>,<tel:+61266591007;ext=1007>
      1205143558|sip  |0|00|    From: "Terry Adams"<sip:Terry.Adams@sfbdomain.com>;tag=5C30CCBE-7E228105;epid=64167f23b38c
      1205143558|sip  |0|00|    To: <sip:+61266591007@sfbdomain.com;user=phone>;epid=00907a0f09d8
      1205143558|sip  |0|00|    CSeq: 1 INVITE
      1205143558|sip  |0|00|    Call-ID: 0888c5534fafd0fc37bc94f7a523b38c
      1205143558|sip  |0|00|    Contact: <sip:Terry.Adams@sfbdomain.com;opaque=user:epid:F5iF87H531yKmJ1oYYBMjwAA;gruu>
      1205143558|sip  |0|00|    Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, INFO, MESSAGE, SUBSCRIBE, NOTIFY, PRACK, UPDATE, REFER
      1205143558|sip  |0|00|    User-Agent: Polycom/5.6.0.17325 PolycomVVX-VVX_311-UA/5.6.0.17325_64167f23b38c
      1205143558|sip  |0|00|    Accept-Language: en
      1205143558|sip  |0|00|    ms-subnet: 10.22.0.0
      1205143558|sip  |0|00|    Allow-Events: conference,talk,hold
      1205143558|sip  |0|00|    Supported: replaces
      1205143558|sip  |0|00|    Supported: ms-safe-transfer
      1205143558|sip  |0|00|    Supported: ms-bypass
      1205143558|sip  |0|00|    Supported: ms-dialog-route-set-update
      1205143558|sip  |0|00|    Supported: timer
      1205143558|sip  |0|00|    Supported: 100rel
      1205143558|sip  |0|00|    Supported: gruu-10
      1205143558|sip  |0|00|    MS-Conversation-ID: AdNteidtM2YxYWFkN2ZiZjM0ODVhZQ==
      1205143558|sip  |0|00|    Content-Type: application/sdp
      1205143558|sip  |0|00|    history-info: <sip:Terry.Adams@sfbdomain.com>;index=1;ms-target-phone="tel:+61266591007;ext=1007"
      1205143558|sip  |0|00|   
      1205143558|sip  |0|00|    v=0
      1205143558|sip  |0|00|    o=- 1512444953 1512444953 IN IP4 10.22.0.22
      1205143558|sip  |0|00|    s=Polycom IP Phone
      1205143558|sip  |0|00|    c=IN IP4 10.22.0.22
      1205143558|sip  |0|00|    t=0 0
      1205143558|sip  |0|00|    a=sendrecv
      1205143558|sip  |0|00|    m=audio 5350 RTP/S
      1205143558|sip  |0|00|<<< Data received TLS
      1205143558|sip  |0|00|    AVP 9 112 8 0 18 101
      1205143558|sip  |0|00|    a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:/u2wztfJizjOcLml2T1uN/3qiNEZpAiiPqCcyOhn|2^31|1:1
      1205143558|sip  |0|00|    a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:gXAfAu4Z6VZ/1ZQYLJe3g4HAGcgwY9w4vDdlLSkJ|2^31
      1205143558|sip  |0|00|    a=rtpmap:9 G722/8000
      1205143558|sip  |0|00|    a=rtpmap:112 G7221/16000
      1205143558|sip  |0|00|    a=fmtp:112 bitrate=24000
      1205143558|sip  |0|00|    a=rtpmap:8 PCMA/8000
      1205143558|sip  |0|00|    a=rtpmap:0 PCMU/8000
      1205143558|sip  |0|00|    a=rtpmap:18 G729/8000
      1205143558|sip  |0|00|    a=fmtp:18 annexb=no
      1205143558|sip  |0|00|    a=rtpmap:101 telephone-event/8000
      1205143558|sip  |0|00|    a=ice-pwd:EK5jmhsUk5xntwoCmEIEAmfT
      1205143558|sip  |0|00|    a=ice-ufrag:pbdW
      1205143558|sip  |0|00|    a=rtcp:5351
      1205143558|sip  |0|00|    a=candidate:1 1 UDP 2130706431 10.22.0.22 5350 typ host
      1205143558|sip  |0|00|    a=candidate:1 2 UDP 2130706430 10.22.0.22 5351 typ host
      1205143558|sip  |0|00|    a=candidate:2 1 TCP-ACT 1684733951 10.22.0.22 5350 typ srflx raddr 10.22.0.22 rport 5350
      1205143558|sip  |0|00|    a=candidate:2 2 TCP-ACT 1684733950 10.22.0.22 5350 typ srflx raddr 10.22.0.22 rport 5350
      1205143558|sip  |1|00|MsgSipTcpPacket
      1205143558|sip  |1|00|MsgSipTcpPacket
      1205143558|sip  |3|00|CStkDialog::CreateRouteSet: transport set to top route 'TLS'
      1205143558|sip  |3|00|CStkDialog::SetAddressLocal localTag set to ''
      1205143558|sip  |3|00|CStkDialog::SetAddressLocal new address added of 1
      1205143558|sip  |2|00|CStkDialog::CStkDialog SetAddressLocal from pRequest To: 'Terry Adams'<+61266591007@sfbdomain.com:0>
      1205143558|sip  |2|00|CStkDialog::CStkDialog SetAddressLocal Config 'Terry Adams'<Terry.Adams@sfbdomain.com:0>
      1205143558|sip  |2|00|CStkDialog::CStkDialog TAG 'B640E4F5-9C530CE' generated
      1205143558|sip  |2|00|CStkDialog::CStkDialog local addr 'Terry Adams'<+61266591007@sfbdomain.com:0> Tag 'B640E4F5-9C530CE'
      1205143558|sip  |2|00|CStkDialog::CStkDialog exit 0x9d5bf0 local list size 1
      1205143558|sip  |2|00|CCallBase::IsChallenged COPIED Dialog Tag to pRequest 'B640E4F5-9C530CE'
      1205143558|sip  |2|00|CCallBase::IsChallenged 'INVITE' Dialog Tag 'B640E4F5-9C530CE' pRequest Tag 'B640E4F5-9C530CE' state 'Trying'
      1205143558|sip  |2|00|new UA Server INVITE trans state 'proceeding', timeout=0 (0x40d40ea8)
      1205143558|sip  |3|00|CStateInviteServer::CStateInviteServer
      1205143558|sip  |3|00|CStateInviteServer::CStateInviteServerHandler
      1205143558|sip  |3|00|CStateInviteServer::CStateInviteServerHandler - pReplace (0x0)
      1205143558|sip  |*|00|CSdp::operator << - setting m_bIsSecured == true
      1205143558|sip  |3|00|CStateInviteServer::CStateInviteServerHandler - calling RemoteSdpOffer
      1205143558|sip  |3|00|CStkCall::RemoteSdpOffer m_nMediaRTPPort=0
      1205143558|sip  |1|00|Dialog 'id9cd7e4d4' State 'Trying'->'Early'
      1205143558|sip  |1|00|signatureBuffer: <TLS-DSK><D0E0949F><11><SIP Communications Service><SFB001.sfbdomain.com><0888c5534fafd0fc37bc94f7a523b38c><1><INVITE><sip:Terry.Adams@sfbdomain.com><5C30CCBE-7E228105><sip:+61266591007@sfbdomain.com;user=phone><B640E4F5-9C530CE><sip:Terry.Adams@sfbdomain.com><tel:+61266591007;ext=1007><><100>
      1205143558|sip  |1|00|doDnsListLookup(tls): doDnsSrvLookupForARecordList for '10.20.1.223' port 5061 returned 1 results
      1205143558|sip  |1|00|doDnsListLookup(tls): result 0 host '' IP '10.20.1.223' port 5061 isInBound 0
      1205143558|sip  |1|00|CTcp::Send(TLS) entry for address 10.20.1.223 port 5061 can Connect 0 canFailOver 1
      1205143558|sip  |0|00|>>> Data Send TLS 10.20.1.223:5061
      1205143558|sip  |0|00|    SIP/2.0 100 Trying
      1205143558|sip  |0|00|    Via: SIP/2.0/TLS 10.20.1.223:5061;branch=z9hG4bK8BA0D60F.E19C5E6D7DAA886D;branched=TRUE;ms-internal-info="dgFJqKHJ0AXHZY0sy2IaYnenMPK5auGe9rVA0q4_Ro3qxtXpzhVO8OYQAA"
