IT based Communications

a different Unified Communications site

Lync (serious) vulnerable and exploited without MS15-034

The recent MS15-034 security update addresses a vulnerability on how the Windows HTTP stack (http.sys) handles requests.
Although you affected Operating System component is related to IIS, there are many applications that can rely on Windows HTTP stack. And Lync is one of them !
How serious is this vulnerability and why you should patch immediately?

  • It can be used for DoS attacks, but there’s a chance to be used to run code remotly
  • Any user can run an exploit of some type without any special permissions and good knowledge;
    Can be just a simple copy > paste code (see PoC)
  • Your Lync front-end servers can be exploited by an internet attacker, if the reverse proxy role (and/or the firewall) cannot detect and intercept the exploit attempts.

What Lync ‘roles’ are affected?:

  • Front-End – There’s a lot of applications/pools that can be exploited
  • Edge server – not affected from the outside. But the internal DMZ replica service (typically 4443) can be exploited
  • Persistent chat – not affected
  • (SQL) Monitoring reports – affected
  • Office Web Apps – affected

To show you how easy the exploit can be built and run, here’s a simple Proof of concept. I just needed 10 minutes to find a possible http request and run cURL on an internal PC without any admin rights:

exploiting-pcThe server running Lync will stop responding and (if you are fast enough) you will see the operation system generating a dump report, before restarting.


An exploited server will also display a MER message when you logon to it:


You might want to look carefully for Lync and other collocated applications that can also allow an exploit. This command can be used to determine what is relying on http:
netsh http show servicestate | find “://”

So it’s better to start patching all windows operating system on you network… fast

Additional references:

Lync 2013 Cmdlets cheat list

I don’t know about you, but I have some difficult to memorize powershell commands.
In Lync 2013 there are 754 cmdlets available: some that I know and use on a daily basis, a few are specific for Lync Online, several that I never used or need at all but from time to time I find out some that are useful for specific tasks and that… I forget them later.

Cmdlets-sampleGoogle is still my first tool to find out how to get some particular job done in Lync, but I decided to create a summary list Microsoft TechNet Lync 2013 cmdlets (see picture sample on the right) with:

  • The cmdlet that includes the url to the specific TechNet documentation
  • The short description of the command as is on TechNet
    (took me 2 days to build a function to extract this part of text using the page url of the first column.)
  • Add-on: default Lync RBAC groups and command assignment
    It was also another need for me to allow me to plan RBAC permissions grant and create specific roles

If this could be also useful to you, the file can be downloaded here: LyncCmdlets or at Technet

On my next available time, I plan to add more features (like categories)

Lync client update KB2910927 (and later) breaks embeded urls

LyncKB2910927bugI just discovered an issue when installing the December 9, 2014 cumulative update (CU) for Lync client 2013 (KB2910927)

When you try send an url with the prefix www you get the error message “the web page … was not loaded in response to you clicking the link because it is either invalid or restricted for security reasons” (picture on the right). This will appear even if have no URL policies restrictions.

– prepend http:// to the address you want to send, or
– uninstall KB2910927. The previous CU doesn’t have the issue.

Googling on the Internet I also found that a similar behaviour has already been reported and confirmed to Microsoft, and published as KB3053114 issue.

UPDATE: The latest Lync update (KB3039779) fixes the issue.

Lync issue: export-csuserdata failed with “Data in NULL”

It started when a backup script that I implemented logged a failure on the export-csuserdata process. Running the  powershell command isolated would generate the same error text: “Data is Null. This method or property cannot be called on Null values.”
export-userdataerrorSo, we have a sort of user data corruption and not enough clues to locate which of the 4’000 accounts was. The export-csuserdata generated an incomplete zip file but comparing with the last complete backup wasn’t enough to compare and find out what account was generating the error. With some brainstorming and scripting I finally identified the user, and using the export with the userfilter parameter generate the error.

