Wednesday, December 30, 2009

Free SSL Certificate for your Exchange 2010 server

Sounds too good to be true, but… it is. I was doing some research on Public Certificate issuer (after all, I am running all this from home and am on budget as well) and found startcom.org. They offer all Validation Levels certificates and the lowest, Class 1, is free – a perfect scenario to test your Exchange and (hopefully) OCS public connectivity environment. Here is the comparison chart for their services:





I found that the free edition does not support SAN and so, you might need another cert. for autodiscover.your_domain but… not a big deal. Class 2 and above will do it and can’t beat their prices… I will seriously reconsider changing over when our production cert. expires.

Here are the steps to provision your Exchange Server with startcom.org SSL certificate.

***Windows Explorer 7 will NOT work. Save yourself time and frustration, get Firefox to complete this task…

Go to this link: https://www.startssl.com/?app=12

Click on Sign-Up button
Fill in the form…




…and click Continue. An email with validation code will be sent to the email address you’ve used on the form. Enter it and continue. You will be taken to your toolbox.




First thing to do here is to verify your domain – click Check DNS of Domain link. Enter your domain name and TLD, and click Check. Another validation email will follow – you know the drill. Once your domain is verified, it will appear here:




Now it is time to create your Exchange 2010 CSR (Certificate Signing Request). Go to your Exchange server, start EMC and go to Server Configuration. Click New Exchange Certificate on right pane. Give it a name first:




Do not enable Wild Card – we cannot issue it any way.




Because we want (and can only) test some basic functionality, not all options will be used here:




On the next screen you will see some SAN’s but… StartSSL free edition will disregard it any way…




On the next screen you need to enter some info (again – it will be disregarded) and also a location – where the CSR will be saved. In this case – c:\NewReq.req



Click “Next” on the last screen and the request will be processed.



Locate .req file, open it with text editor and copy the text.




The next step will be to submit the CSR to StartSSL for digital signing. Go back to your StarSSl’s Control Panel, click “Certificate Wizard” and select “Web Server SSL…” from the drop down menu.




Click Continue.




***Make sure you click “Skip” button (since we generated the key on our exchange server).

On the next screen paste the text we copied from the .req file.




…and click Continue. Once the certificate is signed, you will receive an email with instructions now to retrieve it.
Go to the Toolbox, Click “Retrieve Certificate” link, select your certificate from the drop down menu and click Continue.



Copy the text in the box – this is your certificate.



Go to your Exchange server, create new text file name it MyCert or so, paste the text and save it. ***NOTE. Change the file extension to .cer to avoid confusion later.

Before we proceed with the Certificate import, there is one more step – we must import the StartSSL Root CA to our Exchange server. Go to your StarCom’s Toolbox and click StartCom CA Certificates link. You will be presented with this screen:




You need to save “Server Certificate Bundle with CRLs (PEM encoded)” to a location accessible from your exchange server. Go back to your exchange server, locate the file “ca-bundle.cer” if you used the default name, right click over it and select Install Certificate. Accept the default settings.

Once the Root CA is installed, we can now complete the Certificate Request. On EMC, highlight the Request you created earlier (this where the Friendly name comes handy), and click Complete Pending Request on the right pane.




Complete the steps in the wizard (you will have to select the .cer file you created earlier), assign the services associated with this certificate and… I restarted the server just in case…
It worked:

Tuesday, December 29, 2009

UC@GMC - The extensions puzzle

Hopefully by now you are already convinced that Unified Communications concept has great practical application(s) in EDU sector. It is time to look closer as of how it was implemented in GMC.


***If you expect to see a screenshots of installation and configuration – this is not happening. OCS 2007 R2 and Exchange 2007 (including UM role) is very well documented, you can find it all over Internet and having it here (again) would be a waste of time. My idea is to share the path, the line of thinking and the steps we went through in order to complete the deployment.

Oh, once Microsoft lifts the NDA over Wave 14, it will be different story…

The first challenge – extensions schema. Current users of Centrex or any hosted PBX are familiar with the Enterprise Extensions concept. Basically, the user dials three or four digits and connects to another user in the same location. What happens is: a normalization rule takes place to “convert” the 4 digit number to “full”, in some cases E.164 format, phone number. For example – 2704 was converted to 478-445-2704, a match is found and the called party is ringed. This is because all numbers are typically within the same PBX (remember, NPA-NXX-XXXX) where XXXX is the “internal” extension.

