Windows Server 2012 Beta Essentials Post 3: The Client View

In two previous posts, I talked about the installation process for Windows Essentials Server 2012 Beta and some of the configuration process. In this post, I am going to show the same lab environment with configuring a pair of clients, a Windows 7 client and a Windows Server 2008 R2 server.

The Windows 7 Client

I started with the Windows 7 Client. When I set up the server, it configured a local IIS installation with three web sites:

image

The default, primary web site includes a virtual directory for connecting to the server, like the earlier product incarnations. I was able to connect to it from the Windows 7 client:

image

I clicked the Download link, and that gave me an EXE to run. Notice underneath the very large Windows link is a much smaller Mac link. I don’t have the ability to test this now (primarily because I can’t easily run an OS X VM), but at some point I hope to be at the office where a Mac Mini sits somewhat abandoned.

Moving on, I received the expected UAC prompt:

image

Notice it shows as “Downloaded from the Internet”. Out of curiosity, I clicked No, then enabled Intranet settings as I had be prompted to by Internet Explorer:

image

Then, I emptied the IE cache (to make sure the client really re-downloaded the connector), then clicked the Download link again. This time, UAC shows it as a local file:

image

I admit I had never tried this before, so I didn’t really know what to expect; this is somewhat interesting I think. Continuing, the Connector searched for the server:

image

The Getting Started wizard came up at that point:

image

In this case the client was fully patched with all optionally offered components from Windows Update, so the client had everything the Connector wanted:

image

That said, notice the Connector is going to install the recent .NET Framework 4.5, which in fact wasn’t even RTM’d until just a couple of weeks ago. Continuing:

image

While that ran, I went ahead and started the server also, just to keep things moving. I had not done much on the server, so it still had the Internet Explorer Enhanced Security Configuration enabled, causing a warning when connecting to the Connect virtual directory:

image

That gave an interesting prompt in the Connect site:

image

“How do I…” is a link, although that’s not at all clear from the page. Someone went a little overboard on the CSS. Because of IE ESC, and because the Download link uses JavaScript to invoke the download action, it didn’t work. This struck me as silly, even stupid. There’s no excuse for using ASP.NET to make this simple web site doing a simple act. But because it is, I was faced with the choice of turning off IE ESC or adding the site as a Trusted site. I did the latter, although in real life I think I’ve disabled the IE ESC on almost every, if not every, server I’ve ever had to do anything on. I know that would work, but the page tells me to do it a certain way, so I did. When I refreshed, the warning went away, and the download and run worked:

image

Same process, just without the client Aero/desktop experience UI touches.

At this point the client was ready for me, so I left the server going for the time being and went back to the client:

image

I put in my account credentials for an administrator and was told, basically, “don’t do that!”:

image

So I said Yes, and used a standard user account:

It would have been nice if the user login dialog made it clear that they would recommend a standard user account, perhaps saying something like “we recommend you do not use an administrator account for connecting…” but at least in this release it doesn’t.

At this point, I hit an error, and retrying didn’t help:

image

So I decided I’d let the client go for now, and switch back to the server, where I saw something very interesting:

image

So this was a surprising thing to see – server against server isn’t officially supported, but you can try it. Well, this is all about experimentation and learning, so of course I said “Continue anywhere”. At that point, I was told that I might need to have some server components added, which might require a reboot. I didn’t screen capture that because, well, I clicked “Next” like everyone normally does, so you don’t get to see that dialog here. But would I lie to you about what it said?

So that left the server doing the prerequisite work, so it was a chance to check the client out again. I put on my “normal person” hat again, and rebooted the client, because when in doubt, reboot, right? So I did that, and checked the server in the meantime to see that two automatic services had stopped – Software Protection and Remote Registry. I started them both and went back to the client. I logged back in to the client and restarted the Connector installation. The installation moved past the prerequisite check much quicker this time because there was no work for it to do, and then asked for credentials again. This time, there was a much longer wait, but again, the client couldn’t connect to the server. The troubleshooting link wanted to go online, which didn’t help me any as I had no Internet access. But looking at the server again, the Remote Registry service had stopped again! Software Protection had also, but I didn’t really care about that one. Remote Registry is a much bigger deal – lots of different weird remote connection scenarios fail without it. But still no dice.

So now, I had to figure out what happened there. I was able to ping the server by name through IPv6 but not IPv4, so I added the server as an IPv4 host to the local client HOSTS file. I have to do this with Windows Home Server, so I thought it might help here:

image

And that’s why I figured out that DHCP actually wasn’t working in the lab, so I had no IPv4 address. What an idiot I was! Well, that was easy to fix – I just gave the client an IPv4 address and ta da, it worked. So then I commented out the HOSTS entry as I shouldn’t have needed it, and ran the Connector yet again. I should point out how interesting it was that IPv6 automatic addressing worked completely to access the server at this point including accessing IIS, downloading the Connector installer, and doing the initial steps to here, all of which shows that IPv6 pretty much “just works” for a lot of stuff in this scenario, but not everything.

This time, things made it slightly further:

image

So I checked the date/time information and it was fine. But the server showed something more interesting:

image

Active Directory Certificate Services denied request 7 because The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613). The request was for CN=MIKEBAZ-PC. Additional information: Error Constructing or Publishing Certificate  Resubmitted by BLOGDEMO\BLOGDEMOSERVER$.

OK, well, let’s bounce Certificate Services. It is common for a VM save/restore cycle to break CS revocation checks, actually, and restarting AD CS solves it, so I did that.

