Wednesday, June 29, 2011

Automatic Root Certificates Update Insanity

I have no doubt that Microsoft was trying to solve a big problem when they came up with the Automatic Root Certificates Update solution. Ideally, with Automatic Root Certificates Update a PC/Server can keep the list of Root Certificate Authorities up to date on demand. Also, Automatic Root Certificate Update would allow for the addition of other Root Certificate Authorities that may not have been approved when the OS was first released.
Unfortunately, I have found that the Automatic Root Certificate Update solution creates some problems when there are customized properties on Trusted Root Certificates.

As an example, the proper installation of GoDaddy Intermediate Certificates requires the disabling or deletion of an existing Trusted Root Certificate.

NOTE: If the Go Daddy Class 2 Certification Authority root certificate is currently installed on your machine you will need to disable it from the Trusted Root Certification Authorities folder.

So now you have a properly installed GoDaddy certificate, right? You won't for long.

At some point in the future the server will query Windows Update, notice that the GoDaddy root certificate is disabled, update the certificate and re-enable it. There will be an Event Viewer message from the source CAPI2.

A simple update of the Trusted Root certificate will not immediately break the server software component that has that certificate assigned; the break only shows up once the services are restarted. Which means, at some point in the future when someone reboots the server, suddenly things do not work and you have no idea why. This has been observed with both Lync Edge servers and Front End servers that were using GoDaddy certificates. Now that is fun.

So... yes we can disable Automatic Root Certificate Update, but there is a downside I've noticed. Much like on Windows Server 2003, we now have to download and install Trusted Root Certificates manually that are not part of the original OS.

Now you are thinking you will never go with a GoDaddy certificate because of this. Guess what, I've personally seen an issue with Digicert and I've seen mention of Entrust based certificates also having issues with Automatic Root Certificate Update.
So... I don't have any really great answers for making this a non-issue at this point. If you do, please send me an email or send me a message on twitter.

Here is the procedure to disable Automatic Root Certificate Update.

Turn off Automatic Root Certificates Update

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To turn off Automatic Root Certificates Update:

  1. Click Start, and then click Run.
  2. Type gpedit.msc and then click OK.
  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  4. Double-click Administrative Templates, double-click System, double-click Internet Communication Management and then click Internet Communication settings.
  5. Double-click Turn off Automatic Root Certificates Update, click Enabled and then click OK.
  6. Close the Local Group Policy Editor.
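An added check, not part of the original post, for auditing the state described above on a Lync/OCS server: it reads the policy value the gpedit setting writes, lists the Go Daddy Class 2 root in the machine store, and pulls the recent CAPI2 events. It assumes Windows PowerShell 2.0 or later on Server 2008/2008 R2 and that the CAPI2 provider name is Microsoft-Windows-CAPI2 (an assumption; the Event Viewer source column shows it as CAPI2).

```powershell
# Added example (not from the original post): audit the Automatic Root
# Certificates Update state on a Lync/OCS server. Assumes Windows PowerShell 2.0+
# on Server 2008/2008 R2 and the CAPI2 event provider name Microsoft-Windows-CAPI2
# (an assumption; Event Viewer shows the source as CAPI2).

# The "Turn off Automatic Root Certificates Update" policy writes this value
# when Enabled; 1 means roots are no longer refreshed from Windows Update.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$disabled  = 0
if (Test-Path $policyKey) {
    $disabled = [int](Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).DisableRootAutoUpdate
}
if ($disabled -eq 1) {
    Write-Host 'Automatic Root Certificates Update: OFF (new roots must be installed by hand)'
} else {
    Write-Host 'Automatic Root Certificates Update: ON (a disabled root can be re-enabled by an update)'
}

# List the Go Daddy Class 2 root in the machine Trusted Root store. The store
# listing does not show the Disabled flag (certmgr does), so record the thumbprint
# and NotAfter when you disable the root and compare them after a CAPI2 update event.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like '*Go Daddy Class 2*' } |
    Select-Object Subject, Thumbprint, NotAfter | Format-List

# Recent root-related CAPI2 activity: an entry shortly before a reboot after which
# the Edge or Front End stopped working is the tell-tale the post describes.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-CAPI2' } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'root' } |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
```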

Monday, June 13, 2011

The Days of the Telephone Number are Dwindling

Dialing a number to reach a person or business will become the exception, rather than the rule.
Today if you wanted to reach Microsoft Sales by phone you would need to dial (800) 642-7676.
But, would it not be easier to remember sales@microsoft.com?
I came to this realization back in 2003 when I started working with SIP based Unified Communications products from Nortel.

That Nortel product had a number configured for a user, but the phone number was not required. A call could be placed to another person if you had their SIP URI (john@example.com). The number for the most part was so they could interact with the PSTN.

They had both PBX and Carrier version of their SIP product that were intended to work together to provide SIP trunking and Federation with other organizations. Some thought this vision was a bit early for the market to really understand the value, but Nortel also did not evangelize the vision. 

Fast forward a few years and now we have Unified Communications well evangelized from multiple vendors. Nortel lost the opportunity that came with being early to market with a revolutionary product idea.

Now others, like Microsoft can capitalize on those ideas and add their own. 

For years, Microsoft, has provided an efficient way to connect organizations together that use Microsoft based Unified Communications. These organizations can communicate seamlessly across the Public Internet without any VPN. This is done through the Edge Server role in Office Communications Server and now Lync Server 2010.

No PSTN involved.

No big SIP server in the sky.

No dialing of a phone number.

It is all simply done through the existing DNS system by calling a user's SIP URI (john@example.com).
Much like an email address, the SIP URI contains all the information needed to route the call to an organization (example.com) and to identify which user or endpoint should receive the call once we reach that organization (john).

So today, if you use a Microsoft based Unified Communications system and communicate with partner organizations or vendors using the Edge Server role, you could potentially make a call to a SIP URI like sales@microsoft.com and have that reach a real person. Again...

No PSTN involved.

No big SIP server in the sky.

No dialing of a phone number.

But, what hasn't happened yet, is a way to fully Federate (IM, Presence, Voice, Video, Desktop Sharing etc.) between all the disparate UC/Communications systems.

Recently, Microsoft has made a historic acquisition of Skype. Microsoft, in one move, has the pieces to become a SIP trunking provider, but more importantly they now have the ability to provide Federation to other organizations that are not using Microsoft Unified Communications.

Consider this...

Work has been done on an Avaya solution to connect to Skype.

Although the agreement has not been renewed, work was also done with Asterisk. The agreement possibly lapsed because both Microsoft and Asterisk wanted to revisit the relationship and possibly might leverage the Skype for SIP interface instead. Just a theory of mine at this point.

With the Skype for SIP interface, what is to stop Microsoft from making it interoperate with ANY communication system? If a communications system doesn't support SIP then a PRI SIP Gateway can be used.

Skype for SIP already supports the following PBX systems:
  • 3CX
  • Avaya
  • Cisco
  • Freetalk
  • Grandstream
  • LG Ericsson
  • NEC
  • ShoreTel
  • Siemens
  • SIPfoundry
and the following PRI SIP Gateways:
  • Audiocodes
  • Grandstream
  • Net
  • VoSKY
So, now ponder these final thoughts...

Disparate systems all talking SIP can connect to Skype and no longer have to make a connection through the PSTN.

The only real need for a phone number with this scenario is to provide backwards compatibility with the PSTN.

Dialing a number to reach a person or business will become the exception, rather than the rule.

Monday, June 6, 2011

SSL Cipher Order strikes again

Issue:

Lync Server 2010 would intermittently fail to communicate with AOL AIM clients via PIC.

But wait...

That's not all... At the same time I also noticed the edge failing to negotiate TLS with Federated Partners that had Entrust certificates (this may affect other CAs, but I noticed Entrust in my event log).

Note that this would only be reproducible if your Lync/OCS 2007 R2 Edge role is running Windows Server 2008 (x64) or Windows Server 2008 R2 (x64); not Windows Server 2003 (x64).

Resolution:

Modify the SSL cipher order so that the OCS/Lync Edge role will initially establish the SSL dialog using the TLS_RSA_WITH_RC4_128_MD5 cipher suite.

In order to change the cipher suite order, do the following on your Windows Server 2008 (x64) or Windows Server 2008 R2 Edge server (if the edge server is joined to a DMZ domain, then the Group Policy on the Domain Controller will need to be modified instead of the local machine):

1. Start -> Run -> regedit.exe -> OK
2. Within the Registry Editor, locate the following Key
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002

3. Right-click the key and select "Export"
4. Select the Desktop and type in a filename to export the registry key to.
5. Right-click the file on the desktop and select “Edit”
6. The contents of the file should look like this if you have not set the cipher suite order yet:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]

7. If you have set the cipher suite order before then there may be a value for the key that looks similar to this:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_RC4_128_MD5,SSL_CK_RC4_128_WITH_MD5,SSL_CK_DES_192_EDE3_CBC_WITH_MD5,TLS_RSA_WITH_NULL_MD5,TLS_RSA_WITH_NULL_SHA"

(Note that there may be some truncation at the end, because Group Policy Editor has a limit of 1023 characters.) Thanks to Alex Lewis for pointing this out.

8. The goal is to move TLS_RSA_WITH_RC4_128_MD5 to the front of the list. So, in your exported registry key file, find TLS_RSA_WITH_RC4_128_MD5, cut it, navigate to the beginning of your long SSL cipher string, and paste TLS_RSA_WITH_RC4_128_MD5 there, followed by a comma. (Note: if your string was truncated before, you might want to use the example below instead.) The new order should look like the following:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_CK_RC4_128_WITH_MD5,SSL_CK_DES_192_EDE3_CBC_WITH_MD5,TLS_RSA_WITH_NULL_MD5,TLS_RSA_WITH_NULL_SHA"

9. Check the string for accuracy and make sure there are no line breaks within the SSL cipher string.
10. Save the file and then double-click the file to merge the changes with your current Registry.
11. To verify, in the Registry Editor, navigate to
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
12. For the changes to take effect, restart your Windows Server.
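As an added example (neither the original post's steps nor the script linked below), the same reorder done from PowerShell, with the checks step 9 and the 1023-character note call for. It assumes Windows PowerShell 2.0 or later run as Administrator on the Windows Server 2008 / 2008 R2 Edge server, and that the OS default order lives under the Local\SSL\00010002 key when no policy value has been set yet.

```powershell
# Added example (not from the original post): build the reordered "Functions"
# value with the checks from step 9 and the 1023-character note, and write the
# same .reg file the manual steps produce. Assumes Windows PowerShell 2.0+ run
# as Administrator on the Server 2008 / 2008 R2 Edge server.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
$preferred = 'TLS_RSA_WITH_RC4_128_MD5'   # the suite the post moves to the front
$maxLen    = 1023                         # Group Policy Editor limit noted above

function Get-SuiteList([string]$Path) {
    # The policy value is a comma-separated REG_SZ; the Local key (the OS default
    # order, assumed here, used when no policy is set) is a REG_MULTI_SZ. Join, then split.
    if (-not (Test-Path $Path)) { return @() }
    $v = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).Functions
    if (-not $v) { return @() }
    return @((($v -join ',') -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

$suites = @(Get-SuiteList $policyKey)
if ($suites.Count -eq 0) { $suites = @(Get-SuiteList $localKey) }   # step 6 case: no policy yet
if ($suites.Count -eq 0) { throw 'No cipher suite list found; check the key paths.' }
if ($suites -notcontains $preferred) { throw "$preferred is not in the current list" }

$newOrder  = @($preferred) + @($suites | Where-Object { $_ -ne $preferred })
$functions = $newOrder -join ','

# Step 9: a single line with no whitespace, and no longer than Group Policy Editor keeps.
if ($functions -match '\s') { throw 'cipher string contains whitespace or a line break' }
if ($functions.Length -gt $maxLen) {
    Write-Warning "String is $($functions.Length) characters; Group Policy Editor truncates at $maxLen."
}
# Caveat: RC4 and MD5 are weak by today's standards; this was a 2011 interoperability workaround.

# Write the .reg file (Unicode, as regedit exports it), then merge it with
# regedit /s <file> or double-click it as in step 10. Restart afterwards (step 12).
$regFile = Join-Path $env:USERPROFILE 'Desktop\cipher-order.reg'
@(
    'Windows Registry Editor Version 5.00',
    '',
    '[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]',
    ('"Functions"="{0}"' -f $functions)
) | Set-Content -Path $regFile -Encoding Unicode
Write-Host "Wrote $regFile ($($newOrder.Count) suites, first = $($newOrder[0]))"
```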

Another way to do this is via PowerShell; take a look at this site for an example (thanks to John A Cook for sending this along):

http://derek858.blogspot.com/2010/06/powershell-command-to-change-windows.html

Thursday, May 5, 2011

Exchange 2007 UM on Server 2008 R2

This last week I was deploying Lync 2010 with Exchange 2007 UM and I ran into the following error on the Exchange 2007 UM server.

The Unified Messaging server failed to exchange the required certificates with an IP gateway to enable Transport Layer Security (TLS) for an incoming call. Check that this is a configured TLS peer and that the correct certificates are being used. More information: A TLS failure occurred. The error code was "-2146893052" and the message was "The Local Security Authority cannot be contacted"..
After doing some research, I found out the problem was related to the Exchange 2007 UM role being deployed on Server 2008 R2.

Fortunately, Exchange 2007 SP3 adds support for Server 2008 R2 and once it was installed everything worked as expected.

Here is the Technet article that covers Exchange 2007 SP3.
     http://technet.microsoft.com/en-us/library/ff607226(EXCHG.80).aspx

Monday, February 14, 2011

Review: Plantronics Voyager Pro UC v2

I was sent a Plantronics Voyager Pro UC v2 to review with no strings attached. This review has had no influence from Plantronics or any of their partner companies.
For me, the important qualities to have in a headset:
  • Comfort
  • Sound Quality
  • Travelability
  • Battery Life
  • Ease of Setup
Comfort

As with the Savi 430, I previously reviewed, the comfort is amazing. I can wear the Voyager Pro all day long and hardly notice it is there.

I finally found out why Plantronics headsets are so comfortable. They test all their headsets on their wall of ears. In the video below, they actually show how the ears are made which can be kind of gross, but my point is that they put a lot of effort into testing their designs on lots of different ears.

Sound Quality

Sound Quality is great as long as you are not a great distance away from your PC or cell phone. In my house, I can typically go at least 30 ft and sometimes further, which is pretty typical for Bluetooth devices.

Noise cancelation is also great! I drove around in my Diesel Excursion and the person I was talking to couldn't hear the engine noise. I also kept turning up the radio until the caller could hear it on the phone conversation. It was surprisingly louder than I expected before it came through.

I've also been testing around my home office and the Voyager Pro UC does a great job of eliminating the noises of my family (I have five kids).

Don't get the impression though that my kids are running around like wild animals... if they did that I'm not sure it could handle that amount of noise.

Travelability

Plantronics got it right on this headset. Not only does it fold flat, but they have provided a carrying case that is compact. The case is also stiff enough to throw into a laptop bag and not worry about it. The headset fits snugly in the case and there is an additional pocket for the USB Bluetooth dongle.

The case does have a belt clip, but I have yet to wear it on my belt because I hate having things attached to my belt.

Battery Life

The Voyager Pro UC v2 has a stated Battery Life of up to 6 hours. Although I would prefer more, I'm not sure I would trade the additional talk time for less comfort.

When recharging the headset, the charge time can take as long as 1.5 hours.

Charging is done by plugging in an AC charger or USB cable (both are provided). There is no headset charging stand like the Savi 430.

Ease of Setup

So many electronic gadgets take a fair degree of intelligence to get any real benefit from them. The new Voyager Pro UC worked with Microsoft Lync out of the box with no configuration needed whatsoever!

Again, a simple procedure to pair with my smart phone and it simply worked.

All the controls are easy to find on the headset by touch. Also, when you press a button, there is either an audible tone or a voice in your ear giving you feedback as to what you just did.

One of my favorite audible feedbacks is pressing the power button and the headset will tell you how much talk time is left.

Hold down both the volume up and volume down and your mic is muted or unmuted (with an audible confirmation).

I also have to make mention of the new sensors that actually detect when the headset is on the ear... Absolutely brilliant. With Microsoft Lync you can actually answer a call by simply putting the headset on. With a cell phone it will do the same, but will also switch back to the cell for audio if you were to take off the headset.

I would love to see an improvement in Microsoft Lync where a user could specify a default device for the headset to switch to when the headset is not worn, and also the ability to switch from any other Lync device to the headset when it is put on.

Conclusion

This is definitely a headset that should be considered for any information worker that spends a great deal of time on the phone.

Also, because of the bluetooth features and carrying case, this headset excels for those that are road warriors that need a headset for in the office and when traveling.

I wouldn't hesitate recommending this headset to any of my customers.

Monday, February 7, 2011

Polycom/Lync Remote Camera Control in Silverlight

I don't have much information on the technical side of this solution but I thought I'd share the video because Polycom is using contextual integration with a Silverlight extension.
 
I haven't seen many 3rd Party developers using this yet, but I expect this to be an exciting area to extend the UC experience.
 

Saturday, January 29, 2011

Lync 2010 NTLM Client Authentication Mismatch

I ran into a problem with NTLM Client Authentication Mismatch after I upgraded my Edge and Director to Lync Server 2010 from OCS 2007 R2. 
 
On my Lync Director I found the following error message in Snooper:
 
TL_WARN(TF_DIAG) [0]06B8.0B20::01/29/2011-06:08:46.375.00018ce0 (SIPStack,SIPAdminLog::TraceDiagRecord:SIPAdminLog.cpp(145))$$begin_record
LogType: diagnostic
Severity: warning
Text: There is a mismatch between NTLM security settings on client and server computers.
Result-Code: 0xc3e93ee4 SIP_E_AUTH_NTLMMISMATCH
SIP-Start-Line: REGISTER sip:t2mdev.com SIP/2.0
SIP-Call-ID: 09774c9042d54469a7af4818e6364f95
SIP-CSeq: 5 REGISTER
$$end_record
 
A quick search of the net turned up an article on the Tin Cips and String blog that gave the key to solving the problem. Turns out the problem has more to do with the Operating System rather than Lync Server 2010.
 
I had to spend a little bit of time hunting for the group policy that the blog and technet article referenced. Here is where I found the group policy.
 
Default Domain Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
 
Default Domain Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
 
I changed the Default Domain Policy from Not Configured to Configured with the "Require 128-bit encryption" unchecked.
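An added example, not from the original post, that decodes the two LSA registry values these policies write (NtlmMinClientSec and NtlmMinServerSec) and reports which requirement one side has that the other lacks. It assumes Windows PowerShell 2.0 or later; run it on the server and on a client, then compare the client's client-side value with the server's server-side value.

```powershell
# Added example (not from the original post): decode the NTLM SSP minimum
# session security values behind the two policies above and show where the
# client and server requirements differ. Assumes Windows PowerShell 2.0+.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$flags  = @{
    0x00080000 = 'Require NTLMv2 session security'
    0x20000000 = 'Require 128-bit encryption'   # the box the post left unchecked
}

function Get-NtlmMinSec([string]$Name) {
    # A missing value means the policy is Not Configured: no minimum enforced.
    $v = (Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue).$Name
    if ($v -eq $null) { return [int64]0 }
    return [int64]$v
}

function Decode-NtlmMinSec([int64]$Value) {
    $names = @(foreach ($bit in $flags.Keys) { if ($Value -band $bit) { $flags[$bit] } })
    if ($names.Count -eq 0) { return 'no minimum' }
    return ($names -join ' + ')
}

function Get-NtlmMismatch([int64]$ClientSide, [int64]$ServerSide) {
    # A bit required by one side but not offered by the other is what produces
    # SIP_E_AUTH_NTLMMISMATCH when the two machines negotiate NTLM.
    @(foreach ($bit in $flags.Keys) {
        if ([bool]($ClientSide -band $bit) -ne [bool]($ServerSide -band $bit)) { $flags[$bit] }
    })
}

$client = Get-NtlmMinSec 'NtlmMinClientSec'
$server = Get-NtlmMinSec 'NtlmMinServerSec'
'{0,-17} 0x{1:X8}  {2}' -f 'NtlmMinClientSec', $client, (Decode-NtlmMinSec $client)
'{0,-17} 0x{1:X8}  {2}' -f 'NtlmMinServerSec', $server, (Decode-NtlmMinSec $server)

# Constructed case: a client requiring NTLMv2 session security + 128-bit
# encryption (0x20080000) against a server configured as in the post (0x00080000).
Get-NtlmMismatch 0x20080000 0x00080000   # reports "Require 128-bit encryption"
```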

Wednesday, January 26, 2011

Plantronics new Calisto 800 series and Voyager PRO UC

I have been deeply involved with Unified Communications since 2003 and there is ultimately only one thing that can make or break a deployment.

The user's experience.

Along with having a well-designed user interface, the audio device and quality of the call should be of utmost concern. If the user has consistently bad calls and problems configuring and using an audio device, then it makes no difference how great the rest of the features are. I've also found that users who have bad experiences remember those bad experiences for a very long time.

Today, Plantronics has announced some products that have some features that promise to improve the user experience and in some cases make using an audio device nearly effortless.

Calisto 800 Series


All three of the Calisto 800 series speakerphones blur the line between home, mobile, and office communications. There are options to connect to a PC, mobile phone, and even a standard analog line. A headset can be connected corded or cordless with Bluetooth.

Along with the usual features of full-duplex, HD audio, Plantronics has added an intuitive visual display that allows a user to control many aspects of the call from the speakerphone.

Users also have the option to use a wireless lapel microphone that gives the ability to move around freely.

How many times has someone done some white boarding and people on a speakerphone have a hard time hearing what is being said?

How many executives like to walk around their office while discussing their next big strategy to take over the world, but don't want to be bothered with a headset?

Voyager PRO UC Headset

Plantronics is trying to make using a wireless headset completely painless and they just might have succeeded.

They have now included smart sensor technology to detect when the user is actually wearing the headset.

Now, I thought the crazy simple ability to switch between devices that came with the release of the Lync client was pure genius. But now, Plantronics even does the device switching for you: as you place the headset on your ear the call goes to the headset, and if it is not on your ear it will send the call to your phone.

Brilliant!

I can't tell you how many times I've answered a call and forgot that the last time I made a call I was using a headset. All of a sudden, I'm hunting around for the call window so I can switch my device back to my desk phone.

This headset will even set your presence in Lync to busy if you have answered a call from your mobile phone using the headset.

Brilliant!

I simply can't wait to get my hands on a new Calisto speakerphone and Voyager PRO UC.

Tuesday, January 25, 2011

Wednesday, January 19, 2011

How to replicate Remote Call Control (RCC) in a pure Lync environment

This morning I came across an article on how to "convert" RCC from OCS 2007 to Lync Server 2010.

http://blogs.technet.com/b/nexthop/archive/2011/01/19/enable-remote-call-control-office-communications-server-2007.aspx?utm_source=twitterfeed&utm_medium=twitter

Although you can indeed enable RCC on Lync, it still blows my mind as to how many pieces there are to this solution and how complex it is to troubleshoot.

I understand the desire to utilize an existing PBX investment. After all I used to work for a PBX manufacturer. For some customers they may be required to keep the PBX for tax reasons.

But, for those that just simply do not want to let go of their phone because they like how a real phone feels, I have an alternative that is a pure OCS/Lync solution...
Are you ready for this?

A USB cable

That's right… A USB cable.
When Enterprise Voice is enabled on OCS/Lync there is an option to deploy an IP Phone or a USB audio device. Both options, when connected to a USB port on your PC, are automatically detected and start to behave like an RCC solution.

You can make a call from your PC or your phone and if you put a call on hold using your phone you can pick up using your PC. Same goes for mute and anything else the phone can do. The PC client can even sign in the IP phone for you, saving you from that annoying LCD touch screen.

It is seamless, and easy.

Because it is so easy, I think a case could be made to justify the replacement of the PBX phones just in the cost of installing and maintaining RCC.

Total Cost of Ownership is a big deal with RCC because it either costs a lot to hire a professional that can understand both telephony and data, or you have to pay a systems integrator that understands both telephony and data.

I have done a lot of RCC systems and none of them have gone smoothly. There is always some little issue that takes an enormous effort to resolve.
Nortel/Avaya Converged Office for the CS 1000 was probably the best solution for RCC, but once a customer had it installed they were disappointed by the lack of some features in OCS that a pure Enterprise Voice client would have (Simultaneous Ring, for example).

With a USB cable, you have all the OCS/Lync features available and you can control a real phone on the desk. If it is an IP phone, then when the PC is gone or shutdown it will still operate as a stand-alone phone just like the PBX phone did.

So what do you say? Weeks and possibly months of troubleshooting or a USB cable.

Feel free to contact me (at jmckinney at time2marketllc.com) if you would like to talk more about this solution or to setup a demo so you can experience what this solution looks like.