Lync Distribution Group

 

To add a certain set of Lync users to a client contact list, you can create a distribution group with the following options:
 

 

  1. The group scope should be Universal.
  2. The group type will be Distribution.
  3. You must include the e-mail address.

Once this group is created, you can add any number of users to it. I will add a couple of Lync users.

After adding the users I wanted, I have to go to the Lync server and force the address book synchronization between the GAL and Lync.
 

 
Wait about 5 minutes for the clients to download the latest updates, and then you will be able to see the changes in the client list. If not, you can force the clients to download the new updates by using a GPO to set a special registry value.

This registry value is applied on the clients:

reg add HKLM\Software\Policies\Microsoft\Office\15.0\Lync /v GalDownloadInitialDelay /t REG_DWORD /d 0 /f

From here you can now see the changes in Lync's contact lists.
 


Set Pin Authentication for Lync on DHCP Server

 

NOTE: I have attached DHCPUTIL and all of the other required files, so you can download them directly to your DHCP server.

This is the shortest way to set up PIN authentication for Lync on the DHCP server.

First, copy/download all the DHCP utilities from the Lync Front End server to the DHCP server and run the following command line.

Note: Make sure you run it from a command prompt (CMD) opened as an administrator.

DHCPUtil.exe -SipServer YourFrontendFQDN.com -WebServer YourFrontendFQDN.com -RunConfigScript

 

On the Lync server, make sure you run the following cmdlet in the Lync PowerShell:

Set-CsRegistrarConfiguration -EnableDHCPServer $true

That's it. You should be all set after you have run this command, and you should be able to see the new DHCP options in the DHCP server console.

To test the configuration, you can run the same tool with a different parameter, which will do the test for you. On another computer that is not the DHCP server, open a command prompt and run the following command line:

DHCPUtil.exe -EmulateClient

 

Note: I’m attaching all the required files to this page below for download.


Troubleshooting:

 

If you run the command and get the error below, then you might have missed a step.

DHCPUtil.exe -SipServer YourFrontendFQDN.com -WebServer YourFrontendFQDN.com -RunConfigScript

C:\Users\admin\Desktop> DHCPUtil.exe -EmulateClient

 

Starting Discovery …

Result: Failure =  -2147014848

Resolution:

On the Lync server, run the command:

Set-CsRegistrarConfiguration -EnableDHCPServer $true

Then, again on the Lync server (not the DHCP server), run DHCPUtil.exe -EmulateClient to test the configuration.

 

http://www.moh10ly.com/blog/VoIP/set-pin-authentication-for-lync-on-dhcp-server/pin_auth.rar

 


Web Conferencing Server connection failed to Establish on Edge server

 


 

In a domain environment with a backup DC, you might face a problem with the Lync Edge deployment.

After the step where you have to add the CA certificate to the Trusted CA store on the Edge server, you might notice some errors with the Edge server trusting the connection from the Front End, or vice versa.

The problem happens if there are two CA certificates in the Trusted CA store and you have imported only one of them.

 

 

Looking at the Front End server Certificate store which is joined to the Domain.

 

 

Errors that might be generated by the same symptom are:

Web Conferencing Server connection failed to establish.

Over the past 1 minutes Lync Server has experienced incoming TLS connection failures 1 time(s). The error code of the last failure is 0x80090325 (The certificate chain was issued by an authority that is not trusted.) and the last connection was from the host “”.

Cause:

This can occur if this box is not properly configured for TLS communications with remote Web Conferencing Server.

Resolution:

Check your topology configuration to ensure that both this host and remote Web Conferencing Server can validate each other TLS certificates and are otherwise trusted for communications.

 

The XMPP Translating Gateway Proxy has no connections to any XMPP gateways.

Cause:

Connectivity issue.

 

Resolution:

Check that a configured gateway is running.

 

TLS outgoing connection failures.

Over the past 1 minutes, Lync Server has experienced TLS outgoing connection failures 1 time(s). The error code of the last failure is 0x80090325 (The certificate chain was issued by an authority that is not trusted.) while trying to connect to the server “EGELYNCFE.domain.local” at address [192.168.16.45:5061], and the display name in the peer certificate is “Unavailable”.

Cause: Most often a problem with the peer certificate or perhaps the host name (DNS) record used to reach the peer server. Target principal name is incorrect means that the peer certificate does not contain the name that the local server used to connect. Certificate root not trusted error means that the peer certificate was issued by a remote CA that is not trusted by the local machine.

Resolution:

Check that the address and port matches the FQDN used to connect, and that the peer certificate contains this FQDN somewhere in its subject or SAN fields. If the FQDN refers to a DNS load balanced pool then check that all addresses returned by DNS refer to a server in the same pool. For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the local machine.

 

Resolution:

To resolve this problem, make sure that you export both CA certificates from the Front End and import them into the Edge server's Trusted Root CA local store.

 

 

Enable-CsTopology : Multiple Active Directory entries were found for type “ms-RTC-SIP-EdgeProxy” with ID in a multiple Domain Environment

 

If you have ever tried to publish a Lync topology and received the following error, then read this article to the end to find the solution.

 

Enable-CsTopology : Multiple Active Directory entries were found for type “ms-RTC-SIP-EdgeProxy” with ID in a multiple Domain Environment

At line:1 char:1

+ Enable-CsTopology

+ ~~~~~~~~~~~~~~~~~

    + CategoryInfo          : InvalidData: (:SourceCollection) [Enable-CsTopology], InvalidDataException

+ FullyQualifiedErrorId : DuplicateADEntry,Microsoft.Rtc.Management.Deployment.ActivateTopologyCmdlet

Open ADSIEDIT and open the Configuration for your DC.

Collapse the menu and click on Services.

Click on RTC Service.

Click on Global Settings, and in the right pane look for any duplicated entries and remove them.

As you can see in my right pane, I have 2 duplicated (msRTCSIP-EdgeProxy) entries, and I'm going to remove one of them and see if I can publish my topology or not. But before that, I will have to make sure that I export the entry that I want to delete.

I right-clicked on the last value and deleted it.

Now I will try to publish my topology and see what happens. My topology publishing failed with a new error this time.

I will have to go and check where this is coming from. Since it mentions TrustedService, I will go look in the trusted service.

This is not going to be easy, as you need to be careful where you look. You will need to make sure that you're looking at the right FQDN.

Here I could find the value MRAS for the Edge server FQDN.

So I looked here and found 2 identical entries with a different CN. If you scroll down, you will see that the GruuId is the same, the FQDN is the same, and the port is the same.

Let's delete one of them and see again if we can publish our topology. I deleted the one that starts with {b344}.

I will do this using the Lync PowerShell; the topology was published successfully.

To resolve the warning, you will have to issue the cmdlet Enable-CsAdForest after Enable-CsTopology.

Did you know that you can get hosted mail for free for your domain?

Yandex Offers Mail Accounts with Users’ Own Domain Names

 

This is probably old news for some people, but for me it's the first time that I have heard or read about it! Yandex offers free hosted email @YourOwnDomain.com! I heard about this only today from a friend who has already been using it on his own domain, and the service quality is perfect and it's 100% FREE.

 

While searching online, I came across this article that was published by Yandex about this service. The article was published on the Internet on October 27, 2009.

Yandex offers domain owners an opportunity to create an electronic mail account with any name they choose, including their personal name, as in ivan@theterrible.ru or peter@thegreat.ru. Using Yandex’s email service for domain owners, anyone who owns a domain can now create an email account for themselves, as well as accounts for their family, friends or co-workers, and share a personalized domain name with them.

The owner of one domain can have up to a hundred accounts — enough to serve a small company or to be distributed among the staff of a secondary school. The users of the Yandex’s email service for domain owners can benefit from all the features available to the users of the Yandex.Mail service, such as a modern interface, spam protection and unlimited space. The email service for domain owners is accessible online or via email clients Outlook, The Bat and other.

To create an email account with a personalized name, domain owners can visit http://pdd.yandex.ru (in Russian). The service is currently in beta testing. Feedback, questions (including requests for more than one hundred email accounts) and partnership ideas are welcome at domain@yandex-team.ru.

In addition to having a personalized email address, domain owners can also create websites with personal domain names on Yandex’s free web hosting service narod.ru. Now Yandex offers its users an opportunity to have both a free, up-to-date website and a free, convenient email account in their own domain.

 

I already have some domains that I didn't use any email servers for, and it came to my mind to use this service for both of those domains.

Here's mine. I already set it up on two different domains, and if you want you can send me a test email at info@moh10ly.website

Hope this was useful for you.

Setting up Snort on Pfsense

If you would like to protect your system from public attacks (e.g. exploits, transitive trust, data driven, infrastructure, DoS, magic, etc.), then you should consider deploying an IDS or IPS to detect attacks and protect your network from them.
In pfSense, the famous open source firewall, you can deploy Snort, which is one of the oldest and most famous IDPS systems around.
To do so, go to Packages from System/Packages and install it.
After clicking on the Packages button, you will get a list of packages, and Snort will be listed among them.
Click on the + on the far right to start the installation process.
I'll click on Confirm to continue.
After it has been installed, you'll be able to see it on the Services menu tab.
Click on Snort and let's go configure it.
Before you start configuring Snort, you must know that to get it to work you must be registered with at least one of the Snort communities, which publish the important rules that tell Snort what to check, similar to a firewall's rules.
The websites are as follows, and you can find their settings under the Global Settings tab in the Snort window:
https://www.snort.org/users/sign_up
https://portal.emergingthreats.net/register
I will sign up for a free Snort account and configure all of the Snort-supported rules in order to get the most out of it. After signing up, I'll need to activate my account.
I have received the confirmation and I'll confirm my account now. Once confirmed, Snort will provide you with a code called the VRT Oinkmaster confirmation code.
When your account is activated, go to your profile by clicking on your activated e-mail address at the top right, and you will find the code on the left side. Copy the code and paste it into Snort on pfSense.
After I added the code, this is how my Global Settings tab looks (I enabled all the other free rules as well).
Now I will go to the Updates tab and start updating the rules.
Once the update has finished, the Updates tab shows the result.
If you are connecting to pfSense from a location behind an interface that you are planning to enable Snort on, then before you enable Snort you should go to Pass Lists and add your IP (either the private IP if you're planning to enable the LAN interface, or the public IP if you're planning to include the WAN interface).
To create a pass list, you will have to create an alias and add the IPs you would like to include in the pass list. Note that these IPs are never going to be checked or filtered by Snort.
To create an alias list, click on the Firewall tab and scroll to Aliases.
Once on the IP list page, click on the + button on the far right to add the IPs that you would like to pass.
From Type, select the type of hosts that you'd like to include there. For me, I'd like to include only a couple of IPs.
Click Save and Apply, then Close, then go back to Snort's Pass Lists and click on + to add a new pass list.
Select all the Networks, WAN IP, GATEWAY, DNS and finally the alias that you have created, and save.
Once saved, this is how the pass list is going to look.
Now we can go back to Snort Interfaces and enable the WAN interface for Snort. I'll click on the Snort Interfaces tab and click + to add the new interface.
Below I will select Block Offenders in order to protect myself from DDoS attacks and other attempts to crack internet-exposed servers (e.g. FTP, HTTP, etc.).
Here, from Pass List, I will select the list which I've created in the Pass Lists tab.
As you can see below, when the icon is red it means that Snort is not running, and you will have to press the red icon to turn it on.
After enabling the WAN interface, you will have to go define some rules and enable them.
Let's define some rules for this interface, e.g. FTP. To do so, I will click on the E next to the WAN description on the far right in the snapshot above.
We should go to WAN Categories and select the different categories in order to apply rules.
Note:
Enabling all rules might affect your VM's or PM's processor performance.
Now I will select all the rules from the rules list below, which will also enable all the rules that are included in the Snort GPLv2 Community.
Once added, you will have to apply the changes and then click on Apply. If for any reason the service does not start, as in the snapshot below, then you should navigate to the Status tab and check the “System Logs”.
In the system logs I noticed the following error:
After doing a lot of digging on this error, it seems that it's caused by the “Sensitive Data” rules, and after disabling the whole rule set in this category I was able to start Snort on WAN again.
When this is done, I will test whether Snort is working by simply trying to hack into pfSense's portal using wrong passwords, let's say 10 to 20 times, and see if my IP gets blocked (I'll use a different public IP which is not in the pass lists).
After about 7 attempts with a wrong username and password, I tried refreshing the page.
Here is what I got:
I will go check the Snort blocked list and see if the IP that I tried connecting from is there. Note that the public IP which I was trying to connect from was
clip_image037[4]
As you can see below, the IP has been blocked, and the alert description says it as it is (http_inspection).
So that means that our Snort works as it's expected to.

If this has helped you, please leave a comment.

Setup Squid Guard (Proxy Server) on Pfsense

To set up SquidGuard, you should have two packages installed on your pfSense for it to work properly.
The first package should be Squid 3 (in case you're publishing Exchange web services with it), or Squid if not.
The second package would be SquidGuard-Squid3 for Squid 3, or SquidGuard for Squid.
In my case I am using Squid 3 because I use its reverse proxy to publish Exchange web services, so I will install SquidGuard-Squid3 to configure its proxy server.
I already downloaded and installed it, but if you haven't done so, navigate to System > Packages > Available Packages, where you can find it and install it.
From the Services menu drop-down you will find these 3 entries: Proxy Filter, Proxy Server and Reverse Proxy.
First I will go to Proxy Server and enable “Transparent HTTP Proxy” on the General tab.
If you scroll down you will find “Logging Settings” and other options that you don't need to enable. Logging is mostly required when troubleshooting.
Next I will go to the “Local Cache” tab and change the Squid hard disk cache settings so that the cache can take more than 100 MB. I will make it 5000 MB, which is 5 GB, to make internet browsing faster for users who visit the same websites often.
After that you don't need to do anything except save the changes at the end of the page.
Now I will go to the “ACLs” page and enable the local networks that I have. I will write them in the “Allowed subnets” section and save the page.
Now I am finished with the Proxy Server settings. I will go to Proxy Filter, scroll down to the end of the page to enable the Blacklist option, paste the link below, then click Save to save the changes.
http://www.shallalist.de/Downloads/shallalist.tar.gz
Now I will go to the Blacklist tab to download the blacklist from there. I will copy in the link below and press Download.
http://www.shallalist.de/Downloads/shallalist.tar.gz
When the download finishes, I will go to the “Common ACL” tab and configure the rules which we have downloaded. I have everything already configured, but in order for you to configure it you will first have to press the green Start (>) button.
After you press the green button, it will show you the rules that you want to configure. I have already configured (Alcohol, Deny, Gambling, Hacking, Social net)…
Next I will configure the Redirect mode, type my own customized message that will appear to the clients behind pfSense, and use SafeSearch.
When done, I will save this page, go to the General tab, click on Apply all changes and save the page.
Note:
You should see the SquidGuard service state as “Started” in order for it to work. If for any reason the service is not started, navigate to Status > System Logs and check your logs for anything related to SquidGuard or Squid.
Now I will go to the client and check whether my client, which has pfSense as its default gateway, responds to the SquidGuard rules or not.
I tried opening Facebook and Twitter, but neither works, and both gave me the same message which I customized in pfSense.
Overall this has been an easy setup and everything works perfectly.
Hope this will be useful to you all.

What is Suppressing in Snort? And how to use it (Basic Tutorial)

Suppression allows an administrator to control how many alerts are generated from (or to) a given host or for a particular signature.
What does it do exactly?
Suppression prevents rules from firing on a specific network segment without removing the rules from the ruleset. By using suppression, a ruleset can be quickly tuned for a specific environment without disabling rules that may be useful in general.
How does it work?
Assume that you want to download an executable file from a website. If you have ticked all the rules in Snort for your WAN connection, Snort will alert on this and, in case you have the block option enabled as well, block it. You will get something similar to this alert in the alert tab.
And in the Block tab, you will get something like this:
This is a website that I visited, “cyberduck.ch”, to download an FTP application, but Snort alerted on and blocked the download host IP, which is “c315635.r35.cf1.rackcdn.com”.
By adding a suppression line to the Snort suppression tab, the rule sid:16313, which happens to be a “download of executable content with x head”, will not fire again in the alerts tab.
The first line, with the hash at the beginning, is just a title for the rule to remind you later what exactly it does.
The gen_id 1 and sig_id usually appear in the alert tab, so in case some rules block websites which you visited and you don't want them to get blocked, you can filter the alert tab and search for your rule, get the gen_id and sig_id, and create the suppression line for it.
Note: adding new suppression lines won’t take effect unless you restart the interface which snort is monitoring.
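
As an added illustration (not code from the original post, nor from Snort or pfSense), the Python example below turns alert lines into suppression entries and shows the difference between a global entry and one scoped with track/ip, which keeps the signature active for every other host. The CSV field order, the sample addresses and sid 1000001 are constructed assumptions; only gen_id 1, sid 16313 and its message come from the post.

```python
import csv
import io
import ipaddress
from collections import Counter

# Assumed CSV field order for the alert lines (an assumption, not from the post).
FIELDS = ["timestamp", "gen_id", "sig_id", "rev", "msg",
          "proto", "src", "sport", "dst", "dport"]

# Constructed sample alerts. Only gen_id 1 / sid 16313 and its message come
# from the post; addresses, timestamps and sid 1000001 are made up.
SAMPLE_ALERTS = """\
06/01/15-10:15:01.100000,1,16313,5,"download of executable content with x head",TCP,203.0.113.10,80,198.51.100.7,50211
06/01/15-10:15:02.400000,1,16313,5,"download of executable content with x head",TCP,203.0.113.10,80,198.51.100.7,50212
06/01/15-10:20:44.000000,1,16313,5,"download of executable content with x head",TCP,192.0.2.99,80,198.51.100.7,50300
06/01/15-10:31:09.700000,1,1000001,1,"constructed local rule",TCP,192.0.2.50,44321,198.51.100.7,443
"""


def parse_alerts(text):
    """Parse CSV alert lines into dicts, skipping blank or malformed lines."""
    alerts = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) < len(FIELDS):
            continue
        row = dict(zip(FIELDS, (field.strip() for field in rec)))
        try:
            row["gen_id"] = int(row["gen_id"])
            row["sig_id"] = int(row["sig_id"])
        except ValueError:
            continue
        alerts.append(row)
    return alerts


def alert_counts(alerts):
    """Count alerts per (gen_id, sig_id, source IP) to see who triggers what."""
    return Counter((a["gen_id"], a["sig_id"], a["src"]) for a in alerts)


def suppress_line(gen_id, sig_id, track=None, ip=None):
    """Build one suppress entry; with track/ip it only applies to that host."""
    line = f"suppress gen_id {int(gen_id)}, sig_id {int(sig_id)}"
    if track is None and ip is None:
        return line  # global: the signature is silenced for every host
    if track not in ("by_src", "by_dst") or ip is None:
        raise ValueError("track must be by_src or by_dst and needs an ip")
    ipaddress.ip_network(ip, strict=False)  # raises ValueError if malformed
    return f"{line}, track {track}, ip {ip}"


def scoped_suppress_list(alerts, gen_id, sig_id, trusted_sources, title):
    """Emit a titled suppress list covering only trusted hosts that fired."""
    counts = alert_counts(alerts)
    lines = [f"# {title}"]
    for src in sorted(trusted_sources):
        if counts[(gen_id, sig_id, src)] > 0:
            lines.append(suppress_line(gen_id, sig_id, "by_src", src))
    return lines


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for key, n in sorted(alert_counts(parsed).items()):
        print(key, n)
    print("\n".join(scoped_suppress_list(
        parsed, 1, 16313, {"203.0.113.10"},
        "Executable download from trusted host")))
```

With the scoped entry, the third sample alert (same sid, different source) would still fire, whereas the global form returned by suppress_line(1, 16313) silences it for all hosts.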

Hope this was useful to you.

How I configured my own name server (Public DNS) on Pfsense

To configure your own name server, you must first have a public domain (domain.com).
In this example I will register a free domain from this registrar: www.freenom.com
The registration process is pretty simple: follow the wizard and validate your email, then sign in to your portal to edit or configure your free domain.
I have already added a new domain for myself, which is called moh10ly.cf.
To configure name servers, You must fulfill the following prerequisites:

  1. Public static IP.
  2. DNS Package on Pfsense
  3. Firewall that supports static NAT.

Next step: I will click on Manage Domain to change the DNS configuration and point it to my own name server.
When you get the following window, click on Management Tools and choose “Register glue records”.
Very important note:
Next, add your name servers (they don't need to exist yet, as we will create them later). You will have to create at least 2, and you can point them to the same public IP address.
Scroll down and you will find an option to add the second DNS; you can call it dns2 and point it to the same IP address.
Next save the changes, then click on Management Tools –> Name Servers, and if the new name servers you have configured are not there, enter them here.
Save the changes again.
Now let's go to pfSense and set up our public DNS (name server). Go to “System>Packages>Available Packages” and download “dns-server” or “TinyDns” from there.
When you have finished installing TinyDns, you will find it under the “Services” menu. Click on it.
Once you are there, click on the “Settings” tab and, as the binding IP address, enter the public IP which you'll use for the name servers. Make sure you use the WAN NIC to listen on.
Save and click on the “New domain wizard” to set up your domain.
Click Next.
On the next window, configure your domain as in the following, and make sure that it matches your configuration at the domain's registrar.
Click Next and Finish.
Once finished, go to the Add/Edit record tab, where you will find 4 created records.
Next create the root DNS record, which is “.”, and point it to the same public IP, and create any other records for roles that you might have installed, like Exchange, IIS, etc.
Now it's time to configure the firewall to allow inbound queries on port 53. Here's the rule that I created under Firewall > Rules; because I have only one public IP address on WAN, I won't use a static NAT rule.
I will go back to TinyDns on pfSense to see the incoming name resolution requests from public clients.
Under the Logs tab I could see the requests I was making from my PC using Google as my DNS, so everything works fine.
That's it, the configuration of your own name server is done.

FreePBX 6.12.65 Integration with Lync 2013

Installing AsteriskNow (FreePBX 6.12.65) and integrating it with Lync 2013
Download AsteriskNow from the following link:
http://www.asterisk.org/downloads/asterisknow
First the setup window appears. There I will choose No RAID on Asterisk 13, since this is a virtual machine.
Here I will choose an IPv4 static IP (manual configuration) and click OK.
Choose the time zone according to the location nearest to you.
Next, we'll configure the root password.
Here it's formatting the disk that I have assigned to the VM.
The installation should start now and should download all the required packages from the internet in case they were not found on the ISO which I've loaded.
Now the installation is about to finish, and once it does, the machine is supposed to restart on its own, allowing you to go to the web UI.

Upon setup and restart, you might get the following error. The error states that your PBX can't access the internet, so you might want to double-check your NIC configuration and that you're able to reach it.
This is usually related to the DNS setup on the CentOS machine where AsteriskNow is set up.
If you do a test and try to update your system from the CLI window, you might get this error, which is related to DNS.
To resolve it, you'll have to replace localhost with any public DNS (e.g. Google or Comodo DNS) or any internal DNS that's capable of reaching out to the internet.
To edit the DNS, type in the command “nano /etc/resolv.conf”.
The default DNS is localhost, and you'll have to manually change it and save the settings.
Press Ctrl + X, then press Y to save and hit Enter.
To test that we can access the internet, you can nslookup google.com, for instance, and see if it works.

Once you are able to resolve google.com, that error will go away.

Now to continue, let's set up a FreePBX admin (make sure you remember both the username and the password).
Click on FreePBX Administration and enter the username and password you have just created in the previous step.
This will let you into the configuration portal.
Extensions configuration:
To start, let's configure an extension. Since I don't have an IP phone now, I will use a SIP application for my test (Zoiper or Xlite would do fine).
Select the Chan SIP device, as this talks directly with the Lync trunk, then click Submit once you have chosen the device.
Now I will configure the new extension's number, name, secret and port.
Under the device options, you have to set the secret (password) which you'll use to log in from your SIP phone or SIP softphone.
Note:
You also need to make sure that the port configured under the device is the one the device will use to log in with this SIP extension. The SIP port in this case is 5060, which is the default one; if you're already using a different port, you'll have to reconfigure it here.
I'll leave the rest of the options at their default values and click Submit, then Apply Config.
Applying Configuration
Now I will use a softphone (SIP application) on my PC to check whether calls are working properly. For the second extension, a second computer with the same software can be used, or software like Zoiper or Xlite can be used on an iPhone or Android for the same purpose.
No other settings are required on the SIP phone; after that it should register without an issue, and you'll be able to make calls between SIP phones.
I am going to call the SIP phone (Xlite) on my computer (3700) from the softphone (Zoiper) on my iPhone (3800).
So calls are working properly between SIP extensions. Now we'll have to go configure Lync and Asterisk.
Before starting, we'll have to enable the TCP protocol on Asterisk so that Lync can send calls to Asterisk, since Lync talks only TCP.
Enabling Asterisk to listen on TCP
Enable TCP for Lync and SIP phones on Asterisk.
I'll have to configure the local networks and the RTP port range as well.
Next I'll click on Submit and apply the configuration, then at the top right I'll click on Chan SIP to configure the ports and the right protocol.
Under SIP Settings, make sure your settings match the snapshot below, then navigate to the advanced settings.
Under Advanced General Settings, make sure that CHAN_SIP is bound to port 5061, or else calls from Lync will fail with an “Unauthorized” error code.
Once you change the port, scroll further down to Other SIP Settings and add the following variables:
Tcpenable = Yes
Transport = tcp
Submit the changes and apply the configuration.
Lync Configuration
Now I will go to the Lync server (Standard Edition) and enable the TCP port for the Mediation server (collocated Mediation service).
To do so, right-click on your Mediation server, edit its properties, enable the TCP port and change it from 5068 to 5060.
I will publish the topology.
The topology is published, and now it's time to run the setup, as it will install the Mediation server role on the Front End.
Next I will run the second step (Setup or Remove Lync Server Components):
I will go check if the Mediation service is enabled now.
I will run the command netstat -anb >1.txt
The command exports the status of all the ports on the server, including each of the Lync services.
So the Lync Mediation service is listening on the default SIP port 5060.
Now I will go back to the topology and add the PSTN gateway (AsteriskNow).
Right-click on PSTN Gateways –> click Add PSTN Gateway.
Next
Next, I will type in the AsteriskNow PBX IP address and the port that the “Chan_SIP” driver is listening on, since all calls are going to be routed to it.
I will also select my Mediation server and the Mediation server's configured port on Lync.
Click Finish, then right-click on your Front End server and click Properties.
Make sure you
clip_image037
Click on Make default and then OK then publish the topology
Asterisk Configuration
Asterisk side of the Integration
For the configuration to work, we’ll have to configure a new trunk on the Asterisk IP PBX to identify where the Lync server is, etc.
Let’s go to our Asterisk portal and configure a new trunk by going to Connectivity -> Trunks, then choose “Add SIP(chan_sip) Trunk”
You will need to fill in the boxes in red below, each with the value that pertains to it.
The IP 172.16.24.195 is my Mediation server (Front end since Mediation server is collocated)
TCP is the protocol that Lync uses
5060 is the port which Lync listens on
I will clear all the settings below “User Details” and save this trunk
Now that the fields are cleared, I will click on Submit Changes.
Inbound Routes
I have applied the configuration and now it’s time to create routes on Asterisk to route calls to Lync.
To configure routes, click on Connectivity and then Inbound routes
Click Submit now and Apply Config for changes to take effect
Outbound Routes
It’s time to configure the outbound routes. Depending on your Lync users’ URI or telephone number and extension number, you will have to configure your outbound routes accordingly so it will be able to route calls properly to Lync users.
I’m going to show my user’s URI and extension on the Lync server and what it looks like now
So the entire number is +2163314210 but my extension is basically 4210
Now again click on Connectivity > Outbound routes and add a new “Dial Pattern” as follows
The +216331 will be automatically entered by AsteriskNow once you dial the number defined in the “Match Pattern” field
Once finished configuring the required dial patterns you can submit and apply …
Lync Voice Route Configuration
Now it’s time to configure the Lync routes. Go to the Lync Server and open the Control Panel, go to Voice Routing, and under the Dial Plan tab choose New User Dial Plan.
If you don’t want to mess up your Global dial plan or let every new user be able to use this dial plan, you will have to configure a user dial plan.
I will have to create at least 2 normalization rules in the new dial plan. The first one is going to normalize the inbound numbers and the second one is going to normalize the outbound.
Since on the PBX I chose to create extensions that begin with 3 and are 4 digits long, I will create a normalization rule that is exactly 4 digits long and starts with 3. Depending on your PBX configuration for the extension and inbound routes, Lync needs to either have or not have the + in the dial plan.
Now I will create the second dial plan, which is from Asterisk to Lync, “to match the full URI”.
The normalization rule that I am creating here is 10 digits long, starts with 21633 and has + as the digits to add.
After creating the Dial plans, it’s time to test them now! I will go to the Test Voice Routing Tab and create a test
So the test for Asterisk Extensions goes well
Now I will test the Lync dial plan
Since Asterisk is going to send the full URI, as it will auto-complete it even if the user enters the extension only (4210), our rule is configured properly.
Now, after configuring the rules and testing them, it’s time to go to the Voice Policy tab and create a new voice policy for Asterisk
Click on New under “Associated PSTN Usages”
Click on New under Associated Routes
You can leave the pattern .* (which will allow all calls) for the time being, until we test everything between both systems.
Scroll down and click on Add next to “Associated Trunks”
Select the available trunk and add it then Click OK 3 times and commit all changes
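The dial plan, normalization rules, route and voice policy configured above in the Control Panel can also be written as Lync Server Management Shell cmdlets. This is an added example, not part of the original post: the object names, the '$1' translation of the first rule, the test numbers and the gateway placeholder are assumptions, and the route pattern is narrowed from .* to the 4-digit extensions, which is the change to make once testing is done.

```powershell
# Added example, not from the original post. Run in the Lync Server Management Shell.
# All object names below are hypothetical; replace the gateway placeholder with the
# PSTN gateway that was added in Topology Builder.
$plan    = 'AsteriskDialPlan'
$usage   = 'AsteriskUsage'
$gateway = 'PstnGateway:<AsteriskNow-IP>'

# User-scope dial plan, so the Global dial plan stays untouched.
New-CsDialPlan -Identity $plan -SimpleName $plan

# Rule 1: exactly 4 digits, starting with 3 (the Asterisk extensions).
# Translation '$1' keeps the number without a +. This is an assumption:
# use '+$1' instead if your PBX expects the + on its extensions.
New-CsVoiceNormalizationRule -Parent $plan -Name 'AsteriskExtensions' `
    -Pattern '^(3\d{3})$' -Translation '$1'

# Rule 2: 10 digits starting with 21633, with + added in front.
New-CsVoiceNormalizationRule -Parent $plan -Name 'LyncFullNumber' `
    -Pattern '^(21633\d{5})$' -Translation '+$1'

# Same checks as the Test Voice Routing tab. 3001 is a constructed extension,
# 2163314210 is the number from the post without its +.
$dialPlan = Get-CsDialPlan -Identity $plan
$dialPlan | Test-CsDialPlan -DialedNumber '3001'
$dialPlan | Test-CsDialPlan -DialedNumber '2163314210'

# PSTN usage shared by the route and the voice policy.
Set-CsPstnUsage -Identity Global -Usage @{Add = $usage}

# Setting used while testing: -NumberPattern '.*' sends every dialed number
# to the Asterisk trunk. Tightened form: only the 4-digit Asterisk extensions
# are allowed out through this trunk.
New-CsVoiceRoute -Identity 'AsteriskRoute' -NumberPattern '^3\d{3}$' `
    -PstnUsages @{Add = $usage} -PstnGatewayList @{Add = $gateway}

New-CsVoicePolicy -Identity 'AsteriskPolicy' -PstnUsage @{Add = $usage}

# Check the route against an Asterisk extension and against an unrelated,
# constructed number; the MatchesPattern property shows whether each is accepted.
$route = Get-CsVoiceRoute -Identity 'AsteriskRoute'
$route | Test-CsVoiceRoute -TargetNumber '3001'
$route | Test-CsVoiceRoute -TargetNumber '+15550100'
```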
Now, after applying all the configuration, it’s time to run some tests.
From Asterisk to Lync
Below, when I initiated the call, I managed to see the SIP INVITE coming from the IP “172.16.24.195”, which is my AsteriskNOW PBX IP, going to Lync, and then the phone started ringing.
When I answered the call, the RTP started flowing.
Here I typed RTP in the Wireshark filter and could see the RTP media flowing between Asterisk and Lync Mediation server on the G.711 codec.
Note:
What I like about Asterisk is that it sends all the user’s information along with the call and doesn’t strip it out. In the extension information I typed the extension name as “NEWPHONE” and put it all in capitals.
From Lync to Asterisk
Since the call is from Lync to Asterisk, I will have to run Wireshark or a trace on Asterisk to see the INVITE.
You can see Asterisk logs if you click on “Reports> Asterisk LogFiles”
Once the call has ended I was able to see that in detail as well in the logs.
All the media was
In the next few days I will install and configure Brekeke to work with both (Asterisk and Lync) in the same environment… and share my deployment update with you all.
Hope this will be of good help.