And look, finally, more progress!

image

What was really going on here, although it wasn’t completely telling me, was that it was migrating local user profiles for domain user use, much like a tool like Quest Migration Manager’s VMover tool would do. I chose the simplest option of setting up for myself and letting it migrate. Note that I had placed the Connector installer on the desktop at this point, so that would be a way to see if the Desktop migrated correctly. At that point, it was time to reboot:

image

After the reboot, there was an automatic login, then a prompt for the computer’s description:

image

This is not that different than the previous product releases. This is also true of the backup wake prompt:

image

I was then asked about the CEIP:

image

The user profile was migrated:

image

There was a quick “configuring the computer” step I didn’t get a picture of, then a download of the full Connector software:

image

The computer was then “connected” to the server:

image

In the previous Windows Home Server releases this was a relatively light operation but in this case, it was a domain join operation. It then finalized:

image

And told me it was done:

image

I chose not to run the Dashboard at this time. I was logged off as promised, so I logged in with my domain credentials – noticing the machine was indeed now configured to log in to the domain as would be expected:

image

The login worked, and my Desktop came back correctly, with the new look of the Launchpad showing up:

image

The three complaints were about lacking virus and spyware protection and not having Windows Update configured, all of which is accurate:

image

But one interesting thing in the viewer that I didn’t expect was this:

image

This computer is not connected to the server.

This was a little odd. I clicked Shared Folders in the Connector, and I could connect fine:

image

So I don’t know what was up with “not connected” message. I’m thinking it’s a beta bug but I don’t know that for sure.

For now, that’s far enough – I’ll come back to it later in the post, but I want to get back to the server and finish it. When I went back, it was waiting for login credentials, which I gave it just like on the client machine. I then had to restart the server:

image

So I restarted, and again I got the screen for profile configuration:

image

Notice this time I did not get the “I do not need to migrate..” checkbox. I don’t know if that is because there was only the local Administrator on the server or because it was a server OS – there’s likely a good investigation point there – but in any event I chose just the one account again. The remaining steps were exactly the same as on the client, as you would expect.

That said, something odd next happened. Because the migrated account was Administrator, I couldn’t log in with it, because by default that account is disabled in the domain. It seems there’s a small edge case gap here; the Connector should probably warn about this edge case.

Anyway, the server was joined to the domain when it came up. So let’s look now at backing up a machine. I brought up the Dashboard, and was prompted for credentials:

image

Why was I prompted for credentials when I’m logged in to a domain account in the domain for the Essentials server? Well, after I entered credentials, I was told I wasn’t an administrator… so that’s why, it wanted administrative credentials. It didn’t say explicitly that’s what it wanted, but of course it makes perfect sense.

I closed the Dashboard because I just wanted to see it came up. What was not available though was Launchpad. It wasn’t in the Start Menu at all:

image

The executable was there, it just didn’t launch:

image

I tried Windows 7 Compatibility Mode but no go. So there’s an issue there – can’t run the Launchpad on a server. Doing it is not supported, so it’s not 100% surprising, but in a small business environment I can see it being a nice thing to have.

After seeing that, I launched the Dashboard again, to see if I could manually launch a backup, but I couldn’t, so I’m going to have to let it run long enough at some point to hit the scheduled window and see the backup work.

However, I could go back to the client, and try to back that up, and I did:that just to see that it worked, and it did. No screen shots here as it’s the same as it was before, so nothing remotely interesting here. Just enough to say that it works like it did and that’s that.

A coworker (hi, DNC) had asked me about backing up a server that was in another domain or a workgroup, but I haven’t run this test because he actually found this:

http://tinkertry.com/windows-server-2012-essentials-fine-with-pcs-in-domain-or-workgroup/

And that answers the question, for the odd edge cases where it matters, so that’s good. In real life (not lab or enthusiast environments) I would think this would only matter for integrating a new server for media/backup into an existing full environment, but even that is a bit of an edge case IMHO.

So at this point, I’ve covered all of the basic stuff except media and remote access. Unfortunately, I don’t know if I will have time to revisit this piece, but I will certainly try.

Thanks for reading!

Michael C. Bazarewsky
Principal Consultant, Server and Security

Random Thoughts from TechEd NA 2012

I attended TechEd NA this year, making this the seventh year in a row I attended.  This year, I was a paid attendee, rather than working the Hands-On Lab area, which meant I was able to interact with more booths and see more sessions than usual.  My various unstructured thoughts follow in the hope you will find them useful.