Time to reverse-engineering the root cause:

Step #1: A network and then a SQL trace on the Backend database, show that the export-csuserdata calls a store procedure of the rtcxds named ‘XdsBackupAllItems’ with the user’s SID on the parameter

Step #2: Executing the store procedure confirmed the output data with two NULL values

SQLCMD -S Server249\LYNCCORE -d rtcxds -Q "exec dbo.XdsBackupAllItems @_TenantId='92e2a9d7-41d7-4c43-bbba-46122f5d5ab6', @_ExtensionParameter=null"
 <app:DocItem xmlns:app="urn:schema:Microsoft.Rtc.Management.Xds.AppLayer.2008" Name="urn:lcd:M****_K*****@s******.com" ItemId="92E2A9D7-41D7-4C43-BBBA-46122F5D5AB6" Owner="04DDEDCE-ED20-514D-8586-58BEE1904EE8" OwnerPool="pool0101.s*****.com" Signatu 

 <app:DocItem xmlns:app="urn:schema:Microsoft.Rtc.Management.Xds.AppLayer.2008" Name="urn:confs:M****_K*****@s******.com" ItemId="92E2A9D7-41D7-4C43-BBBA-46122F5D5AB6" Owner="04DDEDCE-ED20-514D-8586-58BEE1904EE8" OwnerPool="pool0101.s*****.com" Signatu 

 <app:DocItem xmlns:app="urn:schema:Microsoft.Rtc.Management.Xds.AppLayer.2008" Name="urn:upc:M****_K*****@s******.com" ItemId="92E2A9D7-41D7-4C43-BBBA-46122F5D5AB6" Owner="04DDEDCE-ED20-514D-8586-58BEE1904EE8" OwnerPool="pool0101.s*****.com" Signatu 
 <app:DocItem xmlns:app="urn:schema:Microsoft.Rtc.Management.Xds.AppLayer.2008" Name="urn:hcd:M****_K*****@s******.com" ItemId="92E2A9D7-41D7-4C43-BBBA-46122F5D5AB6" Owner="04DDEDCE-ED20-514D-8586-58BEE1904EE8" OwnerPool="pool0101.s*****.com" Signatu  

Step #3: Manipulating the store procedure we can identify which field(s) is generating the NULL

Step #4: After several attempts stripping down the SQL statement, I found the two records on the table ‘Item’ that didn’t have a reference to any DocId field on the ‘Document’ table.

I don’t know what caused the ‘orphaned’ relationship, since there are tables field constrains to prevent that…. but it’s time to find a solution that doesn’t compromise all existing data.

Simulating on a Lab environment showed that moving the user between pools or even disabling from Lync will not clear the bad records, and once the user was back on the pool database the issue will return.

The fix turn out to be more simple. Since the two records on the ‘Item’ table don’t have the constrain relation with the ‘Record’ table, they could be deleted without problems with the following SQL statements:

DELETE FROM [rtcxds].[dbo].[Item] WHERE ItemId = ’92e2a9d7-41d7-4c43-bbba-46122f5d5ab6′ and DocId = ‘17941959’
DELETE FROM [rtcxds].[dbo].[Item] WHERE ItemId = ’92e2a9d7-41d7-4c43-bbba-46122f5d5ab6′ and DocId = ‘17941967’


Lync bug: the disappearing phone numbers

It started with an user reporting that, when he changes from networks (ex: wired to wireless) his phone numbers on the Lync client disappear. After more than 48 hours of simulation I was able to identify the issue. It turns out that when you have a Distribution Group on your contact list where your account is member, when you expand the list, your users Active Directory phone numbers disappear. Here’s the issue report:

The user personal phone numbers on the Lync client disappear when he expands an Active Directory distribution list where he is a member.

When the phone numbers disappear, they become unavailable to several call features (transfer calls, user the ‘join audio from’ in meetings)


  • Affects all telephones numbers of the user stored on Active Directory.
  • Affects users that have (active directory) distribution groups where their user is a member
  • Doesn’t affect phone number entered manually by the user on the Lync Client

Steps to reproduce
1. Check in your Lync client that the numbers are visible: ‘Tools > Options > phones’
Lync numbers OK

2. Search and add an active directory distribution list where the user is a member;

3. Expand the distribution list (if Lync does’t automatically do it) , go again to ‘Tools > Options > phones’ and you see that that some or all numbers disappeared
Lync numbers gone

The user does not need to logout from Lync. Search for his own contact name and the AD numbers will appear again.
Lync numbers back

Additional notes

  • After using the workaround, collapsing or expanding the same distribution list, the phone numbers don’t disappear until you logout/login back again to the Lync client and expand a list;
  • If you have more similar lists on the personal contacts and expand it will cause the same issue;
  • If you close the Lync client with the Distribution Group expanded, when you sign-in the number will disappear;
  • Even with the Distribution Group collapsed the number migth disappear at the sign-in.

