Protecting the Edge Server Against DoS and Password Brute Force Attacks in Office Communications Server

Some of my good OCS friends (Kjeld and Kenneth) pointed me to this great article from RUI Maximo on protecting your Edge/OCS from DoS.

In some company’s users will actually be looked out after 3-5 bad  login attempts, and stay looked out until they are unlocked, in most company's they will reopen automatically after 5-15 min and then they will have 3-5 login attempts again.

But no matter if it’s 5 min or 30 min that users are looked out, it’s could give load on the helpdesk, and loss of productivity .

DoS attacks can be done from self made applications/scripts . I have not heard of customers that have had attack yet, but if you have customers that have concerns on this topic, please read Rui Maximo great article and maybe use the filter on your Edge server.

Link : http://technet.microsoft.com/en-us/ff706687.aspx

Microsoft Office Communicator 2007 Hotfix KB 974599 (R1)

get it here

Hardware Load Balancing with Office Communications Server 2007 R2

Hardware load balancer in OCS can be complex, there is a new guide/document on this.

 

Get it here

Source for this information LCSKid

No excuse for not buying Certified devices

Okay with some of the last releases from certified device vendors there is no excuse for not buying certified devices.

And one of the reasons for not going on OCS with Voice (price on new device) is significant lower now than it was , and I think it might be even lower in 2010.    

Find all certified devices here

Example on price:

Plantronics .Audio 615M  http://www.voipsupply.com/plantronics-audio-615m-headset $37.70

 

Jabra Biz 620 Mono ttp://accessories.us.dell.com/sna/productdetail.aspx?sku=A3013871&cs=04&c=us&l=en&dgc=SS&cid=39888&lid=1022050  $44.99

 

And remember you can still give the “I need my old phone user” this “IPT look a like” usb phone and still get all the OCS features: http://www.polycom.com/products/voice/desktop_solutions/microsoft_optimized_devices/communicator_cx300.html

And while we wait for OCS wave 14 (the real replacement of the PBX/IPT)  have a look at Voipnorm opinion on UC devices here

Update to: Unified Communications Phones and Peripherals Datasheet

The datasheet provides the following information about each device:

• A thumbnail photo of the device
• Hardware type
• Name of the partner that produces the device
• Product name
• A brief description of the device
• URL for the partner's Unified Communications landing page

Whitepaper on Deploying Certificates in OCS 2007 and OCS 2007 R2

In this document, you will learn about the properties and attributes of certificates when working with Office Communications Server 2007 and Office Communications Server 2007 R2. This document contains a walkthrough of most of the common, and some optional, tasks that you need to perform to realize the full value of the system. All roles that require certificates for deployment and operation are discussed. The properties are presented along with information to describe what they are and how they are used. This document shows you how to request the right certificate with the right parameters to make sure that you are delivering value to your users, rather than just troubleshooting problems.

Source: http://msgoodies.blogspot.com/2009/08/whitepaper-on-deploying-certificates-in.html

New version of: Planning Tool for Microsoft Office Communications Server 2007 R2

What’s New in the Planning Tool for Office Communications Server 2007 R2?

· Now supported on Windows Server 2008 (32-bit and 64-bit)
· Exports the topology to the Microsoft Office Visio drawing and diagramming software
· Exports the hardware for all sites to Microsoft Office Excel
· Includes hardware requirements and port information on each server role as well as port information for your firewalls
· Includes Enterprise Voice
· Saves the topology to a location and file name of your choice so that you can reload it at your convenience
· Provides the ability to add, edit, and delete sites
· Provides the ability to print topologies, server information, and planning and deployment steps
· Allows customizing design of each site
· Allows to specify whether you have a perimeter network for a site
· Dynamically draws the topologies faster
· No longer need to run as administrator on Windows Vista
· Introduces new features and topology recommendations for Microsoft Office Communications Server 2007 R2
· Provides a way to bypass the interview questions if you already know what features you want
· The latest update of the Planning Tool includes corrections to ensure the screen can be viewed in the 1024x768 resolution, with the default dpi, on a 14’ and 15’ monitor.

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=fdf32585-c131-4832-8e27-67e70636c1e8

New device :OCS Device CX300 from Polycom

Okay new rumors :) in my old blog regarding this device and on this picture it has a display, to my knowledge the new CX300 won’t have a display but the number keypad is included and it will be USB connected.

