OCS 2007
Certificate problems with OCS 2007 - part 1
Oftentimes when deploying OCS 2007 to complex environments something doesn’t work as expected. Even more often the culprit is either a certificate issue or an AD (and thus, often a DNS) issue.
One of my colleagues had problems when connecting Office Communicator to OCS 2007, using Access Edge. Thus the workstation was outside the company’s LAN (and AD), and was running Windows Vista with Internet Explorer 7.0. Most companies choose to deploy OCS 2007 with private certificates, i.e. generating their own rather than shelling out the hard-earned dollars to companies like Verisign.
The problem here is that while the workstation is able to connect, you will see a problem with authentication. Debugging this through OCS 2007 Logging Tool (which, I might add, is excellent) it all boils down to certificate problems - the client doesn’t have the CRL (Certificate Revocation List), and IE7 always enforces that by default.
Fix? Uncheck the “Check for server certificate revocation” option under IE7 > Tools > Internet Options > Advanced.
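To confirm that an unreachable CRL is really what the external client is tripping over, the following added example (not from the original post) lists the CRL distribution points in a certificate and tries to fetch each one from the machine it runs on. The file name access-edge.cer is an assumption: export the Access Edge certificate to it first, then run the script on a workstation outside the LAN.

```powershell
# Added example: list the CRL distribution points (CDP) in a certificate and
# test whether each one can be fetched from this machine.
param(
    # Assumption: the Access Edge certificate exported to a .cer file (hypothetical name).
    [string]$CertPath = '.\access-edge.cer'
)

$path = (Resolve-Path $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path

# 2.5.29.31 is the OID of the CRL Distribution Points extension.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) {
    Write-Warning "No CRL distribution point in $($cert.Subject); nothing to fetch."
    return
}

# On Windows, Format() renders each distribution point as a "URL=..." line.
$urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') |
    ForEach-Object { $_.Groups[1].Value }

foreach ($url in $urls) {
    $scheme = ($url -split ':', 2)[0].ToLower()
    if ($scheme -notin 'http', 'https') {
        # ldap:/// and file:// CDPs point into AD or a file share and are
        # normally only reachable by domain-joined machines on the LAN.
        $result = "not fetchable from outside the LAN ($scheme)"
    } else {
        try {
            $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
            $result = "OK, HTTP $($r.StatusCode), $($r.RawContentLength) bytes"
        } catch {
            $result = "FAILED: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{ Url = $url; Result = $result }
}
```

If every entry is an ldap:/// URL or fails to download, the private CA is only publishing its CRL internally; adding an HTTP distribution point that external clients can reach lets the revocation check stay enabled. Running certutil -verify -urlfetch against the same file performs the retrieval through Windows itself.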
OCS 2007 on a 64-bit server
..and missing those fancy ADUC (Active Directory Users and Computers) controls for enabling users to your pool? Fear not, just run this to get them visible: mmc /32 dsa.msc. Yeah, I’m a keyboard junkie amongst other vices, but this was something I really needed to troubleshoot for a sec. It seems every day is a learning day!
OCS 2007 Standard Edition - 10 insights from the field
I, for one, have been struggling a bit when it comes down to understanding what’s happening with OCS 2007 (Office Communications Server 2007, RTM’d some time ago). Having played with LCS 2005 (Live Communications Server 2005) quite a bit, I’ve been eagerly waiting for the first stable betas and release candidates of its successor.
Here is my attempt to explain OCS 2007 (Standard Edition) in 10 insights from the field:
10. Can be deployed with SQL Express on the same box - scales a bit poorer but is easier to set up for demo/trial/customer case environments. This is what I use in my daily work
9. Office Communicator 2.0, Office Communicator Mobile 2.0, Microsoft Tanjay/Catalina phones and Communicator Web Access are all good ways of using OCS. Most people will be happy with MOC (Microsoft Office Communicator 2.0), yet one should really take a look at the mobile client for Windows Mobile 5/6 - it’s hugely useful when out of the office. Remember to export your cert chain for this to work.
8. It all boils down to two main support vehicles - Active Directory and Certificate Services. Learn these, and use these for debugging (via the excellent OCS Logging Tool running with PowerShell)
7. Start your OCS 2007 deployment with the central server (i.e. the first box that’s going to host your IM/Presence roles of OCS), and go for the Edge Services last. They are always the hardest to set up, and often require quite a lot of troubleshooting with certificate issues.
6. If possible, avoid using third-party certificates. The process is a hassle, and not really worth the headaches.
5. Need to build a demokit/playground for OCS 2007? Here’s my recommendation: Use whatever virtualization solution you prefer (read: Virtual PC 2007), and set up 3 virtual servers:
- Active Directory + Certificate Services -server
- OCS 2007 Standard (all core roles) + Exchange 2007 Unified Messaging
- OCS 2007 Standard (Edge/Mediation/CWA)
In addition use the host as a client for
- Roundtable
- SIP 2.0-phones (such as Cisco, Nokia and Nortel)
- Microsoft Tanjay/Catalina-phones
- Office Communicator
- Outlook 2007 for voice mailbox access
- VoIP Gateway (such as AudioCodes and Dialogic)
Make sure to enable IVT (Intel Virtualisation Technology) if your host supports that, and make sure that VPC 2007 is configured to use it.
4. Exchange 2007 UM (Unified Messaging) is easy to configure, but has a crappy interface for doing that. Just go out of your comfort zone for a sec, and use the command-line tools to do it. It’s worth it.
3. OCS 2007 Guides are essential - Planning Guide is truly good, yet a few topics are not really described in detail, so prepare for some research during deployment
2. Check, doublecheck, triplecheck and have someone else check that your DNS zones and records are properly set up. “whoops, I missed the underscore” is a quite common problem. Oh yeah, Netbios-traffic (port 135/TCP) and AD RPC-traffic (ports 1025, 1026/TCP and UDP) are needed.
1. OCS 2007 is all about infrastructure! The rest is just persistence.
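For insight 2, this added example (not from the original post) checks the SRV records used for OCS 2007 sign-in and federation and flags the case where a record was created without its underscores. The record names are the standard OCS 2007 ones and are not listed in the post; example.com is a placeholder for your SIP domain, and Resolve-DnsName needs a current Windows PowerShell.

```powershell
# Added example: check the SRV records used by OCS 2007 and detect the
# "missed the underscore" mistake.
param(
    # Assumption: your SIP domain; example.com is a placeholder.
    [string]$SipDomain = 'example.com'
)

# Standard OCS 2007 SRV names (not listed in the post itself):
# internal sign-in, external sign-in, federation.
$records = '_sipinternaltls._tcp', '_sip._tls', '_sipfederationtls._tcp'

function Get-Srv([string]$Name) {
    # Returns the SRV answers for $Name, or nothing if the name does not resolve.
    Resolve-DnsName -Name $Name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' }
}

foreach ($rec in $records) {
    $good = "$rec.$SipDomain"
    # The same name with the leading underscore stripped from each label.
    $bare = (($rec -split '\.') | ForEach-Object { $_.TrimStart('_') }) -join '.'
    $typo = "$bare.$SipDomain"

    $answers = Get-Srv $good
    if ($answers) {
        foreach ($a in $answers) {
            [pscustomobject]@{ Record = $good; Status = 'OK'
                               Target = $a.NameTarget; Port = $a.Port }
        }
    } elseif (Get-Srv $typo) {
        [pscustomobject]@{ Record = $good; Status = "MISSING, but '$typo' exists (underscore left out)"
                           Target = $null; Port = $null }
    } else {
        [pscustomobject]@{ Record = $good; Status = 'MISSING'
                           Target = $null; Port = $null }
    }
}
```

Run it once from inside the LAN and once from outside: the internal record is expected only in the internal zone, the other two in the public zone.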
OCS 2007 launch date confirmed!
OCS 2007 will be officially launched October 16th - see details and link to webcast here: http://www.microsoft.com/presspass/press/2007/aug07/08-21UCGVCFMA.mspx?rss_fdn=Press%20Releases
Upgrading from OCS 2007 RC to RTM
It’s possible to upgrade your existing Release Candidate installation of OCS 2007 to RTM. Alternatively you can do a clean installation (RTM bits here and Office Communicator bits here). Should you go ahead with the upgrade, here are a few tips you should keep in mind:
- Release Candidate upgrades to RTM only if you have the Volume License (VL) bits - and really, the bits, not just the license
- Evaluation (trial) license does not upgrade to MSDN RTM - at least, it’s not tested
- Release Candidate does not upgrade to MSDN RTM
I find it almost always easier to start from a clean installation rather than do upgrades, but in certain scenarios it’s often necessary to perform a direct in-place upgrade.
OCS 2007 Downloads now available on…
I just checked the Technet website, and Office Communications Server 2007 and Office Communicator 2007 are now available to download. If you haven’t signed up for a Technet/MSDN subscription, you can visit http://technet.microsoft.com/en-au/subscriptions/ and sign up now
Testing Office Communicator remote connectivity against Access Edge server - tip #1
Recently I was working with a customer, where we had to deploy Office Communications Server 2007 (Release Candidate at the time) to their production environment. As it turned out when setting up Access Edge-role in their DMZ, remote Office Communicator (MOC) clients couldn’t connect to it. At first we thought it was a certificate issue because of all the hassle you have with setting up MTLS, TLS and SSL-certificates to get OCS 2007 fully deployed.
Finally we tried tweaking the client - by default, MOC is configured to contact OCS via TLS, so it should use port 443/TCP. This is something you can specify on the Access Edge (5061/TCP or 443/TCP) for clients. As it turned out, due to a feature, bug or position of the stars, if the MOC client is unmanaged, the radio button for TLS/TCP is not enough: you also need to manually specify the port in the External Address. This is the correct value then: ocs-edge-server.domain.com:443.
I’ll keep you posted with additional OCS 2007 tips from the field.
How to specify internal and external servers for Live Meeting with OCS 2007?
OCS 2007 (Office Communications Server 2007), which was just released to RTM, finally has Live Meeting Conferencing built-in. You can use the Live Meeting client or the web frontend to attend your meetings. Because of the nature of OCS, you can deploy all services internally and expose selected services to external users (even for federated users) through your DMZ.
The challenge here is that when you deploy Live Meeting client centrally through SMS or Active Directory, you would need to specify what is the internal server for LAN users, and what is the external server for roaming users. Actually there’s a switch for that in the GPO template but it only affects Office Communicator 2007 client, not Live Meeting.
So here’s the fix:
Specify the values in registry:
HKEY_CURRENT_USER\Software\Microsoft\Shared\UcClient\ServerAddressExternal
HKEY_CURRENT_USER\Software\Microsoft\Shared\UcClient\ServerAddressInternal
Leech these to your GPO, and roll it out to your client workstations - works like a toilet in the train (bad Finnish humor, I know)!