Lync issue: “We could’t reach …”

wecouldtreachDuring the last weeks of a very large deployment project that I’m working, I faced  the following different problems but with a similar pattern.
This customer’s Lync infrastructure has 2 sip domains (let’s just call and and the issue was occurring with users from different domains:

  • tried to make (was delegated permissions to) call on behalf of
  • fail to join audio PSTN (Call me at number…) if the conference organizer was
  • User agents fail to make PSTN calls on behalf of an response group with a different SIP Domain (this one referenced in a post by Joachim Dissing)

In all cases the user received the same error message “We couldn’t reach…”.
A look on the client Lync-Uccapi-0.uccapilog file revealed an INFO message with a surprising message
callmeissue-uccapilog“User does not exist”, source = >edge server> (?!).
Time to trace the outboundrouting on the Front End Servers, which reveal also something peculiar:

TL_VERBOSE... (OutboundRouting,OutboundRoutingTransaction.constructor:outboundroutingtransaction.cs(382))Creating a OutboundRoutingTransaction object (3)
TL_VERBOSE... (OutboundRouting,OutboundRouting.OnRequest:outboundrouting.cs(289))[3719388760]Enter
TL_VERBOSE... (OutboundRouting,OutboundRoutingDispatcher.ProcessIncomingRequestHeaders:outboundroutingdispatcher.cs(1520))[3719388760]Enter
TL_VERBOSE... (OutboundRouting,OutboundRoutingDispatcher.ProcessIncomingRequestHeaders:outboundroutingdispatcher.cs(1552))[3719388760]Referred-by header found: <>;ms-identity="MIIBwgYJKoZIhvc....hg==:Wed, 24 Sep 2014 12:24:33 GMT";ms-identity-info=";;transport=Tls";ms-identity-alg=rsa-sha1
TL_VERBOSE... (OutboundRouting,OutboundRoutingDispatcher.ProcessIncomingRequestHeaders:outboundroutingdispatcher.cs(1678))[3719388760]Exit
TL_VERBOSE... (OutboundRouting,OutboundRoutingDispatcher.OnRequest:outboundroutingdispatcher.cs(242))[3719388760]From uri:
TL_VERBOSE... (OutboundRouting,OutboundRoutingDispatcher.OnRequest:outboundroutingdispatcher.cs(243))[3719388760]From User Uc Enabled: True
TL_VERBOSE... (OutboundRouting,OutboundRoutingDispatcher.OnRequest:outboundroutingdispatcher.cs(246))[3719388760]ReferrerUri:
TL_VERBOSE... (OutboundRouting,OutboundRoutingDispatcher.OnRequest:outboundroutingdispatcher.cs(247))[3719388760]Referrer Uc Enabled: True
TL_VERBOSE... (OutboundRouting,OutboundRoutingDispatcher.OnRequest:outboundroutingdispatcher.cs(248))[3719388760]Referrer is Local: True
TL_VERBOSE... (OutboundRouting,OutboundRoutingDispatcher.OnRequest:outboundroutingdispatcher.cs(249))[3719388760]Referrer is inCurrentDeployment: False
TL_VERBOSE... (OutboundRouting,OutboundRoutingDispatcher.OnRequest:outboundroutingdispatcher.cs(250))[3719388760]Referrer DeploymentLocator: NULL
TL_VERBOSE... (OutboundRouting,OutboundRoutingDispatcher.OnRequest:outboundroutingdispatcher.cs(256))[3719388760]IsAvMCUDialOut: True
TL_VERBOSE... (OutboundRouting,OutboundRoutingDispatcher.OnRequest:outboundroutingdispatcher.cs(257))[3719388760]Alternate Tel URI: tel:+80001
TL_VERBOSE... (OutboundRouting,EmergencyCallHelper.IsEmergencyCall:emergencycallhelper.cs(38))IsEmergencyCall = False
TL_NOISE... (OutboundRouting,Settings.GetMatchingVacantNumberEntry:settings.cs(323))Checking for Vacant number entries for +90000
TL_VERBOSE... (OutboundRouting,OutboundRoutingDispatcher.CheckAndRouteVacantNumberRange:outboundroutingdispatcher.cs(1838))[3719388760]+90000 does not match any Vacant Number range
TL_NOISE... (OutboundRouting,Settings.GetMatchingCPSEntry:settings.cs(291))Checking for CPS entry for +90000
TL_VERBOSE... (OutboundRouting,OutboundRoutingDispatcher.CheckAndRouteCallParkService:outboundroutingdispatcher.cs(1165))[3719388760]+90000 does not match any CPS range
TL_VERBOSE... (OutboundRouting,OutboundRoutingDispatcher.HasAvoidPSTNTollByPassPolicy:outboundroutingdispatcher.cs(2577))[3719388760]AvoidTollByPassUsage not found.
TL_VERBOSE... (OutboundRouting,OutboundRoutingDispatcher.IsAnonymousUser:outboundroutingdispatcher.cs(3221))[3719388760]user URI is not anonymous
TL_VERBOSE... (OutboundRouting,RoutingHelper.AddHeaderIfNotAlreadyPresent:routinghelper.cs(169))[3719388760]Adding ms-conference header with value true
TL_VERBOSE... (OutboundRouting,RoutingHelper.AddHeaderIfNotAlreadyPresent:routinghelper.cs(185))[3719388760]Adding MSReferrerPhone header with value <;user=phone>
TL_INFO(TF_PROTOCOL) (OutboundRouting,OutboundRoutingDispatcher.ProcessOutboundRequestToPstn:outboundroutingdispatcher.cs(1401))[3719388760]Target Domain and caller domain not same, sending request on its way...
TL_VERBOSE... (OutboundRouting,ClusterPingEngine.TimerCallback:clusterpingengine.cs(221))(0000000000D28422)Enter TimerCallback
TL_VERBOSE... (OutboundRouting,ClusterPingEngine.GetQueuedEvents:clusterpingengine.cs(286))(0000000000D28422)No events to process
TL_VERBOSE... (OutboundRouting,ClusterPingEngine.ScheduleTimer:clusterpingengine.cs(349))(0000000000D28422)Exit