Released (Q3 2009), hope I can get one for test :)

Polycom is planning to release more OCS devices ethernet-connected CXxxx in Q1 2010.

OCS Connectivity test tool

I my blog on Exchange Connectivity test tool  I mentioned that it would be smart for such a tool for OCS.

So here it is: https://www.testocsconnectivity.com/

My recommendation is to not use your normal account, but perhaps make a test account that you can use to test on this site.

The site is still in Beta !

The Exchange connectivity test tool link is here

Microsoft Office Communicator 2007 Hotfix KB 969694

Get it here

File Name:
communicator.msp

Version:
2.0.6362.137

Knowledge Base (KB) Articles:
KB969694

Date Published:
7/28/2009

Language:
English

Download Size:
5.8 MB

Mobile Communicator vs Communicator

I often get this questions why isn’t it the same phone numbers that I see on my Company contact on my Mobil Communicator and my Communicator.
Or questions like this: on my Mobile Communicator I can’t see any phone number at all on company contact, but in my Communicator I can see Work-Mobile-Privat.

My quick answer is: The Mobile Communicator doesn’t have a Global adresse list locally. and the “publish this phone number” in Communicator isn’t set.

Conclusion: If you like other users to see your phone number, you must use the “Publish this phone number” and the “level of access” to choose what number they can see in Mobile Communicator, regardless of they are users from your AD/organization/OCS system.
This is not like the way “PC” Communicator normaly interact!

The way that the Mobile Communicator get phone number is when it’s gets the contactcard in the Presence XML document on its contacts, at logon or update.

This table show what you see and don’t see when numbers are publish in Active Directory, and have set the “publish this phone number” in communicator, in combination with access level.

This behavior is like when one of you contact is a Federated contact and you like them to be able to see your phone numbers.

In the presence XML Document that users publish to the front-end server is all the information on what the Mobile Communicator can see and can’t see.

Use Snooper to trace:

SIP Snooper trace of a posted presence XML document from client where no numbers have set the “publish this phone number” (notes the <publish>FALSE</publish> )

<userInformation xmlns="http://schemas.microsoft.com/2006/09/sip/options/userInformation"><phones>

<phonetype="work"><publish>false</publish><readOnly>true</readOnly><displayString>+4589490123</displayString><uri>tel:+4589490123</uri></phone>

<phonetype="mobile"><publish>false</publish><readOnly>true</readOnly><displayString>+4747474747</displayString><uri>tel:+4747474747</uri></phone>

<phonetype="home"><publish>false</publish><readOnly>true</readOnly><displayString>+4646464646</displayString><uri>tel:+4646464646</uri></phone>

<phonetype="other"><publish>false</publish></phone></phones><callHandlingList><lastPhone><displayString>90138</displayString><uri>tel:+4589490138;ext=90138</uri></lastPhone></callHandlingList></userInformation>

******************************************************************************

Snooper trace: this XML post is when work number is set to “publish this phone number” (notes the missing <publish>FALSE</publish> on work number)

<userInformation

xmlns="http://schemas.microsoft.com/2006/09/sip/options/userInformation">

<phones><phonetype="work"><readOnly>true</readOnly><displayString>+4589490123</displayString><uri>tel:+4589490123</uri></phone>

<phonetype="mobile"><publish>false</publish><readOnly>true</readOnly><displayString>+4747474747</displayString><uri>tel:+4747474747</uri></phone>

<phonetype="home"><publish>false</publish><readOnly>true</readOnly><displayString>+4646464646</displayString><uri>tel:+4646464646</uri></phone>

<phonetype="other"><publish>false</publish></phone></phones><callHandlingList><lastPhone><displayString>90138</displayString><uri>tel:+4589490138;ext=90138</uri></lastPhone></callHandlingList></userInformation>
</category>

Snooper trace: This part of the contactcard is what mobile Communicator get from the front-end server (notes the work number is in this)

</contactCard>
</category>
<category name="contactCard" instance="3" publishTime="2009-07-24T14:22:00.127">
<contactCard xmlns="http://schemas.microsoft.com/2006/09/sip/contactcard">
                <phone type="work">
                    <uri>tel:+4589490123</uri>
                </phone>
            </contactCard>

Here you can read a bit more on setting phone option.