      1205143558|sip  |0|00|    Via: SIP/2.0/TLS 10.22.0.22:42727;branch=z9hG4bK1d5487849DAF07;ms-received-port=42727;ms-received-cid=77D300
      1205143558|sip  |0|00|    From: "Terry Adams"<sip:Terry.Adams@sfbdomain.com>;tag=5C30CCBE-7E228105;epid=64167f23b38c
      1205143558|sip  |0|00|    To: "Terry Adams"<sip:+61266591007@sfbdomain.com;user=phone>;epid=00907a0f09d8;tag=B640E4F5-9C530CE
      1205143558|sip  |0|00|    CSeq: 1 INVITE
      1205143558|sip  |0|00|    Call-ID: 0888c5534fafd0fc37bc94f7a523b38c
      1205143558|sip  |0|00|    Contact: <sip:Terry.Adams@sfbdomain.com;opaque=user:epid:x5jsdoUew1a9jiDyam965gAA;gruu>
      1205143558|sip  |0|00|    Record-Route: <sip:SFB001.sfbdomain.com:5061;transport=tls;opaque=state:T:F:Ci.R781300:Ieh.Lvw6TSBMlsUoTJbFhkstQInxeS6wHgXRHMHiO5ioDln-fhNvUO1qLucUD4gO1tXpzhB_8cegAA;lr;ms-route-sig=hkx-TWiKYeik4c0hYMHXqBiJ4op9gbnpuTatBwsuD7moptXpzhB_8cegAA>;tag=B12630CFFCD2C61F74BDE5EB8A4C611A
      1205143558|sip  |0|00|    User-Agent: Spectralink-SL_8440-UA/5.4.4.1156
      1205143558|sip  |0|00|    Accept-Language: en
      1205143558|sip  |0|00|    P-Preferred-Identity: "Terry Adams"<sip:Terry.Adams@sfbdomain.com>,<tel:+61266591007;ext=1007>
      1205143558|sip  |0|00|    Authorization: TLS-DSK qop="auth", realm="SIP Communications Service", opaque="4E02C6ED", crand="D0E0949F", cnum="11", targetname="SFB001.sfbdomain.com", response="bf39acaf3c91ff5826574895f209520c0507fe35"
      1205143558|sip  |0|00|    Content-Length: 0
      1205143558|sip  |0|00|   
      1205143558|sip  |1|00|CTcpSocket::SendData TLS queuedTxData = 0 TotalLen 1313 loop count 1 maxQueueDepth 40000
      1205143558|sip  |1|00|CTcpSocket::SendData TLS Sent 1313 loop count 1
      1205143558|sip  |3|00|CStkCall::NewCallState 'Unknown'->'Offering' (0x9b9b48)
      1205143558|sip  |3|00|GetRemotePartyAddress from 'P-Asserted-Identity'
      1205143558|sip  |3|00|CStkCall::NewCallState - BEFORE call to SipOnEvNewCall m_nMediaRTPPort=0
      1205143558|ice  |0|00|soIceChannelCreate: channelId=-1 category=1 chanType=0 udpPort=2226 portTurn=2726 tcpPort=-1
      1205143558|ice  |0|00|soIceRtpChanList.count=1
      1205143558|ice  |2|00|soIceChannelCreate: allocated channelId 5
      1205143558|ice  |0|00|soIceChannelCreate: channelId=-1 category=1 chanType=1 udpPort=2227 portTurn=2727 tcpPort=-1
      1205143558|ice  |0|00|soIceRtpChanList.count=2
      1205143558|ice  |2|00|soIceChannelCreate: allocated channelId 6
      1205143558|ice  |0|00|soIceSessionCreate start
      1205143558|ice  |0|00|    channelIdAudioRtp=5
      1205143558|ice  |0|00|    enableBWManagement=0
      1205143558|ice  |0|00|    bwAudioMin=64
      1205143558|ice  |0|00|    bwAudioMax=64
      1205143558|ice  |0|00|soIceSessionCreate - full functionality so set gatheringStunReqMaxRetransmit = 4
      1205143558|ice  |0|00|soIceSessionListRemove: soIceSessionList.count=0
      1205143558|ice  |0|00|soIceSessionCreate: sessEntryP (0x426d0f60) - set bInitialInvite true
      1205143558|ice  |0|00|soIceSessionList.count=1
      1205143558|ice  |1|00|soIceSessionCreate: linked channel (5) with session (3)
      1205143558|ice  |1|00|soIceSessionCreate: linked channel (6) with session (3)
      1205143558|ice  |2|00|soIceSessionCreate: allocated hSpiSession 0xb1f9d8 sessionId 3 for audio 5 6
      1205143558|ice  |0|00|soIceSessionSdpGetCallAnswer
      1205143558|ice  |0|00|soIceSessionSdpGetCallAnswer: len=890 pSdpInvite=
      1205143558|ice  |0|00|v=0
      1205143558|ice  |0|00|o=- 1512444953 1512444953 IN IP4 10.22.0.22
      1205143558|ice  |0|00|s=Polycom IP Phone
      1205143558|ice  |0|00|c=IN IP4 10.22.0.22
      1205143558|ice  |0|00|t=0 0
      1205143558|ice  |0|00|a=sendrecv
      1205143558|ice  |0|00|m=audio 5350 RTP/SAVP 9 112 8 0 18 101
      1205143558|ice  |0|00|a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:/u2wztfJizjOcLml2T1uN/3qiNEZpAiiPqCcyOhn|2^31|1:1
      1205143558|ice  |0|00|a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:gXAfAu4Z6VZ/1ZQYLJe3g4HAGcgwY9w4vDdlLSkJ|2^31
      1205143558|ice  |0|00|a=rtpmap:9 G722/8000
      1205143558|ice  |0|00|a=rtpmap:112 G7221/16000
      1205143558|ice  |0|00|a=fmtp:112 bitrate=24000
      1205143558|ice  |0|00|a=rtpmap:8 PCMA/8000
      1205143558|ice  |0|00|a=rtpmap:0 PCMU/8000
      1205143558|ice  |0|00|a=rtpmap:18 G729/8000
      1205143558|ice  |0|00|a=fmtp:18 annexb=no
      1205143558|ice  |0|00|a=rtpmap:101 telephone-event/8000
      1205143558|ice  |0|00|a=ice-pwd:EK5jmhsUk5xntwoCmEIEAmfT
      1205143558|ice  |0|00|a=ice-ufrag:pbdW
      1205143558|ice  |0|00|a=rtcp:5351
      1205143558|ice  |0|00|a=candidate:1 1 UDP 2130706431 10.22.0.22 5350 typ host
      1205143558|ice  |0|00|a=candidate:1 2 UDP 2130706430 10.22.0.22 5351 typ host
      1205143558|ice  |0|00|a=candidate:2 1 TCP-ACT 1684733951 10.22.0.22 5350 typ srflx raddr 10.22.0.22 rport 5350
      1205143558|ice  |0|00|a=candidate:2 2 TCP-ACT 1684733950 10.22.0.22 5350 typ srflx raddr 10.22.0.22 rport 5350
      1205143558|ice  |0|00|soIceSessionSdpGetCallAnswer: RvIceSessionSDPIn returned 0
      1205143558|ice  |0|00|*** sdpInpRes.eIceSupport 0
      1205143558|ice  |0|00|soIceSessionSdpGetCallAnswer: entryP (0x426d0f60) bInitialInvite=1
      1205143558|ice  |0|00|soIceSetLocalHostCandidates - local rtp port 2226
      1205143558|ice  |0|00|soIceSetLocalHostCandidates: RvIceSessionSetLocalRtpCandidatesToAllMediaStreams returned 0
      1205143558|ice  |0|00|soIceSessionSdpGetCallAnswer: RvIceSessionGatherReflexiveCandidatesEx returned=-1
      1205143558|sip  |2|00|SipOnEvNewCall new call appearnce 1 SRTP key È Ô@¨ Ô@
      1205143558|sip  |3|00|CStkCall::NewCallState - after call to SipOnEvNewCall m_nMediaRTPPort=2226
      1205143558|sip  |2|00|SipOnEvCallNewState 9b9b48,bdb4a0 1,(null)
      1205143558|sip  |3|00|CStkCall::NewCallState update held and hold flags, state 1
      1205143558|sip  |3|00|CStkCall::NewCallState held 0 hold 0