A supposed PSTN call was not possible because the SIP Domains were diferent ?!
After some more ‘reverse engeneering’ the outboundrouting process (users with the same domain will  process the call to the mediation server) I suspect that  some code validation was not doing the right Thing.

Time to open a MS Support ticket and in less than 24 hours I got the answer:
The failure is due to new design change in 2013 Outbound Routing. Product group will publish a server side hotfix within 2 weeks to fix the following issue:
“Target Domain and caller domain not same, sending request on its way…” In this case, caller’s domain and target domain do not match. In the hotfix we will stop doing the domain check.

Less than 2 weeks, Microsoft released Lync server Cumulative Update (CU6)  but didn’t find an exact reference to my issue except the KB2995173.
Next step: download CU6, apply on the pre-production environment and check:

TL_VERBOSE (OutboundRouting,OutboundRoutingTransaction.constructor:outboundroutingtransaction.cs(382))Creating a OutboundRoutingTransaction object (3)
TL_VERBOSE (OutboundRouting,OutboundRouting.OnRequest:outboundrouting.cs(289))[2359519239]Enter
TL_VERBOSE (OutboundRouting,EmergencyCallHelper.IsEmergencyCall:emergencycallhelper.cs(38))IsEmergencyCall = False
TL_NOISE (OutboundRouting,Settings.GetMatchingVacantNumberEntry:settings.cs(323))Checking for Vacant number entries for +90000
TL_VERBOSE (OutboundRouting,NumberRangeListT<>.GetMatchingRange:numberrangelist.cs(235))(00000000026B0DA2)No matching range found.
TL_NOISE (OutboundRouting,Settings.GetMatchingVacantNumberEntry:settings.cs(363))No matching Vacant Number Range found.
TL_NOISE (OutboundRouting,Settings.GetMatchingCPSEntry:settings.cs(291))Checking for CPS entry for +90000
TL_VERBOSE (OutboundRouting,NumberRangeListT<>.GetMatchingRange:numberrangelist.cs(235))(00000000003C60F1)No matching range found.
TL_NOISE (OutboundRouting,Settings.GetMatchingCPSEntry:settings.cs(316))No matching range found
TL_VERBOSE (OutboundRouting,RoutingHelper.AddHeaderIfNotAlreadyPresent:routinghelper.cs(169))[2359519239]Adding ms-conference header with value true
TL_VERBOSE (OutboundRouting,RoutingHelper.AddHeaderIfNotAlreadyPresent:routinghelper.cs(185))[2359519239]Adding MSReferrerPhone header with value <;user=phone>
TL_VERBOSE (OutboundRouting,RoutingHelper.AddHeaderIfNotAlreadyPresent:routinghelper.cs(169))[2359519239]Adding ms-privacy header with value id
TL_VERBOSE (OutboundRouting,RoutingHelper.RemoveHeaderIfPresent:routinghelper.cs(202))[2359519239]ms-vm-escape-timer header not present request.
TL_VERBOSE (OutboundRouting,EmergencyCallHelper.IsEmergencyCall:emergencycallhelper.cs(38))IsEmergencyCall = False
TL_VERBOSE (OutboundRouting,PhoneRouter.GetRoutes:phonerouter.cs(146))(0000000001F30767)target phone number: +90000, PhoneRouteUsage: chz