This is valid for all our offices. However, one problem - user in Milledgeville dials 4 digits to call colleague in Milledgeville, user in Valdosta dials 4 digits to call colleague in Valdosta, while calls cross-campus required fill 10 digit number. Of course, a long distance charge would occur due to the fact they reside in different Local Calling Area.

Since we will now host (and control) the environment, we wanted to make “dial by extension” available for cross-campus calls as well. OCS is E.164 compliant. In order a call to be processed, the number must be presented as +1 NPA NXX XXXX. A call (as we know it at home) is typically 7 digits (445 2704) for local calls, 10 digits (478 225 2704) for some local area calls and 11 digits (1 478 445 2704) for long distance. OCS uses RegEx (Regular Expressions) to capture, evaluate and manipulate the input and convert it to E.164 format. For example: ^(\d{7})$ to be translated to +1478$1

On English, this means “Match numbers that are exactly 7 digits long. Prepend '+1478'.” With other words, when users dial 4452704, the number will be presented as +12784452704 for further processing.

Now, we know that Local Area Codes/Prefixes are different for our remote offices, for example 478-387-XXXX for Milledgeville and 229-269-XXXX for Valdosta. So, if I assign a “location” code for every campus (2 for Milledgeville, 3 for Warner Robins, 4 for Valdosta and so on), I could build a RegEx to capture 5 digits input and translate it to E.164:

^4(\d{4})$ to be translated to +1229269$1 i.e. “Match numbers that start with '4' and are a total of 5 digits long. Remove 1 digits from the beginning and add '+1229269'.” Now Milledgeville user would dial 40001 and call Valdosta user whose phone number is actually (229) 269-0001.

Number manipulation is a very powerful tool. A full deployment of UC, including Exchange UM, introduces Auto Attendant feature which can be used as “Dial by name” – the caller speaks the name of the called party and if match is found, the call is connected without further interaction. This come very handy especially in our case (we changed ALL phone numbers – a very downing task indeed, and a separate post will be dedicated to it). We created a RegEx to translate *99 to the Auto Attendant’s E.164 number and so, while in the middle of the changeover confusion, our users found easier to dial *99 and dial by name vs. wander around if the user’ number was changed yet or not.

Our remote offices are connected to Main Campus with VPN links (as to any other campus as well), and so, since now the calls are placed over the IP Network, the LD charges which normally occurred in the past, were completely eliminated. Furthermore, by carefully evaluation the Local Calling Areas and creating proper call routes, a further reduction of LD charges was achieved. Now is this possible:

We established already that (in US), there is something called Local Call (free), where IF the caller and the called party are within the same Local Calling Area, no charges will occur. So, with RegEx, we evaluate the number against the Call Routing table and forward the call to the (most) appropriate gateway:

When a user from Valdosta dials ANY number beginning with 478-387, the system will determine that the most appropriate gateway is the one in Milledgeville because the call will be FREE since appears to ordinate from Milledgeville. Translate this to a large business with office(s) on another continent… This is, by the way, the magic behind dialing US number and “John” with Indian accent takes your customer support call…

Friday, December 25, 2009

Let there be Voice

And the President said, Let there be Voice: and there was Voice.


Indeed. The much needed Enterprise Voice... for many reasons. Extraordinary savings, complete integration with our existing services, new, unseen before features and… the age’s old question – “Can I do it.” Don’t get me wrong, the latter is strictly personal. As a Professional, I will never jeopardize my Institution’s operations just to see what I am made of.