      The Fix!


      After realising that this probably had something to do with not having an Edge server deployed on the lab system I was using, I moved the Spectralink over to another system that did have an Edge… and what do you know, the phone started working perfectly. Not having an Edge was in fact the issue. The next question was, is there any configuration that could be done on the Spectralink to make it work without an Edge? (Spoiler: Yes)

      As you may or may not know, one of the main configuration items on a Spectralink (or Polycom phones which have basically the same software software forked from the same original base code) is to configure the baseProfile setting to make it run in "Lync" mode. Lync mode makes a whole raft of settings in the background on your behalf, to make your life easier. What are these settings that get made when the base profile is set to Lync mode? Well, to try and make a comparison I used a Polycom VVX running 5.6 firmware (because it was easier to get access to the settings than Spectralink) as a comparison point to see what settings the Lync profile changed in the config:

      Lync Base Profile settings (in comparison to Generic mode):
      call.defaultTransferType="Blind"
      call.enableOnNotRegistered="0"
      callLists.collapseDuplicates="0"
      callLists.logConsultationCalls="1"
      device.baseProfile="Lync"
      dialplan.1.applyToCallListDial="0"
      dialplan.1.applyToDirectoryDial="1"
      dialplan.1.applyToForward="1"
      dialplan.1.conflictMatchHandling="1"
      dialplan.1.digitmap="x.T"
      dialplan.1.digitmap.timeOut="4"
      dialplan.1.impossibleMatchHandling="3"
      dialplan.1.lyncDigitmap.timeOut="4"
      dialplan.applyToDirectoryDial="1"
      dialplan.applyToForward="1"
      dialplan.applyToPstnDialing="1"
      dialplan.applyToRemoteDialing="1"
      dialplan.conflictMatchHandling="1"
      dialplan.digitmap=""
      dialplan.impossibleMatchHandling="3"
      dialplan.routing.emergency.1.description=""
      dialplan.routing.emergency.1.value=""
      dialplan.TranslationInAutoComp="1"
      dialplan.userDial.timeOut="4"
      feature.btoe.enabled="1"
      feature.deviceLock.enable="1"
      feature.EWSAutodiscover.enabled="1"
      feature.exchangeCalendar.enabled="1"
      feature.exchangeCallLog.enabled="1"
      feature.exchangeContacts.enabled="1"
      feature.exchangeVoiceMail.enabled="1"
      feature.logUpload.enabled="1"
      feature.lync.abs.enabled="1"
      feature.LyncCCCP2010AudioWorkaround.enabled="1"
      feature.lyncSafeTransfer.enabled="1"
      feature.messaging.enabled="1"
      feature.moh.enabled="1"
      feature.presence.enabled="1"
      locInfo.source="MS_E911_LIS"
      reg.1.applyServerDigitMapLocally="1"
      reg.1.auth.useLoginCredentials="1"
      reg.1.auth.usePinCredentials="1"
      reg.1.offerFullCodecListUponResume="0"
      reg.1.server.1.registerRetry.baseTimeOut="10"
      reg.1.server.1.registerRetry.maxTimeOut="180"
      reg.1.server.1.specialInterop="lync2010"
      reg.1.server.1.transport="TLS"
      reg.1.serverFeatureControl.signalingMethod="serviceMsForwardContact"
      reg.1.useTelUriAsLineLabel="0"
      roaming_buddies.reg="1"
      sec.srtp.holdWithNewKey="0"
      sec.srtp.key.lifetime="2^31"
      sec.srtp.mki.enabled="1"
      sec.srtp.mki.length="1"
      sec.srtp.mki.startSessionAtOne="1"
      sec.srtp.resumeWithNewKey="0"
      sec.TLS.profileSelection.SIP="ApplicationProfile1"
      server.log.setting.enabled="1"
      softkey.feature.MeetNow="1"
      softkey.feature.simplifiedSignIn="1"
      tcpIpApp.ice.mode="MSOCS"
      tcpIpApp.keepalive.tcp.sip.tls.enable="1"
      tcpIpApp.port.rtp.videoPortRange.enable="1"
      tcpIpApp.sntp.address="time.windows.com"
      tone.dtmf.rfc2833Payload="101"
      up.numOfDisplayColumns="2"
      up.oneTouchDirectory="1"
      up.oneTouchVoiceMail="1"
      video.iFrame.delay="2"
      video.iFrame.onPacketLoss="1"
      voice.codecPref.G7221.24kbps="5"
      voice.codecPref.G7221.32kbps="0"
      voice.qualityMonitoring.rtcpxr.enable="1"
      voIpProt.SIP.allowTransferOnProceeding="0"
      voIpProt.SIP.considerTlsDnsEntriesOnly="1"
      voIpProt.SIP.failoverOn503Response="0"
      voIpProt.SIP.header.diversion.enable="1"
      voIpProt.SIP.IM.autoAnswerDelay="40"
      voIpProt.SIP.mtls.enable="0"
      voIpProt.SIP.serverFeatureControl.cf="1"
      voIpProt.SIP.serverFeatureControl.dnd="1"
      voIpProt.SIP.serverFeatureControl.localProcessing.cf="0"
      voIpProt.SIP.serverFeatureControl.localProcessing.dnd="0"

      Based on my earlier assumption that the issue has something to do with the Edge reflexive and relay candidates, the fault was likely caused by something to do with the Microsoft specific ICE interaction. There was one setting this this sizable list that stood out to me - the tcpIpApp.ice.mode="MSOCS" setting. This setting was made specifically to handle the candidate negotiations required by Microsoft Lync/Skype for Business. After disabling this setting, guess what happened? Inbound and outbound calls started working…

      TLDR Answer

      When you have no Edge server deployed within your Lync/Skype for Business environment and you are deploying Spectralink phones, set the tcpIpApp.ice.mode setting to “disabled”. In a config file this might look something like this:

      <!-- If there is an Edge then tcpIpApp.ice.mode="MSOCS" if there is no Edge then tcpIpApp.ice.mode="disabled" -->
      <LyncBaseProfile
      device.baseProfile.set="1"
      device.baseProfile="Lync"
      tcpIpApp.ice.mode="disabled"             
      > 
      </LyncBaseProfile>


      The Wrap Up


      Well, another day another crazy config setting. There always seems to be an endless supply of gotchas in this business and this is another one to add to your list. Till next time!