In the text below from this link, it says that you can’t unpublish this number when its provided from Activ directory, thats not the case when you are using Mobil communicator, only when using “PC”Communicator, On Mobile Communicator you can’t see any numbers on your contacts if they haven’t set this “publish”

Text from link *********
About Active Directory and why some phone numbers cannot be modified or unpublished

Phone numbers that are provided to Communicator from Active Directory will appear in the Phones tab as inactive fields and cannot be edited. Additionally, these numbers cannot be unpublished. Clearing the Publish check box for numbers provided from Active Directory will not unpublish the number.

Setting access level

Snooper trace where a user set's access level for jan@ocsblogs.eu to Personal

Message-Body: <setContainerMembers xmlns="http://schemas.microsoft.com/2006/09/sip/container-management"><container id="400" version="8"><member action="add" type="user" value="jan@ocsblogs.eu"/></container></setContainerMembers>
$$end_record

Container ID Description 
100 Presence is accessible by all federated users.

200 Users from the same company can access the presence data of the publisher.

300 The team members of the publisher can access the presence data of the publisher.

400 Specified subscribers have unrestricted access to the presence data, including sending a potentially interruptive IM invitation when the publisher's status is displayed as Do Not Disturb.

32000 The specified members are blocked to view the presence data. The category instances should be empty category elements.

Office Communications Server Public IM Connectivity Provisioning Guide

Information Required for Provisioning

To provision Office Communications Server public IM connectivity, you need the following information:

· Microsoft Agreement Number

· Access Edge service fully qualified domain name (FQDN)

· Primary Session Initiation Protocol (SIP) domain

· Any additional SIP domains

· Any additional Access Edge service FQDNs

· Contact information

get it here

OCS: MSN PIC for free :)

Windows Live: Customers with Office Communications Server 2007 R2 Standard Client Access License or Office Communications Server 2007/ Live Communications Server 2005 SP1 Standard CAL license with active Software Assurance (SA) qualify for federation with Windows Live Messenger without additional licensing requirements. Customers who do not meet the qualifying requirement should buy the Office Communications Server Public IM Connectivity license for federation with Windows Live Messenger.

AOL/Yahoo!: Federation with AOL and Yahoo! requires the Office Communications Server Public IM Connectivity (PIC) per user subscription license. The PIC License provides connectivity to both IM service providers. There are no license options for connectivity to only one provider, but administrators can choose which service provider they provision.

Get more info here

http://www.microsoft.com/communicationsserver/en/us/public-im-connectivity.aspx

http://blogs.technet.com/mikkelbn/default.aspx

http://www.microsoft.com/communicationsserver/en/us/public-im-connectivity.aspx

OCS and CS1000 integrations problem (no SIP-GW-ID)

When connecting OCS and Nortel CS1000 you can run in to problem regarding your patch level on the CS1000.

Please be sure that your Cs1000 has installed all the right Patches, use the “dep list” from Nortel

I had a problem here regarding a customer that’s has a running OCS/CS1000 enviroment, but suddenly some problem started accruing after CS1000 patch install.

The MCM log had stuff like this:
MediationServer 503/504 handler: there is no "sip-gw-id" parameter in the stored INVITE
”504 server time out” and ”no sip-gw-id”.
ProcessRequestFromGateway: there is no "sip-gw-id" parameter in the incoming INVITE

The problem is no/missing sip-gw-id in the invite.

Working (incl sip-gw-id):
x-nt-ocn-id: <sip:8987;phone-context=cdp.udp@doamin.org;user=phone>;sip-gw-id=CS1000

Not working:
x-nt-ocn-id: <sip:8987;phone-context=cdp.udp@doamin.org;user=phone>

To fix this, you need the SigServer patch p25226_1.spm it was disabled after installing and other patch.

IT Manager: Platform Solution Blueprint – Unified Communications

What stage are your deployment in ?

get more information here

Running Microsoft Office Communications Server 2007 R2 in a Virtualized Topology

This document describes the results of a series of configurations that were run in a Hyper-V environment to validate that Office Communications Server on Hyper-V provides stable performance and scalability for production use.