  • Products Featured.  This show was all about two things:
    • 2012 releases – Windows 8, Windows Server 2012, System Center 2012, Visual Studio 2012, and SQL Server 2012
    • “The Cloud” – Office 365, cloud-based management including Windows Intune, and Windows Azure including the new Virtual Machine offerings.  In fact, the custom hotel room keys this year put The Cloud very clearly front and center:
      69e41244-7ea4-46c9-894f-4589fe5e37a0
    • Not really talked about much:
      • Windows Phone (although there was a large show floor presence, there was no track and only a few sessions; expect a lot more next year when Windows Phone 8 is released)
      • Windows 7/Windows Server 2008 R2 (some sessions but not a big push)
      • SharePoint 2010/Exchange 2010/Lync 2010 (sessions but not a big push; expect more next year for the new releases)
      • Office 2010 (again expect more next year when Office 2012 is the hot product)
  • Specific session notes for the ones I attended in person… because a lot of what falls under my “official” subject area was not new material for me (when you work for Bennett Adelson you’re required to be ahead of the curve in your area!) I went a bit out of scope for some of the sessions…
    • AAP313 | Scrum Under a Waterfall (Benjamin Day) – A good discussion of how to do agile (or should I say “Agile” – big “A” – since it was Scrum-focused) in an environment where old school waterfall planning is required.
    • AAP401 | Real World Developer Testing with Visual Studio 2012 (David Starr, Peter Provost) – Ultimately I had mixed feelings about this session. I was not convinced the idea of “submit your problems and we’ll solve them” really worked as only a few problems were gotten to, and my real-world question of “how do you expect developers who can’t afford Visual Studio Ultimate to do these things” wasn’t answered. Yes, it was snarky, but it is a real-life problem faced by many. Further, a lot of time was spent on “that’s the wrong way” coding.
    • DEV370 | Nokia with Windows Phone: Learning How to Tile (David Middleton, David Mason, Kalle Lehtinen) – Ultimately very disappointing as the practical content was virtually zero in my opinion. If this was “DEV170” that would have been okay…
    • VIR317 | Lessons from the Field: 22 VDI and RDS Mistakes You’ll Want to Avoid (Greg Shields) – A good, honest session about real-life implementation of VDI and RDS on Windows Server 2008 R2 and how changes/improvements in Windows Server 2012 help.  Highly recommended if you’re looking at these technologies or have already implemented them.
    • WCL290 | Microsoft Application Virtualization 5.0: Introduction (Andy Cerat, Matthijs Gates) – A very nice intro to App-V 5.0 (part of the upcoming MDOP release) showing some of the great changes and improvements. No more Q: drive? Apps can work with each other (think: Visio available from Word)? Updated, cleaner UI? Check, check, and check!
    • WSV325 | DNSSEC Deployment with Windows Server 2012 (Rob Kuehfus) – Presented by a member of the Wireless Networking and Services team and the owner of the DNS Server offering in Windows Server 2012, this is a nice overview of how DNSSEC works in general and how to use it in Windows Server 2012 (hint: it’s very easy), including practical guidance on the steps to implement in order. Highly recommended if secure DNS is important to you or if you work in an environment where it is mandatory (e. g. US Federal Government).
    • WSV331 | What’s New with Internet Information Services (IIS) 8: Open Web Platform for Cloud (Won Yoo) – A solid presentation on new expansion and control capabilities in IIS 8 including mention of features that have been or will be back-ported to IIS 7.5. Nice demos. Some amazing performance improvements demonstrated – for one case, the first GET on IIS 7.5 with SSL demo took 10.9 seconds and over 500 MB of RAM, while the same page first GET on IIS 8 with the new central file-based certificate store capability took 0.14 seconds (under 1/6 of a second is not a typo) with 44 KB of RAM (again KB not MB is not a typo) – and that was with with 20x as many instances of the site running under IIS 8!
    • WSV332 | What’s New with Internet Information Services (IIS) 8: Performance, Scalability, and Security (Robert McMurray) – A nice companion to the previous session.  Includes discussion of new dynamic security features in the web and FTP (yes, FTP!) service. Also discusses changes in warm-up functionality that can make it possible to show users a “I’m warming up, be with you soon” message while waiting for the ASP.NET hamsters to spin up.
  • Product/Exhibitor Booths – note that the “Attendee” badge gets you treated “seriously” – many exhibitors and Microsoft staff ignore a “Staff” badge holder or are even borderline hostile even at silly things like book signings (I won’t name names but I will say that it takes zero day-s for this to happen) so it’s nice to be treated appropriately for once… 
    • I visited the Windows Phone area to find out what was up with the Windows Phone Summit in San Francisco this week. They all made it sound like a press-only event, despite earlier talk of a two day developer event. The whole thing felt like a bit of a CF to be honest. At least the announcements – which world + dog expect to be all around Windows Phone 8 – will be streamed.
    • I visited the Office 365 area to discuss an issue a customer was having with their proof of concept where Lync Online refused to federate with anyone, even after everything was clearly configured right. It turned out to be some kind of Microsoft-side provisioning screw-up, although the Office 365 booth was not helpful figuring that out.
    • I visited the Windows 8 “Access Everywhere” booth to ask, essentially, “WTF is with Consumer Preview being Professional instead of Enterprise? You know we don’t get DirectAccess with that, right?” The answer was essentially:
      • “yes, we know it sucks, everyone is yelling at us [field people]”
      • “we hope to have some kind of resolution soon, maybe even in the next week, or at least an official acknowledgement that there will be no resolution”
      • “no one seems to know why that was the decision made by the client team”
      • “only TAP people have Enterprise right now.”
        So a major ball drop there.
    • I visited the System Center Enterprise Protection booth to ask, “why does SCEP turn off Security Center on Windows 8 every time the machine boots?” The answer was essentially “it won’t install on Windows 8 prior to CTP2 [note: that is wrong… speaking from office experience here], so do CTP2 and see what happens.” because going from CTP2 to the final Beta or RTM is painful we’re just leaving SCEP off Windows 8 machines right now and using the built-in Windows Defender instead, which gets us the same protection but loses us the management/reporting functionality.
  • Certification!  There were multiple free exams this year – specifically two Private Cloud exams and three beta exams (Windows Server 2012, Windows 8, and Developing with HTML5/CSS3).
    • The Private Cloud exams (70-246 and 70-247) felt tough but fair to me. That said, there were MANY 70-246 failures… so be warned. You really need to have worked with System Center 2012 as a suite and know how the pieces work together and individually to pass these!
    • The Installing and Configuring Windows Server 2012 exam had a nice mix of old and new. You will need to have worked with the product at least a bit, or have been exposed to it a lot without touching it, to have any chance of this one.
    • The Configuring Windows 8 exam also had a nice mix of old and new, and just like the server exam, you will need to have worked with the product at least a bit, or have been exposed to it a lot without touching it, to have any chance of this one.
    • The Programming in HTML5 with JavaScript and CSS3 exam had almost nothing Microsoft-specific on it, and did an okay job of covering the field, although I was surprised on some of what I was NOT tested on (although it’s a beta and I’m sure has a large pool so others may be different!). Of course I can’t tell you more details – test NDA and all 🙂

I am sure I am leaving many things out, but I think this is a reasonably-complete high-level brain dump. Please feel free to comment with thoughts or questions!

— Michael C. Bazarewsky
Principal Consultant, Windows Server and Security

Using UDP-SIP with Exchange UM and Lync 2010

Attachment: https://bennettadelson.wordpress.com/2012/06/04/using-udp-sip-with-exchange-um-and-lync-2010/kamailio-cfg/ (remember to change extension)

Attachment: asterisk.tar.gz (remember to change extension)

I am working on and off with a client that is deploying Exchange 2010 Unified Messaging and Lync 2010 in their environment. They want to use Exchange UM with a hosted SIP-based VoIP system from a provider that I will refer to as “PhoneCo” for the sake of discussion. Furthermore, they want their Lync environment to work with the Exchange voicemail, and by the way, think it would be nice if they could experiment with Enterprise Voice functionality. Luckily, PhoneCo offers SIP trunks, and will trunk from the hosted VoIP environment to Exchange UM. So all is good, right?