Implementing VoIP is not an easy task. There are many factors to be considered – from pure technical details to, yes, the “psychology of change”. Do you remember when I said “Beware what you wish” in my first post? Although I have been testing OCS EV for almost 18 months and had 100% confidence in my ability to pull this in GMC, I underestimated the ability of our users to fight “change in the work place” with any means. Can’t blame them, though – when a three star General (our President) say “I want it and I want it now”, my military training kicks in, the “common sense” receives “Shut up and do it” command and… Let me explain:

First – why I talk singular. GMC have five major locations, two extensions office and five offices in military bases throughout the State of Georgia. Total of 1,300 computers, 500 FT users, 4,000 – 6,000 students – all this maintained with 9 (nine) IT folks. I am responsible for the entire network and all servers (all 60 of them). Because of this, I take my role in the Institution VERY seriously since there are no “shared” responsibilities and so, “I” is the expression of pride and curse in the same time.

Second, the deployment was completed in 45 days. Now, this might look a lot of time and yet, it was quite not enough in terms of working with the users to explain the upcoming changes and mainly, to setup the new service as close as possible in order to mimic their current work flow while greatly enhancing it. Even though the Management realized the benefits of the migration, some of our end-users (still) see it as “twisting hands”… Can’t make everybody happy…

What we did comes… tomorrow.

Tuesday, December 22, 2009

UC@EDU (part deux)

EDU sector is like nothing else out there. It has its own dynamics, rules, and in many cases the complexities of the work flow well exceed “normal” business operations. Just a few percent of the US economy can claim tens of thousands “new customers” every semester while obligated to maintain all records in perfect state.


Throwing new technologies in to the work flow not necessarily makes it more efficient. It least, not in the beginning… Let’s face it – the vision of the feature often contradicts with the reality of today. It is always been my opinion that IT folks (in EDU sector) should undergo a training course in “psychology of the work space”. We love to see our self as “the computer gods” and all our users as “that part of the earth population with only one legacy – to make our life miserable”. Well, the truth is, this is how they see us as well.

Having said that, the concept of “seamless integration” looks the best solution to satisfy both Institutional goals and end-user requirements. If you are reading this blog, most probably you are IT person. You have been there already. Just remember the last time when someone said “but I have been doing it THIS way for the last 10 years, why I have to change my 8-to-5 habits?”

I haven’t been born Microsoft’s fan. I work very hard on myself to stay away from prejudice in my professional decisions. I spent few hours every month in the business office areas, just hanging around with cup of coffee and trying to “feel” the work flow, talking to the colleagues about the current procedures and collecting “off the record” opinions. Then, I go to the drawing board and see how or if the newest IT technologies can fit in the current work flow, not override it. How this translates to GMC’s current state…

When I took this job 5 years ago, GMC had 5 (five) servers. HP UX for the college system, one UNIX web server and another for email, one Windows server (for something I don’t remember) and Novel file server. Blah! All computers with Windows XP OS. I got to think backwards – if my computing environment is Windows OS, shall I continue to make it work with different platforms thus spending most (or all) of my time keeping up with the changes in each, or simply unify the entire computing environment under one platform? Wouldn’t my Institution benefit more from the conceptual unity of present and feature rather than “keeping the environment running”? The only logical conclusion was to go Active Directory environment.

The breakthrough was implementing Exchange 2007 as email solution. The reason (partially) was my desperation to get rid of MailCall, which is pain in the hiney anyway. I have seen many of our users using Yahoo calendar and different chat services as collaboration tool already (I not know about you, but as Net Admin, any waste of bandwidth makes me lose sleep for days) and so, being myself, I set an exchange server in Production, migrated IT department to it and began selling the solution. I did not run to CEO right away, no… I knew I can sale this in a split second. I worked “from the first floor and up” until everybody had “wet dreams” about it and wanted it more than a Democrat wants a credit card. Exchange opened the doors of unseen till now collaboration. I will skip the details, ya’ll know it. So you know the early days of LCS 2005. I have to confess - LCS was the next step mainly because of two reasons – preserving bandwidth and “what happens in GMC must stay in GMC”. I don’t like the idea that someone out there was logging my user’s conversations…

Then came OCS 2007. I still had my doubts of the value of OCS as voice solution. The rest, however, was beautiful. OCS brought the collaboration in our environment to a whole new level. Needless to say, because of the Campus Agreement, all I needed was money for the hardware. Our users now had the ultimate collaboration tool at their discretion.