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=0a45d921-3b48-44e4-b42b-19704a2b81b0

Enterprise Voice, Remote Call Control (RCC), Response Group Service, dial-In conferencing, audio/video conferencing, Web conferencing, and Communicator Web Access desktop sharing workloads are not supported in a virtualized Office Communications Server 2007 R2 deployment. This occurs because of several factors, including packet loss, delay, jitter, and clock skew. These factors impact the quality and performance of real-time media when virtualized. However, these factors do not impact other workloads such as instant messaging and presence because these workloads are less susceptible to delay and can use the natural retry mechanisms in the SIP protocol and the underlying TCP transport.

 

Role	Supported	Supported features	Unsupported features
Enterprise front-end server	Yes	Presence, IM	Enterprise Voice, audio/video
Standard Edition Server	No
IM Conferencing Server	Yes	IM Conferencing
Access Edge Server	Yes	Remote Access Federation, Public IM Connectivity
SQL Server back-end server	Yes	Office Communications Server Backend
Group Chat Channel Server	Yes	Channel Server
Group Chat Look-up Server	Yes	Channel and Load balancing management
Group Chat back-end server	Yes	Group Chat database
Group Chat Compliance Server	Yes	Compliance
Group Chat Compliance back-end server	Yes	Compliance database
Director	No
Audio/Video Conferencing Server	No
Application Sharing Conferencing Server	No
Web Conferencing Server	No
Telephony Conferencing Server	No
Archiving Server	No(1)
Monitoring	No(2)
Web Conferencing Edge Server	No
A/V Edge Server	No
Mediation Server	No
Outside Voice Control Service	No
Conferencing Attendant Service	No
Response Group Service	No
Conferencing Announcement Service	No
Update Server	No
Communicator Web Access	No

List of available updates for Communications Server 2007 R2: April 2, 2009

http://support.microsoft.com/kb/968802

Updates that are released for Communications Server 2007 R2

• Update for Application Host

  967832 (http://support.microsoft.com/kb/967832/ ) Description of the update package for Communications Server 2007 R2 Application Host: April 2009

• Update for Application Sharing Server

  967833 (http://support.microsoft.com/kb/967833/ ) Description of the update package for Communications Server 2007 R2, Application Sharing Server: April 2009

• Update for Administration Tools

  968280 (http://support.microsoft.com/kb/968280/ ) Description of the update package for Communications Server 2007 R2, Administration Tools: April 2009

• Update for Core Components

  967827 (http://support.microsoft.com/kb/967827/ ) Description of the update package for Communications Server 2007 R2 Core Components: April 2009

• Update for Communicator Web Access

  967836 (http://support.microsoft.com/kb/967836/ ) Description of the update package for Communications Server 2007 R2, Communicator Web Access: April 2009

• Update for Conferencing Attendant

  968913 (http://support.microsoft.com/kb/968913/ ) Description of the update package for Communications Server 2007 R2, Conferencing Attendant: April 2009

• Update for Monitoring Server

  967837 (http://support.microsoft.com/kb/967837/ ) Description of the update package for Communications Server 2007 R2, Monitoring Server: April 2009

• Update for Mediation Server

  967675 (http://support.microsoft.com/kb/967675/ ) Description of the update package for Communications Server 2007 R2, Mediation Server: April 2009

• Update for Outside Voice Control

  967835 (http://support.microsoft.com/kb/967835/ ) Description of the update package for Communications Server 2007 R2, Outside Voice Control: April 2009

• Update for Response Group Service

  967829 (http://support.microsoft.com/kb/967829/ ) Description of the update package for Communications Server 2007 R2, Response Group Service: April 2009

• Update for Enterprise Edition Server

  967831 (http://support.microsoft.com/kb/967831/ ) Description of the update package for Communications Server 2007 R2: April 2009

• Update for Unified Communications Manager API 2.0 Core Redist 64-bit

  967674 (http://support.microsoft.com/kb/967674/ ) Description of the update package for Communications Server 2007 R2, Unified Communications Manager API 2.0 Core Redist 64-bit: April 2009

• Update for Web Components Server

  967830 (http://support.microsoft.com/kb/967830/ ) Description of the update package for Communications Server 2007 R2, Web Components: April 2009

Cisco Communicator plug-in

Cisco has just released a Communicator plug-in, with this plug-in you can do clik to call. it’s a TAB plup-in.

This is a Cisco softphone intergration and by using this you will move all your voice Communication to the “Cisco world”. (there must be some pro/cons when doing that ;) )

I haven’t testet it jet, but if I get the chance, I will post a new blog about it