Firewall Requirements for Integrating OCS and OWA

If you follow my directions for integrating Office Communications Server 2007 R2 with Exchange Server 2010 OWA, and you also have either a host firewall on your CAS servers or a firewall between the OCS frontend pool and your CAS servers, you may find yourself with only half the intended functionality. You’ll be able to send IMs just fine from OWA clients, but, if you try to receive an IM in OWA, the user on the far side will get an error like this:

[Figure: error dialog shown to the sending user]

The following message was not delivered to <user>. More details (ID:504)
This message was not delivered to <user> because there was no response from the server:

This usually indicates some sort of network connectivity issue, and to troubleshoot this, I captured a network trace on the OCS frontend and filtered the display to just show me traffic between my OCS frontend and my CAS server. This is what I found:

[Figure: network trace between the OCS frontend (.103) and the CAS server (.90)]

In the above capture, “.103” is my OCS frontend, and “.90” is the CAS server. The presence of TCP SYNs with no corresponding SYN ACK is a surefire symptom of a firewall issue. I took a look at the CAS servers with TCPView and discovered that the addition of OCS to OWA led to IIS listening on TCP 5075.

[Figure: TCPView showing the IIS worker process listening on TCP 5075]

Once I added a firewall exemption to the Windows Firewall for the IIS Worker Process for TCP 5075 from the OCS pool, everything started working immediately. If you’re using hardware firewalls between your OCS pool and CAS servers, you’ll likewise need to exempt TCP 5075.
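As an added example (not from the original post), here is how the host-firewall exemption described above can be scripted on a CAS server so that it is scoped to the IIS worker process, the single port, and the OCS pool addresses only, rather than opening TCP 5075 to everyone. The pool address and rule name are placeholders; the command is the built-in netsh advfirewall syntax available on Windows Server 2008 and later.

```powershell
# Added example: scoped Windows Firewall exemption for OWA IM traffic from OCS.
# $ocsPool is a placeholder; list your OCS front end address(es), comma separated.
$ocsPool = '10.0.0.103'
$w3wp    = "$env:windir\System32\inetsrv\w3wp.exe"   # IIS worker process that owns TCP 5075
$rule    = 'OWA IM (OCS to CAS) TCP 5075'

# Inbound, allow, TCP 5075, only from the OCS pool, only to w3wp.exe, domain profile
netsh advfirewall firewall add rule `
    "name=$rule" `
    dir=in action=allow enable=yes `
    protocol=TCP localport=5075 `
    "remoteip=$ocsPool" `
    "program=$w3wp" `
    profile=domain

# Verify the rule was created as intended
netsh advfirewall firewall show rule "name=$rule"

# Confirm IIS is actually listening on 5075 (the PID should be a w3wp.exe process)
netstat -ano | Select-String ':5075\s'
```

Scoping the rule to the pool addresses and to w3wp.exe keeps the attack surface to what the integration needs; if the OCS pool is later re-addressed, this rule is the one to update.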

TechEd Next Week

I’ll be hanging out in New Orleans at TechEd all next week. I’m scheduled to be on one of the Forefront Identity and Access stands Monday and Tuesday most of the day answering Active Directory questions; however, I’ll probably be around most of the week there. Come say hello if you’re in town.

Access Denied Error in Exchange Control Panel

If you’ve got a user who gets an Access Denied error similar to the one below when they click on Options in Outlook Web Access (OWA), they may not have the MyBaseOptions role. Typically this happens because the user has lost their Role Assignment Policy. You can check this with the following PowerShell command, substituting the name of the mailbox you want to check:

Get-Mailbox bdesmond | fl *role*

If you don’t get results similar to the following (i.e. the result is blank), you need to assign the policy to the user.

RoleAssignmentPolicy : Default Role Assignment Policy

To assign the Default Role Assignment Policy to a mailbox, do something similar to the following, substituting the correct mailbox name:

Get-Mailbox bdesmond | Set-Mailbox -RoleAssignmentPolicy "Default Role Assignment Policy"

There shouldn’t typically be any users in your organization who have this setting nulled out, but I and others have seen this happen after you disconnect and reconnect a mailbox to the user.
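Since a mailbox can lose its policy silently, an organization-wide sweep is more useful than checking one user at a time. The following is an added example (not from the original post) that generalizes the two commands above: it lists every mailbox with no Role Assignment Policy, confirms the default policy actually grants MyBaseOptions, and then repairs the mailboxes. It assumes the Exchange Management Shell is loaded and runs read-only until -WhatIf is removed.

```powershell
# Added example: find and repair mailboxes with an empty RoleAssignmentPolicy.
$policy = 'Default Role Assignment Policy'

# Sanity check: the policy we are about to assign must carry MyBaseOptions,
# otherwise the Options page will still fail after the repair
$hasBaseOptions = Get-ManagementRoleAssignment -RoleAssignmentPolicy $policy -Role 'MyBaseOptions'
if (-not $hasBaseOptions) { throw "$policy does not include the MyBaseOptions role" }

# Mailboxes whose policy has been nulled out
$orphaned = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $null -eq $_.RoleAssignmentPolicy }

Write-Host ("{0} mailbox(es) have no role assignment policy" -f @($orphaned).Count)
$orphaned | Select-Object Name, Alias, Database | Format-Table -AutoSize

# Repair: remove -WhatIf once the list above looks right
$orphaned | Set-Mailbox -RoleAssignmentPolicy $policy -WhatIf

# Re-check: after the repair this count should be zero
$remaining = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $null -eq $_.RoleAssignmentPolicy } |
    Measure-Object | Select-Object -ExpandProperty Count
Write-Host "Mailboxes still missing a policy: $remaining"
```

Running the sweep after bulk disconnect/reconnect operations is the practical check, since that is when the setting tends to disappear.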

Troubleshooting BlackBerry Enterprise Server Integration

I thought I’d compile a list of issues that I’ve seen and fixed with regard to BlackBerry Enterprise Server (BES) integration with Exchange and Active Directory. Most of these issues don’t seem to be really well documented on Google but BES will break in strange ways when it hits them. I specifically have seen half-duplex calendaring (e.g. users get their appointments on the device but can’t make updates) with a bunch of these.

Exchange 2010 Address Book Service (DoMT) max connections set to default. This one is documented in BES’ Exchange 2010 guide. You need to tweak MaxSessionsPerUser in the microsoft.exchange.addressbook.service.exe.config file in your Exchange bin folder on your CAS servers. I set mine to 20,000 – a somewhat arbitrary number. You’ll need to bounce the service after this change to have it take effect.

Exchange 2010 Client Throttling set to default. This one is also documented (poorly) in BES’ Exchange 2010 guide. Review my steps here to resolve.

Windows Server 2008+ Domain Controller NSPI throttle set to default. This is a new feature in Windows Server 2008 Active Directory which limits a given user to a total of fifty (50) concurrent NSPI sessions per domain controller. This KB article (949469) documents the steps to resolve (as well as diagnose) this. I set a value of 2,000, again fairly arbitrary. You’ll need to restart the NTDS service for this to be effective.

Exchange 2010 Client Access Array RPC Encryption Required. I haven’t seen this one documented. I haven’t figured out a way to get BES to use RPC Encryption when it makes a connection to the CAS array. If you’re hitting this, the Address Book Service logs on the CAS array will contain entries like the following, where 10.10.13.53 is your BES server:

2010-04-24T00:00:08.032Z,84439,0,,,10.10.13.63,CAS02,ncacn_ip_tcp,Bind,80040102,0,,EncryptionRequired,Ntlm

You’ll have to disable the RPC Encryption requirement on the CAS servers to solve this. If I find a workaround for this I’ll update the post. Reference the Set-RpcClientAccess cmdlet to do this.
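To find out whether this is actually what is hitting you, and from which hosts, it helps to parse the Address Book Service log rather than eyeball it. The following is an added example (not from the original post): it takes log lines in the layout of the sample above, pulls out Bind failures whose reason is EncryptionRequired, groups them by client address, and then shows the current EncryptionRequired setting on each CAS. The sample lines are constructed for the example, the field positions are inferred from the single line shown in the post rather than from documentation, and the log path is a placeholder.

```powershell
# Added example: detect EncryptionRequired Bind failures in Address Book Service logs.
# Constructed sample lines modelled on the one in the post (not real log data).
$sample = @'
2010-04-24T00:00:08.032Z,84439,0,,,10.10.13.63,CAS02,ncacn_ip_tcp,Bind,80040102,0,,EncryptionRequired,Ntlm
2010-04-24T00:00:09.101Z,84440,0,,,10.10.13.63,CAS02,ncacn_ip_tcp,Bind,80040102,0,,EncryptionRequired,Ntlm
2010-04-24T00:00:10.250Z,84441,0,,,10.10.14.20,CAS02,ncacn_ip_tcp,Bind,0,0,,,Ntlm
'@ -split "`r?`n"

function Get-EncryptionRequiredBinds {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if (-not $line) { continue }
        $f = $line -split ','
        # Positional layout assumed from the sample line: 5 = client IP, 6 = server,
        # 7 = protocol, 8 = operation, 9 = HRESULT, 12 = failure reason, 13 = auth
        if ($f.Count -lt 14) { continue }
        if ($f[8] -eq 'Bind' -and $f[12] -eq 'EncryptionRequired') {
            New-Object PSObject -Property @{
                Time     = [datetime]$f[0]
                Client   = $f[5]
                Server   = $f[6]
                Protocol = $f[7]
                HResult  = $f[9]
                Auth     = $f[13]
            }
        }
    }
}

# Which hosts are failing, and how often
Get-EncryptionRequiredBinds -Lines $sample |
    Group-Object Client |
    Select-Object @{n='Client'; e={$_.Name}}, Count |
    Format-Table -AutoSize

# Against real logs, replace the sample with the log directory (placeholder path):
# $lines = Get-Content 'C:\PLACEHOLDER\AddressBook Service\*.LOG'
# Get-EncryptionRequiredBinds -Lines $lines | Group-Object Client

# Current enforcement on each CAS; note that turning EncryptionRequired off with
# Set-RpcClientAccess relaxes it for every MAPI client, not only the BES server
Get-RpcClientAccess | Format-List Server, EncryptionRequired
```

Keeping the client-address breakdown is what tells you whether only BES is affected or whether other unencrypted MAPI clients would also break if the requirement were left in place.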

Old Version of the MAPI/CDO DLLs on the BES server. Grab the latest and greatest here.

Exchange 2010 missing RU1. Make sure you’re on RU1 or better for Exchange 2010 RTM.

BES Server missing SP1 MR1 or better. Grab the latest Service Pack and Maintenance Release from RIM. At the time of this writing, MR2 was current, which had a whole bunch of Exchange 2010 related fixes for BES around basic functionality.

Seen other issues? Post them here so others can benefit.

OCS Mac Messenger Certificate Trust Errors with DigiCert

If you’re getting an error from Mac Messenger about the digital certificate file being invalid when trying to sign-in to OCS, you may need to tweak the root config on your OCS servers.

[Figure: Mac Messenger certificate error dialog]

The good news is the fine folks over at DigiCert have compiled some simple steps that outline how to do this. You’ll need to reboot after you do them.

Warning: The steps outlined above will immediately render the OCS services inoperable and will require a reboot to straighten things out. DO NOT do this during production hours!


Speaking at TEC 2010 Los Angeles

I’ve got three sessions this year at TEC. TEC is by far the best IT conference I’ve attended (and I’ve been to many). You’ve even still got five days to convince your boss and get a discount on the registration fee! My sessions this year are:

  • Inside Kerberos – I’ve got plans to talk about the mechanics of the key Kerberos message sequences that you’ll run into with Active Directory. Kerberos is one of those things you rarely have to configure in AD as it “just works”, but when it doesn’t it really helps to understand what’s going on. We’ll also look at some odds and ends specific to Active Directory. You might even see a couple of guest appearances. Monday, Apr 26 – 4.00 – 5.15 PM.
  • Designing and Planning Active Directory Schema and Data – I’ve got this deck just about baked. We’ll talk about some of the choices you’ll make when designing your own schema extensions as well as tips and tricks for storing, securing, and protecting custom data in Active Directory. I’ve also got time blocked to talk about the soft side of things – planning, testing, change management, etc. Wednesday, Apr 28 – 8.00 – 9.15 AM.
  • Hardcore Windows Troubleshooting – This was my last minute session at TEC last year and it generally got really good feedback. One of the things I’ve found working with Active Directory teams is that they’re often the last line of support for Windows problems regardless of whether or not they involve AD. Thus, I’ve refreshed the deck with new tips, tricks, tools, and scenarios to help you jump in and solve complicated Windows problems. Wednesday, Apr 28 – 11.00 – 12.15 PM.

I hope to see you there. I’ll be in LA Sunday morning until Thursday night. Come find me and say hello! I’m also in the process of setting up pages for each talk on www.theexpertscommunity.com. Gil tells me that anyone will be able to post questions and discussion items on the site and eventually audio recordings of some talks will make it up there too.

Exposing Organization Level Message Tracking in Exchange 2010 OWA

If your end users are using Exchange Server 2010 OWA, one of the things they can now do is track their messages from the Exchange Control Panel and see largely the same data an administrator sees. What isn’t enabled by default is the ability to delegate this on an organization wide basis via the Exchange Control Panel. There is a duplicate of this interface which lets a user search the entire organization’s message tracking logs. In order to access this, you need to do a couple of things:

  1. Create an Active Directory security group to delegate the rights to in RBAC
  2. Create a new Management Role Assignment for the Message Tracking role
  3. Create a new Management Role Assignment for the View-Only Recipients role

I went ahead and created a group called “Exchange Message Tracking Access” and added my account to it. Next, I ran the following PowerShell commands:

New-ManagementRoleAssignment -Role "Message Tracking" -SecurityGroup "Exchange Message Tracking Access"
New-ManagementRoleAssignment -Role "View-Only Recipients" -SecurityGroup "Exchange Message Tracking Access"
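As an added example (not from the original post), here is the whole delegation done end to end and then verified: the group is created as a universal security group (the scope RBAC requires), the two role assignments are created only if they do not already exist, and the result is checked from both the Exchange and the Active Directory side. It assumes the Exchange Management Shell and the Active Directory PowerShell module (Windows Server 2008 R2) are available; the OU path is a placeholder.

```powershell
# Added example: delegate organization-wide message tracking to a security group.
Import-Module ActiveDirectory
$groupName = 'Exchange Message Tracking Access'
$groupOU   = 'OU=Exchange Groups,DC=example,DC=com'   # placeholder OU

# RBAC security group assignments need a universal security group
if (-not (Get-ADGroup -Filter { Name -eq $groupName })) {
    New-ADGroup -Name $groupName -GroupScope Universal -GroupCategory Security -Path $groupOU
}

# One assignment per role; skip any that already exist so the script is re-runnable
foreach ($role in 'Message Tracking', 'View-Only Recipients') {
    $assignmentName = "$role-$groupName"
    $existing = Get-ManagementRoleAssignment -Identity $assignmentName -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-ManagementRoleAssignment -Name $assignmentName -Role $role -SecurityGroup $groupName
    }
}

# Verify: both roles should be listed against the group...
Get-ManagementRoleAssignment -RoleAssignee $groupName |
    Format-Table Name, Role, RoleAssigneeType -AutoSize

# ...and these are the people who can now search the whole organization's tracking logs
Get-ADGroupMember $groupName -Recursive | Select-Object SamAccountName
```

The recursive membership listing is the part worth keeping in a periodic review, since nested groups can widen who can read organization-wide delivery data without anyone touching the RBAC assignment itself.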

Once you log in to Outlook Web App with a user who is in the Exchange Message Tracking Access group and go to the Options (Exchange Control Panel [ECP]) section, you’ll see the option of managing “My Organization” in the upper left hand corner:

[Figure: ECP showing the “My Organization” option in the upper left]

If you select “My Organization”, you’ll get a UI like this:

[Figure: organization-wide message tracking UI in ECP]

The key thing to notice here is the user friendly UI with the help bubbles. You can delegate this to service desk or other front line support personnel so they can handle end user questions as to the delivery status of their message. Each result provides a details view which shows most of the information available to administrators using Message Tracking cmdlets, but in a friendly and understandable interface.

How to Integrate Office Communications Server 2007 R2 with Exchange 2010

One of the new features of Outlook Web App (OWA) in Exchange 2010 is the ability for OWA to act as an IM client if you have Office Communications Server (OCS) in your environment. Once configured, you’ll be able to see and manage your buddy list, manage presence, as well as participate in IM conversations while logged in to OWA. Configuring this integration requires a number of steps on each of your Exchange 2010 Client Access Servers (CAS’). Many of the changes discussed in this blog post will cause brief service interruptions so it is highly recommended that you perform this work during a maintenance window where these interruptions are tolerable.

You’ll need to download two packages in order to proceed:

You can simply run the first download on one machine as it will extract the contents to C:\WebService Provider Installer Package (by default). Inside of this folder will be a number of installers which you’ll need to execute (in order) on each of your CAS servers:

  1. Visual C++ Redistributable (vcredist_x64.exe)
  2. Unified Communications Managed API (ucmaredist.msi)
  3. OCS Service Provider (cwaowassp.msi)

Finally, you’ll need to patch the UC Managed API by installing ucmaredist.msp.

Note: If you have User Account Control (UAC) enabled on your CAS servers, you should execute all of these packages from an elevated command prompt.

Once these packages are installed, you’re ready to configure OWA for integration with OCS. You’ll need to have the name of the OCS Pool which you plan to have your CAS servers connect to on hand as well as some information about the certificate on each CAS server which will be used to secure communications between the CAS server and OCS. Specifically, you’ll need to collect the certificate issuer string as well as the certificate’s serial number. You can do this using the following PowerShell command:

Get-ExchangeCertificate | fl Subject,Issuer,SerialNumber

You should get text returned back similar to the following:

Subject      : CN=mail14.briandesmond.net, OU=IT, O="Brian Desmond Consulting, LLC", L=Chicago, S=Illinois, C=US

Issuer       : CN=DigiCert Global CA, OU=www.digicert.com, O=DigiCert Inc, C=US

SerialNumber : 478C52B6B53E467F9331BB8CB4B2BDB8

Note: If you are using different certificates on each CAS server in your array, you’ll need to collect this data individually on a per CAS server basis.

Make note of the issuer and serial number values for the certificate. You’ll need to tell OWA to use this certificate for communications with OCS. To do this, browse to C:\Program Files\Microsoft\Exchange\V14\ClientAccess\Owa and open the web.config file with notepad. Scroll down and find the following section:

<add key="IMPoolName" value="" />

<add key="IMCertificateIssuer" value="" />

<add key="IMCertificateSerialNumber" value="" />

These are the three values you’ll need to populate for OWA to make the connection to OCS. The first value should be the FQDN of the OCS pool you want to connect to, and the following two values should be copied out of the Get-ExchangeCertificate spew collected earlier as shown below:

<add key="IMPoolName" value="ocspool01.briandesmond.net" />

<add key="IMCertificateIssuer" value='CN=mail14.briandesmond.net, OU=IT, O="Brian Desmond Consulting, LLC", L=Chicago, S=Illinois, C=US' />

<add key="IMCertificateSerialNumber" value="47 8C 52 B6 B5 3E 46 7F 93 31 BB 8C B4 B2 BD B8" />

Warning: There are three extremely important things you need to do when customizing the configuration settings shown above:

  1. If your certificate’s issuer includes any double quotes (as mine does), you must enclose the data in single quotes instead of the default double quotes as shown above.
  2. You must insert the spaces in between each octet in the serial number as shown above.
  3. You must remember to update these values when you renew or replace the certificate on a CAS server.

Once OWA is configured, you’ll need to configure your OCS pool to trust the CAS servers. To do this, access the OCS Administration Pool, and open the Front End Properties of the pool (right click the pool, Properties>Front End Properties). On the Host Authorization tab, add an entry reflecting the certificate you configured in the web.config file in the previous step. You’ll also want to check the “Treat As Authenticated” and “Throttle As Server” checkboxes as shown below:

[Figure: Host Authorization tab with the CAS certificate entry, “Treat As Authenticated” and “Throttle As Server” checked]

In order for this change to take effect immediately, you may need to restart the services on your OCS Front Ends. Doing this will disconnect any currently connected clients so it may instead be advantageous to wait for caches to refresh. The final step is to enable OCS IM integration for the OWA virtual directory. To do this, run the following PowerShell command:

Get-OwaVirtualDirectory -Server YourCasServer | Set-OwaVirtualDirectory -InstantMessagingType OCS
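The certificate collection, web.config edit and virtual directory change above are all per-CAS steps, and the web.config edit is where the quoting and serial number spacing mistakes happen. The following is an added example (not from the original post) that does those three steps on one CAS in a repeatable way: it reads the issuer and serial from the certificate, inserts the spaces between octets, writes the three keys through the XML API (which escapes an issuer containing double quotes for you, so the single-quote workaround is not needed) and enables IM on the virtual directory. It assumes the Exchange Management Shell, that the three keys sit under <appSettings> in the OWA web.config, and that the thumbprint, pool FQDN and path are placeholders for your environment. The OCS Host Authorization entry is a GUI step and is not covered.

```powershell
# Added example: configure the OWA IM keys on a CAS from the certificate itself.
$poolFqdn   = 'ocspool01.briandesmond.net'                                 # OCS pool FQDN
$thumbprint = 'PLACEHOLDER-THUMBPRINT'                                     # from Get-ExchangeCertificate
$webConfig  = 'C:\Program Files\Microsoft\Exchange\V14\ClientAccess\Owa\web.config'

# 1. Issuer and serial of the certificate OWA presents to OCS
$cert = Get-ExchangeCertificate -Thumbprint $thumbprint
if (-not $cert) { throw "Certificate $thumbprint not found on $env:COMPUTERNAME" }

# OCS expects the serial as space separated octets, e.g. "47 8C 52 ... B8"
$serialSpaced = ($cert.SerialNumber -replace '(..)(?!$)', '$1 ').ToUpper()

# 2. Back up and update web.config via XML so attribute quoting is handled for us
Copy-Item $webConfig "$webConfig.bak-$(Get-Date -Format yyyyMMddHHmmss)"
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($webConfig)

$settings = @{
    IMPoolName                = $poolFqdn
    IMCertificateIssuer       = $cert.Issuer
    IMCertificateSerialNumber = $serialSpaced
}
foreach ($key in $settings.Keys) {
    # Assumes the keys live under <appSettings>, as in the snippet in the post
    $node = $xml.SelectSingleNode("//appSettings/add[@key='$key']")
    if (-not $node) { throw "Key $key not found in $webConfig" }
    $node.SetAttribute('value', $settings[$key])
}
$xml.Save($webConfig)

# 3. Enable OCS IM on this server's OWA virtual directory
Get-OwaVirtualDirectory -Server $env:COMPUTERNAME |
    Set-OwaVirtualDirectory -InstantMessagingType OCS

# Show what was written
Select-String -Path $webConfig -Pattern 'IMPoolName|IMCertificateIssuer|IMCertificateSerialNumber'
```

Because the values are derived from the installed certificate rather than typed in, re-running this after a certificate renewal covers the third warning above; the OCS Host Authorization entry still has to be updated by hand to match the new certificate.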

Users who are enabled for OCS should see their buddy list as well as a jelly bean to manage presence next time they log in:

[Figures: OWA buddy list and presence jelly bean]

In summary, there are four key steps you’ll need to take in order to enable OCS integration with Outlook Web App in Exchange 2010. First, you’ll need to download the service provider and latest rollup for the components in the service provider download. Next, you’ll need to install the components downloaded on each Client Access Server. You’ll then collect certificate information from each CAS server and configure that information along with your OCS pool information in the OWA web.config file. Finally, you’ll add the CAS certificate to the list of trusted hosts in OCS and enable OCS integration on the OWA virtual directory.

Converting Hyper-V Snapshots to Dumps

Microsoft has had a tool internally for a while that would convert a saved state or snapshot of a Hyper-V virtual machine into a dump that you could open with the Windows debugging tools. This is really pretty handy sometimes when troubleshooting. The good news is this tool is now publicly available here.