Unified Communications by Yann Espanet

Microsoft Office Communications,Exchange,VoIP,telephony

Choose between insecure and “not working”: to apply or not the MS Crypto API security update KB974571 on OCS …

October 19, 2009 By: Yann Espanet Category: KB articles, Office Communication Server

According to Microsoft, you have to choose between being secure and keeping OCS working!

Your evaluation period may have expired, with this error in Event Viewer:

Event source: OCS Server
Event id: 12290
Event text: The evaluation period for Microsoft Office Communications Server 2007 R2 has expired. Please upgrade from the evaluation version to the full released version of the product.

So, you follow the “Upgrading Office Communications Server 2007 Evaluation to the Full Released Version” document :

http://www.microsoft.com/downloads/details.aspx?FamilyId=54A5521D-A928-46F2-8BF7-125DA636DD2E&displaylang=en

BUT here’s the result :

OCS Setup log :

Failure
[0xC3EC78D8] Failed to read the Office Communications Server version information. This can happen if the computer clock is not set to correct date and time.

 

After some research I’ve found that the workaround was to remove the MS Crypto API security update KB974571. So I removed the update, rebooted the machine, and OCS 2007 R2 was up and running again, without any issues.

What is Microsoft's position on this issue?

http://support.microsoft.com/kb/974571/en-us

Microsoft recommends postponing the installation of KB974571 on any LCS 2005 / OCS 2007 / OCS 2007 R2 server. Keep in mind that a server where the update is postponed or removed is running an unpatched CryptoAPI: limit who can reach it, and re-apply the update as soon as Microsoft publishes a resolution.

“Microsoft is investigating this issue, and will determine the most appropriate way to address it. Customers who are not running OCS or LCS server are not affected by this known issue, and can safely ignore this issue.

Customers who have deployed the OCS or LCS product on a server should assess the risk that is involved to decide whether to install the security update on that server. These customers should revisit this Knowledge Base article often, because this article will be updated as soon as more information and a resolution are available.”

Nice one from MS !
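Before applying the workaround it is worth knowing which of your servers actually carry the update and whether their clocks are right, since the setup error quoted above is also raised for a wrong date and time. The PowerShell function below is an added example, not part of the original post: it reads the installed-updates list and the current time of each server over WMI from a domain-joined workstation whose own clock is assumed to be synchronised with the domain. The server names are assumptions, and admin rights on the targets are needed for WMI.

```powershell
# Added example, not from the original post. For each OCS server, reports whether KB974571 is
# installed and how far its clock is from this workstation's (assumed to be in sync with the domain).
# Server names are assumptions; WMI needs admin rights on the targets.
function Get-OcsPatchAndClockStatus {
    param(
        [string[]]$ComputerName,
        [string]$HotFixId = 'KB974571'
    )
    foreach ($computer in $ComputerName) {
        # Win32_QuickFixEngineering lists installed Windows updates; no row means not installed
        $fix = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $computer `
                             -Filter "HotFixID='$HotFixId'" -ErrorAction SilentlyContinue

        # Win32_OperatingSystem.LocalDateTime is a DMTF timestamp that carries its UTC offset;
        # the converter returns a DateTime in this machine's time zone, so zones do not matter
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $computer -ErrorAction SilentlyContinue
        $offset = $null
        if ($os) {
            $remoteNow = [System.Management.ManagementDateTimeConverter]::ToDateTime($os.LocalDateTime)
            $offset = [math]::Round(($remoteNow - (Get-Date)).TotalSeconds, 1)
        }

        New-Object PSObject -Property @{
            Computer        = $computer
            Reachable       = [bool]$os
            HotFixInstalled = [bool]$fix
            InstalledOn     = $(if ($fix) { $fix.InstalledOn } else { $null })
            ClockOffsetSec  = $offset
            # 300 s is the Kerberos default tolerance; a clock that is off by days is what breaks
            # certificate validity checks, which is what the setup log's hint about the clock refers to
            ClockOk         = ($offset -ne $null -and [math]::Abs($offset) -lt 300)
        }
    }
}

Get-OcsPatchAndClockStatus -ComputerName 'ocs-fe01', 'ocs-med01' |
    Format-Table Computer, Reachable, HotFixInstalled, InstalledOn, ClockOffsetSec, ClockOk -AutoSize
```

A server that shows HotFixInstalled = False and ClockOk = False is not a case for removing the update; fix the clock first and retry the upgrade.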

Evaluate Microsoft Exchange Server 2010 Release Candidate on Windows 2008 R2

August 27, 2009 By: Yann Espanet Category: Exchange 2010, Webcast

You can download the Exchange Server 2010 Release Candidate from the Microsoft Download Center!

This is the build number 14.00.0639.011 and you can download it from here :  http://www.microsoft.com/downloads/details.aspx?FamilyID=c6d27da1-ba2c-4570-a491-c0d7b39ede8b

This build is compatible with both Windows 2008 SP2 and Windows 2008 R2 (from RC1 through to RTM). As we changed the store schema between the Exchange Beta and RC, there’s no in-place upgrade from the Beta release. However, we will support in-place upgrade from the Release Candidate through to the final RTM build.

Extract from “Paul Bowden – Release Manager – Exchange Server”

 ——————————————————————————————–

Here’s a quick start guide to get you up and running as quickly as possible with the new build:

 

Windows 2008

1.       Install Windows Server 2008 x64 (Standard or Enterprise – but not Core or Web Server) and join the appropriate domain

2.       Install Service Pack 2 from http://technet.microsoft.com/en-us/windows/dd262148.aspx

3.       Install .NET Framework 3.5 Service Pack 1 from http://www.microsoft.com/downloads/details.aspx?FamilyID=ab99342f-5d1a-413d-8319-81da479ab0d7

4.       Install the .NET Framework 3.5 SP1 Update from http://www.microsoft.com/downloads/details.aspx?FamilyID=98E83614-C30A-4B75-9E05-0A9C3FBDD20D

5.       Install the combined PowerShell v2/Windows Remote Management package (Windows 6.0-KB968930.msu) from https://connect.microsoft.com/windowsmanagement/Downloads/DownloadDetails.aspx?DownloadID=21268

6.       For Hub Transport and/or Mailbox roles, install the Office Filter Pack from http://www.microsoft.com/downloads/details.aspx?FamilyId=60C92A37-719C-4077-B5C6-CAC34F4227CC

7.       Open a command prompt, and use the installation scripts from the \Scripts sub-folder on the installation media to enable operating system components:

a.       For a typical installation of Client Access, Hub Transport, and the Mailbox role, run:

  • ServerManagerCmd -ip <media>\Scripts\Exchange-Typical.xml

b.       For a Client Access role only, enter:

  • ServerManagerCmd -ip <media>\Scripts\Exchange-CAS.xml

c.       For a Hub Transport role, enter:

  • ServerManagerCmd -ip <media>\Scripts\Exchange-Hub.xml

d.       For a Mailbox role, enter:

  • ServerManagerCmd -ip <media>\Scripts\Exchange-MBX.xml

e.       For a Unified Messaging role, enter:

  • ServerManagerCmd -ip <media>\Scripts\Exchange-UM.xml

f.       For an Edge Transport role, enter:

  • ServerManagerCmd -ip <media>\Scripts\Exchange-Edge.xml

8.       For Client Access server roles, run “sc config NetTcpPortSharing start= auto” from a command-prompt

9.       Restart the computer

10.   Run the Setup.exe program from the Exchange 2010 download package

 

Windows 2008 R2

1.       Install Windows Server 2008 R2 (Standard or Enterprise – but not Core, Web Server or Foundation Server) and join the appropriate domain

2.       For Hub Transport and/or Mailbox roles, install the Office Filter Pack from http://www.microsoft.com/downloads/details.aspx?FamilyId=60C92A37-719C-4077-B5C6-CAC34F4227CC

3.       Open a Windows PowerShell console window from the Accessories menu

4.       Enter “Import-Module ServerManager” and press return

5.       Use the Add-WindowsFeature cmdlet to enable operating system components:

a)      For a typical installation of Client Access, Hub Transport, and the Mailbox role, enter:

  • Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy
  • Set-Service NetTcpPortSharing -StartupType Automatic

b)      For a Client Access role only, enter:

  • Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy
  • Set-Service NetTcpPortSharing -StartupType Automatic

c)       For a Hub Transport role or Mailbox role, enter:

  • Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server

d)      For a Unified Messaging role, enter:

  • Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Desktop-Experience

e)      For an Edge Transport role, enter:

  • Add-WindowsFeature NET-Framework,RSAT-ADDS,ADLDS

6.       Restart the computer

7.       Run the Setup.exe program from the Exchange 2010 download package

 

Active Directory Configuration

a.       The schema master must be running a minimum of Windows Server 2003 with Service Pack 1

b.      The forest must be in Windows Server 2003 functionality mode (or later)

c.       All Exchange 2010 servers must be able to communicate with a global catalog server which is running Windows Server 2003 with Service Pack 1 (or later)

d.      Read-only domain controllers (RODC) are not supported with Exchange 2010

e.      We generally recommend that you install Exchange 2010 on member servers versus domain controllers. This helps to secure your installation

 

Enjoy your test !
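The five Active Directory conditions listed in the quick start guide can be verified before Setup is run. The PowerShell script below is an added example, not part of the original post or of Microsoft's setup scripts: it uses System.DirectoryServices only (no Active Directory module, which Windows Server 2008 does not have), assumes a domain account with read access to the directory, and recognises the operating system from the operatingSystem and operatingSystemServicePack attributes as Windows writes them.

```powershell
# Added example, not from the original post or from the Exchange 2010 setup scripts.
# Checks prerequisites a to e above using System.DirectoryServices from a domain-joined machine.
# Assumes a domain account with read access to the directory.

function Get-DcComputerInfo {
    param([string]$DnsHostName, [string]$DomainName)
    # Reads the computer object of a domain controller from its own domain (serverless LDAP bind)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + $DomainName)
    $searcher.Filter = "(&(objectCategory=computer)(dNSHostName=$DnsHostName))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]('operatingSystem', 'operatingSystemServicePack', 'primaryGroupID'))
    $result = $searcher.FindOne()
    if ($result -eq $null) { return $null }
    # Missing attributes come back as an empty collection, so guard the [0] index
    $get = { param($name) $v = $result.Properties[$name]; if ($v.Count -gt 0) { [string]$v[0] } else { '' } }
    New-Object PSObject -Property @{
        Name   = $DnsHostName
        OS     = & $get 'operatingsystem'
        SP     = & $get 'operatingsystemservicepack'
        IsRodc = ((& $get 'primarygroupid') -eq '521')   # RID 521 = Read-only Domain Controllers group
    }
}

function Test-MinimumDcOs {
    param($Dc)
    # Windows Server 2003 needs at least SP1; Windows Server 2008 and 2008 R2 always qualify
    if ($Dc.OS -match 'Windows Server 2008') { return $true }
    if ($Dc.OS -match 'Windows Server 2003') { return ($Dc.SP -match 'Service Pack [1-9]') }
    return $false
}

function New-CheckResult {
    param($Check, $Pass, $Detail)
    New-Object PSObject -Property @{ Check = $Check; Pass = [bool]$Pass; Detail = $Detail }
}

function Test-Exchange2010AdPrerequisites {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $checks = @()

    # a. schema master at Windows Server 2003 SP1 or later
    $sm = $forest.SchemaRoleOwner
    $smInfo = Get-DcComputerInfo $sm.Name $sm.Domain.Name
    $checks += New-CheckResult 'a. Schema master >= 2003 SP1' ($smInfo -ne $null -and (Test-MinimumDcOs $smInfo)) `
                               ('{0}: {1} {2}' -f $sm.Name, $smInfo.OS, $smInfo.SP)

    # b. forest functional level at Windows Server 2003 or later (enum values are ordered)
    $minMode = [System.DirectoryServices.ActiveDirectory.ForestMode]::Windows2003Forest
    $checks += New-CheckResult 'b. Forest mode >= Windows Server 2003' ([int]$forest.ForestMode -ge [int]$minMode) ([string]$forest.ForestMode)

    # c. at least one writable global catalog at 2003 SP1 or later
    $gcs = @($forest.GlobalCatalogs | ForEach-Object { Get-DcComputerInfo $_.Name $_.Domain.Name })
    $usable = @($gcs | Where-Object { $_ -ne $null -and -not $_.IsRodc -and (Test-MinimumDcOs $_) })
    $checks += New-CheckResult 'c. Usable global catalog >= 2003 SP1' ($usable.Count -gt 0) (($usable | ForEach-Object { $_.Name }) -join ', ')

    # d. RODCs anywhere in the forest: Exchange 2010 cannot use them, so writable DCs/GCs must be reachable
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("GC://" + $forest.Name)
    $searcher.Filter = '(&(objectCategory=computer)(primaryGroupID=521))'
    [void]$searcher.PropertiesToLoad.Add('dNSHostName')
    $rodcs = @($searcher.FindAll() | ForEach-Object { [string]$_.Properties['dnshostname'][0] })
    $checks += New-CheckResult 'd. No RODC (Exchange 2010 will not use them)' ($rodcs.Count -eq 0) ($rodcs -join ', ')

    # e. this machine should be a member server, not a domain controller (DomainRole 3 = member server, 4/5 = DC)
    $role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
    $checks += New-CheckResult 'e. Local machine is a member server' ($role -eq 3) ("DomainRole = $role")

    $checks
}

Test-Exchange2010AdPrerequisites | Format-Table Check, Pass, Detail -AutoSize
```

Run it on the future Exchange server itself so that check e reflects that machine; a failed check d is only a blocker if the RODCs listed are the only domain controllers in an Active Directory site where Exchange will be installed.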

New resources and whitepapers for OCS R2

August 11, 2009 By: Yann Espanet Category: Office Communication Server, Whitepapers

Office Communications Server 2007 R2 Capacity Planning Tool

http://www.microsoft.com/downloads/details.aspx?familyid=F8CBDDD6-7608-4BBE-9246-16E96C62BEF4&displaylang=en

 Integrating Telephony with Office Communications Server 2007 and 2007 R2

 http://www.microsoft.com/downloads/details.aspx?FamilyID=8cde0c3a-042e-445b-a514-2d12ed5b2ac2&displaylang=en

Microsoft Office Communications Server 2007 R2 Client and Devices Technical Reference

http://www.microsoft.com/downloads/details.aspx?familyid=7EEA9543-EC18-4BEB-BA49-1023A441147C&displaylang=en

 

Microsoft Office Communications Server 2007 R2 Site Resiliency White Paper

http://www.microsoft.com/downloads/details.aspx?familyid=C930FEBB-3A44-4BF3-969D-1C52675A7063&displaylang=en

 

Live Meeting 2007 Technical Considerations Whitepaper

http://www.microsoft.com/downloads/details.aspx?familyid=E52C945A-BF33-48AC-B5D8-D8C4E93C71CC&displaylang=en

 

Unified Communications Phones and Peripherals Datasheet

http://www.microsoft.com/downloads/details.aspx?familyid=74BD3EC0-C7DC-4111-A9B7-A9AFBDC86AA9&displaylang=en#filelist

Using Asterisk to pass and receive SIP calls from Microsoft OCS to a SIP Trunk in UDP

August 04, 2009 By: Yann Espanet Category: Hardware Device, Interoperability, SIP trunk

Enabling Any SIP Phone & Any SIP Trunking Service Provider with OCS 2007 R2 !

Goals of the demo :

Use Asterisk as a UDP/TCP translator between OCS, which only speaks SIP over TCP (MTLS), and a SIP trunking service that only speaks SIP over UDP.

  • make calls from Microsoft Office Communicator to the SIP trunk
  • dial in from an external mobile or a PSTN phone through the SIP trunk and answer the call on either a hard or soft phone or in Office Communicator
  • control call forwarding and simultaneous ringing from Communicator

I use Asterisk 1.6, which supports both TCP and UDP, installed on CentOS 5 (kernel 2.6.18).

Installation steps :

  1. Add a mediation server to the OCS infrastructure
  2. Add an asterisk server
  3. Configure Mediation server to use the asterisk box
  4. Resolve NAT problem (if needed)
  5. Create two SIP trunks :
    1. Asterisk to OCS
    2. Asterisk to SIP Trunk service
  6. Define the context used by this trunks
  7. Configure follow me
  8. Test the infrastructure

 

Basic schema :
 

OCS R2  --MTLS--  Mediation Server  --TCP--  Asterisk  --UDP--  Firewall/NAT  --UDP--  SIP trunk

  

I use Hyper-V for the two OCS servers and VMware for the Asterisk server.

  

Step by step

Step 1 : Add a mediation server to your infrastructure

  1. Install a mediation server
  2. Configure certificate
  3. Add the OCS reskit tools (useful for troubleshooting)
  4. Create a dial plan
  5. Create a location profile with two normalization rules.

The first rule handles internal numbering; the second is a catch-all that sends every number that is not a valid OCS extension to the default gateway.

  • Internal: OCS users have a three-digit extension beginning with 2

Phone pattern : ^2(\d{2})$

Translation pattern : +2$1

  • Generic rule: every number matches it, so be careful to put this rule in second position in your location profile (rules are tried in order and the first match wins; placed first, the catch-all would swallow the internal extensions too)

Phone pattern : ^(.*)$

Translation pattern : $1

Assign the location profile to the front-end server (properties of the pool / properties of front-end / Voice tab)
NB : Test your dial plan using the Enterprise Voice Route Helper from the OCS Resource Kit
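The location profile can also be replayed without the Route Helper, with the same .NET regular expression engine OCS uses. The PowerShell function below is an added example, not part of the original post: it applies the rules in profile order, first match wins, as OCS does. The two rules are the ones above; the dialed strings and the deliberately mis-ordered copy of the profile are constructed for the test.

```powershell
# Added example, not from the original post: a scripted stand-in for the Enterprise Voice Route Helper.
# OCS normalization rules are .NET regular expressions evaluated in location-profile order, first match wins.
function ConvertTo-NormalizedNumber {
    param([string]$Dialed, [object[]]$Rules)
    foreach ($rule in $Rules) {
        $regex = New-Object System.Text.RegularExpressions.Regex($rule.Pattern)
        if ($regex.IsMatch($Dialed)) {
            # Regex.Replace understands the same $1 back-references OCS uses in translation patterns
            return New-Object PSObject -Property @{
                Dialed = $Dialed; Rule = $rule.Name; Normalized = $regex.Replace($Dialed, $rule.Translation) }
        }
    }
    New-Object PSObject -Property @{ Dialed = $Dialed; Rule = '(no rule matched)'; Normalized = $null }
}

# The location profile from step 1: internal 2xx extensions first, catch-all second
# (single quotes keep PowerShell from expanding $1 before the regex engine sees it)
$locationProfile = @(
    @{ Name = 'Internal 2xx'; Pattern = '^2(\d{2})$'; Translation = '+2$1' },
    @{ Name = 'Generic';      Pattern = '^(.*)$';     Translation = '$1' }
)

# Constructed test input: an extension, a national number, an E.164 number and a four-digit string
$dialed = '234', '0612345678', '+33612345678', '2345'

$dialed | ForEach-Object { ConvertTo-NormalizedNumber -Dialed $_ -Rules $locationProfile } |
    Format-Table Dialed, Rule, Normalized -AutoSize

# Same rules with the catch-all in first position, to show why the order in the profile matters
$misordered = @($locationProfile[1], $locationProfile[0])
$dialed | ForEach-Object { ConvertTo-NormalizedNumber -Dialed $_ -Rules $misordered } |
    Format-Table Dialed, Rule, Normalized -AutoSize
```

With the profile in the order above, 234 becomes +234 through the internal rule and every other string (0612345678, +33612345678, and the four-digit 2345, which is not an extension) passes through the generic rule unchanged. With the catch-all first, ^(.*)$ also matches 234, so the internal rule is never reached and the extension is sent to the gateway instead of to the OCS user.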

Step 2 : Add an asterisk server

  1. Download the trixbox 2.2 Virtual Appliance from the VMware website http://www.vmware.com/appliances/directory/939
  2. Configure basic settings (IP address, ...)
  3. Add these lines to the [general] section of sip.conf (tcpenable is a global option; bindport is the UDP port, and with tcpenable=yes Asterisk 1.6 also listens for TCP on port 5060 unless tcpbindaddr says otherwise):

tcpenable = yes
bindport = 5060

  4. Access the trixbox web interface (use Mozilla). In System menu / Network / Configure, set the IP, subnet, DNS and a hostname that is valid on the Internet, e.g. sip.mydomain.com

 

Step 3 : Configure Mediation server to use the asterisk box

  1. Open the properties of your Mediation Server and verify that:
     • General tab: the gateway listening port is 5060
     • Next hop connections tab: the PSTN gateway next hop is the IP address of your Asterisk server, port 5060

Step 4 : Resolve NAT problems (if needed)

  1. In Asterisk, Go to PBX / Config File Editor / and edit SIP_NAT.conf

nat=yes

externip=Valid_FQDN

localnet=Your_Localnet/Your_Subnet

  2. Open the following ports on your firewall, restricted to the SIP trunk provider's addresses (an Asterisk box reachable from the whole Internet on 5060 with the default allowguest=yes is a standing invitation to toll fraud; set allowguest=no in the [general] section of sip.conf as well):
    • 5060 UDP (and TCP only if the provider uses it) for SIP
    • RTP: 10000 to 20000 UDP
  3. Verify that you can see your valid public IP in the Trixbox system status

 

Step 5 : Create two SIP trunks in Trixbox: Asterisk to OCS and Asterisk to the SIP trunk service

  • Asterisk to OCS

Trunk Name : ocs

PEER Details :

host=ip-mediation-server

type=peer

qualify=yes

transport=tcp

insecure=very

port=5060

canreinvite=yes

fromdomain=yourdomain

context=from-ocs

insecure=very is the older spelling of insecure=port,invite: Asterisk neither checks the source port nor challenges INVITEs from this peer, because the Mediation Server does not authenticate. The peer is therefore admitted on its source address alone (host=ip-mediation-server), and whatever reaches [from-ocs] is dialled out on the SIP trunk, so make sure only the Mediation Server can reach TCP 5060 on the Asterisk box.

Incoming Settings :

User context : (I put a OCS username here)

User details :

host=ip-mediation-server

type=peer

transport=tcp

insecure=very

port=5060

context=from-ocs

register string :

(leave blank)

 

 

  • Asterisk to SIP Trunk service

Trunk Name : siptrunk

PEER Details :

type=friend

disallow=all

allow=ilbc&speex&gsm&alaw&ulaw

username=username

secret=password

host=yoursipregistrar

canreinvite=no

context=from-siptrunk

Incoming Settings :

Clear all

register string :

username:password@yoursipregistrar (append /yournumber if needed)

  

Step 6 : configure context

Edit extensions_custom.conf and add at the end of the file:

[from-ocs]
exten => _X.,1,Answer
exten => _X.,2,Dial(SIP/${EXTEN}@siptrunk,,tr)
exten => _X.,3,Hangup

#include extensions-away-status.conf

[from-siptrunk]
exten => _X.,1,Set(numDialled=+${EXTEN:Number_of_X_to_ignore})
exten => _X.,2,Set(__FROM_DID=${EXTEN})
exten => _X.,3,Answer
exten => _X.,4,Dial(SIP/${numDialled}@ocs,,tr)
exten => _X.,5,Hangup

Replace Number_of_X_to_ignore with the number of leading digits to drop from the DID the provider delivers, so that numDialled becomes the +<digits> number that matches the OCS user's line URI. Note that the pattern _X. requires a leading digit: if the Mediation Server ever sends a number with a leading +, it needs its own _+X. pattern.
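A tightened version of the sip.conf and extensions_custom.conf fragments from steps 2, 4, 5 and 6, as an added example that is not the configuration of the original post: it closes the door the default allowguest=yes leaves open on the UDP listener, keeps the provider entry a peer so that accepting its unauthenticated INVITEs cannot be abused by name, and gives '+' numbers their own pattern. Addresses, domain names, credentials and the French numbering (10-digit national DIDs, +33 line URIs in OCS) are assumptions to replace with your own; the options are Asterisk 1.6 chan_sip syntax. In trixbox the [general] settings go in sip_general_custom.conf and the peer sections in each trunk's PEER Details box.

```ini
; Added example, not the original post's configuration. Addresses, names, credentials and the
; +33 / 0XXXXXXXXX numbering are assumptions.

; ===== sip.conf =====
[general]
bindaddr=0.0.0.0
bindport=5060                  ; UDP listener for the SIP trunk provider; firewall it to the provider's addresses
tcpenable=yes
tcpbindaddr=0.0.0.0:5060       ; TCP listener for the Mediation Server
allowguest=no                  ; an INVITE that matches no peer is rejected instead of landing in a default context
alwaysauthreject=yes           ; unknown user and wrong password get the same reply, so peers cannot be enumerated
nat=yes
externip=sip.mydomain.com
localnet=192.168.1.0/255.255.255.0

[ocs]                          ; Mediation Server leg: admitted by source address only
type=peer
host=192.168.1.10              ; ip-mediation-server
port=5060
transport=tcp
insecure=port,invite           ; 1.6 spelling of insecure=very; the Mediation Server never authenticates to us
qualify=yes
canreinvite=no                 ; media stays on Asterisk, so the nat/externip settings above apply to it
context=from-ocs

[siptrunk]                     ; provider leg
type=peer                      ; not 'friend': with insecure=invite a friend would also accept any INVITE whose
                               ; From user is 'username', whatever its source; a peer is matched by host only
host=sip.provider.example
username=username
secret=password
insecure=invite                ; providers usually do not answer a challenge on the calls they deliver to us
disallow=all
allow=alaw&ulaw
canreinvite=no
context=from-siptrunk
register => username:password@sip.provider.example

; ===== extensions_custom.conf =====
[from-ocs]
; Only the Mediation Server reaches this context (peer match above), and only the number shapes the
; location profile can produce are forwarded. _X. needs a leading digit, so '+' numbers get their own pattern.
exten => _0X.,1,Dial(SIP/${EXTEN}@siptrunk,60)          ; national number, as sent by the generic rule
exten => _0X.,n,Hangup()
exten => _+33X.,1,Dial(SIP/0${EXTEN:3}@siptrunk,60)     ; +33123456789 -> 0123456789 for the provider
exten => _+33X.,n,Hangup()

[from-siptrunk]
; DID arrives as 0123456789; the OCS user's line URI is tel:+33123456789.
; No Answer() before Dial: answering the incoming leg first connects (and, on the PSTN side, bills)
; the call before the far end picks up and suppresses ringback.
exten => _0X.,1,Set(__FROM_DID=${EXTEN})
exten => _0X.,n,Dial(SIP/+33${EXTEN:1}@ocs,60)
exten => _0X.,n,Hangup()
```

After a reload, "sip show peers" should list both peers, with the ocs peer marked OK by qualify; a call from Communicator should then appear in "sip set debug on" output arriving on TCP and leaving on UDP.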

 

Step 7 : Configure follow-me in Asterisk

Map each DID from your SIP trunk to an Asterisk extension, and let follow-me redirect it to the OCS extension by appending # to the number.
DID number from your SIP trunk provider —> extension in Asterisk —> follow-me to the OCS extension (the # after the number tells FreePBX that the destination is external to Asterisk)

Step 8 : Test the infrastructure

  1. Troubleshooting tools you can use in Asterisk:
    1. Log in as root with a terminal (PuTTY), type asterisk -r, then sip set debug on
    2. Assign a line prefix to test the trunk from a softphone connected directly to Asterisk
      Ex: create an outbound route with the dial pattern “9|.” to test the trunk by dialing 9 before the number
  2. Troubleshooting tools you can use in OCS:
    1. Event Viewer
    2. The debug tools (right-click your Mediation Server)
    3. Microsoft Network Monitor
    4. The Enterprise Voice Route Helper to validate your dial plan

Have fun with it, and leave me a message if you run into problems!

It is probably possible to do the same with other IP PBXs such as FreeSWITCH, OpenSER, sipXecs, …

Date : 04/08/2009  - Author :  Yann Espanet – mail : yann@unifiedcommunications.eu

Understanding Microsoft Regular Expressions

July 31, 2009 By: Yann Espanet Category: Office Communication Server

Trouble using regular expressions when defining routes for OCS? Download a white paper from Global Knowledge and a cheat sheet from AddedBytes!

  • Tips on Understanding Microsoft Regular Expressions from GlobalKnowledge

“Microsoft has introduced regular expressions for the main purpose of normalizing E.164 numbers and allowing users to dial numbers by a pattern they are accustomed to, and to define routes to send to an external gateway for PSTN connectivity. This white paper focuses on the regular expression process and the syntax used by the Microsoft OCS (Optional Component Manager) Expert to create a dial plan and normalization rules that will properly be interpreted and executed. Regular expressions are also used for Address Book translations of numbers in the user contact database that would have to be converted to the E.164 format. This paper also examines tool sets that can be used right on your XP or Vista computer to test regular expression constructs without disturbing the corporate production environment.”

http://images.globalknowledge.com/wwwimages/whitepaperpdf/WP_Parlas_MicrosoftOCS.pdf

  • regular-expressions-cheat-sheet-v2.pdf

http://www.addedbytes.com/download/regular-expressions-cheat-sheet-v2/pdf/

Why does Microsoft use TCP instead of UDP for SIP?

July 21, 2009 By: Yann Espanet Category: Interoperability

Is it better to use TCP rather than UDP for SIP because of message fragmentation concerns?

First concern: maximum size of a UDP datagram

The maximum message size for a UDP datagram socket is bounded by the maximum size of an IP datagram and by the size of the socket's datagram buffer.
An IPv4 datagram is at most 65,535 bytes; after the 20-byte IP header and the 8-byte UDP header, that leaves at most 65,507 bytes for a UDP message. Enlarging the socket buffer only lets several maximum-sized messages queue for sending; it does not raise the per-message limit. On Windows the default inbound and outbound message size limit of a UDP datagram socket is 65,535 bytes.

The maximum message size for a UDP broadcast is limited by the MTU of the underlying link, which is 1,500 bytes on Ethernet.

Here’s the MTU for different media :

Network                   MTU (bytes)

Token Ring 16 Mb/s        17 914
FDDI                       4 352
Ethernet                   1 500
IEEE 802.3/802.2           1 492
PPPoE                      1 480
X.25                         576

UDP has no segmentation mechanism of its own; an oversized UDP datagram is fragmented by the IP layer.

Transmission Control Protocol (TCP) adjusts its segment size to fit within the MTU (the MSS it announces is derived from it).
User Datagram Protocol (UDP) ignores the MTU, forcing IP to fragment oversized datagrams.

Conclusion :

TCP segments the byte stream at the transport layer: a SIP message larger than the MTU is simply sent as several segments, each a complete IP packet with its own TCP header. With UDP the whole message is one datagram and fragmentation happens at the IP layer; only the first fragment carries the UDP header, so losing any fragment loses the whole message, and NATs and firewalls that filter on ports cannot classify the remaining fragments, which makes traversal difficult if not impossible. This matters more and more as SIP messages grow.

Second concern: multiple-stage fragmentation

Take a 12,000-byte datagram sent over a first link with a 3,300-byte MTU: it is split into four fragments, three of 3,300 bytes and a last one of about 2,100 bytes. While these fragments are in transit, they may need to pass over a hop between two routers where the physical network's MTU is only 1,300 bytes. In this case, each of the fragments will again need to be fragmented. The 3,300-byte fragments will end up in three pieces each (two of about 1,300 bytes and one of around 700 bytes) and the final 2,100-byte fragment will become a 1,300-byte and an 800-byte fragment. So instead of four fragments we end up with eleven.

(Figure: IPfragmentation, two-step fragmentation of a large IP datagram)

The figure illustrates a two-step fragmentation of a large IP datagram. The boxes represent datagrams or datagram fragments and are drawn to scale. The original datagram is 12,000 bytes in size, represented by the large grey box. To transmit it over the first local link, Device A splits it into four fragments, shown at the left in four primary colours. The first router must fragment each of these into smaller fragments to send them over the 1,300-byte MTU link, as shown at the bottom. Note that the second router does not reassemble the 1,300-byte fragments, even though its link to Device B has an MTU of 3,300 bytes: IP fragments are only reassembled by the final destination.
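The fragment counts in this example can be reproduced for any datagram size and path. The PowerShell functions below are an added example, not part of the original post: IPv4 with a 20-byte header and no options is assumed, and the 8-byte rounding comes from the fragment-offset field, which counts 8-byte units.

```powershell
# Added example, not from the original post: the fragmentation arithmetic behind the figure above.
# Assumes IPv4 with a 20-byte header and no options.

function Split-IPDatagram {
    param([int[]]$Sizes, [int]$Mtu, [int]$HeaderLength = 20)
    # Largest payload a fragment on this link can carry, rounded down to an 8-byte boundary,
    # because the fragment offset field counts 8-byte units
    $maxPayload = [int]([math]::Floor(($Mtu - $HeaderLength) / 8) * 8)
    foreach ($size in $Sizes) {
        if ($size -le $Mtu) { $size; continue }          # fits: forwarded unchanged
        $remaining = $size - $HeaderLength               # the IP header is copied onto every piece
        while ($remaining -gt 0) {
            $chunk = [int][math]::Min($maxPayload, $remaining)
            $chunk + $HeaderLength
            $remaining -= $chunk
        }
    }
}

function Get-FragmentsAlongPath {
    param([int]$DatagramSize, [int[]]$PathMtus)
    # Routers never reassemble in transit, so each hop re-fragments whatever arrives
    $sizes = @($DatagramSize)
    foreach ($mtu in $PathMtus) { $sizes = @(Split-IPDatagram -Sizes $sizes -Mtu $mtu) }
    $sizes
}

# The 12,000-byte datagram of the figure over the 3,300-byte link, then the 1,300-byte link
$path = @(Get-FragmentsAlongPath -DatagramSize 12000 -PathMtus 3300, 1300)
"{0} fragments: {1}" -f $path.Count, ($path -join ', ')

# A SIP INVITE of 1,700 bytes in one UDP datagram on Ethernet: 1,700 + 8 (UDP) + 20 (IP) bytes.
# Only the first fragment carries the UDP header with the ports; a NAT or port-based firewall that
# does not reassemble has nothing to match the other fragments against.
$invite = @(Get-FragmentsAlongPath -DatagramSize (1700 + 8 + 20) -PathMtus 1500)
"SIP over UDP on Ethernet: {0} fragments ({1})" -f $invite.Count, ($invite -join ', ')
```

For the 12,000-byte datagram the functions return the eleven fragments of the figure: three groups of 1,300, 1,300 and 740 bytes from the three full first-stage fragments, then 1,300 and 880 bytes from the last one. The second call shows the SIP case: a 1,700-byte INVITE becomes two fragments on Ethernet, and only the first carries the UDP ports that NAT devices and port-based firewalls key on; over TCP the same message would travel as two full segments, each with its own TCP header and ports.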

 

What about the impact on SIP performance ? A CPU problem, not a network problem ..

Today's SIP applications mostly operate over the unreliable transport protocol UDP. In lossy environments such as wireless networks and congested Internet links, SIP messages can be lost or delivered out of sequence. The SIP application then has to retransmit the lost messages and reorder the received packets. SIP has a built-in process for dealing with the unreliable nature of UDP, but to parse the SIP data a transition from kernel to user mode is required. This additional processing overhead can degrade the performance of the SIP application.

Conclusion : 
It’s not a network problem, but a CPU problem !

Take a look at this study :
http://www.research.ibm.com/people/n/nahum/papers/sigmetrics07-sip-perf.pdf

Security concerns ?

  • UDP has no handshake: a firewall cannot track a SIP session over UDP the way it tracks a TCP connection, and the source address of a UDP SIP request is trivial to spoof, which makes UDP the easy path for abusing weaknesses in a SIP stack.
  • UDP poses problems for NAT traversal, QoS and fragmentation.
  • Authentication and confidentiality: SIP over TLS needs a reliable transport, so TCP is what makes TLS-protected signalling possible. SRTP protects the media (which stays on UDP), but its keys are carried in the signalling, so SRTP is only as private as the TLS-protected SIP dialog that negotiates it. Together they make eavesdropping on conversations extremely difficult.

 

What about SCTP to transfer SIP messages ?

Ref : RFC 4168
http://www.rfc-editor.org/rfc/rfc4168.txt

Therefore to solve this problem, the researchers are looking for a more appropriate transport layer for SIP. SCTP, a transport protocol providing acknowledged, error-free, non-duplicated transfer of messages, has been proposed to be an alternative to UDP and TCP. The multi-streaming and multi-homing features of SCTP are especially attractive for applications that have stringent performance and high reliability requirements and an example is the SIP proxy server.

Ref :
http://www.bth.se/fou/cuppsats.nsf/all/7d8446ad03071d5ac12575890073deec/$file/Thesis%20Report%20Final.pdf

But additional testing needs to be done, and Microsoft does not support SCTP for the moment!

Another article can be found there :

Increased SIP Performance with Stream Control Transmission Protocol
http://blog.tmcnet.com/cross-talk/2008/07/increased-sip-performance-with-stream-control-transmission-protocol.html

SCTP and its applications
http://www.apng.org/9thcamp/Slide/Satit.pdf

 

Does Microsoft not support UDP for SIP at all?

True for OCS, but not for its small-business product: Microsoft Response Point supports SIP over UDP!

http://www.microsoft.com.nsatc.net/responsepoint/resources-whitepapers-sbsintegration.aspx

“Microsoft Response Point is complete phone system software designed specifically for small businesses with 1-50 employees. In the past, deploying an advanced phone system to a small business was considered impractical.”

“Network Protocols
Response Point transfers data and communicates using standard protocols. Generally, there should not be any network configuration changes needed to support these protocols. All hardware and software connected to your network—the router, SBS, and other computers— should work automatically with the following protocols:

  • Session Initiation Protocol (SIP over UDP) to establish and coordinate phone calls between devices.

  • Real-time Transport Protocol (RTP) to transmit audio over the LAN in the G.711 μLaw and G.723 encoding formats.
  • Secure Hypertext Transfer Protocol (HTTPS) and Extensible Markup Language (XML) to communicate configuration settings between the Administrator program and base unit, or the Assistant program and base unit.
  • Dynamic Host Configuration Protocol (DHCP) to acquire IP addresses; to discover the location of the base unit; and to discover phones and phone line adapters that have not been provisioned yet.
  • Hypertext Transfer Protocol (HTTP) and Extensible Markup Language (XML) to provision phones and phone line adapters.”

 

 

Strange Error message : OCS R2 not supported on Windows 2008 R2 RC ?!!!!

July 16, 2009 By: admin Category: Office Communication Server

(Screenshot: ocserror)

Screenshot of trying to install OCS R2 64bit 3.5.6907.0 on Windows 2008 R2 Standard 6.1.7100 Build 7100 …..

Exchange 2010 and Windows Mobile 6.5 preview on TechNet Edge

July 07, 2009 By: Yann Espanet Category: Exchange 2010

Adam Glick from Microsoft demonstrates the newest Exchange 2010 features for Windows Mobile 6.1/6.5 :

  • conversation view
  • ignore/move conversation
  • voice mail preview
  • voice to text
  • get free/busy
  • allow/block/quarantine phone list
  • new reporting
  • Windows Mobile OS automatic update