Microsoft Communicator for Mac 2011 (Version 13.0.0)
The new version of Office for Mac 2011 (std) is available to download for MVLS customers. It’s very early as I didn’t expect the release until mid October. One surprise for me was the inclusion of a Communicator for Mac (Version 13). I hadn’t realised (I can’t admit to having done piles of research!) that there was the intention of releasing a full communicator client for mac. I have until now been using the MSN client, which functioned very well.
Setup was very easy with all the SRV records in place, it was very straightforward, email address, username and password and I was in. First impressions are excellent, I can’t see anything I am missing. It prompts for it to be your default presence client and also your default voice client for Telephone and Conference.
I’ve yet to try out the voice side of things, but I’m interested to se ow it fares with a live meeting request.
As per the Windows version of the Communicator 2007 client, logging options are offered, which I am pleased about, and places the log files into your /users/username/library/logs folder.
Mac features like bouncing apps in the dock are all present, with options for Once or continuous bounce.
Displaying of your out of office is optional as is presence indicators based on Exchange calendar.
Another intersting inclusion is the option to use Bonjour to allow local users to be displayed in your contacts list, additionally allowing to block or allow their ability to see you.
Video, conversation saving (prompted or auto) are also there.
Amusingly the status indicator (that has always been round) is a square, just to be different.
Final verdict? Well, i think it’s great, I spent the day using it at home today to connect back to the office over dsl, and where the windows client would have dropped out a few times, it was rock solid. Fantastic.
Connecting to OCS on Linux and Mac
I spend most of my compute time in a Windows OS, and probably mostly that’s still XP. Lately I’ve started to force myself to use linux gui and now, as a result of a change of focus at work, MacOS.
This means getting other clients to connect to OCS. Sure there is always the fallback of WebMOC, but nothing beats a full-fat client imho.
Getting it to work in linux was new territory for me, so I enlisted the help of one of our linux happy developers, who ran through a ‘how to’ for using empathy under Ubuntu. Now even as a linux newbie, can see how this would port to Pidgin etc, and other distributions.
Linux:
Create yourself some root certificates from your AD cert authority.
Download the .cer file(s) to your linux desktop from somewhere you can get to ftp;Smb etc
Drop into a terminal session and make sure you know the path to .cer file(s) (e.g /etc/*username)
#openssl x509 -inform der -in Certfilename.cer -out Certfilename.pem
Do this for as many .cer files as you have (perhaps 1 from primary, 1 from secondary)
# sudo mv Certfilname.pem /etc/ssl/certs
# sudo apt-get install pidgin-sipe telepathy-haze
# sudo shutdown -r “now”
Now restart empathy
# add an account (f4)
# type SIPE
# Account = mail address,domain\username
# Password = domain password
# Advanced – use defaults
# You can try with servername if you know it, though providing you setup SRV correctly, it should be a case of Apply.. You’re on…
Mac:
Create yourself some root certificates from your AD cert authority.
Download the .cer file(s) to your linux desktop from somewhere you can get to ftp;Smb etc
Connect to this share – Connect to server (under the Go in the Finder menu)
Smb://blabla.lukedarby.co.uk/sharename/Rootcerts
Put in your Active Directory username and password, domain\username
Open Certfilname.cer and add to login then select ‘Always Trust’ when asked, you’ll then be asked for the keychain password (mac)
Then do the same for an other certs (perhaps you do primary and secondary)
Install MS Messenger 7.0.2 (currently)
You’ll need to copy the install to your Mac then install it.
Go with Defaults until your asked to choose between Personal or Corporate and you need to select Corporate.
Then you need to enter your details, for the user ID you need to put domain\username.
Complete… You’re on…
Now, I need to get an iPad client working. Currently all the available apps for for iPhone or iPod touch. The most interesting looking being ‘Fuze Messenger’ but this is only supported for OS 4.0, which at the date of writing isn’t available for iPad.
There are some others claiming to answer the issue (iOCS) but they’re iPhone apps and just blow up to an enormous size on an iPad and look..well, silly.
Comparing Cucimoc 8.0(1) to 7.1.x
Cucimoc 7.1.x was and is a decent product for the feature set it offers, but as of the beginning of June 2010, Cisco have released Cucimoc 8.0(1).