We are IT. We can say “I am not playing game on my work computer. I am doing research as of now playing games on my work computer impacts my work performance” and get by with it! Not the same in the business areas, though. Or faculties – they have their own “demons” as well. In environment where every minute is precious, unifying all means of communications is vital for dealing the constantly increasing work load.

OK, we already established the fact UC is a must in every mid-to-large scale business. Now, what would be the logical approach to realize this? Shall I let X_company System Integrator to invade my environment with their proprietary servers, software requirement, patches, service contracts, etc.? Do I have to bite my lips, run a sacred ritual and spit in the four directions every time when I install updates on my windows environment, hopping that I don’t have to talk to “Scott” with the awful accent… again? Or, upon deployment of the new server and/or service, I will wait for AD replication to complete, then restart my test machine and verify is the new feature is available? Which scenario makes more sense to you?

Next comes the Voice… in the next blog.

Monday, December 21, 2009

UC@EDU

Some readers might get the impression I go to church every Sunday and do Bible study on Wednesdays. Uhm, no. I am Bulgarian, Eastern Orthodox and go to church on two occasions – to find my inner peace before I make an important decision or... to get away from my wife… just kidding. “Amen” for me is what “Eureka” was for Archimedes – “I got it”!


Enough said on this, let’s move on.

Georgia Military College is a two-year liberal arts junior college, a high school and a middle school. The main campus is located in Milledgeville, GA. We have campuses in every major city in the state and recruiting centers in every military base as well. Everybody in the Educational area knows what the telephony is as a part of the business flow… I am constantly amazed by the ability of our staff members to joggle between the kid on the counter, keyboard and the phone. I personally will not last a full day in this environment. As IT person, however, I am responsible to provide the tools available out there to optimize the business process, with other words, to get more work done with the same staff for the same working hours as yesterday. The good old capitalist way to “work people to death” is not an option (any more) and so, optimizing the work flow by introducing the concept of Unified Communications seems one very logical choice.

Let’s look the following example (the EDU people will recognize the situation right away):

A student in Valdosta campus goes to the business office to inquiry about his/her degree. Because the degree processor is located in the Main campus in Milledgeville, Valdosta folks have option to either:

     1. Say “Can you stop by this afternoon for an answer” (bad customer service - hell knows no fury as a student mistreated in the Business Office)
     2. Jump on the (PSTN) phone and dial Milledgeville (Long Distance charges) and hope:
        a) The other party is there
        b) It is not on the phone already (busy signal)
        c) It is not busy (“I have enough of my stuff to deal with”) with something else
        d) It is not in a bad mood in the moment
        e) Send an email to Milledgeville and… go back to a)

We can extrapolate from here to eternity the possible outcomes. However, the key here is – user A attempted to communicate with user B while they are physically separated by location and network. The essentials from the example above are:

     1. Is the user at his/her desk (Presence)


     2. Is it already on the phone (Availability for a particular task – a phone call in this case)

     3. Was anyone else tasked with this work flow




By introducing this part of Unified Communications concept (part of Office Communications Server 2007), we just solved one fundamental problem:

1. We located the right person

2. Asked the question




3. Received an answer and served the student



More on UC@EDU tomorrow...

