Communicator 2011 Mac connect via Edge? Yes!
I honestly haven’t found a straight answer to this question. Does it connect via Edge or not?
Well, the short answer is yes! When I first installed Office it was almost a surprise when it installed a Mac version of Communicator, and a pleasant surprise too. I installed it, got it working on the LAN and then jumped on a train armed with my 3G dongle. I fired it all up, got Outlook connected without VPN and duly expected Communicator to work. It didn’t.
I know that the Windows version was working fine, so I was confident I had no SRV funnies. I went to the forums/TechNet/support/Google and found no answer, only some other folk asking similar questions. I loaded my VPN tunnel and presto, Communicator connected. I tried again and again, on various internet connections, plain DSL etc, and it didn’t work. I came to the conclusion it wasn’t in the feature set. Most answers in forums were to offer VPN; this just seemed a backward step and unnecessary admin overhead.
Last week I installed the latest patch for Communicator 2011 (13.1.0 (101123)) and nosed around the desktop sharing feature and wrote my article on it here. I encouraged my colleagues and team to install the patch also. The following day, Nick in my team was working at home and left me a message to say he’d signed in via Edge!
Being the unbelieving pessimist I am, I had to see it for myself. I fired up 3G and presto: it took a little time, but it signed in over Edge on 443.
So, yes, it works, but only on the latest patch.
Check the basics
You live and learn, my Dad always said to me as a kid. As ever, it’s true. I’d spent an annoying 2 hours last night going over and over the settings of an OCS Edge server. I’d re-run the setup and found nothing to modify/add/change, and I’d checked certificates a couple of times. After reboots of clients and servers, and eventually at risk of missing my last train out of town, I left it.
I wanted to get Communicator on Windows Mobile working, and external Communicator working for our travelling staff, who often VPN back just to get email and OCS.
Today, with fresh eyes, I went through the event viewer to spot anything, and noticed that my external client had skipped through sipinternal., sip. and sipexternal. Hang on, I know I’d configured a record for sip. Ping goes nowhere!! How basic. Check DNS, can’t spot it, but as I turn my head away I see it: my sip entry is a CNAME for a real server A record, and there is an extra ‘i’ in our domain suffix. Take it out, small delay for DNS propagation and tada.. Communicator on my mobile over 3G working.
Small details… small details…
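The fault described above, a sip. CNAME whose target name is misspelled, can be caught by linting an export of the DNS records. This is an added example, not part of the original post: the record data, the example.test names and the function names are constructed, and it assumes the export contains every zone the CNAMEs point into.

```python
# Added example: record data is constructed; function names are hypothetical.
CANDIDATES = ("sipinternal", "sip", "sipexternal")  # order seen in the client's event log

def _norm(name):
    return name.strip().rstrip(".").lower()

def resolve(name, records, hops=0):
    """Follow CNAMEs through exported (name, type, value) records.

    Returns (addresses, error); error is None once an A record is reached.
    """
    name = _norm(name)
    if hops > 8:
        return [], "CNAME chain too long at " + name
    addresses = [v for n, t, v in records if _norm(n) == name and t == "A"]
    if addresses:
        return addresses, None
    for n, t, v in records:
        if _norm(n) == name and t == "CNAME":
            addresses, error = resolve(v, records, hops + 1)
            if error:
                error = "CNAME -> %s: %s" % (_norm(v), error)
            return addresses, error
    return [], "no A or CNAME record"

def check_sip_names(sip_domain, records):
    """Check each name the client tries, in order, for one SIP domain."""
    results = []
    for label in CANDIDATES:
        fqdn = "%s.%s" % (label, _norm(sip_domain))
        addresses, error = resolve(fqdn, records)
        results.append((fqdn, addresses, error))
    return results

# Constructed records: the CNAME target carries an extra 'i' in the domain suffix.
ZONE = [
    ("ocsedge.example.test", "A", "192.0.2.10"),
    ("sip.example.test", "CNAME", "ocsedge.exiample.test"),
]
FIXED = ZONE[:1] + [("sip.example.test", "CNAME", "ocsedge.example.test")]

if __name__ == "__main__":
    for fqdn, addresses, error in check_sip_names("example.test", ZONE):
        print(fqdn, addresses or error)
```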
LCS 2005 Standard to OCS2007R2 Standard: Part 5 Moving LCS to the Configuration container
When OCS2007R2 installs, the default container for global settings is the Configuration container in AD, whereas your LCS installation was put into the System container of the root domain. Again the document highlights all the reasons for this, but essentially for co-existence and speed, you will need to move your LCS settings from their current home in the System container over to Configuration.
Microsoft have kindly provided a terrifying script to do this for you. The script tool is available to download here. The msi extracts to a \MigrateOCS folder on your chosen drive.
Now you come to what I affectionately call the 8 steps of doom. Most critically, please be aware that once you’ve got to and completed the final step, which deletes the LCS configuration from its old home, you can no longer install LCS servers into your domain. In theory you could re-prep the domain etc, but I tried on a test domain and it goes horribly wrong. So, once you do the last step (8) there is no going back.
AND.. you must complete the last step before continuing to the following steps, which extend the schema. The schema version you are on is 1007, and extending the schema to OCS 2007R2 will make this version increment to 1008. The script has a schema version check in it, which will deny you with the following message:
Schema Major Version: 1008
This tool only supports schema major version up to 1007
Each of the 8 steps is detailed in the doc; you’d do well to read through it. A few of the steps had me confused in syntax terms and I’d have loved an example, so I’ve included mine here: LCS-VBS.txt. Included in here is what you will see if you upgrade the schema and then try to perform the last step (8).
Okay, so, that’s AD, LCS, schema all ready for our OCS install.
Note: IF you’re daft enough to not run step 8 (deleting the old 2005 system info with the script) you CAN go into ADSIEdit and bin it yourself. I can see no reason for doing it retrospectively, BUT I offer this advice with no guarantee of success or without warning of extensive damage to your directory db. I did it (in test), I know it works… BE WARNED, there must be a reason for Microsoft checking versions.
LCS 2005 Standard to OCS2007R2 Standard: Part 4 LCS Certificates
Ok, TLS is paramount in LCS to OCS communication. I’m not trying to teach you LCS, but if you were like me and once the thing talked 5060 on TCP, you dusted your hands and got on with something else, then you need to review your LCS certificate situation.
Firstly then, check and if needs be reconfigure the LCS certificate you have in use.
The document notes the format for the certificate; I struggled to grasp it initially. Put simply, it needs to be a Web certificate with Subject Name <YourServerName>.domainname.com, with Subject Alternative Name 1 the same as the subject, then 2 as sip.domainname.com, and as many sip.<enableddomainnames> as you have enabled in your LCS install.
Example:
Subject: LCSServer.lukedarby.co.uk
SAN
LCSServer.lukedarby.co.uk
sip.lukedarby.co.uk
sip.someotherlukedarby.co.uk
sip.motherdarby.com
The simplest way to do this is using the LCS 2005 resource kit executable LCSCertUtil.exe, which will be in the location you allowed it to install, typically C:\Program Files\Microsoft LC 2005\ResKit. It makes the whole process so simple. Remember your CA needs to have the format of ‘CAServer\CAServer’.
Now add this to the LCS server, drill down to the pool, go to properties, Security, Select Certificate and pick the cert you just created. Now go to the General tab and configure your Mutual TLS entry to use the same certificate (If needs be create one, typically this talks on port 5061). Click ok to confirm your changes.
Now, the last few blogs have concentrated on putting LCS into peak condition, so it’s ready to go to the next phase of installation.
LCS 2005 Standard to OCS2007R2 Standard: Part 3 Internal CA and LCS 2005 Patches
If you’ve only ever used your installed Windows/AD CA rarely for base certificates, then you’ll almost certainly need to do some work on it for both Windows 2008 and, of course, the subject of this post, OCS.
We have a Windows CA, as most SMBs will, but it’s a vanilla install. We have a tiered setup of primary and secondary CAs. During the installation of OCS you will need it to issue a SAN certificate. In actual fact, we had to re-issue a new certificate to our LCS install with sip alternate names for all our enabled domains. LCS to OCS communication is via Mutual TLS, so if you want your old world LCS users to be able to talk to newly migrated OCS users, you will need to get your certificates right.
Unless you want to pay for commercial certificates, it’s best to just use your internal CA, but before you can issue a VALID SAN cert, you’ll need to make some modifications to it. If this is your first 2008 server using a certificate in your domain, you will need KB922706, and once that’s done, KB931531, which amounts to issuing from a command line:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc
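Now, that puts us in good stead for the next phase: we can reliably request SAN certificates, including for Windows 2008 servers. Bear in mind the flag is CA-wide: once it is set, the CA honours a SAN supplied as a request attribute on any request, so keep enrolment rights tight and check issued certificates for names nobody asked for.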
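The certificate format from Part 4 (subject first, then sip.<domain> for every enabled domain) can be turned into a small check, shown here as an added example that is not from the original posts. It builds the SAN request attribute in the `SAN:dns=a&dns=b` form passed to `certreq -attrib`, then audits the names on an issued certificate, including any the request never asked for. The function names and the "issued" list are constructed for illustration.

```python
# Added example: helper names are hypothetical; host names follow the page's sample.

def _norm(name):
    return name.strip().rstrip(".").lower()

def expected_names(server_fqdn, sip_domains):
    """Subject name first, then sip.<domain> for every SIP-enabled domain."""
    names = [server_fqdn.strip()]
    for domain in sip_domains:
        candidate = "sip." + _norm(domain)
        if candidate not in map(_norm, names):
            names.append(candidate)
    return names

def san_attribute(server_fqdn, sip_domains):
    """SAN request attribute in the 'SAN:dns=a&dns=b' form."""
    return "SAN:" + "&".join("dns=" + n for n in expected_names(server_fqdn, sip_domains))

def audit_certificate(subject_cn, san_entries, server_fqdn, sip_domains):
    """Return a list of problems; an empty list means the names match the format."""
    want = [_norm(n) for n in expected_names(server_fqdn, sip_domains)]
    have = [_norm(n) for n in san_entries]
    problems = []
    if _norm(subject_cn) != want[0]:
        problems.append("subject is not the server FQDN: " + subject_cn)
    if not have or have[0] != want[0]:
        problems.append("first SAN entry does not repeat the subject")
    problems += ["missing SAN entry " + n for n in want[1:] if n not in have]
    problems += ["unexpected SAN entry " + n for n in have if n not in want]
    return problems

SERVER = "LCSServer.lukedarby.co.uk"
DOMAINS = ["lukedarby.co.uk", "someotherlukedarby.co.uk", "motherdarby.com"]
# Constructed "issued" certificate: one SIP domain forgotten, one name nobody requested.
ISSUED_SAN = ["LCSServer.lukedarby.co.uk", "sip.lukedarby.co.uk",
              "sip.motherdarby.com", "mail.lukedarby.co.uk"]

if __name__ == "__main__":
    print(san_attribute(SERVER, DOMAINS))
    for problem in audit_certificate(SERVER, ISSUED_SAN, SERVER, DOMAINS):
        print("PROBLEM:", problem)
```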
I’d left our LCS server on SP1, as I’d found no pressing need to add postfix patches, but for this install we have to look at LCS preparedness first. It needs to be SP1 and then patched with any post SP patches. These are all outlined in the Word document I mentioned above, in the section titled ‘Before you begin Migrating From Live Communications Server 2005’. I would follow this section completely with 1 exception: I wouldn’t bother updating the client for the moment. The unpatched client will still attach to either flavour of server (incl OCS).
Server Patches:
http://go.microsoft.com/fwlink/?LinkId=140892
http://go.microsoft.com/fwlink/?LinkId=132177
http://go.microsoft.com/fwlink/?LinkId=140865
http://go.microsoft.com/fwlink/?LinkId=140105
Client Patch(msp):
http://go.microsoft.com/fwlink/?LinkId=139875
If you’ve regularly run Windows Update, you may find that at least 1 or 2 of these patches are already installed. DON’T re-install KB921543, as once uninstalled it can’t be re-installed.
There will doubtless be reboots after these patches, so notify your users of downtime in advance.
IMPORTANT!! If you had not patched your LCS server in a while, you may not have had Windows security patch KB974571 applied; I hadn’t. In essence, this ASN fix breaks LCS and OCS!! The symptoms are that the server will not start the service. Details are here, as well as the fix OCSASNFIX.EXE.
This serves to support my argument that Windows patches are crucial to your environment, but don’t rush to apply them, stay a little behind. If you’d jumped to install the latest and greatest, you could have been faced with lengthy downtime, and possibly engaging MS Professional services.