There are some significant differences between the 2 products.
- Cucimoc 8 no longer uses the TabUrl area to display the applet/pane, instead it ‘bolts’ itself to the bottom of the screen, like this:
Excellent improvement. - TabUrl can now be set to a unc file share or URL to a centrally held config (strictly speaking you could do this in 7, but cucimoc had to be part of it)
- Conversation History now displays a an alert for missed calls, with the number of them missed.
- The options for device selection move from the OCS Tools menu, to the options button on the cucimoc pane itself, much better and quicker to get to.
- You can now connect to MeetingPlace or Cisco Unified MeetingPlace Server -CUMS (though Meetingplace Express won’t work for me, the notes show Cisco Unified MeetingPlace Express VT 2.0 is supported) from within cucimoc.
- Place and receive video calls, with greater video support not only from the front pane, with ability to answer as video or voice only from the prompt.
- You can also connect through to Voicemail and Visual Voicemail, this is essentially done using IMAP.
- The park feature which I had some trouble with in 7, works perfectly in 8.
Windows 7 support is there for 32 bit, but there is still a Q2/2011 being suggested on some Cisco documents for full 64 bit support. However, the release notes suggest support for 64 bit already being there with the exception stating [On 64-bit editions of Windows 7, you cannot use video when you have Cisco UC Integration for Microsoft Office Communicator set to use your desk phone for phone calls.] (pg8 Table6)
That said, I have it working on 64 bit, on both version 7.1.x and 8.0, but drag and drop calling would not initially work on 7.1.x. This seems common based on the technet msg boards having similar questions. We have got it working however by installing both the x86 and x64 C++ 2008 redistributable packages. I will continue to work on this, as it’s a little messy. In addition to this, more testing shows that on 64 bit versions it’s best to install using the .exe rather than the .msi as it has C++ and .Net as bundled stubs.
The release notes can be found here:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucimoc/8_0/english/release/cucimocReleaseNote.html
The Installation Guide can be found here:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucimoc/8_0/english/installguide/Installation_Guide_for_Cisco_UC_Integration_for_Microsoft_Office_Communicator_Release_80.pdf
Annoyances? Well, maybe just 1 or 2 :) . If you use extension mobility (EM) and login to an alternate deskphone you get an alert message saying you have selected an unknown device. This happens in either version 7.1.x and 8.0. You get a handy little instruction to go the the Communicator menu, Tools ->Select device. However in version 8, they have moved the ‘select device’ to the options tab on the cuci pane, it’s just that the alert message still says the exact same thing… a little QA missing.
It can also be a little sluggish on low bandwidth/dsl links (phone call pop; login etc)
Finally, on a few XPSP3 installs I see this when I use alt-tab to flick between apps. Again, poor QA.
Lastly, the voicemail feature, it changes your voicemail icon to be red when you have voicemail, nice, but, it is slow to react, and doesn’t extinguish until there is a state change (i.e hard phone to softphone switch etc)
All that said, I like it, just want to tweak a few more bits.
OCS 2007 R2 XMPP to Google federation failing
I’ve been spending some time getting the Microsoft OCS2007R2 XMPP gateway working. In essence, it provides OCS users with Jabber/XMPP connectivity outside of the organisation. Nominally, we want to use it to connect to Google, so GTalk/gmail/googlemail users. We could of course use it to connect to others via stds based XMPP, jabber.org users etc.
I had hoped to use XMPP to connect to facebook chat, but although facebook have provided 1 bugfix to allow the use of xmpp clients to connect to it, there is no server to server (S2S) support. More detail here.
So, for now, it’s Google. I went through my config, and provisionally i went with a simple solution of an Edge server in the DMZ with and XMPP (single nic) also in the DMZ. Both boxes are non-domain integrated for security.
My biggest issue was in getting the MTLS connection between Edge(outside NIC) and XMPP. I just couldn’t get it to create the connection, Edge would ignore the cert provided by XMPP. I solved this eventually by installing the respective certificates on each server as trusted roots and presto, it worked.
I was using my own @googlemail.com account for testing and it just wouldn’t work. I went over and over my config to no avail. So I went back to the web. Low and behold a patch for XMPP. KB979311.