Sunday, December 20, 2009

Why Microsoft voice

Why Microsoft (new in VoIP market), and not Cisco, Nortel, Away or anyone else…
Earlier this year I threw a party in IT office when the last Linux server died. RIP, my archenemy! No more Google to find THIS one singe command for THIS one version you were on. My concept how GMC network should be run finally become reality.
If you are Educational Institution, K12 or High Ed, look at your environment. How many business or else applications you see that were meant to be run on Linux? Or MAC? When was the last time an online student application was developed for Mozilla or Safari first, then tweaked to work with Internet Explorer, or it was the other way around? Or your college application or anything else for that matter… Can someone PLEASE show me a school book that starts with “Make sure you login as ROOT…” or “Start you iTunes and make sure you set your status to show the song you are listening at the moment before you proceed further…” How many times you were tricked by your IT people to “put this on Linux – it is free and I know it”? Make no mistake – this is part of the “job security” conspiracy. I am sure this will piss a lot of people out there, but it is time to “think reality”.
So, let see - I have 1,300 computers in seven campuses all over the state of Georgia. Because of AD DS, I control every aspect of the environment behavior. Software installation and updates, group policy management, email, you name it. All, except… voice. So, what would be the logical choice for implementing voice solution in our College? Hmm, why I don’t we spend (taxpayers) money for third party VoIP solution – we will be completely dependent of their integrators, support, software updates, proprietary servers, with extraordinary yearly support fees, but… who cares – ain’t my money anyway. Well, I do! Georgia Military College is a “semi” State agency – only 20% of our budget comes from the State and our business model is entirely market oriented. You can’t spend what you don’t have (unless you are Democrat in the Congress, of course) and increasing efficiency while lowering cost is our mantra. Amen to that!
We already have Campus Agreement with Microsoft - the sweetest deal one can get out there. Oh wait, Office Communications Server enterprise CAL is included - the one for the voice part of OCS. This means I can not only integrate presence and chat, but the entire Unified communications concept in my environment while spending just a fraction of the cost other vice I would with third party? All I have to do is to deploy few servers, change the phones, setup a SIP Trunk and actually cut my cost for phone service 80% while introduce features my users never dreamed of…

Friday, December 18, 2009

To trunk or not to trunk – this is the question

SIP Trunking that is…

Let’s analyze the options for a feature VoIP deployment. We have three basic starting points:

1. A small to medium business which currently have POTS as telephony solution (large enterprises are “large” partially because they have seen the light well back in the time and are VoIP already :-))
2. Enterprises that already have local PBX (VoIP or PSTN)
3. Any size business that have hosted VoIP

Georgia Military College failed in the first category – each endpoint directly connected to a Centrex PBX, served by the local phone company. The service, however, was “provided” by the GTA (Georgia Technology Authority – a State agency created with the idea to negotiate the best rate/services with the local Phone Providers and provide high quality services… Really?!?). So, we had a service charge of $23.60 per line, and that is – for the simpler service one can imagine, very close to what Alexander Bell invented. Want Caller ID – no problem, add $14,60 to the service charges – you get my point. Our IT office had 4 lines/numbers which rand on 10 phones simultaneously. Great productivity environment, right? Anyway, it was a “saver” – 10 phones and only 4 lines charged ($94.60). This year, however, the State of Georgia awarded the contract to AT&T, which in return immediately announced “price reduction from $23.60 to $16.00” just… now would be per ENDPOINT. So, the new MRC for the IT office would be… $160.00. Wow!!!

Let’s dissect this. We have NPA.NXX.XXXX where NPA are the area codes, NXX are the Exchange codes (remember, PBX = Private Branch Exchange) and finally XXXX which is the local number within the local Exchange. So, the number 478-445-4705 translates to Area Code = 478, Exchange Code 445 (a PBX located in the office of WindStream in Milledgeville, GA) and extension = 2705 (terminated on mine (and 9 others) desks. When I call 478-225-2706 (another former GMC number), what actually happens is my call gets to the PBX (WindStream office) where a match is found, a digital relay is closed and the copper pair that goes in to my phone is connected to the copper pair that ends in to another phone in the office next to ours. Well, it is a little more complicated than this but… you get the picture. So, we are paying for the ability to connect one termination point to another (even if they are few feet apart).

Now look the tricky part. XXXX equals to 10,000 (the maximum numbers of extensions) i.e. 0000 to 9999. A call within the range is “local” i.e. never leaves the PBX. Because it is internal, there is no problem since the PBX was designed with THIS capacity i.e. 5,000 users on one end of town pick up the phone and call the other 5,000 located in the other part of town. So far, so good.

Let’s look what happens when I dial OUTSIDE my local exchange. WindStream (in Milledgeville) holds the following NPA.NXX: 478 414; 445; 451; 454; 456; 457; 804 i.e. when I dial 478-452-XXXX, the local Exchange (still within WindStream’s infrastructure) will find the matching pair and connects me. Now, if you think WindStream have10,000 copper pairs between each PBX in order to cover (the alleged demand) i.e. all 10,000 users of 478.445.XXXX will dial all 10,000 users of 478.452.XXXX, and another 10,000 copper pairs between 478.445.XXXX and 478.453 .XXXX just in case, you are wrong. There is much “thinner “cable with way less number of copper pairs. Why? Because telephony is like Health insurance – a big gamble with the odds that LESS people will get sick while ALL insured will pay their premiums thus payments for service will be made and profit will be generated at the same time. And here the term TRUNK comes in use. The gamble here is that less people will dial OUTSIDE the local exchange than a pure “local” call. Same rule apply to calls outside the NPA i.e. Long Distance calls.