      Building an Edge Server Port Monitor with Azure Function Apps – Part 1

      March 1, 2018, 1:48 am
      $
      0
      0
      For this blog series I thought I would branch out a bit and take my Powershell scripting to the next level using Azure Function Apps. What on earth is an Azure Function App, I hear you asking? Well, come in closer around the camp fire and I’ll explain. An Azure Function App is a Serverless application platform. I know that sounds like an oxymoron… An application platform that is serverless! Well, yes, you are correct, there are in fact servers that are running these Function Apps in a nameless data centre somewhere. However, the reason that they are referred to as being “serverless” is that you never have to administer any part of the server hardware or software yourself. You simply write your code and paste it into the Azure Portal and then click the run button….  aannnndd bam! You end up with a very useful application that runs all day, every day, on hardware in a distant land that you never have think about. You just kick back and once a month pay the very reasonable rates offered by Azure. Brilliant!

      As a means to teach myself about the Azure Functions platform I decided to give myself a challenge to design a useful application that could run using only Powershell as the programming language. The application I decided to design was an Skype for Business Edge Server port monitoring service. The idea of this application is that it would monitor all the important ports on any number of remote Edge servers and report to me if any of them went down. Due to the number of steps involved in doing this I will be breaking this into 3 separate blog posts.

      For part 1 the requirements of the application are as follows:
      • Allow for multiple far end server ports to be monitored.
      • Allow for multiple far end servers to be monitored.
      • Allow for tests to be run on an ongoing basis at configurable intervals.
      • If a port is found to be inaccessible, then the application must email me with details of what is down.
      In part 2 of the series I will expand on the application to do the following:
      • Allow for coalescing of emails so that multiple errors result in only one email being sent instead of many emails.
      • Allow for the application to have a memory so it can only send me an email after seeing a configurable number of errors. This is to guard against flapping type scenarios and only to update in the case of a fair dinkum outage.
      • In addition to sending an email when ports are down, it will also send an email to inform me that the ports have come back up - so I can rest easy in the knowledge that the server recovered without logging in to check. 
      • Use Azure Storage Tables to store state about the Edge servers current status.
      In part 3 (Coming Soon) of the series I will expand the application to do even more:
      • Save all port test results to Azure Storage tables for later analysis.
      • Use Power Bi to connect to Azure Storage Tables and create nice graphs showing information about the Edge servers over a period of time.

      By the end of the series there will be a feature-rich service that allows for the monitoring of remote servers and analyses results in a relatively comprehensive way. This should highlight how powerful Azure Function Apps can be!

      Limitations of Powershell Functions


      Upfront I should say that Azure Function Apps using Powershell is still considered an “Experimental” language. Whilst I was writing this application I found there are some limitations when coding in Powershell using Function Apps. This list is by no means complete - it’s just some interesting things I noticed:
      • I couldn’t call any commands that requested access to the networking stack. By this I mean commands to query the IP Address of the machine or ports in use, etc. This seems fair given that Function Apps run on shared machines and there is some level of abstraction between the code and the machine it’s running on.
      • I noticed that Invoke-WebRequest would give a warning that requested the use of Basic Parsing due to “The response content cannot be parsed because the Internet Explorer engine is not available, or Internet Explorer's first-launch configuration is not complete. Specify the UseBasicParsing parameter and try again.” This is not a limitation for the functionality in this application but may be something to keep in mind for your future apps.
      • I had a weird issue where function (ie. “function ConnectTCP”) returns would include all of the text from Write-Output commands that executed in the function. I’m not sure if this was a bug or a limitation... Something to look out for though.
      • You need to manually upload additional external powershell modules into the Azure backend. There is no basic “Install-Module” command that can grab code from the Powershell Gallery yet. This can also be problematic if the module attempts to access something that’s not supported by Azure Functions (for example access the networking stack like mentioned earlier).
      • “Write-Host” is not a supported output method like it is in server based Powershell. In order to get output from your script you need to use “Write-Output” which will be written to the Function App log.
      • When sending out port queries I tried to also specify the source port being used, however, it appears that the source port gets NATed on the way out of Azure. So the source port will be random in this case.

      Creating the Function App


       Step 1
      Open up the Azure Portal and Select “App Services” from the left menu. Then select the “Add” button:



      Step 2
      Select “Function App” as the type of service app that you would like to create:



      Step 3
      Click the create button:




      Step 4
      Fill in the details of the function application. The important parts here are to give your app a unique name, select Windows as the OS and select a Location nearest the servers you would like to be testing.




      Step 5
      You will need to wait a few minutes for the Function App to be provisioned for you. During this time you will see a “Deploying Function App” icon on the dashboard:



      Step 6
      Once the Function App has finished deploying, open the app to the Overview tab. Then select “Application settings”:



      Step 7
      In order for your application to output the correct time information in emails, you need to set the timezone within the “Application settings” to your local timezone. To do this add a row in the “Application settings” called “WEBSITE_TIME_ZONE” and then enter the name of the timezone (eg. “AUS Eastern Standard Time”). You can get a full list of timezones from here: https://msdn.microsoft.com/en-us/library/gg154758.aspx



      Don’t forget to click the save button on the Application settings page after making the change:



      Step 8
      In the main page of the Function App select the “Functions” tab on the left-hand tree. Then click the “New function” button:



      Step 9
      You will now be presented with a screen that allows you to select the type of Function App that you would like to create. In order to be able to create a Powershell based Function App you need to click the “Experimental Language Support” switch in the top right corner of the screen:



      Step 10
      Once “Experimental Language Support” has been selected you can choose to create a “Timer trigger” app using Powershell as the language:



      Step 11
      The timer trigger type of application uses a CRON type format for representing when the application will execute. You will be presented with a dialog that allows you to enter the “Name” and “Schedule” for your application to run. The schedule expression is a CRON expression that includes 6 fields. These are:

      {second} {minute} {hour} {day} {month} {day of the week}

      Note: This is slightly different to CRON that is used on Linux that doesn’t have the seconds value. You need to be careful when borrowing CRON syntax off the Internet. For more information on the CRON format refer to this page: https://docs.microsoft.com/en-us/azure/azure-functions/functions-bindings-timer



      Note: The important thing to know about this CRON Schedule is that the “*/5” means to run once every 5 minutes.

      Step 12
      Now that you have created your Trigger Timer, it will appear under the Functions tree in the left side of the Function App. When you select the trigger timer it will open up a code window that is pre-filled with a single “Write-Output” statement. This is the window in which you will be pasting in the Powershell code. You will also see on the right hand side the actual Powershell file called “run.ps1” and a function.json manifest file. At the bottom of the screen there is a Logs window where all the “Write-Output” logging will be sent to. Note that Function Apps use Write-Output instead of Write-Host like you see in most Powershell script running on servers.




      Step 13 - Sign up for Mailjet
      The script uses a web service called Mailjet in order to send emails. In order for the Function Application to send the email it needs to send a REST call out to Mailjet with the correct Account Keys in it. The free level of Mailjet lets you send up to 6000 emails per month, which is plenty for this kind of scenario.