TL_VERBOSE (OutboundRouting,PhoneRouter.GetRoutes:phonerouter.cs(215))(0000000001F30767)#hits: 1, route names: CHZ 
TL_VERBOSE (OutboundRouting,PhoneRouter.GetRoutes:phonerouter.cs(218))(0000000001F30767)Exit
TL_VERBOSE (OutboundRouting,OutboundRoutingTransaction.SetRouteInformation:outboundroutingtransaction.cs(770))[2359519239]Target is not LBR Restricted; If target has an associated site id then target is a PBX and we may need to enforce PSTN toll bypass rules.
TL_VERBOSE (OutboundRouting,OutboundRoutingTransaction.SetRouteInformation:outboundroutingtransaction.cs(788))[2359519239]Target does not have a site assigned to it.  No need to enforce PSTN toll bypass rules.
TL_VERBOSE (OutboundRouting,OutboundRoutingTransaction.GetRoutes:outboundroutingtransaction.cs(589))[2359519239]Forking disabled since there are no backup gateways or routes.
TL_VERBOSE (OutboundRouting,OutboundRoutingTransaction.GetNextHop:outboundroutingtransaction.cs(890))[2359519239]Attempting to find GetNextHop: Length:1; StartAt:0; Tried:1; Name/State:chze33vd-Up
TL_VERBOSE (OutboundRouting,OutboundGateway.ApplyRulesInList:gateway.cs(475))(0000000001220146)No outbound translation rules defined for Target chze33vd
TL_VERBOSE (OutboundRouting,OutboundGateway.GetTranslatedCallerId:gateway.cs(408))(0000000001220146)No outbound Calling number translation rules defined for target chze33vd
TL_VERBOSE OutboundRouting,OutboundGateway.UpdateCallerId:gateway.cs(381))[2359519239]Updated Caller Id (new PAI =<tel:+80001>)
TL_VERBOSE (OutboundRouting,OutboundRoutingTransaction.SetState:outboundroutingtransaction.cs(445))[2359519239]Set transaction 3 state to ClientTimerRunning
TL_VERBOSE (OutboundRouting,ORTransactionTimer.AddPendingTransaction:ortransactiontimer.cs(213))(000000000004DFF6)Enter
TL_VERBOSE (OutboundRouting,ORTransactionTimer.AddPendingTransaction:ortransactiontimer.cs(242))(000000000004DFF6)Global timer started.
TL_VERBOSE (OutboundRouting,ORTransactionTimer.AddPendingTransaction:ortransactiontimer.cs(249))(000000000004DFF6)Exit
TL_VERBOSE (OutboundRouting,OutboundRouting.OnRequest:outboundrouting.cs(292))[2359519239]Exit
TL_VERBOSE (OutboundRouting,OutboundRoutingTransaction.SetState:outboundroutingtransaction.cs(445))[2359519239]Set transaction 3 state to ClientTerminated
TL_VERBOSE (OutboundRouting,ORTransactionTimer.RemovePendingTransaction:ortransactiontimer.cs(255))(000000000004DFF6)Enter
TL_VERBOSE (OutboundRouting,ORTransactionTimer.RemoveListEntry:ortransactiontimer.cs(190))(000000000004DFF6)Remove list entry. Id: 3
TL_VERBOSE (OutboundRouting,ORTransactionTimer.RemovePendingTransaction:ortransactiontimer.cs(262))(000000000004DFF6)Global timer stopped.
TL_VERBOSE (OutboundRouting,ORTransactionTimer.RemovePendingTransaction:ortransactiontimer.cs(267))(000000000004DFF6)Exit