The Problem Statement

Ha ha, of course I am joking. Because although Microsoft talks SIP, and PhoneCo talks SIP, we hit upon a long-standing issue. Microsoft refuses to support UDP SIP (they have their reasons, I won’t debate the point here) while PhoneCo refuses to support TCP SIP. Thus, we have an impasse.

Solution Overview

The official, standard answer to this is to use a Session Border Controller (SBC), which is essentially a SIP middleman box that can do UDP on one end and TCP on the other. A typical SBC also includes firewalling intelligence to prevent denial-of-service and other such nasty behavior. As a result, they generally start at thousands and quickly get into tens of thousands of dollars. In this customer’s case, the SIP trunk is going to be over a private MPLS connection directly between the hosted PBX and the on-premises Microsoft tools, so the customer didn’t want to pay for a lot of security they didn’t need just to deal with this issue.

The customer found a commercial product named Brekeke SIP Server that appears to be $500 to start. This is nice in that (1) it is commercial and (2) it can run on Windows, although it is Java-based so it’s a little messy and gives you one more thing to deal with patching every day or two.

We wanted to see if there was an open-source way to solve this problem. We found a way, and this post documented what we came up with. I have replicated the scenario in a lab, and have since actually simplified things a bit. I have also corrected something we had done to work around an Asterisk “bug” (in quotes because the bug states it’s not really an Asterisk bug) that came up while we were simulating the PhoneCo setup.

So first, here’s the list of VMs that are in the UC Lab:

Hostname IP Description
dc.uclab.local 172.30.1.10 Domain Controller
exchange.uclab.local 172.30.1.12 Exchange 2010
freepbx.uclab.local 172.30.1.11 PhoneCo stand-in
lync.uclab.local 172.30.1.13 Lync 2010
siprouter.uclab.local 172.30.1.14 SIP middleman
tmg.uclab.local 172.30.1.1 TMG 2010
internalclient.uclab.local 172.30.1.100 Test Lync/SIP client

The PhoneCo stand-in is a FreePBX installation using the FreePBX Linux distribution. I am not going to go into details on installing that into a VM because there are plenty of guides on getting that to work. For the purposes of this post I’m going to pretend Asterisk can’t do TCP SIP because that’s what we are looking at with PhoneCo. This also means ignoring all the online info about getting Asterisk to talk to Lync and Exchange using TCP SIP. (Note: Some of these guides assuming port 5065 for talking to Exchange, which is a partial solution. I’ll get into why that’s wrong later on.)

The SIP middleman – SIP router – is a Linux-based CentOS machine running the Kamailio open-source SIP router package. Kamailio is a mature, solid package that is quite amazing in some of what it can do, but I’m ignoring about 99% of it, I think. We may end up needing some of the NAT support eventually at the client, which I’m not getting into here and don’t need for the lab, but otherwise a lot of functionality is actually not in play here.

Preparing the CentOS Machine

So let’s get to it.

  1. I began with a basic minimal CentOS 6.2 installation. Note that I’ve had repeated issues with the Hyper-V Integration Components on this OS so far, so I didn’t bother with them – for a lab it’s not critical. For production you’d care a lot more – the customer uses VMware so this particular issue did not come up.
  2. Next, I logged in as root via SSH (PuTTY is your friend here) and accepted the key when prompted:
    image
    image
  3. I ran yum updateto get all of the current updates for the OS, and rebooted to get the updated kernel loaded.
  4. Using vi, I created /etc/yum.repos.d/kamailio.repowith:
    [kamailio]
    name=Kamailio
    baseurl=http://download.opensuse.org/repositories/home:/kamailio:/telephony/CentOS_CentOS-6/
    enabled=1
    gpgcheck=0

    This looks like this:

    clip_image001

  5. I confirmed that the new repository was visible with yum repolist:clip_image002
  6. I then confirmed that there was a package I could install in that repository with yum list kamailio:
    clip_image003
  7. After confirming the package, I installed it with yum install kamailio:
    clip_image004

    clip_image005
  8. So now I need to configure the beast. Kamailio comes with a very long sample configuration file. Most of it is noise for my use. I tried to trim it down as safely as possible, as well as better fit what I wanted. So using the following commands I saved the shipped file:
    cd /etc/kamailio
    mv kamailio.cfg kamailio.cfg.original
    vi /etc/kamailio.cfg

    And then made mine, which I will explain later after finishing the build instructions:

    #!KAMAILIO
    
    # Remote Hosts
    #!subst "/SIP_UDP_HOST/172.30.1.11/"
    #!subst "/EXCHANGE_UM/172.30.1.12/"
    #!subst "/LYNC_MEDIATION/172.30.1.13/"
    
    listen=172.30.1.14:5060
    listen=172.30.1.14:5065
    listen=172.30.1.14:5067
    
    ####### Global Parameters #########
    
    memdbg=5
    memlog=5
    
    debug=2
    
    log_facility=LOG_LOCAL0
    
    fork=yes
    children=4
    
    disable_tcp=no
    
    auto_aliases=no
    
    /* uncomment and configure the following line if you want Kamailio to
       bind on a specific interface/port/proto (default bind on all available) */
    #listen=udp:10.0.0.10:5060
    
    # life time of TCP connection when there is no traffic
    # - a bit higher than registration expires to cope with UA behind NAT
    tcp_connection_lifetime=3605
    
