Published by Nathan Gardner. Modified over 10 years ago.
OCS session UCO202: The ten pitfalls to avoid for a successful OCS 2007 R2 deployment. Leonardo Wormull, 10/02/ :00 – 14:00
OCS 2007 R2 INFRASTRUCTURE (architecture diagram). Components shown:
- Active Directory
- OCS pool: OCS front end servers, OCS back-end SQL server, file share (file server)
- QoE Monitoring Server (SQL Server), Archiving Server (SQL Server)
- CWA server (IIS server)
- Edge server in the DMZ: remote access (SIP, PSOM, RTP/RTCP), federated partners, public IM clouds (AOL, Yahoo, Live Messenger)
- Mediation server, advanced media gateway, PSTN
- UM server (Exchange 2007)
- UC endpoints
The ten most frequent problems when deploying OCS 2007 R2
1- Prepare schema, forest and domain
2- Certificates and certificates
3- Sign-in in automatic mode not working (DNS/cert issue)
4- Users can't sign in (DNS/cert issue)
5- Users don't get the Address Book (UR/IIS issue)
6- A/V communication from external user to internal user not working (Edge setup issue)
7- Invite/join a Live Meeting conference not working
8- CWA 2007 R2 reports the error ( ) "Your computer clock is not set correctly" when installed on Windows Server
9- Delegates unable to schedule Live Meetings
10- A/V quality issues (network/firewall issue)
1- Prepare Schema, Forest and Domain
How to prepare the schema for LCS\OCS:
    LCScmd.exe /forest /action:Schemaprep
How to verify whether the schema is prepared for LCS\OCS:
    LCScmd.exe /forest /action:checkschemaprepstate
How to prepare the forest for LCS\OCS:
    LCScmd.exe /forest /action:ForestPrep
How to verify whether the forest is prepared for LCS\OCS:
    LCScmd.exe /forest /action:CheckForestPrepState
How to prepare the domain for LCS\OCS:
    LCScmd.exe /domain:myDom.com /action:DomainPrep
How to verify whether the domain is prepared for LCS\OCS:
    LCScmd.exe /domain:myDom.com /action:CheckDomainPrepState
1- Prepare Schema, Forest and Domain
+ OCS extends the schema with 45 new classes and 106 new attributes. Open Active Directory Schema and you will see the new classes and attributes for OCS.
LCSCMD.exe /forest /action:forestprep
+ If you run this command with its defaults, it creates the global settings for OCS in the domain partition and not in the configuration container.
+ Forest prep creates the RTC service container (the root container for all the global settings).
+ After forest prep creates the global objects, it creates the universal security groups that administrators need to be members of.
+ Forest prep defines 2 new property sets (with a property set you can group a number of attributes into a set and apply security permissions to it); these 2 sets are of class controlAccessRight:
  1- RTCPropertySet (contains all user attributes extended by OCS). To configure users, administrators must have Read/Write permission to this set. For instance:
     RTCUniversalServerAdmins have Read permission (can only view)
     RTCUniversalUserAdmins have Read/Write permission (can configure)
     RTCHSUniversalServices have Read/Write permission
  2- RTCUserSearchPropertySet (contains only the msRTCSIP-PrimaryUserAddress attribute). Used to determine whether a user is authorized to search other users with the Find functionality available in OC; only RTCDomainUsersAdmins has full permissions on this property set.
  You can find them under Extended Rights.
LCSCMD.exe /domain:myDom.com /action:domainprep
PS: you can always check the preparation report in the HTML files under C:\Documents and Settings\%username%\local settings\temp
1- Prepare Schema, Forest and Domain
C:\Program Files\Common Files\Microsoft Office Communications Server 2007 R2>lcscmd /forest /action:checkschemaprepstate
Microsoft Office Communications Server 2007 R2 Deployment Command Console
Copyright (c) Microsoft Corporation. All rights reserved.
Executing "Initialize Forest Object"
Executing "Initialize Active Directory Connections"
Executing "Check Schema Prep State"
Check the log file "C:\Users\ADMINI~1.JTE\AppData\Local\Temp\Forest_checkschemaprepstate[2010_02_05][09_23_27].html" for details.
Action completed successfully
Execution time = 1172 ms
2- Certificates
What Are the Requirements for Certificates and How Do I Get One?
Office Communications Server 2007 R2 requires a public key infrastructure to support TLS and Mutual TLS (MTLS) connections. Office Communications Server uses certificates for the following purposes:
• TLS connections between client and server
• MTLS connections between servers
• Federation and public IM connectivity
• Remote user access for instant messaging
• External user access to A/V sessions and Web conferencing
Note: Requirements for Certificate Wizard
The certificates for each of the 4 options should be stored in the Personal, Certificates folder of the consolidated edge server. If you can see them through the MMC / Certificates snap-in but they don't show up when you try to assign them using the OCS certificate wizard, it's usually because the certificate doesn't have a "Server" Enhanced Key Usage (EKU) value or it's missing a private key (or both). Typically this happens with public certificates.
2- Certificates (2)
For Office Communications Server 2007 R2, the following common requirements apply:
• All server certificates must support server authorization (Server EKU (Enhanced Key Usage)).
• All server certificates must contain a CRL Distribution Point (CDP).
• If you are supporting public IM connectivity with AOL, AOL requires a certificate configured for both client and server authorization. The certificate assigned to the Access Edge Server external interface should support client authorization (Client EKU).
• Auto-enrollment is supported for internal servers running Office Communications Server, including an array of Standard Edition servers configured as Director.
• Auto-enrollment is not supported for Office Communications Server edge servers.
For details about certificate requirements and obtaining certificates, see the Office Communications Server 2007 R2 Planning Guide and the Office Communications Server 2007 R2 Edge Server Deployment Guide.
2- Certificates (3)
Note: Certificate Summary
• The only certificates that require Subject Alternative Names (SANs) are the Access Edge external interface, the Director pool internal interface (if a Director is installed) and the Pool internal interface.
• The Access Edge and Next Hop Pool certificates are shown with both server and client enhanced key usage (EKU) set, but this is only required if you are using Public IM Connectivity (PIC).
• Pre-pending "sip" to the domain name is recommended for entries in the certificate SAN but not for entries in the Edge server's list of supported SIP domains listed on the Internal tab under "Internal SIP domains supported by Office Communications Servers in your organization:".
• Subject Alternative Name lists (SANs) for the Access Edge external interface, Director and Pool are only required if using the Office Communicator Automatic Configuration feature.
• The SIP domain name is independent of the domain name hosting users and/or computers. For example, it's common to place OCS servers in a sub domain (e.g. corp.contoso.net) but assign users a SIP URI of
• A best practice is to have your SIP domain name match your Exchange SMTP domain name.
For details about certificate requirements and obtaining certificates, see the Office Communications Server 2007 R2 Planning Guide and the Office Communications Server 2007 R2 Edge Server Deployment Guide.
3-Sign-in in automatic mode not working (DNS/Cert issue)
Prerequisites for automatic sign-in:
- SRV record: _sipinternal._tcp.domain.com
- SRV record: _sipinternaltls._tcp.domain.com
- A record for the pool name
The DNS SRV records _sipinternaltls._tcp.domain.com, _sipinternal._tcp.domain.com and/or _sip._tls.domain.com may need to be configured if automatic configuration is desired.
How MOC clients locate services
During DNS lookup, SRV records are queried in parallel and returned to the client in the following order:
_sipinternaltls._tcp.<domain> - for internal TLS connections
_sipinternal._tcp.<domain> - for internal TCP connections (performed only if TCP is allowed)
_sip._tls.<domain> - for external TLS connections
_sip._tcp.<domain> - for external TCP connections (note: only used for LCS)
where <domain> is the SIP domain used by your internal clients. The last two queries are for clients that are connecting from outside your internal network.
When creating SRV records it's important to remember that they must point to an A record in the same domain in which the SRV record is created. For example, if the SRV record is in contoso.com, the A record it points to can't be in fabrikam.com; it has to be in contoso.com. Using TLS is a best practice, so the tables containing certificate and DNS values will not list _sipinternal._tcp or _sip._tcp records.
The MOC client tries the SRV records in order, querying them all but using the first one that is successful. After the SRV record is returned, a query is performed for the DNS A record (by FQDN) of the server associated with the SRV record. If no records are found during the DNS SRV query, the client performs an explicit lookup of sip.<domain>. If the explicit lookup does not produce results, the client performs a lookup for sipinternal.<domain>. If the client does not find sipinternal.<domain>, it performs a lookup for sipexternal.<domain>.
OC AUTOMATIC SIGN-IN: Troubleshooting Areas
Areas shown in the diagram: front-end server(s), backend SQL server, edge servers (DMZ), data / audio-video / SIP flows, public DNS server, Active Directory, DNS server, network, Internet, internal client, remote user.
OC AUTOMATIC SIGN-IN (diagram). Microsoft.com, SIP URI: leonarwo@microsoft.com
DNS server zone Microsoft.com: _tcp / _sipinternaltls (SRV), _sipinternal (SRV), poolmocs.microsoft.com (A)
OCS front end servers, server certificate: SN: FE1.microsoft.com; SAN: FE1.microsoft.com; SAN: poolmocs.microsoft.com
1 - DNS Query (SRV) _sipinternaltls._tcp.microsoft.com
2 - DNS Answer (SRV) _sipinternaltls._tcp.microsoft.com = Poolmocs.microsoft.com : 5061 TCP
3 - DNS Query (A) Poolmocs.microsoft.com
4 - DNS Answer (A) Poolmocs.microsoft.com =
5 – TLS handshake start (SYN, SYN-ACK, SYN) Client -> :5061 TCP
6 – TLS CLIENT HELLO
7 – TLS SERVER HELLO – Encrypted Message / Certificate Request
8 – TLS CHANGE CIPHER SPEC – Encrypted Message / Certificate
9 – TLS – APPLICATION DATA / SIP - REGISTER SIP URI :
OC AUTOMATIC SIGN-IN: Why? (diagram). SIP URI: leonarwo@microsoft.com
DNS server zones: Microsoft.com: _tcp / _sipinternaltls, _sipinternal; Contoso.com: poolmocs.contoso.com
Active Directory Contoso.com; server certificate: SN: FE1.contoso.com; SAN: FE1.contoso.com; SAN: poolmocs.contoso.com
1 - DNS Query (SRV) _sipinternaltls._tcp.microsoft.com
2 - DNS Answer (SRV) _sipinternaltls._tcp.microsoft.com = Poolmocs.contoso.com : 5061 TCP
3 - DNS Query (A) Poolmocs.contoso.com
4 - DNS Answer (A) Poolmocs.contoso.com =
5 – TLS handshake start (SYN, SYN-ACK, SYN) Client -> :5061 TCP
6 – TLS CLIENT HELLO
7 – TLS SERVER HELLO – Encrypted Message / Certificate Request
8 – TLS CHANGE CIPHER SPEC – Encrypted Message / Certificate
9 – TLS – APPLICATION DATA / SIP - REGISTER SIP URI :
Why?
Why?
- The TLS security check matches the DNS SRV record answer against the domain name that was requested.
- If they do not match, the TLS handshake fails.
4-Users can't sign in (DNS/Cert issue)
Diagram: internal client, DNS server, OCS front end servers.
DNS server zones: Microsoft.com: _tcp / _sipinternaltls (SRV), _sipinternal (SRV), Poolmocs.microsoft.com (CNAME); Contoso.com: poolmocs.contoso.com (A)
Server certificate: SN: FE1.microsoft.com; SAN: FE1.microsoft.com; SAN: poolmocs.microsoft.com; SAN: poolmocs.contoso.com
1 - DNS Query (SRV) _sipinternaltls._tcp.microsoft.com
2 - DNS Answer (SRV) _sipinternaltls._tcp.microsoft.com = Poolmocs.microsoft.com : 5061 TCP
3 - DNS Query (CNAME / A) Poolmocs.microsoft.com
4 - DNS Answer (CNAME / A) Poolmocs.microsoft.com = Poolmocs.contoso.com; Poolmocs.contoso.com =
5 – TLS handshake start (SYN, SYN-ACK, SYN) Client -> :5061 TCP
6 – TLS CLIENT HELLO
7 – TLS SERVER HELLO – Encrypted Message / Certificate Request
8 – TLS CHANGE CIPHER SPEC – Encrypted Message / Certificate
9 – TLS – APPLICATION DATA / SIP - REGISTER SIP URI :
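The two sign-in scenarios above (the failing one, where the SRV answer for microsoft.com points into contoso.com, and the fixed one, where a CNAME inside the SIP domain plus a matching SAN make the check pass) can be replayed offline. The following is an added example, not code from the presentation or from Microsoft: it models the SRV lookup order from the slide, the "SRV target must live in the requested domain" rule, and the certificate name check, against a constructed in-memory resolver instead of real DNS. The server names and the 192.0.2.10 address are constructed for the example.

```python
"""Replay of the OC automatic sign-in checks (SRV order, domain rule, SAN check).
Added example; the resolver is a constructed table, not a live DNS query."""
from dataclasses import dataclass

# SRV names tried in the order the slide gives (TCP fallbacks included).
SRV_ORDER = [
    ("_sipinternaltls._tcp.{d}", "TLS"),
    ("_sipinternal._tcp.{d}", "TCP"),
    ("_sip._tls.{d}", "TLS"),
    ("_sip._tcp.{d}", "TCP"),
]
# Explicit host names tried when no SRV record answers.
HOST_FALLBACKS = ["sip.{d}", "sipinternal.{d}", "sipexternal.{d}"]


@dataclass
class Resolver:
    """Constructed stand-in for DNS: SRV name -> (target, port), CNAME alias -> target, name -> IPv4."""
    srv: dict
    cname: dict
    a: dict

    def resolve_a(self, name):
        """Follow CNAMEs (loop-safe) and return the A record, or None."""
        seen = set()
        name = name.lower()
        while name in self.cname and name not in seen:
            seen.add(name)
            name = self.cname[name].lower()
        return self.a.get(name)


def locate_sip_server(sip_domain, resolver):
    """Mimic the client: first successful SRV in order, else the host-name fallbacks."""
    d = sip_domain.lower()
    for pattern, transport in SRV_ORDER:
        name = pattern.format(d=d)
        if name in resolver.srv:
            target, port = resolver.srv[name]
            return {"srv": name, "target": target.lower(), "port": port, "transport": transport}
    for pattern in HOST_FALLBACKS:
        host = pattern.format(d=d)
        if resolver.resolve_a(host):
            return {"srv": None, "target": host, "port": 5061, "transport": "TLS"}
    return None


def srv_target_in_domain(sip_domain, target):
    """Rule from the 'Why?' slide: the SRV answer must be a name inside the requested SIP domain."""
    return target.lower().endswith("." + sip_domain.lower())


def certificate_covers(target, cert_subject, cert_sans):
    """The presented certificate must name the host the client connected to (subject or SAN)."""
    names = {cert_subject.lower(), *[s.lower() for s in cert_sans]}
    return target.lower() in names


def sign_in_check(sip_domain, resolver, cert_subject, cert_sans):
    """Run the whole sequence and report the first step that fails."""
    found = locate_sip_server(sip_domain, resolver)
    if found is None:
        return "no-server"
    if found["srv"] and not srv_target_in_domain(sip_domain, found["target"]):
        return "srv-target-outside-sip-domain"
    if resolver.resolve_a(found["target"]) is None:
        return "no-a-record"
    if not certificate_covers(found["target"], cert_subject, cert_sans):
        return "certificate-name-mismatch"
    return "ok"


# Constructed scenarios mirroring the failing and the fixed slide.
BROKEN = Resolver(
    srv={"_sipinternaltls._tcp.microsoft.com": ("poolmocs.contoso.com", 5061)},
    cname={},
    a={"poolmocs.contoso.com": "192.0.2.10"},
)
FIXED = Resolver(
    srv={"_sipinternaltls._tcp.microsoft.com": ("poolmocs.microsoft.com", 5061)},
    cname={"poolmocs.microsoft.com": "poolmocs.contoso.com"},
    a={"poolmocs.contoso.com": "192.0.2.10"},
)
CERT_BROKEN = ("FE1.contoso.com", ["FE1.contoso.com", "poolmocs.contoso.com"])
CERT_FIXED = ("FE1.microsoft.com", ["FE1.microsoft.com", "poolmocs.microsoft.com", "poolmocs.contoso.com"])

if __name__ == "__main__":
    print(sign_in_check("microsoft.com", BROKEN, *CERT_BROKEN))  # srv-target-outside-sip-domain
    print(sign_in_check("microsoft.com", FIXED, *CERT_FIXED))    # ok
```

Running the fixed resolver with a certificate that lacks the poolmocs.microsoft.com SAN returns certificate-name-mismatch, which is the other half of the "DNS/cert issue" the slide title refers to.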
5-Users don't get Address Book (UR/IIS issue)
Diagram components: Active Directory (domain controller), OCS pool (OCS front end servers, back-end server), file share, edge server (DMZ), reverse proxy (remote access), UC endpoints.
Protocols and ports shown: HTTPS: TCP/443; LDAP: TCP/389; SIP: TLS / TCP/5060; SQL: TCP/1433; SMB: TCP/445; SIP: MTLS/5061.
ADDRESS BOOK SERVICE: User Replicator
Diagram: Active Directory (Microsoft.com) -> Front-End Server(s) -> Back End SQL Server, steps 1-3:
1- Every 60 sec by default, User Replicator sends an LDAP DirSync query based on the cookie version:
   SearchRequest: BaseDN: DC=Microsoft,DC=com, SearchScope: WholeSubtree, SearchAlias: neverDerefAliases
   + BaseObject: DC=Microsoft,DC=com
   + Scope: WholeSubtree
   + Alias: neverDerefAliases
   + SizeLimit: 100 entries
   + TimeLimit: 75 seconds
   + TypesOnly: False
   + Filter: (&(|(objectClass=user)(objectClass=contact)(objectClass=group))(!(objectclass=computer)))
   + Attributes: (objectClass)(distinguishedName)(objectGUID)(objectSid)(msRTCSIP-OriginatorSid)(isDeleted)(msRTCSIP-PrimaryUserAddress)(msRTCSIP-PrimaryHomeServer)(displayName)(mail)(msRTCSIP-UserEnabled)(telephoneNumber)…
2- AD sends the data back to the FE (and sets a new cookie).
3- FE stores the data in the backend database:
   - User and resource IDs are stored in RTC\dbo.Resource
   - The new DirSync cookie is stored in RTC\dbo.UrReplicationCookie
The address book data is retrieved from Active Directory, stored in the RTC database, extracted from the RTC database, and then placed in files and in the RTCAb database for use by the various clients. The following steps are performed:
- User Replicator (UR) reads the new or modified (that is, added, deleted, changed) user and contact object information from Active Directory and writes it into the RTC database. This process runs every 60 seconds.
- ABServer.exe reads the address book information from the RTC database and generates two sets of full and delta (that is, containing only the changes) address book files, for use by Office Communicator (file extension *.lsabs) and Office Communicator Phone Edition (file extension *.dabs). These files are placed in an NTFS directory.
- ABServer.exe also creates a full database (RTCAb) that is used by the Address Book Web Query Service. By default, ABServer runs daily at 01:30.
All phone numbers that cannot be normalized are placed into a .txt file in the same NTFS folder.
Office Communicator, Office Communicator Phone Edition, and other related clients download either the full or the delta file on a daily basis. The files are accessed either through a file URL (also called a UNC path) to the NTFS folder or through an HTTPS URL (or HTTP if configured). The address book entries are then stored locally in GalContacts.db and potentially in GalContactsDelta.db. Office Communicator Mobile clients use the Address Book Web Query Service, which uses the latest daily updates in the RTCAb database.
AD user and contact objects with one of these attributes get synced by the User Replicator:
- msRTCSIP-PrimaryUserAddress
- telephoneNumber
- homePhone
- mobile
ADDRESS BOOK SERVICE: User Replicator
Diagram: Active Directory (Microsoft.com) -> Front-End Server(s) -> Back End SQL Server, steps 1-3.
UserReplicator settings (ROOT\CIMV2):
instance of MSFT_SIPUserReplicatorSetting
{
    Backend = "BackEnd_FQDN";
    InstanceID = "{963099A5-0F DA8-713F0F3CA5C3}";
    RegenerateCookiesNow = FALSE;
    ReplicationCycleInterval = 60;
};
Technical background information about the changes introduced with QFE2 for MOC 2007 R2 ( ):
- In earlier versions of OC, any local failure in parsing the delta GAL file or in creating/updating the local DB would lead to a download of the full file. Starting with QFE2 of OC 2007 R2, such error conditions no longer lead to the full file being downloaded. The new logic is: if a compact file is downloaded successfully, a delta file will not be downloaded in the same attempt. Even if the client fails to parse the compact file or fails to update the local GAL database because of an error, the delta file will not be downloaded. The client looks for up to the last 7 days of compact files, and if no file is found or can be downloaded it tries to download the delta file. This supports deployments that have upgraded the clients but not yet the server to the latest QFE.
- In QFE2, the client looks for up to the last 7 days of delta files in order to update the GAL DB. If the GAL DB was updated within the last 7 days and no newer delta file is found, the client will not download the full file even if a delta download fails. If a delta file newer than the current state of the local DB is found and downloaded successfully, the client will not download a full file even if parsing the delta file or writing to the local GAL DB fails. The client downloads the full file only if the local DB hasn't been updated in the last 7 days AND no newer delta file is available.
Thus, if the server generates full files but no corresponding delta file for 7 consecutive days, the client will download a full file.
- Multiple changes were made to reduce the size of the download files and so the overall network bandwidth utilization. The following changes reduce the daily file download size significantly:
  o In this QFE the server creates new compact delta files in addition to the existing delta files. These compact delta files only contain the difference in changed properties for a contact object.
    § Before the QFE, the delta files contained the full contact object with all its properties if even one property of the contact changed.
    § With this QFE, the compact delta file contains the contact object with only the changed properties. Note: new and deleted contacts place the whole contact object into the file. If you have 10 properties and delete the contact, that counts as 10 property changes.
  o The following fields are no longer part of the compact delta file:
    § OtherHomePhone
    § otherMobile
    § IP Phone
    § manager
  o Title and Location fields are not added to the compact delta files if the user has a SIP address. These properties are read from the presence document for SIP-enabled users.
  Note: OC clients with QFE2 use these new compact delta files instead of the existing delta files. The server continues to create the existing delta files in addition to the compact delta files, for backward compatibility with previous OC clients. There are no changes to the existing delta or full file schema.
- OCS R2 QFE2 changes the logic that decides when delta files should not be created. Before this QFE, delta files were not created if the "change" in the GAL file was more than 1/8th of the existing full GAL file. "Change" was measured as the number of changed contact objects, so even a single property update on a contact object counted as a changed contact object.
With OCS R2 QFE2, the "change" is computed at property level. Also, the change limit for compact delta files is 4 times the regular delta file limit, so a full file will not be created as long as the change is less than 1/2 (i.e. 50%) of the full file. Here is an example describing the before and after QFE logic:
  o Assume the GAL file has 10 contacts, each with 10 properties (e.g. First, Last, Display Name, Organization, Phone, …).
  o Let's say the Organization property changes for 3 of the 10 users. This affects 3 contact objects out of 10.
  o Before QFE
    § The change is computed on contact objects:
      · Total number of contacts is 10
      · Total number of contacts changed is 3 (the Organization property of 3 contacts changed)
      · % of change = 30% (total number of contact changes / total number of contacts)
      · 30% change from the existing GAL file triggers a full file creation instead of delta files.
  o After QFE
    § The change is computed on properties (this only applies to the compact delta file change rate; the legacy delta file change rate is still calculated at contact level):
      · Total number of properties is 100 (10 contacts times 10 properties)
      · Total number of changed properties is 3 (the Organization property of 3 contacts changed)
      · % of change = 3% (total number of property changes / total number of properties)
      · 3% change is much lower than the 50% change limit of the compact delta file, so no full file is created.
- These logic changes should greatly reduce the number of cases where the server did not create the compact delta file and forced the client to download the full file.
Note: The upper end of the % change for compact delta files is 80%, so if delta files are set to 20% or higher, the compact files are still bound by an 80% change in full file size.
- To reduce network congestion caused by simultaneous downloads, and to control bandwidth utilization, the following functionality is enabled as part of this QFE:
  o Randomized and distributed time window for the first download: by default the OC client randomly assigns each user a time window of 0-60 min before initiating the first full download of the GAL file. The download delay can be configured through a registry setting, so an admin or user can set it to 0 for immediate GAL download.
    § Set the following registry entry on the user's machine for immediate download:
      [HKEY_CURRENT_USER\Software\Policies\Microsoft\Communicator]
      "GalDownloadInitialDelay"=dword:
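The before/after QFE2 arithmetic on this slide is easy to get wrong when reasoning about a real directory, so here is the decision rule written out as an added example (not Microsoft's code). The thresholds are the slide's own: a legacy delta file is withheld when more than 1/8 (12.5%) of contact objects changed, the compact delta limit is 4 times the legacy limit, and compact files are capped at 80%. Reading the MaxDeltaFileSizePercentage = 1250 value from the ABS settings slide as hundredths of a percent (12.50%) is an assumption made here; the contact counts in slide_example() are the slide's 10 contacts x 10 properties with 3 Organization changes.

```python
"""Delta-file decision logic from the QFE2 slide, as an added worked example."""

COMPACT_CAP_PCT = 80.0  # hard upper bound for compact delta files (slide note)


def legacy_limit_from_setting(max_delta_file_size_percentage=1250):
    """Assumption: the WMI value is stored in hundredths of a percent (1250 -> 12.5%)."""
    return max_delta_file_size_percentage / 100.0


def compact_limit_pct(legacy_limit_pct):
    """Compact delta files allow 4x the legacy change rate, never above 80%."""
    return min(4.0 * legacy_limit_pct, COMPACT_CAP_PCT)


def deleted_contact(props):
    """A new or deleted contact counts as every one of its properties changed."""
    return {"props": props, "changed": props}


def change_rates(contacts):
    """contacts: list of {"props": n, "changed": k} meaning k of n properties changed.
    Returns (contact-level change %, property-level change %)."""
    changed_contacts = sum(1 for c in contacts if c["changed"] > 0)
    total_props = sum(c["props"] for c in contacts)
    changed_props = sum(c["changed"] for c in contacts)
    return (100.0 * changed_contacts / len(contacts),
            100.0 * changed_props / total_props)


def file_decisions(contacts, legacy_limit_pct=None):
    """Which delta files the server produces, and whether a pre-QFE2 client
    (legacy delta only) or a QFE2 client (compact delta) must fall back to the full file."""
    legacy_limit = legacy_limit_from_setting() if legacy_limit_pct is None else legacy_limit_pct
    contact_pct, prop_pct = change_rates(contacts)
    legacy_delta = contact_pct <= legacy_limit                   # "more than 1/8" withholds it
    compact_delta = prop_pct < compact_limit_pct(legacy_limit)   # "less than 1/2" allows it
    return {
        "contact_change_pct": contact_pct,
        "property_change_pct": prop_pct,
        "legacy_delta_created": legacy_delta,
        "compact_delta_created": compact_delta,
        "pre_qfe_client_downloads_full": not legacy_delta,
        "qfe2_client_downloads_full": not compact_delta,
    }


def slide_example():
    """The slide's case: 10 contacts x 10 properties, Organization changed for 3 of them."""
    contacts = [{"props": 10, "changed": 1 if i < 3 else 0} for i in range(10)]
    return file_decisions(contacts)


if __name__ == "__main__":
    for key, value in slide_example().items():
        print(f"{key}: {value}")
```

The example also shows why a bulk deletion still hurts: ten deleted contacts out of a hundred count as 100 changed properties at property level, exactly as the "10 properties and delete the contact" note says.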
ADDRESS BOOK SERVICE:
1- Address book file creation is done every 24 hours.
   - By default every night at 01:30 AM
   - The ABS service initiates address book file creation (SQL queries).
2- Back End SQL sends back data according to the "required attributes" table (RTC\dbo.AbAttribute).
3- FE stores the data into .LSABS / .DABS files (full and delta ones) on the file server (SMB).
   Fxxxx.lsabs -> xxxx = number of days since 01/01/2001
   .lsabs -> AB for Communicator clients
   .dabs -> AB for UC devices
   Each day -> 1 full + n delta
ADDRESS BOOK SERVICE: ABS Settings
AB settings (ROOT\CIMV2):
instance of MSFT_SIPAddressBookSetting
{
    Backend = "Backend_FQDN";
    DaysToKeep = 30;
    ExternalURL = "
    IgnoreGenericRules = FALSE;
    InstanceID = "{D265A402-BD08-4BCB-BEB3-CC7AFBD47C08}";
    InternalURL = "
    MaxDeltaFileSizePercentage = 1250;
    OutputLocation = "\\\\FileServer_FQDN\\AB";
    PartitionOutputByOU = FALSE;
    RunTime = 130;
    SynchronizeNow = FALSE;
    SynchronizePollingIntervalSecs = 300;
    UseNormalizationRules = TRUE;
};
ABSERVER.EXE -REGENUR
ABSERVER.EXE -SYNCNOW : launch UR replication and create the ABS files
ABSERVER.EXE -DUMPFILE <xxx.lsabs>
ADDRESS BOOK SERVICE : Client Side
Diagram: Internal Client -> Front-End Server(s) -> Web Components (IIS server) -> File Server, steps 1-8:
1- SIP REGISTER
2- SIP OK
3- SUBSCRIBE(s) Event: vnd-microsoft-provisioning-v2
4- SIP 200 OK(s) containing <absInternalServerUrl> and <absExternalServerUrl>
5- HTTPS GET
6- SMB READ REQUEST \\fileserver\absfileshare\xxx.lsabs
7- SMB READ RESPONSE
8- WebComp sends the file back to the client over HTTPS
ABS data is stored locally in: %userprofile%\Local settings\application data\microsoft\communicator\galcontact.db
ADDRESS BOOK SERVICE
Increased service requests since CU2 (build )
New design introduced with the naming convention:
F-xxxx.lsabs - full files; xxxx = full file creation date
C-xxxx-yyyy.lsabs - compact delta files; xxxx = full file creation date, yyyy = delta file creation date
xxxx: in days since Jan 1; calc: Date = HEX2DEC(xxxx)
Design goal: reduce load and traffic by providing a central point of location and compressed data, instead of having the clients access the AD individually.
Technical details: Technical Reference for Office Communications Server 2007 R2 Address Book Server Drilldown
File names for full files are of the form F-xxxx, where xxxx is the file creation date expressed as the hexadecimal 0-based number of days since January 1,
Delta file names are of the form C-xxxx-yyyy.lsabs, where xxxx is the full file creation date and yyyy is the delta file creation date. Files are also assigned the appropriate *.lsabs or *.dabs file extension.
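When troubleshooting the share it helps to read the file names directly, for example to see whether the nightly run produced today's full file and whether old files have been purged. The following is an added example, not project code: it decodes and builds the F-xxxx / C-xxxx-yyyy names described above, using day 0 = 1 January 2001 as the earlier ABS slide states, and applies the DaysToKeep = 30 default from the ABS settings slide to find stale files. The file names used in the usage are constructed for the example.

```python
"""Address book file name codec (F-xxxx, C-xxxx-yyyy) as an added example."""
from datetime import date, timedelta
import re

ABS_EPOCH = date(2001, 1, 1)  # day 0, 0-based hex day count (earlier slide)
NAME_RE = re.compile(
    r"^(?P<kind>[FC])-(?P<full>[0-9a-fA-F]{4})"
    r"(?:-(?P<delta>[0-9a-fA-F]{4}))?\.(?P<ext>lsabs|dabs)$"
)


def abs_day_to_date(hex_days):
    """HEX2DEC(xxxx) days after the epoch."""
    return ABS_EPOCH + timedelta(days=int(hex_days, 16))


def date_to_abs_day(d):
    """Zero-padded 4-digit lowercase hex day count."""
    return f"{(d - ABS_EPOCH).days:04x}"


def parse_abs_filename(name):
    """Return kind, client type and the date(s) encoded in an ABS file name."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not an address book file name: {name}")
    info = {
        "kind": "full" if m["kind"] == "F" else "compact-delta",
        "client": "communicator" if m["ext"] == "lsabs" else "uc-device",
        "full_date": abs_day_to_date(m["full"]),
    }
    if m["kind"] == "C":
        if m["delta"] is None:
            raise ValueError("compact delta file name needs a full and a delta date")
        info["delta_date"] = abs_day_to_date(m["delta"])
    elif m["delta"] is not None:
        raise ValueError("full file name carries only one date")
    return info


def full_filename(d, ext="lsabs"):
    return f"F-{date_to_abs_day(d)}.{ext}"


def compact_delta_filename(full_d, delta_d, ext="lsabs"):
    return f"C-{date_to_abs_day(full_d)}-{date_to_abs_day(delta_d)}.{ext}"


def stale_files(names, today, days_to_keep=30):
    """Files whose newest encoded date is older than DaysToKeep (default 30)."""
    out = []
    for n in names:
        info = parse_abs_filename(n)
        newest = info.get("delta_date", info["full_date"])
        if (today - newest).days > days_to_keep:
            out.append(n)
    return out


if __name__ == "__main__":
    # Constructed names: a full file and a compact delta one day later.
    for n in ["F-0cfa.lsabs", "C-0cfa-0cfb.dabs"]:
        print(n, parse_abs_filename(n))
    print(full_filename(date.today()))
```

The regex rejects names with the wrong number of dates, so a mistyped or tampered file name on the share raises rather than decoding to a wrong date.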
6-Communication A/V from external user to internal user not working (Edge Setup issue)
Diagram: edge server(s), front-end server(s), public network, internal network, external user, internal user.
AV Edge Provisioning/Credentials
Diagram: External Client -> Access Edge -> OCS FE Server (SIP service over MTLS); A/V Auth on the A/V Edge; outer firewall / inner firewall.
SIP REGISTER -> 200 OK with ms-user-logon-data: RemoteUser
SIP SERVICE request carrying <mrasUri>sip:av.tailspintoys.com</mrasUri> and <location>internet</location> -> 200 OK with the A/V Edge credentials:
  <hostName>av.tailspintoys.com
  <udpPort>3478
  <tcpPort>443
  <username>77qq8yXccBc2lwOmFy
  <password>Wnujl0eo00YkV/5dg=
  <duration>480
2 PARTY AUDIO CALL: EXTERNAL
Diagram: External Client -> Access Edge -> OCS FE Server -> Internal Client for signaling; media through the A/V Edge between the external firewall and the internal firewall.
INVITE (external client), TRYING, TRYING; offer SDP:
m=audio RTP/SAVP
a=candidate:UDP
a=candidate:UDP
a=crypto:2 AES_CM_128_HMAC_SHA1_80
a=remote-candidate:EbG+8ZNb5MSDsF3D
a=maxptime:200
a=rtpmap:114 x-msrta/16000
a=fmtp:114 bitrate=29000
a=rtpmap:111 SIREN/16000
a=fmtp:111 bitrate=16000
a=rtpmap:112 G7221/16000
a=fmtp:112 bitrate=24000
a=rtpmap:115 x-msrta/8000
a=fmtp:115 bitrate=11800
a=rtpmap:116 AAL2-G726-32/8000
a=rtpmap:4 G723/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:97 RED/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:
a=encryption:required
RINGING, 200 OK (internal client); answer SDP:
m=audio RTP/SAVP
a=candidate:UDP
a=candidate:UDP
a=crypto:2 AES_CM_128_HMAC_SHA1_80
a=remote-candidate:t5hj4JqMUT5RnDEwQ2ktkCunoma
a=maxptime:200
a=rtcp:59129
a=rtpmap:114 x-msrta/16000
a=fmtp:114 bitrate=29000
a=rtpmap:111 SIREN/16000
a=fmtp:111 bitrate=16000
a=rtpmap:112 G7221/16000
a=fmtp:112 bitrate=24000
a=rtpmap:115 x-msrta/8000
a=fmtp:115 bitrate=11800
a=rtpmap:116 AAL2-G726-32/8000
a=rtpmap:4 G723/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:97 RED/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:
a=encryption:required
STUN BINDING REQUESTS from :50009 / :50008 to the A/V Edge: NO BIND RESPONSE
Media legs shown: :50008 UDP and :50009 UDP, RTAudio 26 Kbit/s, RTCP/SRTCP and RTP/SRTP; :59129 UDP and :59785 UDP, RTAudio 26 Kbit/s, RTCP/SRTCP and RTP/SRTP
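The "NO BIND RESPONSE" on this slide is the symptom to reproduce from outside: if a STUN Binding Request to the A/V Edge on UDP 3478 gets no answer, the external firewall or the edge's listener is the problem, not the SIP signaling. The following probe is an added example, not code from the presentation or from Microsoft. It implements the generic RFC 5389 message layout (20-byte header, magic cookie, XOR-MAPPED-ADDRESS); that the A/V Edge answers a plain Binding Request on 3478 is an assumption made here, and the host name av.tailspintoys.com is the one from the provisioning slide. The 192.0.2.7 / 50009 values in the self-test are constructed.

```python
"""Minimal STUN Binding probe and response parser (RFC 5389 layout), added example."""
import os
import socket
import struct

MAGIC = 0x2112A442           # RFC 5389 magic cookie
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txid=None):
    """Header only: type, length 0, magic cookie, 96-bit transaction id."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC) + txid


def build_binding_response(txid, ip, port):
    """Constructed success response carrying an IPv4 XOR-MAPPED-ADDRESS (used for self-test)."""
    xport = port ^ (MAGIC >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xaddr)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC) + txid + attr


def parse_binding_response(data, expected_txid):
    """Return (ip, port) as seen by the server, or None if the datagram is not
    a success response matching our transaction id."""
    if len(data) < 20:
        return None
    mtype, length, magic = struct.unpack("!HHI", data[:8])
    if mtype != BINDING_SUCCESS or magic != MAGIC or data[8:20] != expected_txid:
        return None
    body = data[20:20 + length]
    off = 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        if atype == XOR_MAPPED_ADDRESS and alen >= 8 and value[1] == 0x01:
            xport, xaddr = struct.unpack("!HI", value[2:8])
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC))
            return ip, xport ^ (MAGIC >> 16)
        off += 4 + ((alen + 3) & ~3)   # attribute values are padded to 4 bytes
    return None


def probe_stun(host, port=3478, timeout=2.0):
    """Send one Binding Request; None means no bind response within the timeout."""
    txid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_binding_request(txid), (host, port))
        try:
            data, _ = s.recvfrom(2048)
        except socket.timeout:
            return None
    return parse_binding_response(data, txid)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "av.tailspintoys.com"
    result = probe_stun(target)
    print(result or "no bind response: check UDP 3478 through the external firewall")
```

Run it from the external client's network segment; a reply that reports a reflexive address different from the client's own shows the NAT the candidates will have to traverse, while a timeout is the same condition the slide labels NO BIND RESPONSE.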
7-Invite/Join a Live Meeting conference not working
Diagram: front-end server(s), web conferencing server, network, internal user, internal user.
CONFERENCING COMPONENTS
Diagram: FRONT END (ACCESS SERVER) with FOCUS FACTORY and FOCUS; SQL BACK END DATABASE; MCU FACTORY; WEB CONFERENCING (DATA MCU); IM CONFERENCING (IM MCU); A/V CONFERENCING (AV MCU). Links shown: SIP TLS/5061, C3P over HTTP, SQL, PSOM SSL/8057, SIP TLS/5062, SIP / RTP-RTCP.
The C3P Protocol
The OCS conferencing solution is based on the Centralized Conference Control Protocol (commonly referred to as CCCP or C3P for short). This is an XML-based client-server protocol that piggybacks on SIP and provides the following mechanisms:
- A conference document (or roster) that lists the participants in the conference and the modes the various participants are currently in.
- A command/response mechanism that allows clients to issue commands to the conferencing server (focus factory) so they can create the conference or control other aspects of it.
For instance, AddConference is a C3P command used to add a conference to the focus factory. The focus factory responds with a unique conference SIP URI, which is based on the user's own SIP URI. For example, say my SIP URI is When the client issues an AddConference command, the focus factory returns a unique key to the conference that looks something like this: This SIP URI key uniquely identifies the OCS conference. It can be shared with other participants to give them access to the conference. This is the same URI that is sent in the message generated by the Invite by option. Since the conference's SIP URI is created from the conference creator's own SIP URI, the policies applied to the conference can be derived from the creator's policies. It also means that policies such as dial-out to the PSTN can be applied based on what is allowed for the specific conference leader.
Another C3P command, AddUser, adds a participant to the conference. It also specifies the role of the participant, such as attendee or presenter. The leader/presenter has to add himself to the conference using AddUser as soon as the AddConference command is issued. The leader/presenter can use AddUser to invite endpoints or clients with a SIP URI into a conference, as well as PSTN phone numbers. To initiate dialing out to phone numbers from the MCUs, a <dialout> XML node has to be set in the AddUser command. I will refer to this combined command as AddUserDialOut.
A third C3P command, GetConference, is used to retrieve all conference capabilities. Once a client connects to the focus, it needs to retrieve the SIP URI information about the various MCUs in the system so it can talk directly to the MCUs. This information about the MCUs is retrieved using GetConference. An Audio/Video MCU SIP URI retrieved using GetConference looks something like this: Note that each of the SIP URIs, whether a conference focus factory or a specific conferencing server, is actually a Globally Routable User URI (GRUU). I briefly talked about GRUUs in the "How Presence Powers OCS 2007" article.
As I mentioned before, C3P rides on top of SIP, and SIP allows sessions to be created between any two user agents (or, to be syntactically correct, between a user agent client and a user agent server). The payload of a SIP session need not always be an audio or video SDP (Session Description Protocol); it can be a way to establish a pure signaling channel. Clients use this to establish a SIP-based signaling channel with the focus factory for a particular conference session.
Port usage:
- Front End Servers 5062 TCP - incoming SIP listening requests for IM conferencing.
- Front End Servers 5063 TCP - incoming SIP listening requests for audio/video (A/V) conferencing.
- Front End Servers 5064 TCP - incoming SIP listening requests for telephony conferencing.
- Front End Servers 5065 TCP - incoming SIP listening requests for application sharing.
- Live Meeting 2007 client 8057 TCP - outgoing PSOM traffic sent to the Web Conferencing Server.
- Live Meeting 2007 client 443 TCP - used by Live Meeting 2007 clients connecting from outside the intranet for SIP traffic sent to the Access Edge Server and PSOM traffic sent to the Web Conferencing Edge Server.
CREATE A CONFERENCE
Diagram: Internal Client -> FRONT END OCS -> FOCUS FACTORY / FOCUS SERVICE; 200 OK back to the client.
Request (addConference):
requestId=" ">
<addConference>
  <msci:conference-id>3A33C8AC9BEECD4DAFE BEA739</msci:conference-id>
  <msci:expiry-time> T04:00:46Z</msci:expiry-time>
  <msci:admission-policy>openAuthenticated</msci:admission-policy>
  <msci:conference-view>
    <msci:entity-view entity="chat"/>
    <msci:entity-view entity="audio-video"/>
    <msci:entity-view entity="meeting">
      <msdata:app-viewing-behavior>enableWithFullSharing</msdata:app-viewing-behavior>
      <msdata:conferencing-type>collaboration</msdata:conferencing-type>
The scheduling client communicates with the Focus Factory to create a new conference. To create a conference, the Focus Factory on the server creates and configures a conference record. The Focus Factory then sends the URI for the Focus instance to the client. The conference URI includes the organizer of the conference and a unique conference identifier. The syntax is as follows: <unique ID>.
Response:
requestId=" " C3PVersion="1" code="success">
<addConference>
  <conference-info xmlns="urn:ietf:params:xml:ns:conference-info" state="partial" version="1"/>
</addConference>
</response>
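To check what a client actually asked the focus factory for (the admission policy in particular, since openAuthenticated admits any authenticated or federated user who holds the key), it is handy to parse the addConference exchange out of a SIP trace. The following is an added example, not code from the presentation or from Microsoft. The XML is reconstructed from the fragments on this slide; the <request> root element name is assumed by symmetry with the </response> shown, and the msci namespace URI is a placeholder because the slide shows only the prefix. The focus URI parser assumes the sip:organizer@domain;gruu;opaque=app:conf:focus:id:<id> form of OCS focus GRUUs, which the slide abbreviates to <unique ID>. All ids and dates in the usage are constructed.

```python
"""Build and parse C3P addConference messages and conference focus URIs (added example)."""
import xml.etree.ElementTree as ET

CI_NS = "urn:ietf:params:xml:ns:conference-info"   # namespace shown on the slide
MSCI_NS = "urn:example:assumed-msci-namespace"     # placeholder; slide shows only the prefix

# Constructed success response, modelled on the slide's reply.
SAMPLE_RESPONSE = (
    '<response requestId="1" C3PVersion="1" code="success">'
    "<addConference>"
    f'<conference-info xmlns="{CI_NS}" state="partial" version="1"/>'
    "</addConference></response>"
)


def build_add_conference(request_id, conference_id, expiry_time,
                         admission_policy="openAuthenticated", entities=("chat", "audio-video")):
    """Request body modelled on the slide's addConference fragment (<request> root assumed)."""
    views = "".join(f'<msci:entity-view entity="{e}"/>' for e in entities)
    return (
        f'<request xmlns:msci="{MSCI_NS}" requestId="{request_id}" C3PVersion="1">'
        "<addConference>"
        f"<msci:conference-id>{conference_id}</msci:conference-id>"
        f"<msci:expiry-time>{expiry_time}</msci:expiry-time>"
        f"<msci:admission-policy>{admission_policy}</msci:admission-policy>"
        f"<msci:conference-view>{views}</msci:conference-view>"
        "</addConference></request>"
    )


def parse_add_conference_request(xml_text):
    """Pull request id, conference id, admission policy and entity views from a request."""
    root = ET.fromstring(xml_text)
    ns = {"msci": MSCI_NS}
    add = root.find("addConference")
    if root.tag != "request" or add is None:
        raise ValueError("not a C3P addConference request")
    return {
        "request_id": root.get("requestId"),
        "conference_id": add.findtext("msci:conference-id", namespaces=ns),
        "admission_policy": add.findtext("msci:admission-policy", namespaces=ns),
        "entities": [e.get("entity") for e in add.findall("msci:conference-view/msci:entity-view", ns)],
    }


def parse_add_conference_response(xml_text):
    """Return the conference-info state/version on success, None on any other outcome."""
    root = ET.fromstring(xml_text)
    if root.tag != "response" or root.get("code") != "success":
        return None
    info = root.find(f"addConference/{{{CI_NS}}}conference-info")
    if info is None:
        return None
    return {"request_id": root.get("requestId"),
            "state": info.get("state"),
            "version": int(info.get("version"))}


def parse_focus_uri(uri):
    """Split sip:organizer@domain;gruu;opaque=app:conf:focus:id:<id> into its parts.
    Because the organizer is embedded, the creator's policies follow the conference."""
    if not uri.startswith("sip:") or ";gruu;" not in uri:
        raise ValueError("not a focus GRUU")
    user_part, _, params = uri[4:].partition(";")
    marker = "opaque=app:conf:focus:id:"
    idx = params.find(marker)
    if idx < 0:
        raise ValueError("not a conference focus URI")
    conference_id = params[idx + len(marker):].split(";", 1)[0]
    return {"organizer": "sip:" + user_part, "conference_id": conference_id}


if __name__ == "__main__":
    req = build_add_conference("1", "CONSTRUCTEDID0001", "2010-01-01T00:00:00Z")
    print(parse_add_conference_request(req))
    print(parse_add_conference_response(SAMPLE_RESPONSE))
    print(parse_focus_uri("sip:organizer@example.com;gruu;opaque=app:conf:focus:id:CONSTRUCTEDID0001"))
```

A trace in which many conferences carry admission-policy anonymous rather than openAuthenticated is worth a look, since anonymous conferences admit anyone who obtains the focus key.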
JOIN A CONFERENCE
Diagram: Internal Client -> FRONT END OCS -> FOCUS FACTORY; INVITE, TRYING, SESSION PROGRESS, DIALOG CREATED, INFO.
INVITE carrying an addUser request:
requestId="0">
<addUser>
  <conferenceKeys
  <ci:user xmlns:ci="urn:ietf:params:xml:ns:conference-info"
    <ci:roles><ci:entry>attendee</ci:entry></ci:roles>
    <ci:endpoint entity="{6F488A99-D3C D69-80E1C75B2385}"
Response:
requestId="0" C3PVersion="1" code="success">
<addUser>
  <conferenceKeys
  <ci:user
    <ci:roles>
      <ci:entry>presenter</ci:entry>
    </ci:roles>
  </ci:user>
</addUser>
</response>
INFO carrying a further addUser:
requestId="3">
<addUser
  <conferenceKeys
  <ci:user
    <ci:display-text>Kevin Cook</ci:display-text>
    <ci:roles><ci:entry>presenter</ci:entry></ci:roles>
    <ci:endpoint entity="{CDF6EA5F-CD7B-4E30-9FD6-62A5C6A40ADA}" sip-instance=""<urn:uuid:BA8EE1B2-7EF BCCE-D75F4C82294D>"">
      <ci:joining-method>dialed-in</ci:joining-method>
Licensing Requirement
Licensing requirements for Public IM Connectivity depend on the service providers you want to connect with and your Communications Server client access licenses.
Windows Live and AOL: Customers with an Office Communications Server 2007 R2 Standard Client Access License, or an Office Communications Server 2007 / Live Communications Server 2005 SP1 Standard CAL license with active Software Assurance (SA), qualify for federation with Windows Live Messenger and AOL without additional licensing requirements. Customers who do not meet the qualifying requirement should buy the Office Communications Server Public IM Connectivity license for federation with Windows Live Messenger and AOL.
Yahoo!: Federation with Yahoo! requires the Office Communications Server Public IM Connectivity (PIC) per-user subscription license. The Office Communications Server PIC license is sold separately on a per-user, per-month basis as a Microsoft service. PIC service licenses are available for Microsoft Volume License customers only.
Google Talk: Federation with Google Talk can be enabled through the Microsoft Office Communications Server 2007 R2 XMPP Gateway, available at no additional licensing cost. This Gateway provides presence sharing and instant messaging (IM) with XMPP (Extensible Messaging and Presence Protocol) networks like Google Talk.
System Requirements
Public IM Connectivity requires a fully licensed and installed version of Communications Server (Live Communications Server 2005 SP1 or a later version). For detailed system requirements, visit the Office Communications Server 2007 R2 technical documentation website.
Provisioning Requirements
To provision your Office Communications Server environment for federation with public IM service providers (Windows Live, AOL, Yahoo!), the following information is required:
- The fully qualified domain name (FQDN) of your Access Edge service
- The name of your SIP domain
If Public IM Connectivity licenses were purchased through Microsoft Volume Licensing, details on how to submit this information will be available through the Microsoft Volume Licensing website. If you qualify for federation with Windows Live and AOL through the Office Communications Server 2007 R2 Standard CAL, please contact your Account Manager for details on submitting information about provisioning your network. For more information on the provisioning process, please read the Office Communications Server Public IM Connectivity Provisioning Guide. For more information on the Microsoft Office Communications Server 2007 R2 XMPP Gateway, please visit the download page.
31
AVEdge Provisioning/Credentials and Joining a Conference (OC and Console)
[Diagram: MRAS credential provisioning. The client sends a SIP Invite through the OCS FE Server to the A/V Authentication service (MTLS) and receives 200 OK carrying the MRAS credentials: <hostName>av.tailspintoys.com, <udpPort>3478, <tcpPort>443, <username>77qq8yXccBc2lwOmFy, <password>Wnujl0eo00YkV/5dg=, <duration>480. The endpoint then reaches the A/V MCU and the A/V Edge across the inner and outer firewalls; the Access Edge returns 200 OK and the client issues "CCCP: Add User".]

A client can join itself to the conference in one of the following two ways:
- To join an IM Conferencing Server or an A/V Conferencing Server (Conferencing Servers that communicate using SIP), a client issues a direct media INVITE to the conferencing server URI.
- To join a Web Conferencing Server (which does not use SIP), a client issues an addUser C3P dial-in command targeted at the conferencing server URI. (All C3P commands are carried inside a SIP INFO.)

Edge Server, 3478/UDP: used for STUN/UDP inbound and outbound media communications.
32
8-CWA 2007 R2 is reporting error ( ) "Your computer clock is not set correctly" when installed on Windows Server 2008
When trying to log in using CWA, you get: “Cannot sign in because your computer clock is not set correctly or your account is invalid. (Error code: )”.
1- Resolution: the SPN for the CWA URL is missing; add the SPN to the CWAService account. In ADSI Edit, locate the CWAService account, open its properties, find the servicePrincipalName attribute, add the CWA URL to it, then reboot.
2- If you take a network trace you will see: KRB_ERROR - KDC_ERR_PREAUTH_REQUIRED (25)
3- Verify the account and the server with checkspn.vbs:
C:\Program Files\Microsoft Office Communications Server 2007 R2\ResKit>cscript checkspn.vbs /check /s:jte-fe.jte-leo.fr
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

Entry (1): CN=RTCService,CN=Users,DC=jte-leo,DC=fr
SUCCESS: The sip/jte-fe.jte-leo.fr is correctly registered
33
8-CWA 2007 R2 is reporting error (0-1-492)
We have an article for this:
1. Typically a client connects using the FQDN (fully qualified domain name) of the web server. Since Kerberos is only attempted if the website is in Internet Explorer's Intranet security zone, the website needs to be added to that zone, either through a GPO or manually.
2. A one-way trust (the resource forest trusts the user forest) is required for this scenario. In future scenarios (e.g. if delegation is introduced) a two-way trust will be required.
3. Again, check the service account:
C:\Program Files\Microsoft Office Communications Server 2007 R2\ResKit>cscript checkspn.vbs /list /u:cwaservice
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

LDAP://CN=cwaservice,CN=Users,DC=jte-leo,DC=fr
http/JTE-CWA
http/JTE-CWA.jte-leo.fr

Workarounds:
1- Use Forms Based Authentication
2- Use what is on the following blog:
3- Limit CWA to a single forest and a single server (NLB is not supported)
4- Use Windows 2003 for CWA instead of Windows 2008
5- Changing the permission of RTCComponentService to "log on as a batch job" fixed the problem on one machine, but we have not been able to reproduce it (inconsistent!)
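The SPN checks above rely on checkspn.vbs from the Resource Kit. The following script is an added example, not part of the presentation or of the OCS Resource Kit, that does the same verification with the built-in setspn.exe for every name Kerberos clients will request (the sip/ SPN of the Front End and both http/ SPNs of the CWA server), and additionally flags duplicate SPNs, which break Kerberos just as a missing one does. The host names and account names are placeholders taken from the slide's sample domain (jte-leo.fr); replace them with your own.

```powershell
# Added example, not from the presentation: check that the SPNs Kerberos
# clients will ask for are registered, and on exactly one account.
# Requires setspn.exe (built into Windows Server 2008 and later; part of the
# Support Tools on Windows Server 2003). Names below reuse the slide's sample
# environment (jte-leo.fr) and are placeholders for your own.

$expected = @(
    @{ Spn = 'sip/jte-fe.jte-leo.fr';   Account = 'RTCService' },   # Front End server
    @{ Spn = 'http/JTE-CWA';            Account = 'cwaservice' },   # CWA short name
    @{ Spn = 'http/JTE-CWA.jte-leo.fr'; Account = 'cwaservice' }    # CWA FQDN clients actually use
)

function Get-SpnOwner {
    # Returns the distinguished names of every AD object carrying $Spn.
    # 'setspn -Q' prints each owner's DN on its own line, followed by the SPNs
    # it holds (indented), then "Existing SPN found!" or "No such SPN found."
    param([string]$Spn)
    $output = & setspn.exe -Q $Spn 2>&1
    @($output | Where-Object { "$_" -match '^CN=' } | ForEach-Object { "$_".Trim() })
}

function Test-ExpectedSpn {
    param([string]$Spn, [string]$Account)
    $owners = Get-SpnOwner -Spn $Spn
    if ($owners.Count -eq 0) {
        # Missing SPN: the KDC cannot issue a ticket for this name, so the CWA
        # sign-in fails as described on the slide.
        Write-Warning "$Spn is not registered. Fix with: setspn -S $Spn $Account   (use -A on Windows Server 2003 Support Tools)"
        return $false
    }
    if ($owners.Count -gt 1) {
        # A duplicate SPN is as fatal as a missing one: the KDC cannot pick a key.
        Write-Warning "$Spn is registered on $($owners.Count) objects (duplicate SPN):`n  $($owners -join "`n  ")"
        return $false
    }
    if ($owners[0] -notmatch ('^CN=' + [regex]::Escape($Account) + ',')) {
        Write-Warning "$Spn is registered on $($owners[0]), not on $Account; the service cannot decrypt the tickets it receives"
        return $false
    }
    Write-Host "OK: $Spn -> $($owners[0])"
    return $true
}

$allGood = $true
foreach ($e in $expected) {
    if (-not (Test-ExpectedSpn -Spn $e.Spn -Account $e.Account)) { $allGood = $false }
}
if (-not $allGood) { exit 1 }
```

Run it from an elevated PowerShell session on a domain-joined machine with an account that can read the directory; a non-zero exit code means at least one SPN is missing, duplicated or registered on the wrong account, which matches the three conditions checkspn.vbs reports.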
34
9-Delegates unable to Schedule Live Meetings
[ ( 50) 10:08:31:275 <RTL> ] [ PID: 0908 TID: 0304 ] Displaying error message "An error occurred while executing this command. If this error persists, please contact your Live Meeting administrator." for HRESULT 0x Err: 0x > (E_INVALIDARG) (kernel32.dll) One or more arguments are invalid
With the release of the July 2009 Cumulative Update for Office Communications Server 2007 R2 and associated technologies, it is now possible to allow a non-Enterprise Voice user to enable Conference Delegation (Boss/Admin feature).
Knowledge base article
35
Verify pre-requisite software:
- Office Communicator 2007 R2 version or later
- Office Live Meeting 2007 client/Outlook Add-in version or later
Configure Required Registry Entry
On the “Boss” machine, enable the following registry key in only one of the two locations:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Communicator]
"EnableExchangeDelegateSyncUp"=dword:
Or
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Communicator]
36
10-A/V quality issues (Network/Firewall issue)
Help And How To: Voice and Video Call Quality
2- Using DNAT with OCS
+++ DNAT problem with load balanced pools
An audio or video session exits unexpectedly when an external user tries to add a third user to the session in Communications Server 2007. This issue occurs in an environment that has the following configuration:
• You have a Consolidated Office Communications Server 2007 Enterprise Edition pool that is deployed behind a hardware load balancer device.
• The hardware load balancer device is running in a destination network address translation (DNAT) configuration.
To work around this issue, use one of the following methods.
Method 1: Add an entry in the hosts file
Modify the hosts file on each front-end server in the Communications Server 2007 pool. In the hosts file, add an entry that maps the fully qualified domain name (FQDN) of the pool to the IP address assigned to that particular front-end server.
Method 2: Change the load balancer configuration to use SNAT
The MSFT_SIPPoolConfigSetting.Backend entry must be changed – see the KB for more details.
+++ Configurations that fail only in certain cases
- Federation between companies that either only allow audio traffic over UDP or only over TCP
- External clients that are behind a proxy requiring authentication
- Coexistence between LCS 2005 SP1 and OCS 2007 EE with a single Front End Server shows presence issues when the OCS VIP and the dedicated IP are the same
- Running Windows Server 2008 AD Prep in a Windows Server 2003 AD with OCS 2007 deployed will cause OCS to fail when checking forest prep state (see upcoming version of OCS Supportability Guide)
- SOX OCS 2007 R2 - Unable to download shared meeting content / x
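Method 1 is easy to apply once and then lose track of across a pool. The script below is an added example, not from the presentation or from Microsoft's KB, that verifies on a front-end server whether the workaround is in place: it parses the local hosts file, finds the pool FQDN and confirms that the address it maps to is one of this server's own IPv4 addresses rather than the load balancer VIP. The pool name is a placeholder.

```powershell
# Added example, not from the presentation: on a front-end server behind a
# DNAT load balancer, confirm Method 1 is in place, i.e. the pool FQDN in the
# local hosts file points at one of this server's own addresses rather than
# the load balancer VIP. The pool name below is a placeholder.

$poolFqdn  = 'pool01.jte-leo.fr'
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-HostsEntry {
    # Parses a hosts file into (Address, Name) pairs, skipping comments and blank lines.
    param([string]$Path)
    foreach ($raw in Get-Content -Path $Path) {
        $line = ($raw -split '#', 2)[0].Trim()
        if (-not $line) { continue }
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) { continue }
        for ($i = 1; $i -lt $parts.Count; $i++) {
            New-Object PSObject -Property @{ Address = $parts[0]; Name = $parts[$i] }
        }
    }
}

function Get-LocalIPv4 {
    # IPv4 addresses bound on this machine (works on Windows Server 2003/2008 too).
    [System.Net.Dns]::GetHostAddresses([System.Net.Dns]::GetHostName()) |
        Where-Object { $_.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork } |
        ForEach-Object { $_.IPAddressToString }
}

function Test-PoolHostsOverride {
    param([string]$PoolFqdn, [string]$HostsPath)
    $entries = @(Get-HostsEntry -Path $HostsPath | Where-Object { $_.Name -ieq $PoolFqdn })
    $local   = @(Get-LocalIPv4)
    if ($entries.Count -eq 0) {
        Write-Warning "No hosts entry for $PoolFqdn: traffic this FE sends to the pool name goes through the DNAT VIP. Add '<this-FE-ip> $PoolFqdn' to $HostsPath (Method 1) or move the load balancer to SNAT (Method 2)."
        return $false
    }
    if ($entries.Count -gt 1) {
        Write-Warning "$PoolFqdn appears $($entries.Count) times in $HostsPath; remove the duplicates."
    }
    $addr = $entries[0].Address
    if ($local -notcontains $addr) {
        Write-Warning "$PoolFqdn maps to $addr, which is not a local address (local: $($local -join ', '))."
        return $false
    }
    Write-Host "OK: $PoolFqdn -> $addr (local)"
    return $true
}

if (-not (Test-PoolHostsOverride -PoolFqdn $poolFqdn -HostsPath $hostsPath)) { exit 1 }
```

Run it on each front-end server of the pool; a non-zero exit code means that server still resolves the pool name through the VIP and the DNAT hairpin described above can still occur.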
37
The local parameters
38
Useful Links
- Validation and Troubleshooting Hints in Office Communications Server 2007 R2
- Office Communications Server 2007 Solution Center How-To
39
Useful Links
- Updates Resource Center for Office Communications Server 2007 R2 and Clients
- Retrieve Installed Versions of Office Communicator and Office Live Meeting
40
Sessions OCS UCO403 OCS 2007 R2 Edge Server: how it works and how to deploy it Eric Scherlinger 10/02/ :00 – 17:00