Sunday, July 10, 2011

Lync Phone Edition and third party Root CA Authority


As a Network Administrator, I often check a variety of server and application logs to verify the health of the environment. Today I noticed that the Aastra 6725ip phone in my office (connecting to my home lab's Lync deployment via the public Internet) never updated its firmware to the latest version, “4.0.7577.250”. Strange indeed…

Now I remembered that the phone never downloaded the Address Book either. Why would that be? I have deployed a reverse proxy with a certificate from StartSSL, which is included in the Root CA store of the Windows OS. The functionality was verified: external users could successfully connect to a meeting organized by a lynclog.com user.

A quick reference to the TechNet article revealed the sad truth: while StartSSL is present in the Root CA store of Windows, it is not in the store of Lync Phone Edition.


Now what?!? It looks like the certificate I use on TMG provides only half of the functionality… or does it? If you think about it, my internal Domain Root CA is not present in the Phone Edition store either, and yet a phone connected to the LAN works. This is because, according to the article, “First, the device searches for Active Directory Domain Services (AD DS) objects of the category certificationAuthority. If the search returns any objects, the device uses the attribute caCertificate. That attribute is assumed to hold the certificate, and the device installs the certificate.

The root CA certificate must be published in the caCertificate for Lync Phone Edition.”

So, what if I use “certutil -f -dspublish RootCA” and publish the StartSSL Root CA in my pKIEnrollmentService store? The assumption is that AFTER I connect a device for the first time on the LAN and sign in, all certificates in the Domain Certificate Authority will be downloaded to the device (including the StartSSL Root CA). Later, when I take the device onto the public Internet, the phone will trust my Reverse Proxy and should download updates, the address book, etc., as long as it is not reset to “factory defaults”, which restores the Certificate Store to its original state. Needless to say, my lab Exchange server also uses StartSSL for the OWA service, so this integration should function as well.

One way to find out: I have already downloaded the StartSSL Root CA to my domain controller…

…and will use the above command to publish it.


As we can see, the certificate was added. I should expect to find it in the Phone Edition store after resetting the phone and signing in again.

After some digging through the SELog, I found the following line:


For now, I will “assume success” as well and take the device to my office tomorrow to examine the result. Also, a quick look at a workstation just joined to the lynclog.com domain shows that the StartCom (StartSSL) Root CA is present in the local Trusted Root Certification Authorities store, i.e. it was downloaded automatically along with the Domain Root CA.
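The two checks above (is the third-party root now a certificationAuthority object in AD DS, and has it reached a domain member's local Trusted Root store) can be scripted. The following PowerShell is an added example and is not from the original post; it assumes the ActiveDirectory module is available and uses a placeholder .cer path and subject filter. The RootCA keyword of certutil -dspublish writes into the Certification Authorities container of the configuration partition, which is the container queried here:

```powershell
# Added example, not from the original post: list the root CA certificates that
# AD DS publishes as certificationAuthority objects (the objects a Lync Phone
# Edition device reads its trusted roots from), check that the third-party root
# published with certutil is among them, and check whether it has reached this
# machine's LocalMachine\Root store. Assumes the ActiveDirectory module; the .cer
# path and subject filter below are placeholders for the root being published.

param(
    [string]$RootCerPath  = 'C:\certs\ThirdPartyRoot.cer',   # placeholder path
    [string]$SubjectMatch = 'StartCom'                        # used if the file is absent
)

Import-Module ActiveDirectory

# Reference: full form of the command the post uses (run as Enterprise Admin).
# The RootCA keyword creates a certificationAuthority object in the container below.
#   certutil -f -dspublish "$RootCerPath" RootCA

$configNC    = (Get-ADRootDSE).configurationNamingContext
$caContainer = "CN=Certification Authorities,CN=Public Key Services,CN=Services,$configNC"

# Read every published object; cACertificate holds one or more DER-encoded certificates.
$published = Get-ADObject -SearchBase $caContainer `
                          -LDAPFilter '(objectClass=certificationAuthority)' `
                          -Properties cACertificate |
    ForEach-Object {
        $obj = $_
        foreach ($der in $obj.cACertificate) {
            # The leading comma stops PowerShell from unrolling the byte[] into ctor arguments
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$der)
            New-Object PSObject -Property @{
                ADObject   = $obj.Name
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                SelfSigned = ($cert.Subject -eq $cert.Issuer)
            }
        }
    }

"Certification Authorities container: $caContainer"
$published | Format-Table ADObject, Subject, Thumbprint, NotAfter, SelfSigned -AutoSize

# Identify the expected root by thumbprint when the .cer file is at hand, else by subject.
$expectedThumb = $null
if (Test-Path $RootCerPath) {
    $expectedThumb = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCerPath).Thumbprint
}
$match = @($published | Where-Object {
    if ($expectedThumb) { $_.Thumbprint -eq $expectedThumb } else { $_.Subject -like "*$SubjectMatch*" }
})

if ($match.Count -eq 0) {
    Write-Warning "Expected root CA is NOT published in AD DS; phones will not receive it."
    return
}

foreach ($m in $match) {
    "Published in AD DS: $($m.Subject) [$($m.Thumbprint)], expires $($m.NotAfter)"
    if (-not $m.SelfSigned)          { Write-Warning "  Object $($m.ADObject) is not a self-signed root." }
    if ($m.NotAfter -lt (Get-Date))  { Write-Warning "  Certificate has already expired." }

    # Domain members receive the same objects through Group Policy / autoenrollment,
    # which is why the post's freshly joined workstation already showed the root locally.
    $local = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $m.Thumbprint }
    if ($local) { "  Present in this machine's LocalMachine\Root store." }
    else        { "  Not yet in LocalMachine\Root (wait for Group Policy refresh or run gpupdate /force)." }
}
```

Whatever lands in this container becomes trusted by every domain member, not only by the phones, so the thumbprint printed here is worth comparing against the fingerprint the CA itself publishes before (and after) running certutil -dspublish.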


As usual, this example is for testing purposes only. Caution and careful consideration are necessary if/when the Administrator decides to push a third-party Root CA via Active Directory Certificate Services.

07/13/2011 Update:
As a Proof of Concept, it worked as expected. The phone, logged in over the Internet, promptly updated the firmware and rebooted. HOWEVER, this method should not be used in a production environment. To me it looks like the Phone Edition update is image based and the firmware upgrade replaces everything (including the local Certificate Store), thus rendering our exercise above inapplicable in a production environment.

22 comments:

Chris Norman said...

Nice post Drago. I had a question about this just recently.

Drago said...

Chris,

I could not test today from the office – first day after vacation… you know how it is. In any case (success or failure), I will report once I get some results.

Adrien said...

Unfortunately, the Aastra phones did not benefit from your workaround.
They don't load the new CA, and thus they can't connect to Exchange at all.

Has Microsoft any idea on when they will include the same CA in the trusted roots for Lync, Exchange and Lync Phone?

Drago said...

If, when you say “the same CA”, you are referring to StartSSL, there is one simple answer: never. By default, Windows Server 2008 and later has a very limited set of Trusted Root CAs upon installation. An extended list (where StartSSL is included) is offered via the Windows Update Service.

Mobile devices are a whole different story. I am not sure what the limitations are (if any), but you have noticed that only top-level Root CAs are included. Lync devices are pretty much the same…

A list of Public Authorities for Lync Phone Edition devices can be found here http://technet.microsoft.com/en-us/library/gg398270.aspx

Anonymous said...

I was wondering where the SELog is that you referred to?