In particular it resolves: XMPP federation to gmail.com works. However, XMPP federation to googlemail.com does not work.
So, I install the patch, and 1 reboot later, it works! Phone the boss, sit back and grin.
End? No, of course not, about 2 hours later it stops. Random, it just stops. I checked the config, despite knowing I had changed nothing. I find nothing untoward, of course.
So I install wireshark and start to watch traffic. Eventually i fixate on DNS (port 53). This is based on part experience and partly because it’s the only variable beyond my control as such.
The XMPP session (5269) to Google is done via TCP dialback. In essence, your XMPP server does an service location record lookup (SRV) based on the destination email address suffix (googlemail.com or gmail.com etc), so it does a DNS query for _xmpp-server._tcp.googlemail.com
This then returns an address (or in Googles case a cluster of addresses). Your server then does an A name lookup for the address supplied from that lookup and attempts to connect to the resulting IP address.
At the same time as you’re doing this, the google server does a reverse lookup based on your source email suffix, and again IT does an SRV lookup for _xmpp-server._tcp.lukedarby.co.uk and then based on the the resulting name an A name record, then compares this to the source IP address, if they match, you have connection.. a dialback.
I watched these lookups, they seem fine, an SRV lookup for google gets:
_xmpp-server._tcp.google.com SRV service location:
priority = 5
weight = 0
port = 5269
svr hostname = xmpp-server.l.google.com
_xmpp-server._tcp.google.com SRV service location:
priority = 20
weight = 0
port = 5269
svr hostname = xmpp-server1.l.google.com
_xmpp-server._tcp.google.com SRV service location:
priority = 20
weight = 0
port = 5269
svr hostname = xmpp-server2.l.google.com
_xmpp-server._tcp.google.com SRV service location:
priority = 20
weight = 0
port = 5269
svr hostname = xmpp-server3.l.google.com
_xmpp-server._tcp.google.com SRV service location:
priority = 20
weight = 0
port = 5269
svr hostname = xmpp-server4.l.google.com
google.com nameserver = ns1.google.com
google.com nameserver = ns2.google.com
google.com nameserver = ns3.google.com
google.com nameserver = ns4.google.com
xmpp-server.l.google.com internet address = 74.125.47.125
xmpp-server1.l.google.com internet address = 74.125.155.125
xmpp-server2.l.google.com internet address = 74.125.47.125
xmpp-server3.l.google.com internet address = 74.125.45.125
xmpp-server4.l.google.com internet address = 74.125.45.125
As you can see there are 5 entries returned, which only ever seems to come from 3 differing ip addresses:
74.125.155.125
74.125.47.125
74.125.45.125
Although all of this looks ok, I suspected these are load balanced addressed to a farm of real servers, but 1 or some of these servers are legacy gmail configured boxes and just don’t account for googlemail.com addressing. After all, googlemail.com was an after thought for them when they had rights issues introducing gmail to the UK
Hey!, why can’t Google be fallable!
I decided to try and prove this, and decided a quick and dirty way was to use a host file, so that when my xmpp server did the A names lookup it got the result I staged in the hosts file.
I chose 1 of the addresses above, and dropped it in (155) for all 5 names.
Sure enough, googlemail.com federation works, simply sprung into life.
Next thing is to try and work out which of the above don’t work, I suspect it’s 45, but I don’t know… yet.
So there you go, if like me you’re struggling, that’s why, Google infrastructure folk are as lazy as the rest of us 
Note: Another more simple solution is to convert your @googlemail.com account to @gmail.com, as Google is moving away from googlemail over to gmail now. You can do so here, you’ll need to sign into your account.
CUCIMOC ldap tribulations
I have spent the best part of 3 weeks wrestling with CUCIMOC. It’s fair to say I haven’t been the biggest supporter of this particular piece of software during this time. I respect the feature set, but I can dial a colleague with almost as few clicks on the handset as easily as I can through cucimoc, and the same goes for creating conference calls etc.
One document I would say is prescribed reading is this article. It holds loads of information, but imho is not very clear about valuable points.
Out of the box, getting the integration with CM7 was quite simple, we put the necessary framework devices in place, logged into CUCIMOC with telephonenumber and ‘pin’. All good, or so we thought….