      After signing up for the Mailjet web site go to the following location to get your API username and password:

      My Account > REST API > Master API Key & Sub API key management

      In your Mailjet account you will also need to set up the mail account that you wish to be allowed to send emails: 

      Accounts > Sender Addresses



      Step 14
      Insert the following Powershell script into your Function App code window (run.ps1) and make the edits required in Step 15:




      Like this:




      Step 15
      Edit the script as necessary for your Mailjet account and Edge servers.

      Enter your Mailjet API Key (Username) and Secret Key (Password) and paste them into the following section of the script. Also update the sender email address to your email account that is configured in the "Sender Addresses" in Mailjet and the recipent email address you want to send to:


      #MAIL JET USERNAME/PASSWORD#######
      $emailUsername="kjh3k23h4kjhkj37573f8f020879dff7"     
      $emailPassword="9898f98fhdjkkdjh46cd418100075a3b"
      #EMAIL ADDRESS TO SEND ERRORS FROM
      $SENDEREMAIL="YourRealEmailAddress@domain.com"
      #EMAIL ADDRESS TO SEND ERRORS TO
      $RECIPIENTEMAIL="YourRealEmailAddress@domamin.com"
      ################################## 

      Edit the Skype for Business Edge server details as required. These are entered as an array of hash tables. The sections highlighted in yellow can be changed. In this case the application is monitoring 2 Edge servers, one in Melbourne and one in Sydney.

      Location
      ServerName
      ServerRole
      DestinationPort
      Protocol
      Melbourne
      147.70.50.10
      Federation
      5061
      TCP
      Melbourne
      147.70.50.10
      Access Edge
      443
      TCP
      Melbourne
      147.70.50.11
      Web Conferencing
      443
      TCP
      Melbourne
      147.70.50.12
      AV Edge
      443
      TCP
      Sydney
      147.70.60.20
      Federation
      5061
      TCP
      Sydney
      147.70.60.20
      Access Edge
      443
      TCP
      Sydney
      147.70.60.21
      Web Conferencing
      443
      TCP
      Sydney
      147.70.60.22
      AV Edge
      443
      TCP
      Note: The script only supports testing TCP ports at this time.

      #SETUP EACH SERVER
      $Records= @(@{"Location"="Melbourne"; "ServerName"="147.70.50.10"; "ServerRole"="Federation"; "DestinationPort"="5061"; "Protocol"="TCP"})
      $Records+= @(@{"Location"="Melbourne"; "ServerName"="147.70.50.10"; "ServerRole"="Access Edge"; "DestinationPort"="443"; "Protocol"="TCP"})
      $Records+= @(@{"Location"="Melbourne"; "ServerName"="147.70.50.11"; "ServerRole"="Web Conferencing"; "DestinationPort"="443"; "Protocol"="TCP"})
      $Records+= @(@{"Location"="Melbourne"; "ServerName"="147.70.50.12"; "ServerRole"="AV Edge"; "DestinationPort"="443"; "Protocol"="TCP"})

      $Records+= @(@{"Location"="Sydney"; "ServerName"="147.70.60.20"; "ServerRole"="Federation"; "DestinationPort"="5061"; "Protocol"="TCP"})
      $Records+= @(@{"Location"="Sydney"; "ServerName"="147.70.60.20"; "ServerRole"="Access Edge"; "DestinationPort"="443"; "Protocol"="TCP"})
      $Records+= @(@{"Location"="Sydney"; "ServerName"="147.70.60.21"; "ServerRole"="Web Conferencing"; "DestinationPort"="443"; "Protocol"="TCP"})
      $Records+= @(@{"Location"="Sydney"; "ServerName"="147.70.60.22"; "ServerRole"="AV Edge"; "DestinationPort"="443"; "Protocol"="TCP"})



      Step 16
      By default your Function App will be running at the CRON trigger interval. However, you can stop your Function App from running by switching off the trigger function in under the “Functions” tree item on the left hand side:



      Step 17
      Start receiving emails when your Edge servers are offline!




      The Wrap Up


      Well, this has been fun! Hasn’t it?! I hope that in addition to helping you monitor your edge servers, this has been informative and taught you some new skills that might help in the future when making your own Function Apps. Enjoy!




      Building an Edge Server Port Monitor with Azure Function Apps – Part 2

      March 19, 2018, 4:04 am
      $
      0
      0
      This blog is an expansion on the previous Part 1 post here. The process of setting up the Function App for this part 2 section is the same as was documented in Part 1. I suggest reading part 1 first before moving ahead.

      In part 1 we created a Function App that did the following:
      • Port monitor a selection of server ports.
      • Allow monitoring of several servers.
      • Allow for tests to be run on an ongoing basis at configurable intervals.
      • If a port was found to be inaccessible then the application must email with details of what is down.
      In Part 2 of the series we will expand on the application to do the following:
      • Allow for coalescing of emails so that multiple errors result in only one email being sent instead of many emails.
      • Allow for the application to have a memory so it can only send an email after seeing a configurable number of errors. This is to guard against flapping type scenarios and only to update in the case of a fair dinkum outage.
      • In addition to sending an email when ports are down, the app will also send an email to inform that the ports have come back up - we can rest easy in the knowledge that the server recovered without logging in to check. 
      • Use Azure Storage Tables to store state about the Edge servers.

      In order to give the application a “memory” we need to add some kind of storage to the application. Fortunately, Azure is very good at offering a bunch of storage options. We also need to also take into account that we are using Powershell in this case for the application and need a storage scenario that will work with Powershell. In this case we only need a fairly basic storage model. The good news is that there is a nice Powershell module that exists for connecting to Azure Storage Tables.


      Step 1
      Download a copy of the Azure Storage Table module for Powershell. In order to connect Powershell into the Azure Storage Table datastore, a Powershell module needs to be used. The module is available on the Powershell Gallery from this link:

      https://www.powershellgallery.com/packages/AzureRmStorageTable/1.0.0.21

      Save a copy of the module to your PC using the following command:
      Save-Module -Name AzureRmStorageTable -Path “C:\temp\”

      This should have downloaded the following folder structure:
      C:\temp\AzureRmStorageTable\1.0.0.21\



      Step 2

      Get the function app's FTP details from Azure. Now that the Powershell Module is installed, upload it into a Modules folder in the Azure Function Applications file storage. To do this  use FTP or sFTP. In this case we will use FTP with the Filezilla client. Some information will be required out of your function applications properties screen.

      Settings are found under the “Platform Features” tab -> Properties



      Host = FTP HOST NAME
      FTP Username = FTP/DEPLOYMENT USER




      Step 3 – Configure FTP client
      Connect to the addresses provided using the Function Application Domain formatted username and Azure Password:

      Host: FTP HOST NAME
      FTP Username = FTP/DEPLOYMENT USER
      Example: “EdgePortTester-Part002\joeb”
      FTP Password = <Azure Password>

      Enter this information into the Filezilla Site Manager:


      Step 4 – Connect to Azure and Upload Powershell Module
      Now connect into Azure using the FTP client:


      Open the following folders:
      /site/wwwroot/TimerTriggerPart002

      Create a folder called “Modules”:
      /Site/wwwroot/TimerTriggerPart002/Modules

      Now, from the temp folder where the AzureRmStorageTable module was downloaded, copy this into the Modules folder. There should be a structure that looks like this:
      /Site/wwwroot/TimerTriggerPart002/Modules/AzureRmStorageTable/1.0.0.20

      The Storage Table module for Powershell should now be successfully installed. The next step is to get the Table Storage connection information out of Azure to allow for the Powershell module to connect and read/write to the storage that was automatically created when the Function Application was created.