    ####### Modules Section ########
    
    mpath="/usr/lib/kamailio/modules_k/:/usr/lib/kamailio/modules/"
    
    loadmodule "kex.so"
    loadmodule "tm.so"
    loadmodule "tmx.so"
    loadmodule "sl.so"
    loadmodule "pv.so"
    loadmodule "maxfwd.so"
    loadmodule "usrloc.so"
    loadmodule "textops.so"
    loadmodule "siputils.so"
    loadmodule "xlog.so"
    loadmodule "sanity.so"
    loadmodule "ctl.so"
    loadmodule "cfg_rpc.so"
    loadmodule "mi_rpc.so"
    
    # ----- tm params -----
    # auto-discard branches from previous serial forking leg
    modparam("tm", "failure_reply_mode", 3)
    # default retransmission timeout: 30sec
    modparam("tm", "fr_timer", 30000)
    # default invite retransmission timeout after 1xx: 120sec
    modparam("tm", "fr_inv_timer", 120000)
    
    server_header="Server: PhoneCo Intransigence Coping Solution (PICS) 2.0";
    
    ####### Routing Logic ########
    route {
            if(is_method("OPTIONS")) {
                    xlog("L_INFO","OPTIONS from $si");
                    sl_send_reply("200", "Yes, Microsoft, I am alive");
                    exit();
            }
    
            xlog("L_INFO", "*** M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci");
    
            # Route Exchange extensions
            if((to_uri=~"sip:5992") || (to_uri=~"sip:5999")) {
                    xlog("L_NOTICE", "EXCHANGE UM call, $proto port $op, $ru, $fU");
                    t_on_reply("1");
    
                    # https://issues.asterisk.org/jira/browse/ASTERISK-16862
                    # http://imaucblog.com/archive/2009/10/03/part-1-how-to-integrate-exchange-2010-or-2007-with-trixbox-2-8/
                    replace("Diversion: <sip:5999@SIP_UDP_HOST>;reason=unconditional","MCB-Stripped-Header: Diversion");
    
                    switch($op) {
                            case 5060:
                                    xlog("L_NOTICE", "Redirecting to TCP 5060");
                                    t_relay_to("tcp:EXCHANGE_UM:5060");
                                    exit();
                                    break;
                            case 5065:
                                    xlog("L_NOTICE", "Redirecting to TCP 5065");
                                    t_relay_to("tcp:EXCHANGE_UM:5065");
                                    exit();
                                    break;
                            case 5067:
                                    xlog("L_NOTICE", "Redirecting to TCP 5067");
                                    t_relay_to("tcp:EXCHANGE_UM:5067");
                                    exit();
                                    break;
                    }
            }
    
            # Route Lync extensions
            if(to_uri=~"sip:5...") {
                    replace("To: <sip:", "To: <sip:+");
                    xlog("L_NOTICE", "LYNC call to $tu");
                    t_relay_to("tcp:LYNC_MEDIATION:5068");
                    exit();
            }
    
            # Route the rest to Asterisk
            xlog("L_NOTICE", "Asterisk call to $tu");
            forward_udp("SIP_UDP_HOST", 5060);
    }
    
    onreply_route[1] {
            xlog("L_NOTICE", "Handling reply from Exchange relay, status $rs");
            switch($rs) {
                    case 302:
                            xlog("L_NOTICE", "Saw 302 Redirect response, checking details...");
                            if(search(";transport=Tcp")) {
                                    xlog("L_NOTICE", "Saw TCP redirection, changing redirection to UDP");
                                    replace(";transport=Tcp", ";transport=Udp");
                            } else {
                                    xlog("L_NOTICE", "302 was not matched (!)");
                            }
                            exit();
                            break;
                    case 100:
                            xlog("L_NOTICE", "Saw 100, leaving alone...");
                            exit();
                            break;
            }
    
    }

     

  9. I stared the daemon (read: service) with /etc/rc.d/init.d/kamailio start and confirmed that it started  with /etc/rc.d/init.d/kamailio status:clip_image001
  10. I confirmed it was listening (netstat –an | grep 506):clip_image002
  11. I then opened up the firewall to allow those ports in (okay, thats a lie – I floundered a bit before remembering I had to do this) by editing /etc/sysconfig/iptables and adding after the --dport 22line:
    		-A INPUT -p tcp -m state --state NEW -m tcp --dport 5060 -j ACCEPT
    		-A INPUT -p tcp -m state --state NEW -m tcp --dport 5065 -j ACCEPT
    		-A INPUT -p tcp -m state --state NEW -m tcp --dport 5067 -j ACCEPT
    		-A INPUT -p udp -m state --state NEW -m udp --dport 5060 -j ACCEPT
    		-A INPUT -p udp -m state --state NEW -m udp --dport 5065 -j ACCEPT
    		-A INPUT -p udp -m state --state NEW -m udp --dport 5067 -j ACCEPT

    This looks like this when it’s done:
    image

  12. I then made this kick in by restarting the firewall with /etc/rc.d/init.d/iptables restart.
  13. I next added system logger support for the configured log source by editing /etc/rsyslog.confand adding:
    local0.*                                                 /var/log/kamailio.log

    image

  14. I then made this kick in by reloading the logger configuration with /etc/rc.d/init.d/syslog reload.
    image
  15. I don’t want this log to grow uncontrollably so I configured the logrotate daemon to make a new log every day and save seven of them by creating /etc/logrotate.d/kamailiowith:
    /var/log/kamailio.log {
    	rotate 7
    	missingok
    	daily
    }

    image

Preparing Exchange 2010 and Lync 2010

This is normal Exchange and Lync SIP configuration so I’m not going to get into great detail here. The following are the key points:

  • Make sure Lync has a TCP listener on port 5068 on the mediation server of your choice. There’s no high availability here so pick one and go. As quick hints of where this is done in Topology Builder:
    clip_image001[7]
    clip_image002[8]
    After publishing and running Bootstrapper (Lync Setup) on the Mediation Server as instructed by Topology Builder I ran into (what I consider to be) a bug in Lync shown via the event log – there were LS Mediation Server messages 25075 and 25031 indicating no TCP port is enabled, then that the TCP port was requested but ignored. Restarting the Mediation Server service sorted it out. The Kamailio log will show this working (e. g. tail /var/log/kamailio.log):
    image
  • For Exchange, make sure you have TCP enabled on the UM server (requires a service restart to kick in) and that you have an appropriate IP gateway and unsecured telephone extension dial plan configured against that gateway:
    clip_image001[9]
    clip_image002[10]

And that’s it!