Then we went through the process of integration the CUCM7 servers with AD, opting to use telephonenumber as the primary login mechanism for handsets (who wants to tap out first.last on their 7960 when they use extension mobility!!)
Straight after that, the CTI control of the hard phone (7940/7960) instantly broke. The softphone option would work on occasion, but we simple couldn’t get the hard phone to work again.
A long week of trying various things in our test lab it all came down to the selection of login choice, pin number and password. We are currently CUCM4.x users and in that environment we use pin and password interchangeably, but in CM7 with ldap/AD integration, they become 2 separate items, your pin logs you into a hard phone device and your password is integral to anything you sign into under software emulation of phone devices.
Armed with this in our heads, we went back through our CUCM7 (with AD integration) config, placed all the framework services into the system, then logged into CUCIMOC with telephone number, and password. Hooray RCC/CTI works!
So, that working reliably and predictably, we moved onto the final section of getting ldap to work from the client for CSF data. The CSF data comes into play when someone rings you who isn’t in your Outlook contacts, isn’t a MOC user, but is held in your directory. CSF facilitates that you get a name to reflect against an incoming phone number. This is done via your client talking ldap to AD to retrieve a name for the phone extension. I have done several attempts at getting this to work, but each time I ended up with a disconnected session in the ‘server status’ section of CUCIMOC.
I used wireshark to sniff this conversation, and saw I was getting: W80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece.
Several Googles later I was left confused, was this indeed a context auth error, a password error or an invalid Kerberos token. I went over the wireshark packet trace again and noted that although my username etc was parsing correctly, the password had ’123456′ in clear text. This is the pin i was using in the test lab! So here it was passing correct AD creds with pin number. I changed the login field to use telephone number etc and got variants of these pair of pin/password/extension no/sAMAccount. Never the combo I needed!
I kept putting ldap://<ldapservername> into a browser and would get an error like this:
I then went over the sample data offered with the CUCIMOC client (cucimoc-Admin-ffr.7-1-3.zip) and in particular the file held in ..\Config\SampleCUCIMOC-CUCSFAdminData.bat file.
This clearly defines what entries you will need for stand alone or ADM configured machines via policy. Not only this, but it provides a means (via the batch file) for deploying these settings in basic login scripts etc.
I studied these values, comparing them over and over again with my own, held in my HKCU registry. I could see nothing that helped me, but I keenly tried any variant I could think of. One key kept jumping out at me though, as something I would need to give careful consideration, namely: POLICY_CREDENTIALS_IsLdapSynchronizedWithCucm. Now I’d always assumed that as we had integated CUCM integrated into AD, I would have to have that set to true, and so I did. Again, rebooting between each change to be sure they were taking effect, I was unsuccessful.
So I went back to wireshark/thinking/reading and discussing. A chance conversation with our CUCM Admin, got me closer to the pin vs password conundrum I highlighted above. they are 2 different things in CUCM7 integrated to AD. I was used to CUCM4.
I went back to CUCIMOC and logged it in correctly, with my phone extension as the username and my AD password as the password. Hoorah, MOC logs in, phone control works for CTI and softphone, but… ldap is still disconnected.
I started to read the documentation again, thinking about pins/passwords/samaccountname/userprinciplename/telephone number etc. I then re-read this article which made me start to think about the POLICY_CREDENTIALS_IsLdapSynchronizedWithCucm string value. What if I changed that, that would allow me to specify ldap creds surely.
Changing this to ‘false’ then provides exactly the change highlighted in the document, specify samaccountname and password and bingo.. ldap working at last!
Something I was struggling to find during this little process, was a WORKING example of the registry settings, so hopefully to save you some pain, here are mine.
Why isn’t this documented more clearly, if you make the seemingly inane choice to use telephonenumber as your login mechanism of choice whilst integrating CUCM with AD, you set in place your inability to get ldap to auth properly without having to specify a username and password seperately for client ldap, and you HAVE to set POLICY_CREDENTIALS_IsLdapSynchronizedWithCucm=”false”
Hurrah it works! I’ll not get those tedious hours of my life back though….
Luke Darby
Technology Infrastructure | Media | Communication | Broadcasting
United Kingdom