      Step 5 – Get  Storage Account Settings
      The Powershell script provided in this post has some variables that need to be filled out with your own Function App's storage details. These details can be obtained from the Azure Portal.  
      In the Overview screen note down the “Subscription” and “Resource Group” names:


      From the Overview Tab of the Function Application open the “Resource group” link:


      Then open the storage Resource Group that was created automatically for the Function Application:


      Once in the storage Resource Group, the Access Keys for the application can be seen:

      Select Key 1 or Key 2 for use in the script.


      Step 6 - Get a copy of the Powershell script
      Download a copy of the Powershell Script.

      You can grab a copy of the script I wrote for doing the port monitoring from here: 



      Step 7 - Update script parameters
      Update the Storage Account details in the Powershell Script.

      Using the setting found in Step 5 you can fill in the Powershell script variables:
      #AZURE STORAGE VARIABLES######
      #SETTINGS ARE FOUND UNDER PLATFORM FEATURES TAB -> PROPERTIES
      $subscriptionName="Visual Studio Premium with MSDN"  #SUBSCRIPTION NAME
      $resourceGroup="EdgePortTester-Part002"      #RESOURCE GROUP
      $storageAccount="edgeporttesterp8dbf"      #STORAGE ACCOUNT NAME
      $tableName="EdgeTesterTablePart2"           #CHOOSE A NAME
      $partitionKey="EdgeTesterStoragePart2"      #CHOOSE A NAME
      $storageAccountKey="7asdkjhasd7KHDKJHAS0dsflasdnnlasd099asdpncsdlknclLJSDLjbadksdjbfa9su9duhoasivRqXA615jQ=="             #STORAGE ACCOUNT > ACCESS KEYS
      #AZURE STORAGE VARIABLE END######  


      Don’t forget, as in Part 1, to fill in your Mail Jet (see Step 13 from Part 1) email account information. Enter your Mail Jet API Key (Username) and Secret Key (Password) and paste them into the following section of the script:
      #MAIL JET USERNAME/PASSWORD#######
      $emailUsername="kjh3k23h4kjhkj37573f8f020879dff7"     
      $emailPassword="9898f98fhdjkkdjh46cd418100075a3b"
      #EMAIL ADDRESS TO SEND ERRORS TO
      $SENDEREMAIL="YourRealEmailAddress@domain.com"
      $RECIPIENTEMAIL="YourRealEmailAddress@domain.com"
      ##################################
      Note: Remember to configure the Sender Addresses in Mailjet as detailed in Step 13 of Part 1.

      Edit the Skype for Business Edge server details as required. These are entered as an array of hash tables. The sections highlighted in yellow can be changed. In this case the application is monitoring 2 Edge servers, one in Melbourne and one in Sydney.
      Location
      ServerName
      ServerRole
      DestinationPort
      Protocol
      Melbourne
      147.70.50.10
      Federation
      5061
      TCP
      Melbourne
      147.70.50.10
      Access Edge
      443
      TCP
      Melbourne
      147.70.50.11
      Web Conferencing
      443
      TCP
      Melbourne
      147.70.50.12
      AV Edge
      443
      TCP
      Sydney
      147.70.60.20
      Federation
      5061
      TCP
      Sydney
      147.70.60.20
      Access Edge
      443
      TCP
      Sydney
      147.70.60.21
      Web Conferencing
      443
      TCP
      Sydney
      147.70.60.22
      AV Edge
      443
      TCP
      Note: The script only supports testing TCP ports at this time.

      #SETUP EACH SERVER
      $Records= @(@{"Location"="Melbourne"; "ServerName"="147.70.50.10"; "ServerRole"="Federation"; "DestinationPort"="5061"; "Protocol"="TCP"})
      $Records+= @(@{"Location"="Melbourne"; "ServerName"="147.70.50.10"; "ServerRole"="Access Edge"; "DestinationPort"="443"; "Protocol"="TCP"})
      $Records+= @(@{"Location"="Melbourne"; "ServerName"="147.70.50.11"; "ServerRole"="Web Conferencing"; "DestinationPort"="443"; "Protocol"="TCP"})
      $Records+= @(@{"Location"="Melbourne"; "ServerName"="147.70.50.12"; "ServerRole"="AV Edge"; "DestinationPort"="443"; "Protocol"="TCP"})

      $Records+= @(@{"Location"="Sydney"; "ServerName"="147.70.60.20"; "ServerRole"="Federation"; "DestinationPort"="5061"; "Protocol"="TCP"})
      $Records+= @(@{"Location"="Sydney"; "ServerName"="147.70.60.20"; "ServerRole"="Access Edge"; "DestinationPort"="443"; "Protocol"="TCP"})
      $Records+= @(@{"Location"="Sydney"; "ServerName"="147.70.60.21"; "ServerRole"="Web Conferencing"; "DestinationPort"="443"; "Protocol"="TCP"})
      $Records+= @(@{"Location"="Sydney"; "ServerName"="147.70.60.22"; "ServerRole"="AV Edge"; "DestinationPort"="443"; "Protocol"="TCP"})


      Step 8 – Parameter Tweaking
      This version of the script has a few settings that can be tweaked. These are how many failures on each port is required before an email gets sent ($RequiredNumberOfFailuresBeforeEmail). There is also a setting for consolidating multiple errors or recoveries into a single email ($consolidateEmailsOnError and $consolidateEmailsOnError). Set these as you like:

      #This is the number of required port check failures before an email is sent out
      $RequiredNumberOfFailuresBeforeEmail=3

      #Send 1 email rather than one per record
      $consolidateEmailsOnError=$true
      $consolidateEmailsOnRecover=$true


      Step 9 - Paste the edited script into the Timer Trigger (run.ps1)
      Insert the Powershell script containing your variables into your Function App code window (run.ps1):


      Step 10 - Start receiving emails about your server being down
      Now kick back and enjoy your own personal Edge monitoring service! Emails should arrive at your inbox informing you of when Edge ports became unreachable.

      Note: It may take the script running a couple of times before all the table storage gets setup by the script. So you may see some error the first few times it runs.



      The Wrap Up

      There is Part 2 in the bag. I hope that in addition to helping you monitor your edge servers, this has been informative and taught you some new skills that might help in the future when making your own Function Apps.




      Building an Edge Server Port Monitor with Azure Function Apps – Part 3

      March 26, 2018, 4:48 am
      $
      0
      0
      This blog is an expansion on the previous Part 1 and Part 2 posts found here and here. The process of setting up the Function App for this part 3 section is the same as was documented in Part 1 and 2.  I suggest you head over to the first two parts and give them a good read before moving onto this post.

      In part 3 we will be adding to the Function App so it can save data over time that we can use to graph and manipulate in Power Bi. To do this we will expand the application to do the following:
      • Save all port test results to Azure Storage tables for analysis.
      • Use Power Bi to connect to Azure Storage Tables and create nice graphs showing the status of Edge servers over a period of time.

      Just like in Part 2 we will use the Azure Storage Tables module for Powershell to allow our application to keep both a short term memory for logging errors as well as a long term memory for logging all port testing attempts.

      Step 1
      To begin with follow Steps 1 through 5 of Part 2.

      Step 2 – Download a copy of the script
      You can grab a copy of the script I wrote for part 3 from here:



      Step 3 - Update variables

      Update the Storage Account details in the Powershell Script.