So What Does the Configuration Mean?

OK, so what the heck does the configuration I gave you above mean?  Let’s go through it:

#!KAMAILIO

This is a signature for the configuration file.

# Remote Hosts

#!subst "/SIP_UDP_HOST/172.30.1.11/"
#!subst "/EXCHANGE_UM/172.30.1.12/"
#!subst "/LYNC_MEDIATION/172.30.1.13/" 

listen=172.30.1.14:5060
listen=172.30.1.14:5065
listen=172.30.1.14:5067

This is the super important customization part. The three subst lines replace all references to those text strings with the appropriate IP addresses, while the listen lines allow the router to accept traffic on its IP on three ports – 5060, 5065, and 5067. The latter two are because Exchange – for reasons known to Microsoft but not me – takes UM connections on port 5060 but then redirects them to 5065 or 5067. Remember how above I said that some sites use 5065 and that’s wrong?  That’s because they are assuming all redirects are to 5065, but Exchange might want 5067.

Anyway, the next lines are some configuration stuff that is from the default that I left alone mainly because either the settings were fine (e. g. the syslog facility used) or because I didn’t know the implications in changing them (e. g. the children process count); there’s also the enabling of TCP (normally disabled):

####### Global Parameters ######### 
memdbg=5

memlog=5 
debug=2
log_facility=LOG_LOCAL0 
fork=yes

children=4 
disable_tcp=no 
auto_aliases=no 

# life time of TCP connection when there is no traffic
# - a bit higher than registration expires to cope with UA behind NAT
tcp_connection_lifetime=3605

Next are the modules that I am loading. I know I need some of these for sure – there are others I don’t know about so I left well-enough alone and kept them there:

####### Modules Section ######## 
mpath="/usr/lib/kamailio/modules_k/:/usr/lib/kamailio/modules/" 
loadmodule "kex.so"
loadmodule "tm.so"
loadmodule "tmx.so"
loadmodule "sl.so"
loadmodule "pv.so"
loadmodule "maxfwd.so"
loadmodule "usrloc.so"
loadmodule "textops.so"
loadmodule "siputils.so"
loadmodule "xlog.so"
loadmodule "sanity.so"
loadmodule "ctl.so"
loadmodule "cfg_rpc.so"
loadmodule "mi_rpc.so" 

# ----- tm params -----
# auto-discard branches from previous serial forking leg
modparam("tm", "failure_reply_mode", 3)
# default retransmission timeout: 30sec
modparam("tm", "fr_timer", 30000)
# default invite retransmission timeout after 1xx: 120sec
modparam("tm", "fr_inv_timer", 120000)

The next line sets a server header seen in the SIP headers. It is a fun way to point out that PhoneCo was annoying me as well as to hide the actual software being used:

server_header="Server: PhoneCo Intransigence Coping Solution (PICS) 2.0"

Now comes the real meat. It starts the routing logic for incoming SIP calls looking for the OPTIONS call that Lync and Exchange make every nanosecond (approximately) to check to see if their SIP peers are alive. Hence the status text – the code is all that really matters:

####### Routing Logic ########

route {
        if(is_method("OPTIONS")) {
                xlog("L_INFO","OPTIONS from $si");
                sl_send_reply("200", "Yes, Microsoft, I am alive");
                exit();
        }

The next line just acts as a debugging log showing what came in:

        xlog("L_INFO", "*** M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci");

The dollar-sign pseudo-variables are documented here, should you care: http://www.kamailio.org/wiki/cookbooks/3.2.x/pseudovariables

Anyway, moving on, we have the Exchange routing. Looking at this now, I probably want the two extensions (one for the auto-attendant and one for subscriber access) to be substituted variables, but that will be 2.1 I guess:

# Route Exchange extensions
        if((to_uri=~"sip:5992") || (to_uri=~"sip:5999")) {
                xlog("L_NOTICE", "EXCHANGE UM call, $proto port $op, $ru, $fU");
                t_on_reply("1");

This basically says “if a SIP call is made to extension 5992 or extension 5999, then do this…” and starts by indicating that we are going to do a transactional SIP redirect that, when we see a reply, should go to reply handler “1“, which will come later. After that, we have:

        # https://issues.asterisk.org/jira/browse/ASTERISK-16862
        # http://imaucblog.com/archive/2009/10/03/part-1-how-to-integrate-exchange-2010-or-2007-with-trixbox-2-8/
        replace("Diversion: <sip:5999@SIP_UDP_HOST>;reason=unconditional","MCB-Stripped-Header: Diversion");

Why is this here? Basically, Asterisk does something we don’t want it to do on the Exchange redirect – adds an extra SIP Diversion header – and we want that extra header to go away. I need to replace it with something though, so I just made up a vendor header and used that. This is safe as SIP agents – like HTTP server and clients – ignore headers that they don’t know. Next, we take the UDP session and do a transactional redirect to TCP:

        switch($op) {
                case 5060:
                        xlog("L_NOTICE", "Redirecting to TCP 5060");
                        t_relay_to("tcp:EXCHANGE_UM:5060");
                        exit();
                        break;
                case 5065:
                        xlog("L_NOTICE", "Redirecting to TCP 5065");
                        t_relay_to("tcp:EXCHANGE_UM:5065");
                        exit();
                        break;
                case 5067:
                        xlog("L_NOTICE", "Redirecting to TCP 5067");
                        t_relay_to("tcp:EXCHANGE_UM:5067");
                        exit();
                        break;
                }
        }

I couldn’t come up with a “smart” way to do this better; this is a little wordy but it is clear what is happening. I next route the Lync calls (adding the E.164 “+” sign along the way) based on extension pattern (all other 5xxx extensions besides the two special case ones above), with all others going to the Asterisk side:

        # Route Lync extensions
        if(to_uri=~"sip:5...") {
                replace("To: <sip:", "To: <sip:+");
                xlog("L_NOTICE", "LYNC call to $tu");
                t_relay_to("tcp:LYNC_MEDIATION:5068");
                exit();
        }

        # Route the rest to Asterisk
        xlog("L_NOTICE", "Asterisk call to $tu");
        forward_udp("SIP_UDP_HOST", 5060);
}

Notice that I do forward_udpinstead of t_relay_to because I don’t care about maintaining transactional state in the case of going back to Asterisk, so there’s no reason to waste resources on it. I just tell Kamailio to throw it over the wall and forget about it.