The routing engine looks much different now but… voila! it works.
Time to plan an CU6 upgrade to 6 pools, 18 Front End Servers, 8 Edge Servers, … :)

To finish this post an explanation about the suspicious ‘user not found’ message. It turns out that since the outboundrouting dispatch the ‘call’ back to the Lync engine, the next step was to forward the invite to the edge since it was dialog between different domains. The  Edge Servers will simply return back because they check that the destination domain was… internal (smart guys)… didn’t o much deeper to understand who put the message received by the Lync Client.

Comments welcome

Lync glitch fun #1

Time to implement a find+replace tool on the development tools  :)


Can Lync fly?

This was a proof-of-concept that I made quiet a time ago (may 2013). I was hoping to perform it again with more data and images, but never got the right time :(
With all the new features of Lync 2013 (mobile devices), one of my curious questions was: can I make a video call using Lync on a plane?

The Cookbook
– A Lync 2013 deployment (front-end + edge servers);
– one computer (my home PC) and a smartphone (Iphone 4) with Lync client
Airfield with 3G network coverage
– A plane and a pilot
– A co-pilot to handle the lync call – we prefered to leave the pilot with is main task ;)
– Clear sky for great images

The outcome
Mission partially acomplished! There was one expected problem an one unexpected failure. 3G coverage while the plane is on air is very unstable (image freezes during transmition and the call failed after several minutes) and I forgot to give record permissions to the ‘land’ user.

So I have to improvise and manage to save one picture from my desktop.

I want to thanks to this guys that made this test possible:
Flight academy Hangar 5, for the plane (and is aso a great place to learn to fly);
– “Captain” Nuno Colaço for the flight.


I don’t think we will have Lync conferencing as an airplane gadget, but it’s will just be matter of time and legislation to allow the use of wireless devices on board.
But the airlines will be looking for this potential. One of our customers where I deployed Lync was evaluating the possibility to use Lync with the pilots Ipad to discuss fligth plans with the main office control room (this while on land, of course).

Other samples of video call from planes:
– An inflight facetime videocall from a commercial flight (2010);
Skype in-flight video call made on MSNBC TV;
– Skype Call and Google + Hangout with Gogo Inflight Wifi (2011).

2013 in review

The stats helper monkeys prepared a 2013 annual report for this blog.

Here’s an excerpt:

The concert hall at the Sydney Opera House holds 2,700 people. This blog was viewed about 36,000 times in 2013. If it were a concert at Sydney Opera House, it would take about 13 sold-out performances for that many people to see it.

Click here to see the complete report.

Lync 2013 protocol workflow

Microsoft published an updated version of the Lync protocol workload for all type of conversations: Presence, IM, AV, Webconferencing, Application Sharing and Enterprise Voice.
It looks complex, but it’s a great poster to have if your main job role is deployment and support. It helps you to see all possible elements envolved in a communication while deploying and troubleshooting.

It also has includes the CMS replication workflow, DNS records envolved and Certificates.

If you want download an high definition pdf file or even the visio version, you can get from the Microsoft Download Center here.

Getting ready for Lync voice? start here

If you are thinking about connecting link to the public telephony network, here’s a free light reading for the weekend.
It will not take more than 1 hour reading, and is not going to explain the ‘how-to’, but has a good overview of what you need to know before digging in ;)

Click on the picture to jump to the download page.

