Monday, July 23, 2012

Lync 2013 – XMPP Federation

Within Lync 2013, XMPP is first class service i.e. now we have native support – no gateway is required. This not only eases the deployment and manageability, but also provides scalability and high availability.

  1. Get-CsXmppAllowedPartner (Returns information about XMPP partners authorized to communicate with your organization)

  2. Set-CsXmppAllowedPartner (Modifies an existing XMPP allowed partner)

  3. Get-CsXmppGatewaySettings (Returns information about the XMPP gateway configuration settings in use in the organization)

  4. Set-CsXmppGatewaySettings (Modifies the XMPP gateway configuration settings in use in the organization)


XMPP support is defined in the topology on Site level:

…where the edge server used for federation route in the topology will be enabled automatically for XMPP support:

 To enable support for XMPP federation,  the Edge Federation must be enabled. To verify your setting, use Get-CsAccessEdgeConfiguration and examine “AllowFederatedUsers” parameter. If “False”, use: Set-CsAccessEdgeConfiguration -AllowFederatedUsers $true to enable federation.

***It is important to note that the above command will enable federation for all partners, not only XMPP – something the Administrator must consider before proceed further.


To enable support for XMPP Federation, a new SRV record for every supported SIP domain must be created in the Public DNS. For example:

SRV record for to resolve to the Access Edge FQDN of the Edge server and port must be set to 5269.


The firewall must be configured to allow inbound and outbound connections for the Access edge IP address on TCP port 5269.

Additional steps

Next step is to configure XMPP allowed partner. This can be done via eitherControl Panel and Lync management Shell. To set Google Talk as XMPP partner:

New-CsXmppAllowedPartner -TlsNegotiation NotSupported -SaslNegotiation NotSupported -EnableKeepAlive $false -SupportDialbackNegotiation $true

Alternatively via CSCP:

After replication, test the new XMPP setup - presence and IM capabilities:

Friday, July 20, 2012

Lync Web App 2013 (LWA)

There is so much to be said about the next generation of Lync platform – Lync 2013. I am sure bloggers around the world, right now, at this very moment are scratching heads with the one question – where do I start. I am no exception…

Today I want to share few screenshots of the new LWA taken from my (Steve forgive me) iPad 2. First and foremost – the wait is over. Today we can use our tablets (whatever they can be) to join Lync meetings and have (almost) full meeting experience. Why “almost” – we will see below.

When opened meeting link in web browser, I was presented with the new LWA look:

Of course, I also had the option to sign as Authenticated User, i.e. Presenter.

I joined as “Guest” and landed in the Lobby because the Conferencing Policy of my Lab does not allow Anonymous users to jump in a meeting just like that…

From my Slate device (to set the record straight – running Windows 8 RC), I joined as Organizer and “accepted” the Guest in the lobby. I was on Lync meeting from iPad!!!

Time to test the modalities.

IM - check.

Poll - check.

WhiteBoard - check. See the controls on right?

Desktop sharing - nope. But I have been told so in the beginning. Oh yeah, I am on iPad...

I could not test PowerPoint presentation and cannot comment as of this moment. Will follow up once my WAC (Office Web App Companion server) is deployed in the lab. I expect to work, since WAC uses standard DHTML and JavaScript, supported on most of the mobile platforms today.

Needless to say, the LWA worked full-featured on any device I had in hand that ran Windows OS.

So much Lync, so little time...

Wednesday, July 18, 2012

Lync 2013 Prerequisites (Windows Server 2012)

If you wish to install Lync 2013 Preview on Windows 2012 RC, here is an easy way to prep your Front End server:

Download “LyncFeatures.xml” and place it on C:\

On your server, start PowerShell as Administrator and run the following:

Import-Module ServerManager
$x = Import-Clixml C:\LyncFeatures.xml
$x | Add-WindowsFeature

Reboot when done and proceed with Lync 2013 installation.