      IMPORTANT: These settings are slightly different than in Part 2. In this case we have 2 different storage tables: one of them stores the current state of edge servers (same as part 2) and the other one stores all attempts into a separate table (which we will use for analysis in Power Bi):
      #AZURE STORAGE VARIABLES######
      #SETTINGS ARE FOUND UNDER PLATFORM FEATURES TAB -> PROPERTIES
      $subscriptionName="Visual Studio Premium with MSDN"  #SUBSCRIPTION NAME
      $resourceGroup="EdgePortTester-Part003"      #RESOURCE GROUP
      $storageAccount="edgeporttesterp8dbf"#STORAGE ACCOUNT NAME
      $tableName="EdgeTesterTablePart3Current"      #CHOOSE A NAME 1
      $tableName2="EdgeTesterTablePart3Results"      #CHOOSE A NAME 2
      $partitionKey="EdgeTesterStoragePart3Current"      #CHOOSE A NAME 1
      $partitionKey2="EdgeTesterStoragePart3Results"      #CHOOSE A NAME 2
      $storageAccountKey="7asdkjhasd7KHDKJHAS0dsflasdnnlasd099asdpncsdlknclLJSDLjbadksdjbfa9su9duhoasivRqXA615jQ=="             #STORAGE ACCOUNT > ACCESS KEYS
      #AZURE STORAGE VARIABLE END######

      Don’t forget to fill in your Mail Jet email account information (as you did in Part 1) and add your Skype for Business Edge server's details. See Part 1 for more details. Enter your Mail Jet API Key (Username) and Secret Key (Password) and paste them into the following section of the script:

      #MAIL JET USERNAME/PASSWORD#######
      $emailUsername="kjh3k23h4kjhkj37573f8f020879dff7"     
      $emailPassword="9898f98fhdjkkdjh46cd418100075a3b"
      #EMAIL ADDRESS TO SEND ERRORS FROM
      $SENDEREMAIL="YourRealEmailAddress@domain.com"
      #EMAIL ADDRESS TO SEND ERRORS TO
      $RECIPIENTEMAIL="YourRealEmailAddress@domain.com"
      ################################## 

      Edit the Skype for Business Edge server details as required. These are entered as an array of hash tables. The sections highlighted in yellow can be changed. In this case the application is monitoring 2 Edge servers, one in Melbourne and one in Sydney.

      Location
      ServerName
      ServerRole
      DestinationPort
      Protocol
      Melbourne
      147.70.50.10
      Federation
      5061
      TCP
      Melbourne
      147.70.50.10
      Access Edge
      443
      TCP
      Melbourne
      147.70.50.11
      Web Conferencing
      443
      TCP
      Melbourne
      147.70.50.12
      AV Edge
      443
      TCP
      Sydney
      147.70.60.20
      Federation
      5061
      TCP
      Sydney
      147.70.60.20
      Access Edge
      443
      TCP
      Sydney
      147.70.60.21
      Web Conferencing
      443
      TCP
      Sydney
      147.70.60.22
      AV Edge
      443
      TCP
      Note: The script only supports testing TCP ports at this time.

      #SETUP EACH SERVER
      $Records= @(@{"Location"="Melbourne"; "ServerName"="147.70.50.10"; "ServerRole"="Federation"; "DestinationPort"="5061"; "Protocol"="TCP"})
      $Records+= @(@{"Location"="Melbourne"; "ServerName"="147.70.50.10"; "ServerRole"="Access Edge"; "DestinationPort"="443"; "Protocol"="TCP"})
      $Records+= @(@{"Location"="Melbourne"; "ServerName"="147.70.50.11"; "ServerRole"="Web Conferencing"; "DestinationPort"="443"; "Protocol"="TCP"})
      $Records+= @(@{"Location"="Melbourne"; "ServerName"="147.70.50.12"; "ServerRole"="AV Edge"; "DestinationPort"="443"; "Protocol"="TCP"})

      $Records+= @(@{"Location"="Sydney"; "ServerName"="147.70.60.20"; "ServerRole"="Federation"; "DestinationPort"="5061"; "Protocol"="TCP"})
      $Records+= @(@{"Location"="Sydney"; "ServerName"="147.70.60.20"; "ServerRole"="Access Edge"; "DestinationPort"="443"; "Protocol"="TCP"})
      $Records+= @(@{"Location"="Sydney"; "ServerName"="147.70.60.21"; "ServerRole"="Web Conferencing"; "DestinationPort"="443"; "Protocol"="TCP"})
      $Records+= @(@{"Location"="Sydney"; "ServerName"="147.70.60.22"; "ServerRole"="AV Edge"; "DestinationPort"="443"; "Protocol"="TCP"})


      Step 4 – Parameter Tweaking
      This version of the script like part 2 has a few settings that you can tweak. These are how many failures on each port is required before an email gets sent ($RequiredNumberOfFailuresBeforeEmail). There is also a setting for consolidating multiple errors or recoveries into a single email ($consolidateEmailsOnError and $consolidateEmailsOnError). Set these as you like:

      #This is the number of required port check failures before an email is sent out
      $RequiredNumberOfFailuresBeforeEmail=3

      #Send 1 email rather than one per record
      $consolidateEmailsOnError=$true
      $consolidateEmailsOnRecover=$true

      Step 5 - Download Azure Storage Explorer
      Now let your Function Application run for a while and gather some data. At any time you can look into your Function Apps Table Storage using Azure Storage Explorer. This application will show you all of the rows in your storage tables and allow you to see and edit as you see fit. You can download your free copy from here:

      https://azure.microsoft.com/en-us/features/storage-explorer/



      Once you have logged into your Azure Account within Azure Storage Explorer you can dig into your storage tables by selecting Storage Accounts > (Storage Resource Group Name) > Tables to see your table data. Note, there will be no table or data until you actually start running the Function App.

      Step 6 - Download Power Bi
      Now download a copy of Power BI for desktop:

      https://powerbi.microsoft.com/en-us/desktop/



      Install the downloaded Power Bi on your PC.

      Step 7 - Open Power Bi
      Open Power Bi Desktop and you will be greeted with a splash screen and dialog. Click on the “Get Data” button:




      Step 8 - Import Data
      The Get Data dialog will then be displayed. Select “Azure Table Storage” from the list and click the “Connect” button:



      Step 8 - Account URL dialog
      Power Bi will now request an Account Name or URL to connect to:



      Step 9 - Find Account URL
      The account name for the dialog above can be found in the Azure Portal under the storage account Overview > Tables section:



      The “Table service endpoint” is the value you will need to fill in the dialog with:



      Step 10 - Paste in URL
      Enter the Table service endpoint into the “Azure Table Storage” dialog and click “OK”:



      Step 11 - Enter Account Key
      You will now be asked to enter your “Account Key”:



      This can be found under the Storage Account > Access Keys section in the Azure Portal:



      Enter the Account Key and click “Connect”:



      Step 12 - Load Data
      Power Bi will now connect to your Table Storage and list up all of the Tables in there. Select the Results table and click “Load”:



      Step 13 - Not all data is displayed
      Power Bi will now download your data into the application. You may notice though that all of the columns that you can see in Azure Storage Explorer will not be displayed:



      Step 14 - Edit Query
      To be able to see all of the columns you need to do a little extra work. On the right hand side of the screen, Right Click on Table name at the top of the top of the column names listed and select “Edit Query”:



      Step 15 - Expand content column
      You will now see an extended view of the data that includes a “Content” Column:



      On the top right of the Column click on the double arrow “expand” button:




      You will now get a full list of all of the additional columns available that are stored in Table Storage as a Json blob. Tick the Columns that you want to include in your graphs and data analysis and click OK:



      Step 16 - All columns are now available
      You will now see the extra data columns:



       Click the “Close and Apply” button from the Home Tab:



      The full array of data is now available for you to do as you please with:



      Step 18 - Make charts
      Back on the "Report" tab you can now put together some nice looking graphs of your data. Here is an example of a Pie Chart and a Bar Chart showing information about the number of errors for each role:



      To create these graphs you use the following settings:




      From here you can play with the data in Power Bi and make whatever graph you like (I included location in the data so you can even plot your Edge servers on a map). This is what makes Power Bi so powerful!