Lync in action – client ecosystem

What’s the most noticeable new feature about Lync 2013?
We cloud browse several sites or documentation to read quiet a lot of improvements, but for me and the end users being able to use comunicate the same way on several diferent devices is the key advantage.

I don’t have the resources to get all them, but fortunally I have good friends that I was able to join one day and make my most complete demonstration of how you can join people together in a videoconference. The following picture summarizes the result (sorry for the low resolution, but was the only way to get a full panorama – click to see it larger).

Some notes and impressions about this demo setup:
LyncConference2Devices>> Pidgin is present, but was’nt participating on the conference. The reason is explained on a previous post;
>> The Windows PC was connected to a wired network while all the others were using a wireless network;
>> in a multipoint conference Lync will only allows VGA resolution;
>> the iPad has a very good display resolution;
>> the iPhone front camera resolution is very poor compared with the back camera (not a good experience);
>> video went smoothly during the entire test.
>> there are still missing some guests: a Windows Phone, Lync WebApp, Lync Basic and Lync Attendant.

As this is what I call: a real UC experience :)

Now… I wonder If we could make Lync fly?

Lync deployment: using Virtual Desktops (VDI)

Now with a full Lync 2013 deployment it’s more easy to have things to write :)
Before Lync 2013, building demo environments using a complete virtual infrastructure was a ‘challeging’ task. With a virtual desktop I needed to use some extra techniques to send video (a USB redirector was the best method), but the experience wasn’t good enough.

Microsoft Lync 2013, RDP and RomoteFX  introduced this capability: The Lync 2013 VDI component allows a Windows client to use the local media devices on a remote session (a Windows Desktop or RDS Windows Server). Actually the component will send audio and video directly to the peer or Lync Server, wich will assure the same quality and experience. It looks like a very strip-down version of the full client.

After some more (late) hours reading and heaving testing, I finally mastered the right implementation. This is what we ned to  deploy and configure:

Virtual Desktop

1. Windows 7 SP1, Windows 8 (32 or 64 bits), Windows 2008 R2 SP1 or Windows 2012;
2. Remote desktop enabled (Win7/8) or RDS (Windows Server);
3. Ensure that remote recording is enabled for remote desktop, so you can send your local microphone audio. Command line:
REG ADD “HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp” /v fDisableAudioCapture /t REG_DWORD /d 0 /f
4. Lync 2013 full client installed with the latest updates.

Lync Server 2013

1. Lync user account must have Media Redirection client policy enabled
This setting can only be enable using powershell. For global policy:
PS> Set-CsClientPolicy -EnableMediaRedirection $TRUE

about_RDP8Local desktop

1. Windows 7 SP1 , Windows 8 (or embedded versions);
2. For Windows 7 SP1, install KB2574819 (DTLS support) and then KB2592687 (RDP 8.0);
3. Lync 2013 VDI with the same OS bitness (install VDI x86 plugin on a 32 bits Windows version, and the VDI x64 plugin on a 64 bits OS).
4. compatible USB webcam installed

…We are ready to start using it!

Before you connect, you should configure you remote desktop client correctly. Enable remote audio on Local Resources tab > ‘Remote Audio settings…’ and ensure that ‘Persistent bitmap caching’ is disabled on Experience tab.

After connecting start (if is not already running) your Lync client session and wait for an additional logon window and If everything is authenticated correctly, you should see a confirmation at the bottom right of your remote Lync client.

All you need to do is make a video call. I received this impressive 720p wide video flowing fine and without delays.

And this is how you can have UC on a VDI. This is a good foundation for a cloud offer (UCaaS), although you have to evaluate the costs (ex: licensing the local and remote Windows). One thing for sure, there aren’t that much capable solutions available.

Take into account about some limitations, like:
>> Not supported with Office 365;
>> No Integrated Audio Device and Video Device tuning pages, and you can only use your local default audio/video devices (cannot switch between cameras);
>> Not Multi-view video, recording of conversations or joining meetings anonymously.

