How to integrate OCS 2007 R2 CWA with Lync Server 2010 without Merging Lync Topology

I would like to share a few scenarios where you may need to deploy the R2 version of Communicator Web Access with Lync Server 2010. The core reason is that Lync Server 2010 contains a feature on the front end called Lync Web App. Eventually, Lync Web App will become a full-featured web client, but today it is only used for joining online meetings from the web. There is no ability to browse to Lync Web App from a URL and sign in, or to use it as an instant messaging tool. This is planned for SP1 of the product; that timeframe is unknown right now.

To fill this gap, customers will have to deploy the OCS 2007 R2 CWA role, which can register against a Lync Server 2010 pool. This post will show you how to configure OCS 2007 R2 CWA to work in your Lync Server 2010 environment without a backward compatible site (that is, without merging the OCS 2007 R2 topology into the Lync topology).

Preparing the Environment

The most important piece of information in this post is that the Schema Prep for OCS 2007 R2 must be run in the environment before the Lync Server 2010 Schema Prep, or you will not be able to install the R2 version of CWA. If this is a deployment with no prior install of OCS 2007 R2, you will need to obtain that media and run its Schema Prep before your Lync deployment starts, so it is very important to plan for this in the design/planning phase of your project.

Also, to get straight to the point of this post, I assume you have prepared the schema in the correct order, have your Lync Server 2010 environment online, and have already installed the CWA role on a server. I will walk through creating the virtual web server, as well as integrating it with your Lync environment.

Use this Deployment Guide to install and configure the CWA role

Creating the OCS 2007 R2 Virtual Web Server

Once you have the CWA role installed, and a valid certificate installed on the server, you must configure the virtual web server that clients will access.

I will walk you through the process for creating an internal web server; the same process applies for the external web server. The difference is the types of authentication allowed: external allows forms-based authentication, whereas internal also allows NTLM authentication.

Log in to your R2 CWA server and open the Communicator Web Access Admin Console.

Once in the admin console, right-click your server and choose Create Virtual Web Server.

Navigate through the setup wizard and choose your Web Server Type; in my case I am choosing Internal. Make sure to select a valid HTTPS certificate when prompted. The certificate must be issued for the server name (the CWA server name) with a SAN covering both names (server.domain.com, cwa.domain.com), and it must be assigned on the Communicator Web Access server.

When you get to the Specify IP Address and Port section, note that this is the IP and listening port for your web server, not the communication between Lync and your CWA server; we will get to that next.

After entering a description for your virtual web server, you reach the most important part of this wizard, the Specify a Listening Port section. This is the port the application listens on and communicates with your Lync front end on. Because of the change in ports between OCS R2 and Lync, previously used values like 5070 or 5071, which you will see in older blog posts of mine, do not work. You must pick a port that is not currently used by another application. For my example I am using 4790. This can be any port, as long as your Lync front end and this server can communicate on it.

Next, define your next hop pool: choose the appropriate Lync pool as the next hop and leave the port at the default, 5061.

Complete the wizard and start the virtual server.

Your settings should look similar to this:

Now that you have completed this, you will need to make Lync aware of this server.

As you will find in the OCS 2007 R2 to Lync Server 2010 Migration Guide, you would normally merge your legacy OCS 2007 R2 components into your Lync topology. Our goal here is precisely not to merge the OCS 2007 R2 component into the Lync topology.

Configuring Lync Server 2010

Now that we have our CWA server configured, we must make the Lync topology aware of it. To do so, we will create a trusted application server in our Lync topology. This is possible through PowerShell using the New-CSTrustedApplicationComputer cmdlet; however, I will be using the GUI.

First, navigate to your Lync front end and open the Topology Builder.

In this case we have retired the OCS 2007 R2 environment (redeploying Communicator Web Access). The topology looks like this:

Right-click Trusted application servers and choose New Trusted Application Pool.

Select Single computer pool in the wizard.

Select the next hop pool in the wizard and click Finish.

In Topology Builder you will now see the trusted application pool that was created.

Right-click where it says Lync Server 2010 and choose Publish Topology.

Once you have published your topology, open the Lync Server Management Shell and run the following command (server.domain.com is your CWA server FQDN, and the port must match the listening port chosen in the CWA wizard, 4790 in this example):

New-CsTrustedApplication -ApplicationId server.domain.com -Port 4790 -TrustedApplicationPoolFqdn server.domain.com

This creates a trusted application that communicates with the trusted application pool.

To check, run: Get-CsTrustedApplication

You should now be able to log in to CWA as a Lync Server 2010 user.
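The same Lync-side configuration done entirely from the Lync Server Management Shell, as an added example that is not part of the original post. It creates the trusted application pool and the trusted application with the cmdlets (the Topology Builder steps above are the GUI equivalent), then checks from the front end that the CWA listening port actually answers, which is the quickest way to catch a mismatch between the port entered in the CWA wizard and the port given to New-CsTrustedApplication. The server and pool names (cwa01.domain.com, lyncpool.domain.com), the site name Site1 and the port 4790 are assumptions; substitute your own.

```powershell
# Added example (not from the original post). Run in the Lync Server Management
# Shell on a front end. All names below are assumptions; adjust to your environment.
$CwaFqdn  = 'cwa01.domain.com'     # CWA server FQDN (assumed)
$PoolFqdn = 'lyncpool.domain.com'  # Lync pool used as next hop (assumed)
$SiteName = 'Site1'                # Lync site that contains the pool (assumed)
$Port     = 4790                   # listening port chosen in the CWA wizard

function Test-TcpPort {
    # Returns $true when a TCP connection to $Fqdn:$Port succeeds within the timeout.
    param([string]$Fqdn, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Fqdn, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $client.Connected
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Trusted application pool (single computer): the cmdlet equivalent of the
#    Topology Builder wizard. Enable-CsTopology publishes the change.
if (-not (Get-CsTrustedApplicationPool -Identity $CwaFqdn -ErrorAction SilentlyContinue)) {
    New-CsTrustedApplicationPool -Identity $CwaFqdn -Registrar $PoolFqdn -Site $SiteName | Out-Null
    Enable-CsTopology
}

# 2. Trusted application bound to the CWA listening port (same command as in the post).
$existing = Get-CsTrustedApplication |
    Where-Object { $_.TrustedApplicationPoolFqdn -eq $CwaFqdn -and $_.Port -eq $Port }
if (-not $existing) {
    New-CsTrustedApplication -ApplicationId $CwaFqdn -Port $Port -TrustedApplicationPoolFqdn $CwaFqdn | Out-Null
}

# 3. Verify: the trusted application exists and the port answers from this front end.
#    A closed port usually means the virtual web server is stopped, the port entered
#    in the two wizards differs, or a firewall on the CWA server blocks it.
Get-CsTrustedApplication |
    Where-Object { $_.TrustedApplicationPoolFqdn -eq $CwaFqdn } |
    Format-List Identity, ApplicationId, Port

if (Test-TcpPort -Fqdn $CwaFqdn -Port $Port) {
    "Port $Port on $CwaFqdn is reachable from $env:COMPUTERNAME"
} else {
    Write-Warning "Port $Port on $CwaFqdn is not reachable; check the listening port and firewall"
}
```

Test-TcpPort uses a raw TcpClient rather than Test-NetConnection so the script also runs on Windows Server 2008 R2, where the latter cmdlet does not exist.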


How to Integrate Lync 2010 with Blackberry 5.0 SP3

Lync 2010 BES 5.0 SP3 Integration Guide

Now that RIM has released Service Pack 3 for the Blackberry Enterprise Server (BES) 5, we can have Lync connectivity on our Blackberries. Let me tell you, it works well. It took a while to get it functioning properly, but it was worth it. So if you don't already have the Service Pack, go here and get it. Lync integration with the BES requires the UCAPI 2.0 (package 1, package 2), SQL Native Client, and OCS Core Components (available in the OCS 2007 R2 setup package under i386; do not install the Lync 2010 core components, which will not work) to be installed. That's right, RIM uses the OCS 2007 R2 components to accomplish the connectivity. If you ask me, this is very smart, since Lync has backward compatibility for OCS 2007 R2 components. This is a two-for-one deal for RIM: they can support OCS 2007 R2 and Lync using the same interfaces.

Once you have the prerequisite packages installed (the installer will tell you if it needs them), you can decide which provisioning method you wish to use. There are two methods, and they are described in detail here. I chose the automatic method, which worked perfectly.

Now go ahead and install the BES or upgrade it. This is out of the scope of this post; follow the RIM documentation on how to do this.

Next, you'll have to generate a certificate for the BES. More information can be found in RIM's knowledge base; here is the article you'll want to review. Now you're probably thinking: great, I know what I need in the certificate, but how do I create the request? I have a standalone CA in my environment, and it was quite simple once I knew the syntax to use in the certificate request INF file. Here is a sample certificate request INF file for the BES.

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=lyncpool.example.com"
Exportable = TRUE
KeyLength = 1024
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1

[RequestAttributes]
SAN="dns=lyncserver.example.com&dns=besserver.example.com"

A few notes on the above INF file (note that the quotes must be straight ASCII quotes; certreq rejects the curly quotes that word processors and blog editors substitute):

  1. Subject must be set to the FQDN of the Lync pool that you will be connecting to in the same format as above.
  2. Setting Exportable to TRUE allows you to export and transport the certificate with the private key to another server later if required or to export it and back it up. Set it to FALSE to disallow this.
  3. SAN must contain the FQDNs of the servers hosting the Lync pool and of the BES server that is providing the Collaboration service. The format must be the same as above.
  4. The sample file is for a standalone or external Certificate Authority. If you are using an Enterprise CA or need more information in general, take a look at this Microsoft knowledge base article. 

Once your INF file is ready and you are ready to submit the request to your CA, run the following command on the server hosting your BES:

certreq -new "path to your inf file" "path to the request file to generate"

If you are running this on a 2008 or 2008 R2 server, you will need to run it as an administrator. This generates the request file, which you then send to your CA to have a certificate issued.

Once you get the certificate back from your CA, you can install it. The easiest way is to open the MMC, add the Certificates snap-in, select "Computer account" and point it at "Local Computer" (or another computer, so long as it is the server hosting the BES). Now open Personal, right-click, select "All Tasks" and then "Import..." and follow the wizard, selecting the file your CA gave you when prompted. Once the certificate has been imported, click Certificates under Personal, right-click the certificate you just imported and choose Properties. Enter OCSConnector as the "Friendly Name". Click OK and you're done with the certificate setup. The friendly name is essential; the BES seems to look for this so it knows which certificate to use.
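The request and import steps above, scripted in PowerShell as an added example that is not part of the original post. The first function writes the INF from the post with straight quotes and runs certreq -new; the second, run after the issued certificate has been imported into the computer store, locates it by subject, checks that the SAN actually lists every required host name and that the Server Authentication EKU is present (the two things the BES article is strict about), and sets the OCSConnector friendly name without the MMC. The names lyncpool.example.com, lyncserver.example.com and besserver.example.com come from the post; the working directory C:\BESCert and the KeyLength default are assumptions.

```powershell
# Added example (not from the original post). Run elevated on the BES server.
$PoolFqdn  = 'lyncpool.example.com'                             # from the post
$SanHosts  = @('lyncserver.example.com', 'besserver.example.com') # from the post
$WorkDir   = 'C:\BESCert'                                        # assumed
$KeyLength = 2048  # the post's sample uses 1024; public CAs have required 2048 since 2014

function New-BesCertRequest {
    # Writes the INF (straight quotes only) and generates the request file with certreq.
    param([string]$Subject, [string[]]$San, [string]$Dir, [int]$Bits)
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    $inf = Join-Path $Dir 'bes.inf'
    $req = Join-Path $Dir 'bes.req'
    $sanValue = ($San | ForEach-Object { "dns=$_" }) -join '&'
    @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Subject"
Exportable = TRUE
KeyLength = $Bits
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1

[RequestAttributes]
SAN="$sanValue"
"@ | Set-Content -Path $inf -Encoding ASCII
    & certreq.exe -new $inf $req   # needs an elevated prompt on 2008 / 2008 R2
    return $req
}

function Set-BesCertFriendlyName {
    # After import: validate SAN and EKU, then set the friendly name the BES looks for.
    param([string]$Subject, [string[]]$San, [string]$FriendlyName = 'OCSConnector')
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Subject" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key for CN=$Subject in LocalMachine\My" }

    # Subject Alternative Name extension (OID 2.5.29.17) must list every host.
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
    foreach ($h in $San) {
        if ($sanText -notmatch [regex]::Escape($h)) { throw "SAN is missing $h" }
    }
    # Server Authentication EKU (1.3.6.1.5.5.7.3.1), as requested in the INF.
    if (-not ($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' })) {
        throw 'Certificate lacks the Server Authentication EKU'
    }
    $cert.FriendlyName = $FriendlyName   # written back to the store
    return $cert.Thumbprint
}

$reqFile = New-BesCertRequest -Subject $PoolFqdn -San $SanHosts -Dir $WorkDir -Bits $KeyLength
"Submit $reqFile to the CA, import the issued certificate into LocalMachine\My, then run:"
"Set-BesCertFriendlyName -Subject $PoolFqdn -San $SanHosts"
```

The INF is written as ASCII on purpose: a UTF-8 byte order mark at the start of the file is another common reason certreq refuses an otherwise correct request.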

Now here is where things went awry for me. I could log in to Lync with the Enterprise IM client on my Blackberry and I could send messages, but could I receive them or updated presence information? The answer was a resounding no. People who tried to send me messages got a 504 error reported in their Lync clients. To begin troubleshooting, after covering all the basics, I fired up the Lync Logger and logged everything for SIP Stack. The SIP Stack log quickly showed there was a problem communicating with the BES Collaboration Service. The error I was seeing in the Log Analyzer was SIPPROXY_E_CONNECTION_FAILED.

Then I remembered: OCS 2007 R2 has problems running on Server 2008 R2, and our brand new BES was running on Server 2008 R2, no less. I quickly searched my bookmarks for all those KB articles I had saved, knowing I would need them again one day. The first one everyone should review is the OCS 2007 R2 on Server 2008 R2 supportability document. It references a required hotfix for Windows; this is not required if you're running Server 2008 R2 with Service Pack 1 on your BES server. Next, you need to update the OCS 2007 R2 components on the server. I suggest using the ServerUpdateInstaller package, which can be found here. It will automatically detect which updates you need, download them and install them.

After all this, Lync/Enterprise IM connectivity on the Blackberry worked flawlessly. One last thing: if you need the Enterprise IM client for your Blackberry, grab it from RIM here. Enjoy your brand new Lync connectivity!

How to Integrate Office Communications Server 2007 R2 with Exchange 2010

One of the new features of Outlook Web App (OWA) in Exchange 2010 is the ability for OWA to act as an IM client if you have Office Communications Server (OCS) in your environment. Once configured, you'll be able to see and manage your buddy list, manage presence, and participate in IM conversations while logged in to OWA. Configuring this integration requires a number of steps on each of your Exchange 2010 Client Access Servers (CASs). Many of the changes discussed in this post cause brief service interruptions, so it is highly recommended that you perform this work during a maintenance window where these interruptions are tolerable.

You’ll need to download two packages in order to proceed:

You can simply run the first download on one machine, as it will extract the contents to C:\WebService Provider Installer Package (by default). Inside this folder are a number of installers which you'll need to execute, in order, on each of your CAS servers:

  1. Visual C++ Redistributable (vcredist_x64.exe)
  2. Unified Communications Managed API (ucmaredist.msi)
  3. OCS Service Provider (cwaowassp.msi)

Finally, you'll need to patch the UC Managed API by installing ucmaredist.msp.

Note: If you have User Account Control (UAC) enabled on your CAS servers, you should execute all of these packages from an elevated command prompt.

Once these packages are installed, you are ready to configure OWA for integration with OCS. You’ll need to have the name of the OCS Pool which you plan to have your CAS servers connect to on hand as well as some information about the certificate on each CAS server which will be used to secure communications between the CAS server and OCS. Specifically, you’ll need to collect the certificate issuer string as well as the certificate’s serial number. You can do this using the following PowerShell command:

Get-ExchangeCertificate | fl Subject,Issuer,SerialNumber

You should get text returned back similar to the following:

Subject : CN=mail.domain.com, OU=IT, O="Some Company name Corporation", L=Greenbay, S= Wisconsin, C=US

Issuer : CN="DigiCert Global CA", OU=www.digicert.com, O=DigiCert Inc, C=US

SerialNumber : 478C52B6B53E467F9331BB8CB4B2BDB8

Note: If you are using different certificates on each CAS server in your array, you'll need to collect this data individually for each CAS server.

Make note of the issuer and serial number values for the certificate. You'll need to tell OWA to use this certificate for communications with OCS. To do this, browse to C:\Program Files\Microsoft\Exchange\V14\ClientAccess\Owa and open the web.config file with Notepad. Scroll down and find the following section:

<add key="IMPoolName" value="" />

<add key="IMCertificateIssuer" value="" />

<add key="IMCertificateSerialNumber" value="" />

These are the three values you'll need to populate for OWA to make the connection to OCS. The first value should be the FQDN of the OCS pool you want to connect to, and the following two values should be copied out of the Get-ExchangeCertificate output collected earlier, as shown below:

<add key="IMPoolName" value="ocspool01.domain.com" />

<add key="IMCertificateIssuer" value='CN="DigiCert Global CA", OU=www.digicert.com, O=DigiCert Inc, C=US' />

<add key="IMCertificateSerialNumber" value="47 8C 52 B6 B5 3E 46 7F 93 31 BB 8C B4 B2 BD B8" />

Warning: There are three extremely important things you need to do when customizing the configuration settings shown above:

  1. If your certificate’s issuer includes any double quotes (as mine does), you must enclose the data in single quotes instead of the default double quotes as shown above.
  2. You must insert the spaces in between each octet in the serial number as shown above.
  3. You must remember to update these values when you renew or replace the certificate on a CAS server.

Once OWA is configured, you'll need to configure your OCS pool to trust the CAS servers. To do this, open the OCS administrative console and open the Front End Properties of the pool (right-click the pool, Properties > Front End Properties). On the Host Authorization tab, add an entry reflecting the certificate you configured in the web.config file in the previous step. You'll also want to check the "Treat As Authenticated" and "Throttle As Server" checkboxes.

In order for this change to take effect immediately, you may need to restart the services on your OCS Front Ends. Doing this will disconnect any currently connected clients so it may instead be advantageous to wait for caches to refresh. The final step is to enable OCS IM integration for the OWA virtual directory. To do this, run the following PowerShell command:

Get-OwaVirtualDirectory -Server YourCasServer | Set-OwaVirtualDirectory -InstantMessagingType OCS
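The CAS-side steps (collect the certificate details, populate the three web.config keys, enable IM on the virtual directory) as one script, added here as an example that is not part of the original post. Run it in the Exchange Management Shell on each CAS; it handles the three warnings above mechanically: the serial number is reformatted with a space between octets, and the values are written through the XML API, which escapes any double quotes inside the issuer string itself instead of relying on you to switch to single-quote delimiters, and re-running it after a certificate renewal updates the keys in place. The pool name ocspool01.domain.com and the subject CN=mail.domain.com come from the post; the CAS name CAS01 and the default Exchange install path are assumptions. The Host Authorization entry on the OCS pool is still added in the OCS administrative console as described above.

```powershell
# Added example (not from the original post). Exchange Management Shell, run on each CAS.
$PoolFqdn    = 'ocspool01.domain.com'   # from the post
$CertSubject = 'CN=mail.domain.com'     # subject of the OWA certificate, from the post
$CasServer   = 'CAS01'                  # assumed
$WebConfig   = 'C:\Program Files\Microsoft\Exchange\V14\ClientAccess\Owa\web.config'  # default path

function Format-OcsSerial {
    # "478C52B6..." -> "47 8C 52 B6 ..."; OWA expects the octets separated by spaces.
    param([string]$Serial)
    $clean = ($Serial -replace '[^0-9A-Fa-f]', '').ToUpper()
    return ($clean -replace '(..)(?!$)', '$1 ')
}

function Set-OwaImSettings {
    # Sets the three IM* appSettings keys in web.config, keeping a timestamped backup.
    param([string]$Path, [string]$Pool, [string]$Issuer, [string]$Serial)
    Copy-Item $Path "$Path.bak-$(Get-Date -Format yyyyMMddHHmmss)"
    [xml]$cfg = Get-Content $Path
    $values = @{
        IMPoolName                = $Pool
        IMCertificateIssuer       = $Issuer   # quotes inside are XML-escaped by SetAttribute
        IMCertificateSerialNumber = $Serial
    }
    foreach ($k in $values.Keys) {
        $node = $cfg.SelectSingleNode("/configuration/appSettings/add[@key='$k']")
        if (-not $node) { throw "web.config has no appSettings key $k" }
        $node.SetAttribute('value', $values[$k])
    }
    $cfg.Save($Path)   # IIS notices the change and recycles the OWA app pool (brief interruption)
}

# Pick the newest certificate with the expected subject, the one OWA presents to OCS.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Subject -like "$CertSubject*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject $CertSubject on this server" }

Set-OwaImSettings -Path $WebConfig -Pool $PoolFqdn `
    -Issuer $cert.Issuer -Serial (Format-OcsSerial $cert.SerialNumber)

# Enable IM on the OWA virtual directory and show the result.
Get-OwaVirtualDirectory -Server $CasServer | Set-OwaVirtualDirectory -InstantMessagingType OCS
Get-OwaVirtualDirectory -Server $CasServer | Format-List Identity, InstantMessagingType
"Issuer written: $($cert.Issuer)"
"Serial written: $(Format-OcsSerial $cert.SerialNumber)"
```

Because the script selects the certificate by subject rather than by a pasted serial number, the same command repeated after a renewal picks up the new certificate, which addresses the third warning above without anyone having to remember the hand edit.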

Users who are enabled for OCS should see their buddy list, as well as a jelly bean to manage presence, the next time they log in:

In summary, there are four key steps you'll need to take in order to enable OCS integration with Outlook Web App in Exchange 2010. First, download the service provider and the latest rollup for the components in the service provider download. Next, install the downloaded components on each Client Access Server. Then collect the certificate information from each CAS server and configure it, along with your OCS pool information, in the OWA web.config file. Finally, add the CAS certificate to the list of trusted hosts in OCS and enable OCS integration on the OWA virtual directory.

OCS R2 Training Materials

Earlier this year, Microsoft released an OCS R2 Learning Portal; you can find it at http://www.microsoft.com/learning/ocs2007/r2/default.mspx. It contains some training resources for OCS R2. However, the page is both out of date and short on links. I have some more details to add:

As noted, the OCS R2 Resource Kit is available. This is a must-have book! The book is excellent, but it appears rushed and needed better technical editing. Hopefully that will happen in the next release of the book!
The Portal discusses the OCS 2007 R2 exam. The exam number is the same as for the RTM exam, although the contents have been updated to reflect the new features in R2. If you have already passed the earlier RTM exam there's no need to re-sit it. There is also a voice exam, but it's not listed in the OCS Learning Portal (yet).
The portal describes the training available for OCS (on a linked page). This page lists 5177/8/9 (and clinic 6447A), which was RTM courseware (and fairly poor) and should probably be avoided. An updated version of the official courseware, released as CWL course 50214, was released, but the quality was so poor it has been withdrawn until remediation can be completed and properly tested. When this updated course is available, I'll post here! I am anxious to see the updated courseware. The updated labs look good.
The portal also lists the OCS Ignite course (50024A), but this material is both RTM only and not being run very often (although I can certainly offer it if clients really want it). A much better course is the OCS 2007 R2 Ignite content, course 50232A. This focuses on the R2 release, although it can be used to teach new-to-product folks. I teach this a lot and love it, but beware trying to do it in 3 days. With the right instructor, this course can easily fill 4 days, and 5 if the delegates are new to OCS. The labs are great too.
Finally, the page does not mention the updated Voice Ignite workshop. Voice Ignite for OCS 2007 R2 has been created and is available.
Note that all the courseware discussed here is Courseware Library content, authored by a third party with MS just acting as a reseller. Quality of CWL material has been variable, but MSL and the UC team are ensuring that all the courseware is good and fit for purpose. So you can book this training with confidence that the material is good.
OCS 2007 R2 is now in the field, and customers should start to evaluate it for their organisation. If you have not yet deployed OCS at all, R2 is a natural next step. A new version of OCS, OCS "wave 14", will be going into beta some time in the new year and is scheduled for release later in 2010; dates are not yet firm on either the beta or RTM. Once I get more information, I'll post it here.

OCS is a rich and complex application; if you are planning on deploying it, you could usefully do with some training. But before booking on the course, make sure you get a good trainer: someone who has been working with the product for a while, can explain the product and its value, and can dive deep into deployment, configuration and support. Investing in some training would be a good thing!

By msexchangeanywhere Posted in OCS R2