Finally, I handle the reply from Exchange. This is why I made the Exchange piece transactional:

onreply_route[1] {
        xlog("L_NOTICE", "Handling reply from Exchange relay, status $rs");
        switch($rs) {
                case 302:
                        xlog("L_NOTICE", "Saw 302 Redirect response, checking details...");
                        if(search(";transport=Tcp")) {
                                xlog("L_NOTICE", "Saw TCP redirection, changing redirection to UDP");
                                replace(";transport=Tcp", ";transport=Udp");
                        } else {
                                xlog("L_NOTICE", "302 was not matched (!)");
                        }
                        exit();
                        break;
                case 100:
                        xlog("L_NOTICE", "Saw 100, leaving alone...");
                        exit();
                        break;
        }

Notice if I get a redirect from Exchange (which I will for port 5060) I change that from a Tcp redirect to a Udp redirect, then send it on its way.

So, this is what is in the lab right now. I think this works – until PhoneCo gets the line in place we won’t know 100% but I think this is close if it isn’t completely right. We’ll see.

Hope this helps you in your integration scenarios!

— Michael C. Bazarewsky
Principal Consultant, Windows Server and Security

Office 365 E-Mail Migration Performance

Last month Microsoft released a document outlining Exchange Online Migration Performance.  You can find the article here. While it’s not a bad read at 26 pages, I will highlight some of the important pieces.

It’s always important to keep in mind the data and how it will get to Office 365 when considering moving to Exchange Online.  Depending on the size of your total email data, the source mail platform, and the tool you will be using to migrate the data the time per user can vary drastically.

Let’s take a look at the following chart provided by Microsoft that highlights some of the throttling.

Migration tool Migration   method User   throttling Migration-service   throttling Office 365   resource health-based throttling Observed   average throughput per hour and per client (if applicable)
Native   O365/Simple Migration IMAP4   migration

No

Yes

Yes

5-10 gigabyte (GB) (50 concurrency)

Native   O365/Simple Migration Cutover   Exchange migration

No

Yes

Yes

5-10 GB (50 concurrency)

Native   O365/Simple Migration Staged   Exchange migration

No

Yes

Yes

5-10 GB (50 concurrency)

Native O365 Hybrid   migration

No

Yes

Yes

10-15 GB (per On-premise Exchange 2010   CAS)

Third Party MAPI

Yes

No

Yes

0.5-1 GB

Third Party EWS

No

Yes

Yes

5-10 GB

Client   Uploading Outlook

Yes

No

Yes

0.5 GB

As you can see there are a few different caps depending on what type of migration you are performing and what type of tool you are using.  For example, the native Office 365 tools in the Exchange Control Panel can perform either a Simple(think IMAP), Cutover(from Exchange on Prem) and Staged(Also from On prem).  Hybrid migration, in which a 2010 Client Access Server where Hybrid mode has been configured, is the fastest means to migrate which makes sense given Microsofts subtle push to have people with Exchange on prem migrate in this fashion.  If you’re using a 3rd party tool be sure it can use Exchange web services to connect to Office 365.

By far the slowest method of migration is 3rd party MAPI and Client uploading.  Keep these in mind because if your migration plan was export/import .PST files using either in house methods or some of the *free* migration tools out there you need to understand just how slow they will be.  Typically this type of method should only really be used in which the number of users is very small.

Looking over these #s that they’ve listed and I would say this is somewhat what I’ve observed performing migrations in the field.  For me though, the biggest factor is what platform you are migrating off of and the performance of that server and your network.  Some IMAP migrations from older systems or on servers that have been around for years can take much longer than you would see from other IMAP migrations such as Gmail.  I’ve seen 10 user mailboxes averaging 3gb each take 12 hours to complete in total with max concurrency set to 5(which according to the chart should take 3-4 hours).  It’s always important to pilot and test your migration to get expectations before planning production schedules and dates.

As I mentioned earlier Hybrid Migrations do seem to be the direction Microsoft is pushing companies to if they have Exchange on-premise.  My only concern with this is that it can be extremely complicated for Administrators who do not have a lot of experience with Exchange 2007+ and how web services and autodiscover work.  Putting in Exchange 2010 CAS with hybrid in an Exchange 2003 environment can be complex for a seasoned Exchange administrator, much less one that’s only experience is in Exchange 2003.  With Exchange 2010 SP2 it has made that process somewhat easier(wizard), but it still requires knowing how all the services work to get it right.  My advice is carefully determine what Hybrid mode offers your company and if those additional benefits are worth the extra efforts involved in implementing it.

