Yearly Archives: 2013

Importing a SSL certificate into a Java Keystore via a PKCS12 file

Here are the instructions on how to import an SSL certificate (together with its private key) into a Java keystore from a PKCS12 (.pfx or .p12) file.

  1. Create a new keystore
    1. Navigate to C:\Program Files\Java\jdk_xxxx\bin\ via command prompt
  2. Execute: keytool -genkey -alias mycertificate -keyalg RSA -keysize 2048 -keystore mykeystore
    1. Keystore password: use the same password/passphrase as the PKCS12 file (PKCS12 cannot hold a key password that differs from the store password, so keeping one password everywhere avoids mismatches later)
    2. What is your first and last name?  (this becomes the CN; use the DNS name you're going to serve) [Unknown]:  server.mydomain.com
      What is the name of your organizational unit? [Unknown]: MyCompanysITDepartment
      What is the name of your organization?  [Unknown]:  MyCompany
      What is the name of your City or Locality?  [Unknown]:  CITY
      What is the name of your State or Province?  [Unknown]:  STATE
      What is the two-letter country code for this unit?  [Unknown]:  US
      Is CN=...................................... correct?  [no]:  yes
      Enter key password for <mycertificate>
      (RETURN if same as keystore password): Hit Return/Enter
  3. Empty the keystore (the key pair generated in step 2 only existed to create the file)
    1. Execute via command prompt: keytool -delete -alias mycertificate -keystore mykeystore
    2. Ensure nothing is in the keystore by executing: keytool -v -list -keystore mykeystore
  4. Import the PKCS12 file
    1. Execute via command prompt: keytool -v -importkeystore -srckeystore whateverthefileis.p12 -srcstoretype PKCS12 -destkeystore mykeystore -deststoretype JKS
    2. Enter the PKCS12 password/passphrase for both the source and destination password.
    3. Note: keytool -importkeystore creates the destination keystore if it does not already exist, so steps 1 to 3 are harmless but not required. Afterwards, run keytool -v -list -keystore mykeystore and confirm a PrivateKeyEntry is present. Its alias is whatever was inside the PKCS12 file (often 1 or a GUID); add -srcalias <oldalias> -destalias mycertificate to the import, or run keytool -changealias afterwards, if you want a meaningful name.
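The same import scripted in PowerShell, as an added example that is not part of the original post. It performs the import in a single keytool call (keytool -importkeystore creates the destination keystore when it does not exist, so the generate-then-delete steps are unnecessary), keeps the passphrase off the command line, and verifies the result. JAVA_HOME, the PKCS12 path C:\certs\server.mydomain.com.p12 and the alias mycertificate are assumptions; adjust them to your environment.

```powershell
# Added example (not code from the original post): PKCS12 -> JKS in one keytool call,
# passphrase passed via environment variable, result verified.
# Assumptions: JAVA_HOME points at a JDK; paths and alias below are placeholders.

$keytool = Join-Path $env:JAVA_HOME 'bin\keytool.exe'
$p12     = 'C:\certs\server.mydomain.com.p12'   # assumption
$jks     = 'C:\certs\mykeystore'                # created by the import if it does not exist
$alias   = 'mycertificate'

# Prompt once; hand the secret to keytool through an environment variable (keytool's
# ":env" form) so it never appears on the command line or in PowerShell history.
$secure = Read-Host -AsSecureString 'PKCS12 passphrase'
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$env:KS_PASS = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

try {
    # The alias inside a PKCS12 is whatever the exporting tool chose (often "1" or a GUID);
    # read it from the file rather than guessing.
    $entry = & $keytool -list -keystore $p12 -storetype PKCS12 -storepass:env KS_PASS |
             Select-String -Pattern '^(.+?),.*PrivateKeyEntry' | Select-Object -First 1
    if (-not $entry) { throw "No PrivateKeyEntry found in $p12 (wrong passphrase, or a cert-only file?)" }
    $srcAlias = $entry.Matches[0].Groups[1].Value

    # One password for store and key on both sides: PKCS12 cannot hold differing ones, and
    # keeping them equal is what lets later JKS <-> PKCS12 conversions succeed.
    & $keytool -importkeystore -noprompt `
        -srckeystore  $p12 -srcstoretype  PKCS12 -srcstorepass:env  KS_PASS -srcalias  $srcAlias `
        -destkeystore $jks -deststoretype JKS    -deststorepass:env KS_PASS -destkeypass:env KS_PASS -destalias $alias
    if ($LASTEXITCODE -ne 0) { throw "keytool -importkeystore exited with $LASTEXITCODE" }

    # Verify: the private key is present under the alias we asked for, with its full chain.
    & $keytool -list -v -keystore $jks -storepass:env KS_PASS -alias $alias |
        Select-String -Pattern 'Alias name|Entry type|Certificate chain length|Owner:|Issuer:|Valid from|SHA1'
}
finally {
    Remove-Item Env:\KS_PASS -ErrorAction SilentlyContinue   # do not leave the secret in the session
}
```

Newer JDKs (9 and later) default to PKCS12 and warn that JKS is a proprietary format, so unless the consuming application insists on JKS you can drop -deststoretype JKS and keep the store as PKCS12.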

OCSLogger Options Defined for Lync 2013

Here is a very incomplete list of what each option means in the Lync Server 2013 Logging Tool (OCSLogger.exe).  I am still trying to learn how this tool works and am in search of a complete list of what each Logging Option does, so if you have any information on what an option does, please drop a comment below so I can add it to the table. Thanks, and I hope this helps someone else!

Notes:

Here is a very thorough guide from Microsoft on Specifying Options for Logging for Communications Server 2007

Here is a guide from Microsoft on Using Lync Server 2013 Logging Tool

Component Description
ABCommon Enables logging for the Address Book service.
ABServer Enables logging for the Address Book service that provides global address list information from Active Directory to the Office Communicator client.
ABServerIISModule
ADConnect Enables logging for Active Directory connectivity.
AdminUI Enables logging for the Lync Server Control Panel (admin UI), covering its interactions and calls.
AggregationScript Enables logging for the component that determines the aggregate user state and capabilities across all endpoints.
ApiModule Enables logging for the component that exposes the Office Communications Server API to MSPL (Microsoft SIP Processing Language) and managed code applications.
ApplicationServer
AppShareOoty
ArchivingAgent Enables logging for the Archiving agent that runs on the Front End Server and writes SIP messages to Message Queuing.
ArchJournal
AsMcu
AutoDiscover
AvMcu Enables logging for the A/V Conferencing Server.
AvMP
CAAServer
CASServer
CertProvisioning
ChatCommon
ChatEndpoint
ChatRoomManagement
ChatSDK
ChatWebService
ClientVersionFilter Enables logging for the Client Version Filter, an application that can be used to allow/block access from clients that conform to certain versions.
CLSAgent
CLSCommon
CLSController
CLSControllerLib
CLSFormat
Collaboration Logs activities of the collaboration object layer pertaining to instant messaging.
CpsDiagnostics
CpsHostingFramework
DataMCU Enables logging for the Web Conferencing Server.
DataMCURunTime
Deployment
DeviceUpdate
DeviceUpdateHttpHandler
Dialin
Dlx Enables logging for the Group (DL) Expansion service.
ExumRouting Enables logging for the component that routes calls to Exchange Unified Messaging for voice mail.
HybridConfig
IIMFilter Enables logging for the Intelligent Instant Messaging (IIM) application that filters incoming IM traffic using criteria specified by administrators.
ImMcu Enables logging for the IM Conferencing Server, which enables group IM by relaying IM traffic among all participants.
InboundRouting Enables logging for the Inbound Routing component that handles incoming calls largely according to preferences that are specified by users on their Enterprise Voice clients.
IncomingFederation
Infrastructure
InterClusterRouting
InternalCommon
JoinLauncher
LCCertHelper Enables logging of the component used for certificates-related functionality in SipStack, MMC, WMI, and the Certificates Wizard.
LcsServer Enables logging of the RtcSrv service. On a Front End Server the RtcSrv service is the Office Communications Server Front End service. On an Access Edge Server, the RtcSrv service is the Office Communications Server Access Edge service.
LDM Enables logging of Web Conferencing Server connection management, which manages TLS/MTLS connections from clients and other servers such as the Web Conferencing Edge Server.
LocationInformationService
Lyss
Mach
ManagementCore
MCUFactory Enables logging for the Focus Factory which determines which conferencing server is available to service the conference scheduling request.
MCUInfra Enables logging for the component that provides communication between the Focus and the conferencing servers.
McxService
Media_MMVR
Media_PAL
MediaStack_AUDIO_AGC
MediaStack_AUDIO_DRC
MediaStack_AUDIO_ECHODT
MediaStack_AUDIO_FAXDT
MediaStack_AUDIO_HEALER
MediaStack_AUDIO_NOISEDT
MediaStack_AUDIO_VAD
MediaStack_AUDIO_VSP
MediaStack_AudioCodes
MediaStack_AudioEngine
MediaStack_COMAPI
MediaStack_COMMON
MediaStack_Crossbar
MediaStack_Crypto
MediaStack_DebugUI
MediaStack_DebugUI_AEC
MediaStack_DEVICE
MediaStack_MassConvertedTraces1
MediaStack_MediaManager
MediaStack_PerFrame
MediaStack_PerPacket
MediaStack_QualityController
MediaStack_RTCP
MediaStack_RTP
MediaStack_StreamingEngine
MediaStack_TLS
MediaStack_Transport
MediaStack_VIDEO
MediaStack_VOICEENHANCE
MediationServer Enables logging for the Mediation Server that translates between the Office Communications Servers and the media gateway.
MRAS Enables logging for the Office Communications Server Audio/Video Authentication service, which provides authentication services for the A/V Edge Server, the component that provides the functionality to share audio and video with external users.
OutboundRouting Enables logging for the Outbound Routing component that routes calls to PBX or PSTN destinations, applies call authorization rules to callers, and determines the optimal media gateway for routing each call.
OutgoingFederation
PDP
PowerShell Enables logging for most of the PowerShell interfaces behind the Lync Server Control Panel.
QueueDLL Enables logging for the component that facilitates inter-process communication between the server and applications.
RDPApiTrace
RDPEncComTrace
ReachJoin
ReachPerf
RgsClientLib
RgsCommonLibrary
RgsDatastores
RgsDeploymentApi
RgsDeploymentLibrary
RgsDiagnostics
RgsHostingFramework
RgsMatchMakingService
Routing_data_Sync_agent
RtcDbSyncAgent
RtcHost Enables logging for the component that is the host for all server API applications.
RTCSPL Enables logging for the component that is the host for running MSPL (Microsoft SIP Processing Language) script based applications.
S4 Logs all SIP messages between the Mediation Server and PSTN gateways.
ServerAgent
ServerConfiguration
ServerTransportAdaptor
SIPStack Enables logging for the SipStack component that handles TLS/MTLS connection management and SIP call flows.
StoreWeb
TranslationApplication Enables logging for the Translation Service which is the server component that is responsible for translating a dialed number into E.164 format based on the normalization rules defined by the administrator.
UCMA_Workflow
UCWA
UdcAgent
UserPinService
UserServices Enables logging for the UserServices component that provides closely integrated IM, presence, and conferencing features built on top of the SIP proxy. Includes the Focus and Focus Factory.
WebInfrastructure
WebRelay
WebScheduler
WPP_OC_RDP_APPSHAPI
XDS_File_transfer_agent Enables logging of replication data, specifically file transfer aspects.
XDS_Master_replicator Enables logging for the creation of replication packages and notifications.
XDS_Replica_Replicator Enables logging for receipts of replication packages and notifications.
XmppCommonLibrary
XmppListener
XmppRouting
XmppTGW


Veeam Backup and Replication 6.5 for VMware - CHMOD mask [0] error

Symptom:
When running a backup, you receive the following message:

5/20/2013 1:43:48 PM :: Error: Client error: File does not exist. File: [E:\Backups\VMs\VM2013-05-20T010122.vib].
Failed to restore file from local backup. VFS link: [summary.xml]. Target file: [MemFs://Tar2Text]. CHMOD mask: [0].

Solution:
From what I gather, this error is generated when the job has no completed full backup to build on.  For example, let's say you back up to an external hard drive and your next scheduled backup is an incremental.  When that incremental runs and no full backup exists, the incremental cannot be created and you end up with the error above.

To allow your backup to complete successfully, you need to manually create a full backup for each of the "problem VMs" so the incrementals can run properly.  To do so, right click your Veeam backup job and select "Active Full".  This creates a full backup and then lets your scheduled incremental jobs run as intended.

Configuring Lync Server to push out latest Microsoft Lync Phone Edition firmware

I noticed today that a large shipment of Polycom phones we were going to deploy were using the RTM version of Lync Phone Edition and were outdated compared to Microsoft's latest version.  That being said, here is a guide on how to update the firmware for your phones.

At the time of this writing, it appears there are only a few different manufacturers that distribute the Microsoft Lync Phone Edition phones.  For reference, here are the Microsoft URLs for each of those phone types:

Deploying latest firmware for the Microsoft Lync Phone Edition

  1. Download the latest firmware for the Lync Phone Edition device.
    1. In my case, I want to push out the latest firmware for the Polycom CX600s, which can be found here (links to the firmware of other phones can be found above in this same article): http://www.microsoft.com/en-us/download/details.aspx?id=23866
  2. Double click on the downloaded file (UCUpdates.exe), and run through the wizard.
    1. Select your language:
      Microsoft Lync Phone Edition Wizard - Select Language
    2. Accept the EULA
      Microsoft Lync Phone Edition Wizard - Accept EULA
    3. On this step, extract the files to a folder you can recognize.  All firmware downloads are called UCUpdates.exe and ucupdates.cab, so I highly recommend you sort out each firmware to a corresponding folder.
      Microsoft Lync Phone Edition Wizard - Extract To 
    4. Click the "Click this link to open folder in Windows Explorer." and verify you see the ucupdates.cab file.
      Microsoft Lync Phone Edition Wizard - Open Extracted Contents
    5. Here we see the ucupdates.cab file.
      ucupdates - Extracted files
  3. Copy the ucupdates.cab file over to your Lync Front End Server if you didn't in the first step.
  4. Execute the following command in the Lync Server Management Shell (the WebServer identity is the FQDN of the Front End Pool, or of the single Front End Server in a standalone deployment):
    1. Import-CsDeviceUpdate -Identity service:WebServer:lync.mydomain.local -FileName "C:\Polycom CX600\ucupdates.cab" -Verbose
      1. Note: I added the optional -Verbose parameter to show what the cmdlet is doing behind the scenes.  Some people have mentioned this step taking a while to complete, so this will at least tell you whether things are moving forward or not.
  5. Once the command has completed successfully, head over to the Lync Server Control Panel (LSCP) (Web GUI), and navigate to Clients > Device Update.  Here you should see the firmware for your device and you should notice that the version shows up under the "Pending Version" column.  This means that the firmware will NOT be pushed until we manually approve it.
    LSCP - Clients - Device Update - Polycom
  6. Now we will push out the firmware to one device to ensure the firmware actually works.  Inside of the Lync Server Control Panel, click on the Test Device tab.
    1. Click the New... button and then select Global test device
    2. For Device Name, type in something like Polycom CX600 to identify what will be pushed to it, and then enter in the MAC address of the phone in the Unique identifier field.
      1. Note: if you use the MAC address as the Unique identifier, make sure you leave out any special characters, it should be only the hex address.
    3. Here is a screenshot below of my test device:
      LSCP - Clients - Test Device
  7. At this point, all you need to do is wait until the phone reboots and applies the update automatically (you don't need to approve the firmware or anything like that, it just starts to deploy to the test device).
    1. If you want to check what is going on, log in to your Front End Server and navigate to C:\inetpub\logs\LogFiles\<randomID>; in the IIS logs you can see the phone pulling the update files and then reconnecting with the new version.  In my case, I could see the phone boot, pull the new firmware files, and then reboot and make new requests with the latest version in the User-Agent header.  Note in the excerpt below that the web services are called on port 443, while the firmware files themselves (CPE.nbt, CPE.cat) are fetched on port 80.
    2. 2013-05-16 15:43:13 192.168.1.21 POST /locationinformation/liservice.svc/mex - 443 - 192.168.2.2 OCPhone/4.0.7577.4066+(Microsoft+Lync+2010+Phone+Edition) - 200 0 0 114
      2013-05-16 15:43:13 192.168.1.21 POST /RequestHandler/ucdevice.upx - 443 - 192.168.2.2 Microsoft+UCPhone+Device+(lcs_se_w14_main:1077577:2012/02/18:16:44:15) - 200 0 0 219
      2013-05-16 15:43:13 192.168.1.21 GET /RequestHandler/Files/UCPhone/POLYCOM/CX600/Rev-5/ENU/4.0.7577.4387/CPE/CPE.nbt - 80 - 192.168.2.2 Microsoft+UCPhone+Device+(lcs_se_w14_main:1077577:2012/02/18:16:44:15) - 200 0 995 240
      2013-05-16 15:43:13 192.168.1.21 POST /groupexpansion/service.svc/mex - 443 - 192.168.2.2 OCPhone/4.0.7577.4066+(Microsoft+Lync+2010+Phone+Edition) - 200 0 0 30
      2013-05-16 15:43:15 192.168.1.21 POST /WebTicket/WebTicketService.svc/mex - 443 - 192.168.2.2 OCPhone/4.0.7577.4066+(Microsoft+Lync+2010+Phone+Edition) - 200 0 0 129
      2013-05-16 15:43:17 192.168.1.21 POST /WebTicket/WebTicketService.svc/cert - 443 - 192.168.2.2 OCPhone/4.0.7577.4066+(Microsoft+Lync+2010+Phone+Edition) - 200 0 0 68
      2013-05-16 15:43:17 192.168.1.21 POST /locationinformation/liservice.svc/WebTicket_Bearer - 443 - 192.168.2.2 OCPhone/4.0.7577.4066+(Microsoft+Lync+2010+Phone+Edition) - 200 0 0 197
      ..........Some random logs here..........
      2013-05-16 15:44:16 192.168.1.21 GET /RequestHandler/Files/UCPhone/POLYCOM/CX600/Rev-5/ENU/4.0.7577.4387/CPE/CPE.nbt - 80 - 192.168.2.2 Microsoft+UCPhone+Device+(lcs_se_w14_main:1077577:2012/02/18:16:44:15) - 200 0 0 61951
      2013-05-16 15:44:16 192.168.1.21 GET /RequestHandler/Files/UCPhone/POLYCOM/CX600/Rev-5/ENU/4.0.7577.4387/CPE/CPE.cat - 80 - 192.168.2.2 Microsoft+UCPhone+Device+(lcs_se_w14_main:1077577:2012/02/18:16:44:15) - 200 0 0 44
      2013-05-16 15:44:16 192.168.1.21 GET /RequestHandler/Files/UCPhone/POLYCOM/CX600/Rev-5/ENU/4.0.7577.4387/CPE/CPE.cat - 80 - 192.168.2.2 Microsoft+UCPhone+Device+(lcs_se_w14_main:1077577:2012/02/18:16:44:15) - 200 0 0 10
      ..........Some random logs here..........
      2013-05-16 15:51:55 192.168.1.21 POST /groupexpansion/service.svc/mex - 443 - 192.168.2.2 OCPhone/4.0.7577.4387+(Microsoft+Lync+Phone+Edition) - 200 0 0 11
      2013-05-16 15:51:55 192.168.1.21 POST /locationinformation/liservice.svc/mex - 443 - 192.168.2.2 OCPhone/4.0.7577.4387+(Microsoft+Lync+Phone+Edition) - 200 0 0 8
      2013-05-16 15:51:56 192.168.1.21 POST /WebTicket/WebTicketService.svc/mex - 443 - 192.168.2.2 OCPhone/4.0.7577.4387+(Microsoft+Lync+Phone+Edition) - 200 0 0 10
  8. Once the firmware has been applied to your test device and all is well, we need to approve the firmware for all phones in the organization.  To do so, follow the steps below.
    1. Navigate to Clients -> Device Update
    2. Click Edit, Select all
    3. Click Action, Approve
      LSCP - Clients - Device Update - Approve
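The same rollout driven from the Lync Server Management Shell, as an added example that is not code from the original post. It stages the CAB, lists pending versus approved versions, registers the canary phone as a global test device, parses IIS log lines like the ones above to confirm the phone came back on the new firmware, and only approves the update for everyone when $Approve is set. The pool FQDN lync.mydomain.local and the test phone MAC 0004F2AABBCC are assumptions; the CAB path and the two sample log lines are taken from the post.

```powershell
# Added example (not from the original post): Lync Phone Edition firmware rollout, scripted.
# Assumptions: pool FQDN, test phone MAC.  CAB path and log lines come from the post.

$PoolFqdn = 'lync.mydomain.local'                 # Front End pool (or standalone Front End)
$CabPath  = 'C:\Polycom CX600\ucupdates.cab'
$TestMac  = '0004F2AABBCC'                        # hex digits only, as the post notes (assumed value)
$Approve  = $false                                # set $true only after the test phone checks out
$service  = "service:WebServer:$PoolFqdn"

# 1. Stage the firmware. It shows up as PendingVersion and is offered to test devices only.
Import-CsDeviceUpdate -Identity $service -FileName $CabPath -Verbose

# 2. Show pending vs. approved so the change a later approval makes is explicit.
$rules = Get-CsDeviceUpdateRule -Filter "$service*"
$rules | Format-Table Brand, Model, Revision, Locale, PendingVersion, ApprovedVersion -AutoSize

# 3. Register the canary phone as a global test device (idempotent).
if (-not (Get-CsTestDevice | Where-Object { $_.Identifier -eq $TestMac })) {
    New-CsTestDevice -Identity 'Polycom CX600' -IdentifierType MACAddress -Identifier $TestMac
}

# 4. Parse W3C IIS log lines and report, per client IP, every OCPhone/<version> user agent seen.
#    A phone that updated appears with the old version, then (after fetching CPE.nbt) the new one.
function Get-PhoneVersionsFromIisLog {
    param([string[]]$Lines)
    $seen = @{}
    foreach ($line in $Lines) {
        if ($line.StartsWith('#')) { continue }                  # W3C header lines
        $f = $line -split ' '
        if ($f.Count -lt 10) { continue }
        $clientIp = $f[8]; $ua = $f[9]                            # c-ip and cs(User-Agent) columns
        if ($ua -match '^OCPhone/(?<ver>[\d.]+)') {
            if (-not $seen.ContainsKey($clientIp)) { $seen[$clientIp] = New-Object Collections.ArrayList }
            if (-not $seen[$clientIp].Contains($Matches.ver)) { [void]$seen[$clientIp].Add($Matches.ver) }
        }
    }
    $seen
}

# Two lines taken from the post's own log excerpt: before and after the reboot.
$sample = @(
  '2013-05-16 15:43:13 192.168.1.21 POST /locationinformation/liservice.svc/mex - 443 - 192.168.2.2 OCPhone/4.0.7577.4066+(Microsoft+Lync+2010+Phone+Edition) - 200 0 0 114',
  '2013-05-16 15:51:55 192.168.1.21 POST /groupexpansion/service.svc/mex - 443 - 192.168.2.2 OCPhone/4.0.7577.4387+(Microsoft+Lync+Phone+Edition) - 200 0 0 11'
)
(Get-PhoneVersionsFromIisLog $sample)['192.168.2.2']
# On the Front End itself, read the live logs instead (the site ID folder differs per server):
# Get-PhoneVersionsFromIisLog (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC*\*.log')

# 5. Approve for everyone only once the canary has come back on the new version.
if ($Approve) {
    $rules | Where-Object { $_.PendingVersion } | Approve-CsDeviceUpdateRule
    Get-CsDeviceUpdateRule -Filter "$service*" | Format-Table Model, ApprovedVersion -AutoSize
}
```

Keeping the approval behind an explicit switch is the point of the script: the Control Panel makes "Approve" a single click, and a bad firmware build approved for every phone in the organisation is far more painful than one canary that fails to boot.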

Enabling use of the VMware Horizon View 5.2 HTML5 Portal

Today I tried upgrading VMware's View Connection and Security servers from 5.1 to 5.2.  All went well, but when I browsed out to our security server, I noticed that the web client did not exist.

Solution:
Turns out that VMware View 5.2 itself doesn't contain the HTML5 interface to control your desktop through the browser.  In order to enable this feature, you must download the VMware Horizon View Feature Pack on the connection server as well as install the Remote Experience Agent with the HTML Access component on the virtual desktops.  All of these can be obtained from the "My VMware" center.

First, I navigated to the VMware Horizon View 5.2 Feature Pack downloads and downloaded VMware-Horizon-View-HTML-Access_x64-1.0.0-1049726.exe (Click here to go to the VMware download portal).  Once downloaded, I installed this on my Connection Servers.  This can be installed while the Connection Server is running; no downtime necessary.

Next, I downloaded the Remote Experience Agent for 64-bit desktops (VMware-Horizon-View-5.2-Remote-Experience-Agent-x64-1.0-1046150.msi) file (Same download portal as mentioned above) and installed that on the client machines I wanted to be accessible via the HTML5 page.

Next, I opened up the VMware Horizon View Administrator web GUI and navigated to View Configuration -> Servers -> Connection Servers.  Right click on the connection server and ensure the Blast Server URL has been configured properly.

Next, still inside of the VMware Horizon View Administrator web GUI, I navigated to Pools, selected the Pool I wanted to allow HTML5 Web Access to, hit Edit..., selected the Pools Settings tab, and checked HTML Access.

VMware Horizon View - VM Pool - HTML Access

Last, you need to open port 8443 (or whatever External Blast URL port number you used) on your Security Server.  When the Security Server is installed, the rules are added to Windows Firewall by default but are not enabled.  To enable them, remote to your Security Server, open your firewall (in my example, Windows Firewall with Advanced Security), and enable the VMware View Connection Server (Blast-In) rules.

VMware Horizon View - Security Server - Windows Firewall
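A check for the last step, added here as an example and not part of the original post: it enables the disabled Blast-In rule on the Security Server, then confirms from a client that the Blast port actually answers and shows which certificate it presents (a certificate the browser does not trust is one reason HTML Access fails after everything else is configured). The rule name is taken as the post shows it in Windows Firewall; port 8443 and the external name view.mydomain.com are assumptions.

```powershell
# Added example (not from the original post): enable the Blast-In firewall rule and verify the port.
# Assumptions: rule display name as shown in the post, port 8443, view.mydomain.com as external name.

$ruleName  = 'VMware View Connection Server (Blast-In)'
$blastHost = 'view.mydomain.com'    # assumption: host part of your External Blast URL
$blastPort = 8443                   # assumption: default Blast port

# Run these two on the Security Server. netsh works on Windows Server 2008 R2 as well as 2012,
# where the NetSecurity cmdlets (Enable-NetFirewallRule) are not available.
netsh advfirewall firewall set rule name="$ruleName" new enable=yes
netsh advfirewall firewall show rule name="$ruleName" | Select-String 'Rule Name|Enabled|Protocol|LocalPort'

function Test-TcpPort {
    # Non-blocking connect with a timeout, so a silently dropped packet does not hang the check.
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Get-TlsCertificateInfo {
    # Complete a TLS handshake on the Blast port and report the server certificate.
    # ChainValid is what a domain-joined browser will conclude; external users need a
    # certificate chaining to a public CA.
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $accept = { $true } -as [Net.Security.RemoteCertificateValidationCallback]   # inspect, do not enforce
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            ChainValid = $cert.Verify()
        }
    } finally { $client.Close() }
}

# Run this part from a client on the outside, the same path the HTML5 portal will take.
if (Test-TcpPort $blastHost $blastPort) {
    Get-TlsCertificateInfo $blastHost $blastPort | Format-List
} else {
    Write-Warning "${blastHost}:$blastPort is not reachable; check the external firewall and the Windows Firewall rule above"
}
```

If the port test fails, the problem is on the network path or in the firewall and matches the 404 symptom described further down; if the port answers but ChainValid is false, the browser side will reject the Blast connection even though the gateway is reachable.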


Some errors you may come across

Problem: When you try to login to your desktop via the HTML5 GUI, you receive the following error:

You are not entitled to use the system.

Solution: You need to make sure you entitle the user to the pool or make sure you have checked the HTML Access checkbox for the pool as mentioned above.

-------------------------------------------------------------------------------------------------------------------------

Problem: When connecting to the View Desktop you receive the following error message:

The display protocol for this desktop is currently not available.  Please contact your system administrator.

Solution: Make sure the VMware Blast service is running on your virtual desktop/you have installed the Remote Experience Agent as mentioned above.

-------------------------------------------------------------------------------------------------------------------------

Problem: When connecting to the View Desktop you receive the following error message:

All available desktop sources for this desktop are currently busy. Please try connecting to this desktop again later, contact your system administrator.

Solution: Log out of the Web GUI and log back in.

-------------------------------------------------------------------------------------------------------------------------

Problem: When connecting to the View Desktop you receive the following error message:

Unable to connect to desktop: There is no available gateway for the display protocol. Try again, or contact your administrator if this problem persists.

Solution: Log out of the Web GUI and log back in.

-------------------------------------------------------------------------------------------------------------------------

Problem: When connecting to the View Desktop, you are redirected to a page and are given a 404 page cannot be displayed.

Solution: Make sure you have enabled the ports on your external firewall for the Security Servers as well as the firewall on the host running the security server (Windows Firewall as mentioned above).

-------------------------------------------------------------------------------------------------------------------------

Known Issues

Please note, there is a list of published Known Issues by VMware.  I would recommend giving the following article a peruse to be familiar with those issues: http://www.vmware.com/support/viewclients/doc/horizon-view-html-access-release-notes.html


Tutorial: 802.1X Authentication via WiFi - Active Directory + Network Policy Server + Cisco WLAN + Group Policy

Here is how to implement 802.1X authentication in a Windows Server 2008 R2 domain environment using Protected EAP (PEAP).  I have designed the tutorial to be worked through in this specific order to prevent downtime if it is deployed during the day: by building the Network Policy Server first, the moment we switch the WLAN's authentication from whatever it was to 802.1X via RADIUS, the Network Policy Server will immediately start processing requests and letting domain machines on.  If you configured the Cisco Wireless LAN Controller or Group Policy first, clients would try to connect to a RADIUS server that doesn't exist yet, or present credentials it won't accept.  If you have any suggestions on how to better the implementation I demonstrate here, please drop a comment below to improve the security/stability of these types of deployments. 🙂

Active Directory

First, we need to create a security group in Active Directory that defines which users and computers are allowed to authenticate to the wireless network.  In this example, we will allow any authenticated user or machine on the domain to authenticate successfully to the RADIUS server: in the screenshot below, I have added both Domain Users and Domain Computers to a security group called WirelessAccess.

802.1X - AD Security Group

Network Policy Server

  1. Create a new Windows Server 2008 R2 or Windows Server 2012 machine
  2. Add the machine to the domain
  3. Give the machine a static IP: (I'll use 10.10.10.15 throughout this document as a reference to this server)
  4. Open up Server Manager, click Add Roles, click Next on the Before You Begin screen, check Network Policy and Access Services and click Next, click Next on the Introduction screen, check Network Policy Server (leave the rest unchecked) and click Next, click Install.
  5. Once Network Policy Server is installed, launch the Network Policy Server snap-in (via MMC or Administrative Tools)
  6. Inside of Network Policy Server, on NPS (Local), select RADIUS server for 802.1X Wireless or Wired Connections from the dropdown and click Configure 802.1X
    1. On the Select 802.1X Connections Type page, select Secure Wireless Connections, and enter My Company's Wireless.  Click Next.
    2. Click on the Add... button.  Enter the following settings:
      1. Friendly name: Cisco WLAN Controller
      2. Address: 10.10.10.10 (Enter your WLAN Controller's IP address)
      3. Select Generate, click the Generate button, and then copy down the Shared Secret the wizard generated (we will use this later to get the WLAN Controller to talk to the RADIUS server).  Click OK.
    3. Click Next.
    4. On the Configure an Authentication Method page, select Microsoft: Protected EAP (PEAP).  PEAP needs a server certificate on the NPS machine (the wizard shows the certificate it will use), so enrol one from your enterprise CA before running the wizard; clients will later be configured to trust that CA.  Click Next.
    5. Click Next on the Specify User Groups (we will come back to this).
    6. Click Next on the Configure Traffic Controls page.
    7. Click Finish
  7. Click on NPS (Local) -> Policies -> Network Policies. Right click Secure Wireless Connections and click Properties.
  8. Click on the Conditions tab, select NAS Port Type, and click Remove.
  9. Still on the Conditions tab, click Add..., select Windows Groups and click Add..., click Add Groups..., search for WirelessAccess and click OK.  Click OK on the Windows Groups dialog box, click Apply on the Secure Wireless Connections Properties box.  You should now have something like the image below:
    802.1X - Secure Wireless Connections Conditions
  10. Click on the Constraints tab.
    1. Uncheck all options under Less secure authentication methods like the image below:
      802.1X - Secure Wireless Connections Constraints
    2. Click Apply

Cisco WLAN

  1. Log in to your Cisco Wireless LAN Controller
  2. Add a RADIUS server to your controller
    1. Click on the Security tab
    2. Select AAA -> Radius -> Authentication on the left side
    3. Click the New... button in the top right
      1. Server IP Address: 10.10.10.15 (The IP address of your NPS server we setup earlier)
      2. Shared Secret Format: ASCII
      3. Shared Secret: The long generated password you wrote down when setting up the Network Policy Server
      4. Confirm Shared Secret: Same password in previous step
      5. Key Wrap: unchecked
      6. Port Number: 1812
      7. Server Status: Enabled
      8. Support for RFC 3576: Enabled
      9. Server Timeout: 2
      10. Network User: Checked
      11. Management: Checked
      12. IP Sec: Unchecked
      13. Here is a screenshot with the above settings
        802.1X - Cisco WLAN - RADIUS
  3. Create or modify a wireless network to use 802.1X
    1. Click on the WLANs tab
    2. Create a new wireless network or select an existing WLAN ID to edit
    3. On the "WLANs > Add/Edit 'My SSID'" page, use the following settings
      1. Security Tab
        1. Layer 2 Tab
          1. Layer 2 Security: WPA+WPA2
          2. MAC Filtering: Unchecked
          3. WPA+WPA2 Parameters
            1. WPA Policy: Unchecked
            2. WPA2 Policy: Checked
            3. WPA2 Encryption: AES checked, TKIP unchecked
            4. Auth Key Mgmt: 802.1X
          4. Here is a screenshot of the above settings
            802.1X - Cisco WLAN - Security
        2. Layer 3 Tab
          1. Layer 3 Security: none
          2. Web Policy: unchecked
        3. AAA Servers Tab
          1. Authentication Servers: checked Enabled
          2. Server 1: Select your RADIUS server from the dropdown
          3. Local EAP Authentication: Unchecked
          4. Authentication priority order for web-auth user: Move RADIUS over to the right
          5. Here is a screenshot of the above settings
            802.1X - Cisco WLAN - AAA Servers
        4. Click Apply

Group Policy

  1. Go to your domain controller and open up the Group Policy Management console.
  2. Right click the Organizational Unit you want to apply to policy to and select Create a GPO in this domain, and Link it here...
    1. Note: the policy must be linked to the OU containing the machines you want to have WiFi access, or to a parent of that OU.
  3. Enter in 802.1X WiFi Policy for the Name and click OK
  4. Right click your new GPO and click Edit
  5. Navigate to Computer Configuration->Policies->Windows Settings->Security Settings->Wireless Network (IEEE 802.11) Policies
  6. Right click and select Create A New Wireless Network Policy for Windows Vista and Later Releases
  7. Ensure the following settings are set for your Windows Vista and Later Releases policy
    1. General Tab
      1. Policy Name: My Wireless Policy for Vista and Later Clients
      2. Description: Vista and later wireless network for my company.
      3. Check Use Windows WLAN AutoConfig service for clients
      4. Here is a screenshot with the above settings
        802.1X - General
      5. Click the Add... button and select Infrastructure
        1. Connection Tab
          1. Profile Name: My Network
          2. Enter in your SSID (Wireless network name that gets broadcasted) and click the Add... button
          3. Check Connect Automatically when this network is in range
          4. Here is a screenshot of the above settings
            802.1X - Properties
        2. Security Tab
          1. Authentication: WPA2-Enterprise
          2. Encryption: AES
          3. Select a network authentication method: Microsoft: Protected EAP (PEAP).  Click Properties and make sure Validate server certificate is checked and your issuing CA is ticked under Trusted Root Certification Authorities.  Without that check, a client will complete the PEAP tunnel with any access point that fronts its own RADIUS server and send its inner authentication to it, so this setting is what actually protects the credentials.
          4. Authentication Mode: User or Computer authentication
          5. Max Authentication Failures: 1
          6. Check Cache user information for subsequent connections to this network
          7. Here is a screenshot of the above settings with the Advanced tab open as well
            802.1X - Security Settings
        3. Click OK
    2. Network Permissions Tab
      1. Enter your network into Define permissions for viewing and connection to wireless networks if it hasn't been added already.
      2. Uncheck Prevent connections to ad-hoc networks
      3. Uncheck Prevent connections to infrastructure networks
      4. Check Allow user to view denied networks
      5. Check Allow everyone to create all user profiles
      6. Uncheck Only use Group Policy profiles for allowed networks
      7. Leave all Windows 7 policy settings unchecked
      8. Here is a screenshot with the above settings (note, you may change the settings above to be in accordance to your policy.  Just ensure you don't check Prevent connections to infrastructure networks).
        802.1x - Network Permissions
      9. Click OK
  8. Right click and select Create A New Windows XP Policy
  9. Ensure the following settings are set for your Windows XP Policy
    1. General Tab
      1. XP Policy Name: My Wireless Policy for XP Machines
      2. Description: My wireless policy for XP machines.
      3. Networks to access: Any available network (access point preferred)
      4. Check Use Windows WLAN AutoConfig service for clients
      5. Uncheck Automatically connect to non-preferred networks
      6. Here is a screenshot of the above settings.
        802.1X - XP General
    2. Preferred Networks Tab
      1. Click the Add... button and select Infrastructure
        1. Network Properties Tab
          1. Network name (SSID): My SSID
          2. Description: My wireless network
          3. Uncheck Connect even if network is not broadcasting
          4. Authentication: WPA2
          5. Encryption: AES
          6. Check Enable Pairwise Master Key (PMK) Caching
          7. Uncheck This network uses pre-authentication
          8. Here is a picture of the above settings
            802.1X - XP Network Properties
        2. IEEE 802.1X Tab
          1. EAP Type: Microsoft: Protected EAP (PEAP)
          2. Eapol-Start Message: Transmit
          3. Authentication Mode: User or Computer Authentication
          4. Check Authenticate as computer when computer information is available
          5. Uncheck Authenticate as guest when user or computer information is unavailable
          6. Screenshot of above settings
            802.1X - XP IEEE
        3. Click OK
    3. Click OK
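A verification step for the deployment above, added here as an example and not part of the original tutorial. Every RADIUS decision NPS makes is written to the Security event log as event 6272 (access granted) or 6273 (access denied), so once the WLC is pointed at NPS you can see who is failing and why without touching the controller, and you can confirm that nothing is being granted over anything other than PEAP. Run it on the NPS server (10.10.10.15 in this tutorial) as an administrator. The EventData field names are those Windows Server 2008 R2/2012 NPS emits; the reason-code meanings in the comments are the standard NPS ones.

```powershell
# Added example (not from the original tutorial): summarise NPS 802.1X decisions from the
# Security log.  Assumes NPS event data field names as emitted by Windows Server 2008 R2/2012.

function Get-NpsAuthEvents {
    param([int]$Hours = 2)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 6272, 6273            # 6272 = access granted, 6273 = access denied
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Flatten the EventData <Data Name="..."> elements into a lookup table.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        New-Object PSObject -Property @{
            Time    = $e.TimeCreated
            Granted = ($e.Id -eq 6272)
            User    = $d['SubjectUserName']          # user, or host/<machine> for computer auth
            Client  = $d['CallingStationID']         # supplicant MAC, as reported by the WLC
            Nas     = $d['NASIdentifier']            # the WLC that relayed the request
            Policy  = $d['NetworkPolicyName']        # should be "Secure Wireless Connections"
            EapType = $d['EAPType']
            Reason  = "$($d['ReasonCode']) $($d['Reason'])"
        }
    }
}

$auth = Get-NpsAuthEvents -Hours 2

# Denials grouped by reason.  Common codes: 16 = credentials mismatch, 48 = no network policy
# matched (usually the WirelessAccess group condition), 65 = dial-in permission denied on the
# account, 66 = authentication method not enabled on the matching policy.
$auth | Where-Object { -not $_.Granted } |
    Group-Object Reason | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Who was denied, so you can tell a misconfigured client from an account not in WirelessAccess.
$auth | Where-Object { -not $_.Granted } |
    Sort-Object Time -Descending |
    Format-Table Time, User, Client, Nas, Reason -AutoSize

# Anything granted over something other than PEAP means a "less secure" method is still enabled
# on the policy, which the Constraints step above was meant to rule out.
$auth | Where-Object { $_.Granted -and $_.EapType -notmatch 'PEAP' } |
    Format-Table Time, User, Client, EapType, Policy -AutoSize
```

Run it once right after switching the SSID to 802.1X and again a few hours later; a steady stream of reason 48 denials typically means machines or users outside the WirelessAccess group are trying to connect, whereas reason 16 points at a client-side PEAP configuration problem.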

Removing last Lync 2010 Front End – Unassigned Number Error

Symptom:
You receive the following error when trying to publish your new Lync Topology, after removing the last Lync 2010 Front End Server.

Result: Call orbit depends on an application server that is being removed.
ServiceInUse: The new topology XML removes services that will create stale configuration settings.
ServiceInUseResolution: Consult your Lync Server documentation to learn how to disassociate the service of the settings using it.

Error: Cannot publish topology changes. Unassigned number still exists on one or more deleted application servers.
Details
  Type: InvalidOperationException
  Stack Trace:
    at Microsoft.Rtc.Management.Deployment.Tasks.PublishTopologyTask.CheckIfVacantNumberRangesInUse(DeletedServices deletedServices)
    at Microsoft.Rtc.Management.Deployment.Tasks.PublishTopologyTask.VerifyServiceDependentSettings(DeletedServices deleteServices)
    at Microsoft.Rtc.Management.Internal.Utilities.LogWriter.InvokeAndLog[T](Action`1 action, T arg)

Error: An error occurred: "System.InvalidOperationException" "Cannot publish topology changes. Unassigned number still exists on one or more deleted application servers."

Solution:
Open up the Lync Server Management Shell as an Administrator on a different Front End server that you aren't retiring and execute the following command:

Get-CsUnassignedNumber

For each of the returned results with the AnnouncementServerFqdn matching the server you are trying to retire, execute the following command:

Set-CsUnassignedNumber -Identity IdentityFromPreviousCommand -AnnouncementService newlyncpoolorfrontend.mydomain.local

Alternately, you can change the Front End server these numbers are on through the Lync Server Control Panel (CSCP) web GUI.  To do so, open the Lync Server 2013 Control Panel, click Voice Features->Unassigned Number, and then double-click every entry whose destination is the old Front End.  When the Edit Unassigned Number Range dialog shows up, type in the FQDN of the new Front End Pool/Server and click OK. Repeat for each number range.

Lastly, if you want to cleanup your Lync server, you can remove all instances of the old Announcements using the following command:

Remove-CsAnnouncement -Identity "ApplicationServer:myoldfrontend.mydomain.local"

Alternately, if you have already published the topology, you may have to remove the Announcements individually by entering the command below with the entire Identity value, or with the old ApplicationServer's name (in my case it was 1-ApplicationServer-1, as shown below):

Remove-CsAnnouncement -Identity "ApplicationServer:probablysays1-ApplicationServer-1/1951f734-c80f-4fb2-965d-51807c792b90"

Once all Unassigned Numbers have been moved to the new Front End server or pool, you should be able to successfully publish your topology.

Removing last Lync 2010 Front End - Conference Error

Symptom:
You receive the following error when trying to publish your new Lync Topology, after removing the last Lync 2010 Front End Server.

ConferencingPoolInUse: The new topology XML removes services that will orphan existing conference directories.

Error: Cannot publish topology changes. Conference directories still exist on a pool that would be deleted. Remove the conference directories before continuing.
Details
  Type: InvalidOperationException
  Stack Trace:
    at Microsoft.Rtc.Management.Deployment.Tasks.PublishTopologyTask.VerifyOrphanedDirectories()
    at Microsoft.Rtc.Management.Internal.Utilities.LogWriter.InvokeAndLog(Action action)

Error: An error occurred: "System.InvalidOperationException" "Cannot publish topology changes. Conference directories still exist on a pool that would be deleted. Remove the conference directories before continuing."

Solution:
On one of your Lync Front End servers, open the Lync Server Management Shell as an Administrator.  Once open, execute the following command:

Get-CsConferenceDirectory

For each of the items that have a ServiceID referencing the Front End server you are trying to retire, execute the following command (replacing the appropriate values with the output found from the previous command):

Move-CsConferenceDirectory -Identity X -TargetPool poolorfrontendserver.mydomain.local

After all conferences have been moved off of your Lync 2010 Front End server, you should be able to successfully publish the topology.
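Both of the errors above (the Unassigned Number error and the Conference Directory error) come from the same publish-time dependency check, so one added pre-flight script, not part of the original posts, can move both kinds of object off the retiring server and re-check before you publish. It only uses the cmdlets shown in the two posts (Get-/Set-CsUnassignedNumber, Get-/Move-CsConferenceDirectory); both FQDNs are placeholders.

```powershell
# Added example (not from the original posts): move every Unassigned Number range and
# Conference Directory off a Front End that is being retired, then re-check before
# publishing the topology. Run in the Lync Server Management Shell as an administrator
# on a Front End that is staying. Both FQDNs below are placeholders.
$OldFe = 'myoldfrontend.mydomain.local'          # Lync 2010 Front End being removed
$NewFe = 'newlyncpoolorfrontend.mydomain.local'  # pool/Front End taking over

# 1. Unassigned Number ranges whose announcement service lives on the old server
$ranges = Get-CsUnassignedNumber |
    Where-Object { $_.AnnouncementServerFqdn -eq $OldFe }
foreach ($r in $ranges) {
    Write-Host "Moving unassigned number range $($r.Identity) to $NewFe"
    Set-CsUnassignedNumber -Identity $r.Identity -AnnouncementService $NewFe
}

# 2. Conference directories whose ServiceId references the old server
$dirs = Get-CsConferenceDirectory |
    Where-Object { $_.ServiceId -like "*$OldFe*" }
foreach ($d in $dirs) {
    Write-Host "Moving conference directory $($d.Identity) to $NewFe"
    Move-CsConferenceDirectory -Identity $d.Identity -TargetPool $NewFe
}

# 3. Verify: anything still referencing the old server will block Publish-CsTopology
$leftNumbers = Get-CsUnassignedNumber    | Where-Object { $_.AnnouncementServerFqdn -eq $OldFe }
$leftDirs    = Get-CsConferenceDirectory | Where-Object { $_.ServiceId -like "*$OldFe*" }
if ($leftNumbers -or $leftDirs) {
    Write-Warning "Dependencies on $OldFe remain; do not publish the topology yet."
    $leftNumbers | Format-Table Identity, AnnouncementServerFqdn -AutoSize
    $leftDirs    | Format-Table Identity, ServiceId -AutoSize
} else {
    Write-Host "No unassigned numbers or conference directories reference $OldFe."
}
```

Run the verification step on its own first if you want to see what would be moved before changing anything.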

Lync meetings drop dial-in (PSTN) calls after 30 seconds to a minute

Symptom: Upon using Lync 2013 meetings, I noticed that PSTN callers were being dropped from dial-in meetings.  This drop happened approximately 30 seconds to a minute into the call.  After finally pulling the plug and calling Microsoft for support on why this was happening, we found that our Session Border Controller was not sending responses back to Lync telling Lync that a person was still a part of the call.

Solution: Execute Get-CsTrunkConfiguration and look for the RTCPActiveCalls and RTCPCallsOnHold values. If both of these values are true, try setting them to false via the following command:

Set-CsTrunkConfiguration -RTCPActiveCalls $false -RTCPCallsOnHold $false

This should tell Lync not to drop the user's call even if it doesn't receive any RTCP packets from the SBC.  If this does work, then I highly recommend you enable the Session Timer to ensure dropped calls do not continue forever in your Lync meeting.  To enable that option, execute the following command:

Set-CsTrunkConfiguration -EnableSessionTimer $true

Just for reference, here are some more in-depth notes on what the RTCPActiveCalls, RTCPCallsOnHold, and EnableSessionTimer variables do.

RTCPActiveCalls - This parameter determines whether RTCP packets are sent from the PSTN gateway, IP-PBX, or SBC at the service provider for active calls. An active call in this context is a call where media is allowed to flow in at least one direction. If RTCPActiveCalls is set to True, the Mediation Server or Lync Server client can terminate a call if it does not receive RTCP packets for a period exceeding 30 seconds. Note that disabling the checks for received RTCP media for active calls in Lync Server elements removes an important safeguard for detecting a dropped peer and should be done only if necessary.

RTCPCallsOnHold - This parameter determines whether RTCP packets continue to be sent across the trunk for calls that have been placed on hold and no media packets are expected to flow in either direction. If Music on Hold is enabled at either the Lync Server client or the trunk, the call will be considered to be active and this property will be ignored. In these circumstances use the RTCPActiveCalls parameter. Note that disabling the checks for received RTCP media for active calls in Lync Server elements removes an important safeguard for detecting a dropped peer and should be done only if necessary.

EnableSessionTimer - This parameter specifies whether the session timer is enabled. Session timers are used to determine whether a particular session is still active. Note that even if this parameter is set to False, session timers can be applicable if the remote connection has session timer enabled. In such a case, the Mediation Server will reply to session timer probes from the remote entity. The default is False.
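Because turning off the RTCP checks removes the safeguard described above, the change is best scoped to the one trunk that faces the silent SBC and paired with the session timer in the same step. The script below is an added example, not from the original post; the trunk Identity is a placeholder ('Global' is the default configuration that Set-CsTrunkConfiguration modifies when no Identity is given).

```powershell
# Added example (not from the original post): inspect each trunk's RTCP checks and, only
# for the trunk facing the misbehaving SBC, turn off the RTCP timeouts while turning on
# the SIP session timer so a dead call leg is still detected. Run in the Lync Server
# Management Shell. $TrunkId is a placeholder; 'Global' is the default configuration.
$TrunkId = 'Global'   # replace with the specific trunk Identity from Get-CsTrunkConfiguration

# Show the current state of the three settings for every trunk configuration
Get-CsTrunkConfiguration |
    Format-Table Identity, RTCPActiveCalls, RTCPCallsOnHold, EnableSessionTimer -AutoSize

$trunk = Get-CsTrunkConfiguration -Identity $TrunkId
if ($trunk.RTCPActiveCalls -or $trunk.RTCPCallsOnHold) {
    Write-Host "Disabling RTCP checks on '$TrunkId' and enabling the session timer as the replacement safeguard"
    Set-CsTrunkConfiguration -Identity $TrunkId `
        -RTCPActiveCalls $false -RTCPCallsOnHold $false -EnableSessionTimer $true
} else {
    Write-Host "RTCP checks are already disabled on '$TrunkId'; nothing to change"
    if (-not $trunk.EnableSessionTimer) {
        Write-Warning "Session timer is off: a call to an SBC that stops responding could stay up indefinitely"
    }
}

# Re-read the configuration to confirm the change took effect
Get-CsTrunkConfiguration -Identity $TrunkId |
    Select-Object Identity, RTCPActiveCalls, RTCPCallsOnHold, EnableSessionTimer
```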

Polycom Lync Phone - An account matching this phone number cannot be found

Symptom:

When you try to sign in to a Polycom Lync Enabled phone (CX600, CX3000, etc.), you receive the following error:

An account matching this phone number cannot be found. Please contact your support team.

Solution:

I found out that this appeared to be caused by a change made to the Lync front-end server.  There are two things that need to happen.

  1. Make sure the ports for 80 and 443 have been opened on the server's firewall.
  2. Try running the following command in the Lync Management Shell on the front-end server.
    1. Test-CsPhoneBootstrap -PhoneOrExt 15555551234 -PIN 5678 -verbose
    2. The -verbose switch should output all the information needed to figure out where things are going wrong.  In my case, the phone was unable to pull down a certificate (the verbose output revealed the following: "Could not download certificate chain from web service.").  After restarting IIS, I was able to authenticate to Lync from the phone.
    3. Just as an FYI, once you see Result: Success, you will be able to log in on the phone.  Prior to that, I was seeing Result: Failed whenever the phone could not connect.