Wednesday, January 30, 2013

Microsoft Executive Briefing Unified Communication

Today in German for a change ;)

At yesterday's Executive Briefing at Microsoft's Executive Briefing Center Munich (EBC) I had the opportunity to present how introducing Unified Communication increases enterprise efficiency.
It is exciting and interesting to explore the initial possibilities and to explain them to the CxO audience.

I hope you enjoy the presentation:


Skype for Business, Lync and Exchange Web Services (EWS) with different DNS domains - how Lync crawls Exchange, e.g. for presence

Hi all,
(This is an updated version 2.2: 09.07.2015)

This blog entry is valid for Lync 2010, Lync 2013 and Skype for Business Server.
I will write a new blog article, since conversation history across multiple devices and other services has changed with Skype for Business Server 2015. Once it is written, I will post the link here.

There is always confusion about how Lync crawls Exchange Web Services (EWS).
First it is necessary to understand how DNS must be implemented:
identify whether you have a split DNS configuration, whether your internal and external DNS names differ, and what your SMTP and SIP domains are.


Very often in Lync/Exchange deployments you find an issue where the Lync client configuration information shows empty values for:
EWS Internal URL
EWS External URL
and
EWS Information = EWS not deployed

In that case Exchange Web Services are not connected and several Lync integration features do not work, e.g. presence information based on your Outlook calendar.
The features depending on EWS are:
  • Unified Contact Store
  • High-Resolution Photos
  • Meeting tab
  • Contact Information
  • Presence based on Calendar Information
  • Conversation History
  • Missed Conversations
  • Missed Calls
  • Voice Mail Playback


Exchange Setup DNS:

You need three DNS records PER SMTP domain, both internally (split DNS) and on the external DNS server: two for Autodiscover and one for EWS:
autodiscover.domain.name CNAME exchangeserver (CAS)
_autodiscover._tcp.domain.name SRV 0 0 443 exchangeserver (CAS)
ewsurl.domain.name A exchangeserver (CAS)
If you use a different domain internally, e.g. your Active Directory domain, you can of course publish another EWS URL internally, but the Autodiscover lookup Lync performs still identifies the XML file via the user's SIP domain. Split DNS is therefore recommended (at least for Autodiscover).
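The record set above is easy to get wrong once several SMTP domains and two zones (internal and external) are involved, so here is a small planner and checker for it. This is an added example, not code from the blog post: it derives the three required records per SMTP domain and reports what each zone is missing. The zone contents, the CAS host cas01.contoso.example and the EWS host ews.contoso.example are constructed placeholders.

```python
"""Plan and check the DNS records Lync/Skype for Business need per SMTP domain
to reach Exchange Autodiscover and EWS, in the internal (split DNS) and the
external zone.

Added example, not code from the blog post. Zone contents are constructed
sample data; cas01.contoso.example and ews.contoso.example are placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    value: str


def required_records(smtp_domain: str, cas_host: str, ews_host: str) -> list[Record]:
    """The three records the post lists per SMTP domain: autodiscover CNAME,
    _autodiscover._tcp SRV on port 443, and the A record of the EWS host name."""
    return [
        Record(f"autodiscover.{smtp_domain}", "CNAME", cas_host),
        Record(f"_autodiscover._tcp.{smtp_domain}", "SRV", f"0 0 443 {cas_host}"),
        # The A record value differs per zone (private vs. public address),
        # so only its presence is checked below.
        Record(ews_host, "A", "<CAS address in this zone>"),
    ]


def parse_zone(zone_text: str) -> dict[tuple[str, str], str]:
    """Parse simple 'name TYPE value...' lines into {(name, type): value}.
    Names are lower-cased and trailing dots dropped so comparisons are stable."""
    zone: dict[tuple[str, str], str] = {}
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, rtype, value = line.split(None, 2)
        zone[(name.lower().rstrip("."), rtype.upper())] = value
    return zone


def missing_records(zone: dict[tuple[str, str], str], smtp_domains: list[str],
                    cas_host: str, ews_host: str) -> list[tuple[str, str]]:
    """(name, type) pairs that are required but absent from the zone."""
    missing: list[tuple[str, str]] = []
    for domain in smtp_domains:
        for rec in required_records(domain, cas_host, ews_host):
            key = (rec.name.lower(), rec.rtype)
            if key not in zone and key not in missing:
                missing.append(key)
    return missing


def split_dns_report(internal_zone_text: str, external_zone_text: str,
                     smtp_domains: list[str], cas_host: str, ews_host: str) -> dict[str, list[tuple[str, str]]]:
    """Split DNS means both zones must answer for the same names; report the
    gaps of each zone separately."""
    return {
        "internal": missing_records(parse_zone(internal_zone_text), smtp_domains, cas_host, ews_host),
        "external": missing_records(parse_zone(external_zone_text), smtp_domains, cas_host, ews_host),
    }


# Constructed sample: two SMTP domains, one CAS, one shared EWS host name.
SMTP_DOMAINS = ["contoso.example", "fabrikam.example"]
CAS_HOST = "cas01.contoso.example"
EWS_HOST = "ews.contoso.example"

INTERNAL_ZONE = """
; internal view (split DNS): private address for EWS, fabrikam SRV forgotten
autodiscover.contoso.example        CNAME cas01.contoso.example
_autodiscover._tcp.contoso.example  SRV   0 0 443 cas01.contoso.example
ews.contoso.example                 A     10.0.0.25
autodiscover.fabrikam.example       CNAME cas01.contoso.example
"""

EXTERNAL_ZONE = """
; external view: public address for EWS, fabrikam CNAME forgotten
autodiscover.contoso.example        CNAME cas01.contoso.example
_autodiscover._tcp.contoso.example  SRV   0 0 443 cas01.contoso.example
ews.contoso.example                 A     203.0.113.25
_autodiscover._tcp.fabrikam.example SRV   0 0 443 cas01.contoso.example
"""

if __name__ == "__main__":
    report = split_dns_report(INTERNAL_ZONE, EXTERNAL_ZONE, SMTP_DOMAINS, CAS_HOST, EWS_HOST)
    for zone, gaps in report.items():
        print(zone, "missing:", gaps or "nothing")
```

Only names and record types are compared, because in a split DNS setup the same name legitimately carries different values in the two zones; the value column is there for the planning output, not for the comparison.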


NOTE:
As this is never really discussed properly:
Autodiscover will never use the InternalUrl and ExternalUrl of the Autodiscover virtual directory. In Exchange 2007/2010 you are able to define those parameters; in Exchange 2013 they are even documented in TechNet, but they simply don't exist anymore. You'll receive an error if you specify the URLs.

The discovery process for OUTLOOK is:
  • SCP lookup (only if the client is domain joined)
  • HTTPS root domain query
  • HTTPS Autodiscover domain query
  • HTTP redirect method
  • SRV record query
  • Local XML file
  • cached URL in the Outlook profile (new in Outlook 2013).

The discovery process for LYNC is:

  • internally, Autodiscover is identified by DNS entry.
  • externally, Autodiscover is identified by DNS entry.

Additionally you need to check:

Autodiscover Virtual Directory:
Set up the internal and external URL, including HTTPS and Basic Authentication:
Set-AutodiscoverVirtualDirectory -Identity 'SERVER01\Autodiscover (Default Web Site)' -ExternalURL 'https://ews.domain.name/autodiscover/autodiscover.xml' -InternalURL 'https://ews.domain.name/autodiscover/autodiscover.xml' -BasicAuthentication $true

Note:
The AutodiscoverVirtualDirectory URLs are reserved for Microsoft's optional use only.

Therefore it is not necessary, and not best practice, to define them!
If you set the URLs, it will NOT HAVE AN IMPACT. Whether they are defined or not does not change the Autodiscover behavior, since they are NOT USED within Exchange.
What IS important is the authentication: you must enable Basic Authentication so that the SSL configuration takes effect.
It would be enough to configure simply:
Set-AutodiscoverVirtualDirectory -Identity 'SERVER01\Autodiscover (Default Web Site)' -BasicAuthentication $true
But:
if you define the URLs, you have a reminder of what is configured, more like a comment.


Web Services Virtual Directory:
Set up the internal and external URL, including HTTPS and Basic Authentication:
Set-WebServicesVirtualDirectory -Identity "SERVER01\EWS (Default Web Site)" -ExternalUrl https://ews.domain.name/EWS/exchange.asmx -InternalUrl https://ews.domain.name/EWS/exchange.asmx -BasicAuthentication $true

The EWS service is responsible for the Lync integration, especially for calendar information and the conversation history.
Therefore this is the most essential configuration.

Publishing the EWS service via Reverse Proxy:
Autodiscover and EWS do NOT support FBA (forms-based authentication).
The client needs the XML file straight away, without an authentication web page; then access to the EWS URL must be authenticated at the Exchange CAS server. Authentication must be NTLM over HTTPS (so do not use HTTP, the password would be submitted in clear text). NTLM authentication is hard-coded in the Lync client.


Lync Setup:
First the good news: there is nothing we have to consider on the Lync Server. The feature is a client integration feature, therefore we have nothing to configure.
There is only one exception: the CWA integration for Exchange OWA.
During setup and integration of the CWA features, the EWS configuration must meet the same requirements as the Lync client configuration.


One last thing to consider and plan properly are the certificates:
All communication is based on HTTPS and TLS, which includes the encryption; certificates are used for transcoding.
What is complicated is the combination of the DNS setup, the SMTP/SIP domains and the SAN names in the involved certificates.

Lync in this case is straightforward: you simply have to include all SIP domains in your SAN.
Exchange, however, offers two possible ways:
  • make sure you have configured the CAS server certificates including all SAN names for all SMTP and SIP domains
  • make use of IIS-based redirection web pages. If you choose this configuration, it is possible to minimize the required SAN configuration.
In both configurations you still need to consider your DNS zone setup.
If possible (and I personally prefer it) use DNS splitting for internal and external resolution. This makes your deployment more supportable.

Note:
If you consult for a customer and you propose DNS splitting, make sure you fully validate the other web-based services which depend on DNS names too!


How Lync discovers the EWS service via Autodiscover:

As illustrated, it is essential for the best user experience to have the Lync SIP domain identical with the default Exchange e-mail domain. Lync uses the SMTP domain for the Autodiscover process. This is especially important if you are not inside your corporate network (LAN). Lync is never able to use SCP, only DNS A and SRV records.

DNS resolution occurs first:

  • look into the Autodiscover.xml file and use the server name (DNS) provided there
  • use autodiscover.<smtpdomain>
  • use _autodiscover._tcp.<smtpdomain>

  • Then access the Autodiscover.xml file located in the Exchange environment in the following order:

    http://<smtpdomain>/autodiscover/autodiscover.xml
    https://<smtpdomain>/autodiscover/autodiscover.xml
    http://autodiscover.<smtpdomain>/autodiscover/autodiscover.xml
    https://autodiscover.<smtpdomain>/autodiscover/autodiscover.xml
    _autodiscover._tcp.<smtpdomain>




One more remark:
If you didn't deploy EWS correctly from the very beginning, you might encounter other client issues. Therefore it is recommended to delete the following file:

%userprofile%\AppData\Local\Microsoft\Outlook\*autodiscover.xml

This file is ONLY created by Outlook; Lync does not write this file, it only uses the web services.

Troubleshooting:
You should try to access Autodiscover via web browser using one of the links provided above. You must be asked for your credentials (it requires that you have an Exchange mailbox). Exchange will then show you this XML:

<?xml version="1.0" encoding="UTF-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response>
    <Error Id="2907134699" Time="12:55:55.0540898">
      <ErrorCode>600</ErrorCode>
      <Message>Invalid Request</Message>
      <DebugData/>
    </Error>
  </Response>
</Autodiscover>

If you see this message, Autodiscover is reachable and OK.
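The lookup order from the "How Lync discovers the EWS service" section and the browser check just described, as an added example that is not code from the post: it enumerates the candidate locations in the documented order, turns an SRV answer into the URL to try, flags which candidates may carry credentials at all (HTTPS only, as the reverse proxy section demands), and parses the Autodiscover document to recognise the ErrorCode 600 "Invalid Request" answer as the healthy case. No network traffic is made; the SRV answer and the XML are constructed sample input and cas01.contoso.example is a placeholder host.

```python
"""Autodiscover lookup order for the Lync client and a parser for the
Autodiscover error document a browser receives.

Added example, not code from the blog post. The SRV answer and the XML
document are constructed sample input; cas01.contoso.example is a placeholder.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"
NS = "{http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006}"


def lync_autodiscover_candidates(smtp_domain: str) -> list[str]:
    """Locations the post lists, in the order the Lync client tries them.
    The last entry is an SRV name, not a URL; resolve it with srv_target_url()."""
    return [
        f"http://{smtp_domain}{AUTODISCOVER_PATH}",
        f"https://{smtp_domain}{AUTODISCOVER_PATH}",
        f"http://autodiscover.{smtp_domain}{AUTODISCOVER_PATH}",
        f"https://autodiscover.{smtp_domain}{AUTODISCOVER_PATH}",
        f"_autodiscover._tcp.{smtp_domain}",
    ]


def srv_target_url(srv_answer: str) -> str:
    """Build the HTTPS Autodiscover URL from an SRV answer such as
    '0 0 443 cas01.contoso.example' (priority weight port target)."""
    _priority, _weight, port, target = srv_answer.split()
    host = target.rstrip(".")
    authority = host if port == "443" else f"{host}:{port}"
    return f"https://{authority}{AUTODISCOVER_PATH}"


def safe_for_credentials(url: str) -> bool:
    """NTLM over HTTPS only: never answer an authentication challenge on a
    plain-HTTP candidate (those exist only to pick up redirects)."""
    return url.lower().startswith("https://")


def classify_autodiscover_response(xml_text: str) -> tuple[str, str, str]:
    """Return (verdict, error_code, message) for an Autodiscover response.
    ErrorCode 600 'Invalid Request' is the expected answer to a browser GET and
    shows that Autodiscover is reachable and authenticating."""
    root = ET.fromstring(xml_text)
    error = root.find(f".//{NS}Error")
    if error is None:
        return ("settings", "", "response contains no <Error> element")
    code = (error.findtext(f"{NS}ErrorCode") or "").strip()
    message = (error.findtext(f"{NS}Message") or "").strip()
    verdict = "reachable" if code == "600" else "error"
    return (verdict, code, message)


# Constructed sample: the document the post shows after a browser GET.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response>
    <Error Id="2907134699" Time="12:55:55.0540898">
      <ErrorCode>600</ErrorCode>
      <Message>Invalid Request</Message>
      <DebugData/>
    </Error>
  </Response>
</Autodiscover>"""

if __name__ == "__main__":
    for candidate in lync_autodiscover_candidates("contoso.example"):
        print(candidate, "(credentials allowed)" if safe_for_credentials(candidate) else "(no credentials)")
    print(srv_target_url("0 0 443 cas01.contoso.example"))
    print(classify_autodiscover_response(SAMPLE_RESPONSE))
```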

Next check access to https://EWSURL/ews/exchange.asmx; after login with your credentials you will be redirected to https://EWSURL/ews/Services.wsdl and another XML document is provided.

Also verify on the client where Outlook is installed HKCU\Software\Microsoft\Office\x.0\Outlook\Autodiscover\RedirectServers and, if necessary, delete those entries. Double-check these keys too: HKCU\Software\Policies\Microsoft\Office\x.0\Outlook\Autodiscover

On the Exchange CAS servers you should also check manually on the EWS and the Default Web Site whether NTLM is the first choice for authentication and Negotiate the second option.

Use the appcmd command to query the settings:
C:\Windows\System32\inetsrv>appcmd list config /section:windowsAuthentication
<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="true" useKernelMode="false">
        <providers>
          <add value="Negotiate" />   <-- must NOT be first!
          <add value="NTLM" />
        </providers>
        <extendedProtection>
        </extendedProtection>
      </windowsAuthentication>
    </authentication>
  </security>
</system.webServer>

If you need to change this setup, please use this method:
cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM,Negotiate"
or (the first command removes Negotiate from the list, the second appends it again after NTLM):
C:\Windows\System32\inetsrv>appcmd set config /section:windowsAuthentication /-providers.[value='Negotiate']
C:\Windows\System32\inetsrv>appcmd set config -section:system.webServer/security/authentication/windowsAuthentication /+"providers.[value='Negotiate']" /commit:apphost
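Checking the provider order by eye across several CAS servers and sites is error-prone, so here is a check over the XML that the appcmd list command prints. This is an added example, not code from the post: it extracts the provider list and reports whether NTLM is first and Negotiate second, as the post requires. Both documents are constructed sample output; the first mirrors the misconfiguration shown above, the second the corrected state.

```python
"""Check the IIS windowsAuthentication provider order for the EWS and the
Default Web Site: NTLM first, Negotiate second.

Added example, not code from the blog post; it parses the XML printed by
'appcmd list config /section:windowsAuthentication'. Both documents below
are constructed sample output.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

EXPECTED_ORDER = ["NTLM", "Negotiate"]


def provider_order(appcmd_xml: str) -> list[str] | None:
    """Return the <providers> values in configured order, or None when Windows
    authentication is disabled or the section is absent."""
    root = ET.fromstring(appcmd_xml)
    section = root if root.tag == "windowsAuthentication" else root.find(".//windowsAuthentication")
    if section is None or section.get("enabled", "false").lower() != "true":
        return None
    return [add.get("value", "") for add in section.findall("./providers/add")]


def check_provider_order(appcmd_xml: str) -> tuple[bool, str]:
    """(ok, finding) for one site's windowsAuthentication section."""
    order = provider_order(appcmd_xml)
    if order is None:
        return False, "Windows authentication disabled or section missing"
    if "NTLM" not in order:
        return False, f"NTLM provider missing: {order}"
    if order[0] != "NTLM":
        return False, f"NTLM must be listed first, found {order}"
    if order != EXPECTED_ORDER:
        return False, f"unexpected provider list {order}, expected {EXPECTED_ORDER}"
    return True, f"provider order ok: {order}"


# Constructed sample output: Negotiate before NTLM, as in the post's listing.
MISCONFIGURED = """<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="true" useKernelMode="false">
        <providers>
          <add value="Negotiate" />
          <add value="NTLM" />
        </providers>
        <extendedProtection>
        </extendedProtection>
      </windowsAuthentication>
    </authentication>
  </security>
</system.webServer>"""

# Constructed sample output after Negotiate was removed and re-added last.
CORRECTED = """<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="true" useKernelMode="false">
        <providers>
          <add value="NTLM" />
          <add value="Negotiate" />
        </providers>
        <extendedProtection>
        </extendedProtection>
      </windowsAuthentication>
    </authentication>
  </security>
</system.webServer>"""

if __name__ == "__main__":
    for label, document in (("before", MISCONFIGURED), ("after", CORRECTED)):
        print(label, check_provider_order(document))
```

Run it against the captured output of each site you publish (EWS and the Default Web Site, per CAS server); a site whose section is missing or disabled is reported as a failure rather than silently skipped.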



Also check the cache files of Lync: navigate to C:\Users\<user>\AppData\Local\Microsoft\Office\15.0\Lync\sip_<user>@sip-domain.name; there is a file named EwsFolder<user>@sip-domain.com.cache. This file is not readable, so delete it and let it be recreated.

If nothing helps, resetting the Exchange virtual directories is the last option:
refer to TechNet article ff629372.

Note:
The registry key under HKCU\Software\Microsoft\Office\x.0\Lync\<user.name>\...
named LyncAutodiscover is not for EWS; it caches the LYNC WEB SERVICES only.

------------------------------------------------------------------------------------------------


MAPI/EWS Error Handling

While transient failures are those for which the UC client or device attempts to reconnect to the server running Microsoft Exchange, permanent failures are those for which no attempts are made to reestablish the connection.

Connection Type | Transient Failures                  | Permanent Failures
----------------|-------------------------------------|----------------------------------------------------
MAPI            | Sign-in failure; Process terminated | Everything else
EWS             | Everything else                     | EWS Autodiscovery issues; Credential-related issues



The following summary describes the retry logic that the UC client or device uses in response to an error condition representing an EWS or MAPI connectivity failure.

Error Condition          | Error Description | Retry Connection
-------------------------|-------------------|-----------------
MapiFolderCriticalError  | Non-recoverable MAPI error (Win32 system call failure or otherwise occurred) | No
EwsFolderCriticalError   | Non-recoverable EWS error occurred | No
EwsFolderTransientError  | Recoverable transient error (change of networks or momentary network outage) | Yes
EwsNotConfigured         | Non-recoverable condition where EWS is not configured in the environment, or one of the following conditions exists: (1) no cached EWS URLs in the registry and there is a failure contacting EWS; (2) cached EWS URLs are found, but the hourly refresh fails 24 consecutive times; (3) the EWS response is successful, but no EWS URLs are present in the response | No
MapiFolderTransientError | Recoverable transient error (change of networks or momentary network outage) | Yes
MapiNotInstalled         | Non-recoverable condition where MAPI/Outlook is not installed | No
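The EwsNotConfigured row is the one that matters in troubleshooting, because it is the condition under which the client stops retrying. The following added example (not code from the post or from Microsoft) models that decision from the table's wording: the "Retry Connection" column as a lookup, and the three EwsNotConfigured conditions applied to a history of hourly refresh outcomes. The function signature and the intermediate state names NoAttemptYet and Connected are assumptions of this example.

```python
"""Model of the EWS retry logic in the error-handling table: which condition
the client ends in and whether it keeps retrying.

Added example, not code from the blog post or from Microsoft. The mapping of
observations to conditions follows the table's wording; the signature and the
state names NoAttemptYet / Connected are assumptions of this example.
"""
from __future__ import annotations

# "Retry Connection" column of the table.
RETRY_CONNECTION = {
    "MapiFolderCriticalError": False,
    "EwsFolderCriticalError": False,
    "EwsFolderTransientError": True,
    "EwsNotConfigured": False,
    "MapiFolderTransientError": True,
    "MapiNotInstalled": False,
}

# Condition 2 of EwsNotConfigured: the hourly refresh fails 24 consecutive times.
MAX_CONSECUTIVE_REFRESH_FAILURES = 24


def trailing_failures(refresh_results: list[bool]) -> int:
    """Length of the run of failures (False) at the end of the history."""
    count = 0
    for ok in reversed(refresh_results):
        if ok:
            break
        count += 1
    return count


def classify_ews_state(cached_urls: bool, refresh_results: list[bool],
                       response_has_urls: bool = True) -> tuple[str, bool]:
    """refresh_results is the chronological list of EWS contact/refresh
    outcomes (True = success). Returns (error condition, retry?)."""
    if not refresh_results:
        # Assumption: nothing is decided before the first contact attempt.
        return ("NoAttemptYet", True)
    if refresh_results[-1]:
        # Condition 3: a successful response that carries no EWS URLs.
        if not response_has_urls:
            return ("EwsNotConfigured", RETRY_CONNECTION["EwsNotConfigured"])
        return ("Connected", False)
    if not cached_urls:
        # Condition 1: no cached URLs in the registry and the contact failed.
        return ("EwsNotConfigured", RETRY_CONNECTION["EwsNotConfigured"])
    if trailing_failures(refresh_results) >= MAX_CONSECUTIVE_REFRESH_FAILURES:
        # Condition 2: cached URLs, but 24 consecutive hourly refresh failures.
        return ("EwsNotConfigured", RETRY_CONNECTION["EwsNotConfigured"])
    # Anything short of that is a recoverable outage: keep retrying.
    return ("EwsFolderTransientError", RETRY_CONNECTION["EwsFolderTransientError"])


if __name__ == "__main__":
    print(classify_ews_state(False, [False]))                 # first contact fails, nothing cached
    print(classify_ews_state(True, [True] + [False] * 23))    # still transient
    print(classify_ews_state(True, [True] + [False] * 24))    # gives up
    print(classify_ews_state(True, [True], response_has_urls=False))
```

The practical reading of the model: once EwsNotConfigured is reached the client will not recover on its own, which is why the post recommends deleting the Lync EwsFolder cache file and signing in again rather than waiting.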


Feature Availability

UC Client Features (by Connection Type)

The original table has one column per configuration:
  • Exchange Server 2003, Lync Server (No EWS)
  • Exchange Server 2007, Exchange Server 2010, Lync Server (No EWS)
  • Exchange Server 2007, Exchange Server 2010, Lync Server (MAPI + EWS)
  • Exchange Server 2007, Exchange Server 2010, Lync Server (No MAPI)
Its cells were merged, so only the connection types that survived are listed per feature (a row without a value is left blank):

Lync / Attendant Feature                         | Connection type(s)
-------------------------------------------------|-----------------------------------
Voice Mail Notification – Read/Unread            | MAPI (Pushed); EWS (Subscription)
Missed Conversations Notification – Read/Unread  |
Voice Mail display in Lync                       | N/A
Recent Conversations in Conversation Environment | N/A
Exchange Contacts Integration (Merge/Search)     | MAPI (Pushed)
Write Conversation History to Exchange           | MAPI (On Demand); EWS (On Demand)
Create Contacts in Exchange (write)              | N/A
Free/Busy Calendar Information                   | MAPI (Polled); EWS (Polled)
Working Hours                                    | N/A
Out of Office Manager                            | MAPI (Polled)
Exchange Delegates                               | MAPI (Pushed); N/A





UC Device Features (by Connection Type)

Device | Context | Exchange Server 2007, Exchange Server 2010, Lync Server Features (No EWS) | Exchange Server 2007, Exchange Server 2010, Lync Server Features (EWS)
-------|---------|----------------------------------------------------------------------------|-------------------------------------------------------------------------
Polycom CX700 IP desk phone | Signed in through computer (USB), or signed in through device (Username/Password) | MWI; Call Voicemail; View Contacts | MWI; Call Voice mail; Calendar; View Contacts; Call Logs; Unified Contact Store
Aastra 6725ip, Polycom CX600, Polycom CX3000 | Signed in through computer (USB) (Username/Password) | MWI; Call Voicemail; View Contacts | MWI; Call Voice mail; Calendar; View Contacts; Call Logs; Unified Contact Store
Aastra 6721ip, Aastra 6725ip, Polycom CX500, Polycom CX600, Polycom CX3000 | Signed in through PIN (PIN/Certificate) | MWI; Call Voicemail; View Contacts | MWI; Call Voice mail; Calendar; View Contacts; Call Logs; Unified Contact Store






Feature Impact

UC Client Features (Connectivity Failures)

Scenario | Configuration Information | Error Message in UI | Feature Impact
---------|---------------------------|---------------------|---------------
MAPI Available, EWS Available | MAPI status OK; EWS status OK | None | No features impacted
MAPI Unavailable, EWS Available | MAPI unavailable, retrying connection; EWS status OK | None | No features impacted
MAPI Unavailable, EWS Available | MAPI unavailable; EWS status OK | None | No features impacted
MAPI Unavailable, EWS Not Deployed | MAPI unavailable, retrying connection; EWS Not Deployed | Lync is experiencing connection issues with Exchange. Lync will attempt to repair the connection. | All features impacted
MAPI Unavailable, EWS Not Deployed | MAPI unavailable; EWS Not Deployed | Lync cannot connect to the Exchange server. Please try signing out and signing back in. | All features impacted
MAPI Available, EWS Unavailable | MAPI status OK; EWS unavailable, retrying connection | Lync is experiencing connection issues with Exchange. Lync will attempt to repair the connection. | Voice Mail, Contacts (write), Working Hours, and Conversation History (read) impacted
MAPI Available, EWS Unavailable | MAPI status OK; EWS unavailable | Lync cannot connect to the Exchange server. Please try signing out and signing back in. | Voice Mail, Contacts (write), Working Hours, and Conversation History (read) impacted
MAPI Not Installed, EWS Unavailable | MAPI not installed | Lync is experiencing connection issues with Exchange. Lync will attempt to repair the connection. | All features impacted
MAPI Not Installed, EWS Unavailable | MAPI not installed; EWS unavailable | Lync cannot connect to the Exchange server. To restore this connection, please try signing out and signing back in. | All features impacted
MAPI Unavailable, EWS Unavailable | MAPI unavailable | Lync cannot connect to the Exchange server. Lync will attempt to retry the connection. | All features impacted
MAPI Unavailable, EWS Unavailable | EWS unavailable | Lync cannot connect to the Exchange server. Lync will attempt to retry the connection. | All features impacted







UC Device Features (Connectivity Failures)

Device | Context | Notification Message | Features Impacted
-------|---------|----------------------|------------------
Polycom CX700 IP desk phone | Signed in through computer (USB), or signed in through device (Username/Password) | Unable to connect to Microsoft Exchange. Retrying… (Transient) | Calendar; Call Logs; Unified Contact Store
Aastra 6725ip, Polycom CX600, Polycom CX3000 | Signed in through computer (USB) (Username/Password) | Unable to connect to Microsoft Exchange. Retrying… (Transient) | Calendar; Call Logs; Unified Contact Store
Polycom CX700 IP desk phone | Signed in through computer (USB), or signed in through device (Username/Password) | Please sign in to restore the connection to Microsoft Exchange. (Permanent) | Calendar; Call Logs; Unified Contact Store
Aastra 6725ip, Polycom CX600, Polycom CX3000 | Signed in through computer (USB) (Username/Password) | Please sign in to restore the connection to Microsoft Exchange. (Permanent) | Calendar; Call Logs; Unified Contact Store
Aastra 6721ip, Aastra 6725ip, Polycom CX500, Polycom CX600, Polycom CX3000 | Signed in through PIN (PIN/Certificate) | Unable to connect to Microsoft Exchange. Please contact your support team. | Calendar; Call Logs; Unified Contact Store



UC Device Features (Authentication Failures)

Device | Context | Notification Message | Features Impacted
-------|---------|----------------------|------------------
Polycom CX700 | (Username/Password) Expired Password; Invalid EWS Credentials | Connectivity to Exchange is currently unavailable due to invalid credentials. To restore access to Call Logs, Voice Mail and Calendar information, select Re-signin. | All features impacted
Aastra 6725ip, Polycom CX600, Polycom CX3000 | (Username/Password) Expired Password; Invalid EWS Credentials | Connectivity to Exchange is currently unavailable due to invalid credentials. To restore access to Call Logs, Voice Mail and Calendar information, select Re-signin. Ensure you are connected to a PC running Microsoft Lync. | All features impacted
Aastra 6721ip, Aastra 6725ip, Polycom CX500, Polycom CX600, Polycom CX3000 | (PIN/Certificate) Ethernet Only; Ethernet + USB | Connectivity to Exchange is currently unavailable. To initiate access to Call Logs, Voice Mail and Calendar information, select Re-signin. Ensure you are connected to a PC running Microsoft Lync. | All features impacted