Peter Gleek

Exchange 2010 RTM Setup Fails with Event ID 1002

While working through an Exchange 2010 RTM installation (to be updated to SP2 of course when the time came) at a customer site, we ran into an error that at first had us baffled:

Exchange Server component Mailbox Role failed.
Error: Error:
The following error was generated when “$error.Clear();
$name = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxUniqueName;
$dispname = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxDisplayName;
$dismbx = get-mailbox -Filter {name -eq $name} -IgnoreDefaultScope -resultSize 1;
if( $dismbx -ne $null)
{
$srvname = $dismbx.ServerName;
if( $dismbx.Database -ne $null -and $RoleFqdnOrName -like “$srvname.*” )
{
Write-ExchangeSetupLog -info “Setup DiscoverySearchMailbox Permission.”;
$mountedMdb = get-mailboxdatabase $dismbx.Database -status | where { $_.Mounted -eq $true };
if( $mountedMdb -eq $null )
{
Write-ExchangeSetupLog -info “Mounting database before stamp DiscoverySearchMailbox Permission…”;
mount-database $dismbx.Database;
}

              $mountedMdb = get-mailboxdatabase $dismbx.Database -status | where { $_.Mounted -eq $true };
if( $mountedMdb -ne $null )
{
$dmRoleGroupGuid = [Microsoft.Exchange.Data.Directory.Management.RoleGroup]::DiscoveryManagementWkGuid;
$dmRoleGroup = Get-RoleGroup -Identity $dmRoleGroupGuid -DomainController $RoleDomainController -ErrorAction:SilentlyContinue;
if( $dmRoleGroup -ne $null )
{
Add-MailboxPermission $dismbx -User $dmRoleGroup.Identity -AccessRights FullAccess -DomainController $RoleDomainController -WarningAction SilentlyContinue;
}
}
}
}
” was run: “Couldn’t resolve the user or group “domain.local/Microsoft Exchange Security Groups/Discovery Management.” If the user or group is a foreign forest principal, you must have either a two-way trust or an outgoing trust.”.

Couldn’t resolve the user or group “domain.local/Microsoft Exchange Security Groups/Discovery Management.” If the user or group is a foreign forest principal, you must have either a two-way trust or an outgoing trust.

The trust relationship between the primary domain and the trusted domain failed.

The bolded portion was the key, although we (okay, I – MCB) completely misread it.  We took this to mean that it was an issue with the member server trust, but that of course is a completely different error:

The trust relationship between this workstation and the primary domain failed.

We (okay, I – TB) finally figured out what was up – the customer had two broken domains trusts in the environment.  When asked, the customer said, “oh, yeah, I think we know about that, they are before anyone’s time and we were afraid to touch them.”  That of course was not a helpful answer, but they were onboard with whacking the trusts since they didn’t work anyway.

One of the things that caused us pain here is that there are substantial number of web pages and forum posts about this particular error, but they all relate to SP installation on an existing installation.  They go through recreating system mailboxes and all kinds of other hoops, but that was in our case the completely wrong thing to do.

Once we removed the bad trusts, the installation worked.  Yay.  It’s a case perhaps of “RTFEM.”  There’s a good question here of exactly why Exchange Setup cares here – it knows enough information to find the group in question without going through trusts, but it insists on doing so anyway.  One could even go so far as to this being a bug, although without knowing the team’s reasoning it’s difficult to jump to that conclusion.

In any event, hopefully this post helps other people out.

– Tom Bridge and Michael C. Bazarewsky
”Exchange Rock Stars” (Tom made us say that)

System Center User Group – Embracing the Consumerization of IT

Presented by Jason Roundy & David Glass – Quest Software
Wednesday April 11th, 2012 from 5:45pm – 7pm

Register Here

The culture of work is changing. Tech-savvy and always-connected people want faster, more intuitive technology, uninterrupted services and freedom to work anywhere, anytime, on a variety of devices. It’s time to give people the freedom to get things done their way. In return, you’ll unleash passion and productivity like never before.
Quest’s User Workspace Management solutions enable the modern business desktop and ‘Flexible Workstyle’ by easing the migration to modern Microsoft platforms such as Windows 7 & 8, SCCM 2012, MDOP, Remote Desktop Services (RDS), VDI and Mobile Device Management.
Jason Roundy is the product manager for Quest’s Management Xtensions (QMX) for System Center and has been in the IT industry for 20 years. During this session Jason will provide an overview of the QMX solution and how you can extend System Center to seamlessly manage your Apple Desktop, iOS & Android Mobile devices along with Windows and your other platforms – under one single pane of glass. Jason will also show us the console integration, HW and SW inventory, reporting and distribution in a small demo environment. Don’t miss this opportunity to learn how to say ‘YES’ to your clients’ enterprise management requirements for Apple and more!

Refreshments and pizza will be provided.

Registration is recommended as seating is limited.

For further information and questions, please contact:
Andrew Thorne
athorne@bennettadelson.com
216.369.0140

Location:
Microsoft Corporation
Park Center III
6050 Oak Tree Blvd, Suite 300
Independence, Ohio 44131

About the Cleveland System Center User Group
This group’s focus is on the Microsoft suite of applications for managing and maintaining the infrastructure environment bundled under the System Center umbrella. This suite includes Configuration Manager (ConfigMgr), Operations Manager (OpsMgr), Virtual Machine Manager, Reporting Services, Mobile Device Manager, and Data Protection Manager. Please join the Cleveland System Center User Group for introductions to Microsoft technology, technical deep dives, as well as advanced topics to extend and support your solutions. This is a great opportunity to join with your peers in the Cleveland area and learn from both the presenter and the group.

© 2010 Bennett Adelson. 6050 Oak Tree Blvd, Cleveland, OH 44131

Windows 8 Road Show slides

I would like to thank all those who attended the Bennett Adelson Windows 8 Preview Roadshow.  In all, we had almost 100 attendees, many good conversations and received  a lot of great feedback.  We enjoyed putting on the event and hope that you will join us for the upcoming System Center 2012 Roadshow……..Details to be released soon!

We have attached the presentations in PDF format and hope that you all walked away having learned something and are considering the business value of implementing Windows 8.

Thanks Again,

Jarrod Roark | Bennett Adelson | Columbus
Director – Advanced Infrastructure

Winner of Microsoft 2011-2012 Partner of the Year, Heartland District

0 – Windows 8 Keynote

1 – Windows 8 Tools and Storage

2 – Windows 8 Hyper-V Deeper Dive

3 – Windows 8 Backup and Recovery Strategies for Hyper V

4 – Windows 8 Contact Us