      The Wrap Up

      This post ends my series on creating an Edge port monitor with Azure Function Apps. I hope that in addition to helping you monitor your edge servers, this has been informative and taught you some new skills that might help in the future when making your own Function Apps.



      Polycom VVX Not Displaying PIN Authentication Option

      August 12, 2018, 4:15 am
      $
      0
      0
      I had an interesting issue with a Polycom VVX deployment recently that I thought I would share in case others run into the same issue.


      The Issue

      The symptom of the problem was that after the Polycom VVX had completed booting, including getting an IP Address and downloading software/config files, the PIN Authentication option did not appear on the sign-in options screen. This meant that I was unable to use PIN Authentication at all for signing in the devices which was a problem because we planned on using it for all the phones. Below is an example of what the screen looked like:

      Sign-in Screen without PIN Auth option

      Troubleshooting

      There was a series of steps that I went through in troubleshooting this issue. I will take you through all of them so you too can check whether your issue might be solved with some of the earlier steps that I tried before reaching a resolution.

      STEP 1
      I first confirmed that PIN Authentication was in fact turned on in the configuration file(s) of the phone. To do this I checked that the following setting was not in the configuration files:

      <!-- Disable PIN Auth by setting "0" -->
      <reg reg.1.auth.usePinCredentials="0" />
      Note: The phone can have multiple configuration files that are both manually added by administrators and automatically created by the phone (ie. <MAC>-phone.cfg, <MAC>-web.cfg, etc). You need to check all of the files associated with the phone's MAC address to ensure it’s not being overridden by another file.

      I also checked the setting directly in the phone using my VVX Phone Manager Tool to get the active setting out of the phone using the REST interface. In my case this setting was not configured in the config file and it defaults to being on (ie. set to "1"). So this wasn't the problem.

      STEP 2
      I checked that PIN Authentication was actually enabled on the Skype for Business server. This can be done in the Control Panel > Security > Web Services > Pin Authentication Enabled:


      This was also enabled - so in this case it wasn't the problem.


      STEP 3
      I tested the PIN Authentication process on the server by running Test-CsPhoneBootstrap PowerShell command on the system. This worked just fine:

      PS C:\ > Test-CsPhoneBootstrap -PhoneOrExtension 4500 -PIN 12345 -TargetFqdn 2015ENTFE004.myskypelab.com -TargetUri https://2015ENTFE004.myskypelab.com:443/CertProv/CertProvisioningService.svc

      Target Fqdn   : 2015ENTFE004.myskypelab.com
      Target Uri    : https://2015ENTFE004.myskypelab.com:443/CertProv/CertProvisioningService.svc
      Result        : Success
      Latency       : 00:00:01.2333041
      Error Message :
      Diagnosis     :

      STEP 4
      In this deployment there was a centralised Windows Server that was serving DHCP to all the client subnets. On the central DHCP server I confirmed that all of the DHCP options were correct using my Skype4B/Lync DHCP Config Tool. This tool parses the byte format Vendor Options and displays them as readable text, and if it is unable to parse the byte format it will display an error:

      This is an example image from my lab

      In this case, all settings were displayed and no encoding issues were detected by the tool, which means this wasn’t the issue. So I checked that there was no DHCP server on a closer subnet (ie. a switch or router) that was responding to DHCP before the central Window DHCP server. This also wasn’t the case as I could see that the central DHCP server had logged the address lease for the Polycom VVX with the particular MAC Address of the test device.

      STEP 5
      At this point this was starting to look like a more complex problem so I took to the lab to see if I could reproduce such behaviour.  I noticed that after a factory default the phone initially didn’t display the Pin Authentication option for a couple of seconds - it appeared belatedly. This indicated to me that there was some additional check that was being done by the VVX before it would display this option. So this begged the question: what is required for PIN Authentication to function on the VVX? The most important thing that is required is that the phone gets the DHCP Options which tell it where the Cert Provisioning services resides, so it can communicate with the web services required for PIN Authentication.

      Given that the VVX phones were being issued IP Addresses via DHCP, it didn’t seem likely to be a connectivity issue between the VVX and the DHCP server. However, I looked into the traffic flows to confirm this and found something interesting. In this Wireshark capture, you can see that the DHCP Options get sent out in response to an INFORM message that the VVX sends. The INFORM message is a special DHCP message that is outside of the initial DHCP IP Address discover process (DISCOVER > OFFER > REQUEST > ACK). The interesting thing about the INFORM message is that the ACK for this message from the DHCP server gets sent as a Unicast response directly back VVX itself rather than to the DHCP Relay IP Address, unlike all the other messages. The screen shot below also shows this from the DHCP server perspective - you can see the final ACK message has a Destination IP Address of the VVX instead of the DHCP relay IP Address:


      The highlighted INFORM ACK message in Wireshark shows that it contains all the additional Microsoft specific Vendor Class Options (Certificate Provisioning Service details). It’s the packet that has the information that the VVX needs to get PIN Authentication working.

      In this case, because a centralised DHCP was being used, the broadcast DHCP messages on the local subnet were being changed into unicast messages by the local router and sent over to the central DHCP server. There was also a firewall in between this local router and the centralised DHCP server. This meant that because the returning INFORM ACK message was sent directly back to the phone (which is part of the DHCP specification and is correct operation) the firewall had not created a UDP flow for it and the packet gets blocked. The diagram below shows how the DHCP traffic flow works with a DHCP Relay in place and where the issue resides:


      As you can see from the diagram above, the firewall appears to be allowing traffic from the DCHP relay through to the DHCP server. After transiting the DCHP relay, the DHCP traffic flows from source port 67 to destination port 67. Then the INFORM ACK message then gets sent back from source port 67 on the DHCP server to destination port 68 on the VVX -  which the firewall did not have an existing flow for and it dropped the packet. As a result, the VVX didn’t receive its required Cert provisioning service URL and because of this didn't display the PIN Authentication sign-in button.

      The Solution

      So the solution here, as it often is, is firewall related. In this case we had to allow port 68 from the DHCP server IP Address to all the VVX phone subnets. After this was done the INFORM ACK messages could flow as required for the VVX to get its Vendor Class options.


      If you don’t have access to the firewall or you need a quick solution to the problem, you can hard code the data contained in the Vendor Class options into the phone. This was added as a config option in software version 5.3. The configuration item is shown below:

      <dhcp dhcp.option43.override.stsUri="https://s4bwebint.domain.com:443/CertProv/CertProvisioningService.svc" />

      This can also be set in the web interface of the phone in the Settings > Provisioning Server > DHCP Menu > DHCP Option 43 Override STS-URI:



      The Wrap Up

      For all the old-school UC people out there, let's finish with a Haiku in the style of the old Lync 2010 powershell blog:

      Firewalls drop packets,
      This causes many issues,
      Switch off all firewalls.

      Till next time, see ya! 
      Viewing all 63 articles
      Browse latest View live
      Search