Monday, July 16, 2012

Wednesday, July 4, 2012

Connection to Microsoft Exchange is unavailable on Lync 2010 Phone Edition

You know, I’ve learned something today. When something does not work as expected, there is a reason for that, even when you don’t see it… right away.

One of our customers had an issue with Lync Phone Edition calendar integration. The phones simply refused to connect to EWS, period. To make the issue more puzzling, a phone signing form Public Internet worked, but one on LAN did not. Customer uses BIG-IP F5 hardware load balancer as HLB appliance.

The troubleshooting process started with reviewing the phone logs (.CLG2 in particular). I know, it is very hard to read them logs, but TextPad did the job. I was looking the calls for Autodiscover web services. LPE uses Autodiscover to obtain both internal and external EWS URLs. In the log I found the following: “NAutoDiscover::DnsAutodiscoverTask::TryAutodiscoverUrls: Exception with this url. hr=0x80072f0d”. This error translates to “The security certificate on the server is invalid”. What??? VeriSign Certificate is not trusted??? Tens of thousands of users connect to their Exchange accounts from desktop and mobile devices in and out, and yet LPE does not like the certificate.

There are three things I need to mention here:

  1. The customer uses certificate signed from Public CA on the CAS array
  2. Because of this fact, the customer already added VeriSign Root CA to the Lync certificate store by following the procedure described in Kevin’s blog:
  3. Customer set “internal” and “external” VIPs on F5 for all Exchange services
First step was to examine the certificates deployed to CAS array. This is very important in order to establish the number of intermediate certificates. In the first example we have one intermediate – VeriSign Class 3 Secure Server CA.

Now, let’s look another certificate:

In this case we have two intermediates – the issuer (VeriSign Class 3 Secure Server CA – G3) which is sub for VeriSign Class 3 Secure Server CA.

I was puzzled as of why web browser did not fail when visiting, but the phone did, until realized - browsers are capable of following the chain all the way up to the Root CA i.e. F5 presents Identity Certificate – and the browser will follow the chain up to the Root CA.

There are many, many posts in Internet about mobile devices failing to connect to EWS. Additional research shows that mobile devices, due to the limited size of the Certificate Store and platform specifics, require ALL INTERMIDIATE certificates to be presented along with the identity certificate in the initial handshake. This way the device will follow that chain “internally”, until the Root CA in the local store validate the chain.

We already know the limitation of Aries platform in this regard, and so I thought – what if we have the same limitation and behavior as Mobile Devices have? This prompted close examination of the handshake between client and server. Below is an example of successful handshake:

What is important here - we have immediate flow of type “Application Data”, which means the handshake was completed successfully, a trust was established, and data exchange has begun.

Let’s now look closely what happens:

After initial Client and Server “Hello”, the server will offer the Certificate(s).

As we continue to drill, we see that two certificates were offered

…server identity and the intermediate issuer, which matches the chain as we saw already:

All Lync Phone Edition have to do now is to check if “VeriSign Class 3 Secure Server CA” can be trusted, and we do because the Root – “VeriSign Class 3 Public Primary CA” is in the Trusted CA Root Store of LPE.

Now let’s see what was happening in the customer environment… we would expect to see this same flow internally…

During the Certificate presentation, we note that the ONLY certificate offered from F5 is the “Identity Certificate” and no Intermediate was present:

Of course, LPE could not follow the chain and the handshake failed miserably. We asked for and received said Server Identity Certificate, but could not validate the Issuer - VeriSign Class 3 Secure Server CA.

We spoke with the F5 team, and they confirmed that the Internal VIP for CAS array had only Server Identity Certificate assigned, but not intermediate. After assigning the correct Intermediate Certificate to the internal services for Autodiscover and EWS, the issue was resolved.  I am still baffled from the fact one can/must assign intermediate certificate to service on F5. This should be done automatically during the certificate import…

***This concept or troubleshooting can be applied when investigating connectivity issues between CAS and Mobile Devices where not only F5, but other HLBs are used and we have problems with SSL.