How this translates in to our situation? GMC have 220 telephone users in Milledgeville campus.
1. Business Office (everyone in the Educational area knows what the BO does – talks on the phone most of the time.)
2. Faculties (in class most of the time), doing “phone business” mostly returning voice mail calls
3. All others

After a long research, I went with a ¼ ratio i.e. one trunk line per every four phone users. Because OCS is now our local Exchange, we should not account for the “internal calls” – GMC user to GMC user but rather OCS - >PSTN and PSTN -> OCS. I got lucky; it worked perfectly for our situation. For the eight months of EV, our logs showed not more than 10 (ten) calls rejected due to “exceeding the trunk capacity” i.e. more than 40 people (our current number of concurrent calls in Milledgeville) attempted to use our SIP trunk (connection with the PSTN network).

A concurrent call trunk with our provider (more in the next post) carries MRC of… $13.00 and so, the total (fixed – your CEO will love this) cost for our Milledgeville campus - $520.00 per month. Can I have Amen?!? A campus with 500 Middle/High School kids and their teacher, 2,500 students and their faculties plus the Business office, Admissions, Alumni etc. for $520.00 a month?!? Can I have Amen again?

More about our journey is to come in the next few days.

Thursday, December 17, 2009

PSTN is dead. Long live VoIP!

Follow the money!

Deep Throat was right! Just, in our case, nothing sweetens the life of the Management as a scratched line in the new budget.

As IT guy, I have been pitching VoIP for about two years. Every time my boss sent me to “take a drug test”. If it ain't broke, don't fix it… you know how it goes… However, one day our business office contacted me regarding an ISDN line in a remote office; I went to check what they are talking about and out local Phone Gate exploded. I carried the monthly phone bill with wheel barrel (all 700 pages of it) back to my office and spent next few days digging. You will be surprised what I found in it – charges for a phone service we considered “disconnected” (at least OUR record showed a disconnection order was placed), double charge for the same service (one remote office was charged for three Auto Attendant services and they were not aware of it), number of accounts charged for a Voice Mail box (the people did not knew they had one… hmm, wander if someone from the phone company decided they need one but forgot to inform them). In fact, we were paying for an ISDN line (active or not) located in a building that we no longer occupy. I am not implying it is always the Big Bad Phone Company that cheats. As we say in my native country, Bulgaria – “It is not crazy the one that eats the entire cake, but the one that gives it”. Long story short, our MRC was $10,000, effective charges varied month by month between $11,500 - $13,000 (not sure what your provider charges, but we were paying $250 when moving a user from one office to another and the “number” needed to be moved as well.)

We at Georgia Military College already had Office Communication Server R2 deployed and all roles but Enterprise Voice was used. For me, as IT guy, EV integrated with Exchange UM role was the logical choice for telephony solution for the college, just… my approach was wrong! Let me tell you a story. After many attempts, my VP managed to arrange a meeting with the President (sort of Grand Jury) where we presented our case. So, I am going to the meeting and as IT, got carried away talking about the beauty of Unified Communications - integration of presence, email, voice, voice mail, conferencing etc. After 15 minutes or so, the President goes “…why are you wasting my time with this…” and I almost had a hard attack. Fortunately, the second part of the presentation was about the money. Sweet topic, indeed. Needless to say, before the end of the presentation, I had the money for deployment on my disposal with the words - “I want this and I want this now”. Beware what you wish, I can add, but this is whole different story and I will blog about this later.

Today, eight months later, we are 100% OCS EV. Our MRC for phone service is $2,100 (remember $13,000 just few months ago?) and we are very close to our ROI point.

I started this blog to share our experience and hopefully help some colleagues to achieve their dream – Unified Communications at their work place.