Additional notes:
>> There’s also support for VMware Horizon view and Citrix HDX;
>> You can also use Windows enabled terminals (Wyse Z90D7, R90L7, X90m7 and HP t610 and t5740e).
>> if you have a 32 bit version of Office installed, you’ll get a noticed blocking the plugin setup. You need to uninstall Office.
>> You can have a Lync client installed on the same computer as the plugin, but you cannot run both at the same time.
>> The plugin could not start correctly when I used my VPN connection.

Comments are welcomed


Lync Federation: Skype is available

MicrosoftSkypeSince May 23rd, Microsoft replace the messenger federation with Skype. There are several blogs and a Microsoft also released the official documentation, but here’s my quick provision instructions and ‘proof of work’.

Must have requirements:
*** Lync Edge configured with public certificates
*** PIC domain provisioned
*** _sipfederationtls.<_yourdomain> registered on Public DNS
*** Skype users should be logged on with a Microsoft ID account (not skype)

Instructions for Lync administrators:
1> enable federation on Access Edge Configuration
2> configure policies for user access
3> replace MSN sip provider with Skype provider
PS> Remove-CsPublicProvider -Identity Messenger
PS> New-CsPublicProvider -Identity Skype -ProxyFqdn -IconUrl -VerificationLevel 2 -Enabled 1

lync-client-skypefederationAnd then, (authorized) Lync users can add Skype contacts:
1> click on add contacts and pick Skype (see right picture);
2> you must enter the Skype user’s email in the following format: user(domain name); this step is not required for the Microsoft public domain accounts:, or For details about supported custom domain names, see “Known issues that occur with PIC and Lync / Communications Server”;
3> If your Skype contact already had your sip address, you should see his presence state after you had is contact. If not, he will receive a notification like this

Now comes the great part – you can:
> share presence
> exchange instant messaging and make peer-to-peer audio calls ! Just right click on your contact…
…and you’re talking!

And here you go: Lync-Skype federation – your company talking with million of people… anywhere, anytime!

Some notes about this federation:
> This configuration works for Lync 2013; It also works for Lync 2010, but you need to strip the iconurl parameter from the powershell command; it looks like it also works with Office Communications Server 2007R2.
> You cannot make video calls for now. It’s on Microsoft priority list but, for now, no compatible codecs are available (will Lync support SILK, or Skype will adopt RTvideo or just plain H264SVC ?)
> we can only have peer-to-peer converations. There’s no audio conference or even instant messaging (why not this last one?!)


Troubleshooting: the “clearinghouse effect”

This is the first category post, regarding very strange and “hard to find” problems in Lync deployments.

trouble_connectiong_to_serverserver_temporary unavailableThis customer had a full working Lync Edge server, but it stop working for remote desktop user access (!!). I mean, you could login using mobile clients, talk with federated users, but if you have a Windows or OSX client… users could not log in. To makes things harder there were several behaviours: with some users the client would just loop on the log on process, wihle others would give two type of error messages: “server temporarily unavailable” and “…having trouble connecting to the server”.

As always, I took the log and trace sip packets (good faithfull snooper). Nothing was found on the client side, so the clue has to be on the edge server.
And I got the message ‘The connection from a remote user client is refused because remote user access is disabled – SIPPROXY_E_CONNECTION_EXTERNAL_INTERNET_ACC ESS_DISABLED”
Gotcha! – remote user access was disabled on the Edge server. It was a simple problem… not!:
….* Remote user access was in fact enabled on the control panel;
….* Replication was working fine and settings were identical;
….* clients were not receiving  this warning message and lync mobile was able to log in.

Result: 4 days working on it, lots of swearing, hitting the firewall and even installing a new edge server and renewing certificates would solve the problem. At the end of the day I just take a look at the edge configuration setting using the shell and noticed a particular enable parameter:
There’s not much about this setting on the documentation, except this warning ‘ This parameter should not be changed unless you are instructed to do so by Microsoft support personnel’.

It turns out that the customer execute to command shell to enable Partner Discovery, but might also have set the beClearingHouse. After disabling it, the magic happens… Everything was back to normal !!

This is a clear case of ‘what does this button do if I press it?’. If you don’t ear any bang… it doesn’t mean we still didn’t broke anything.
But I would recommend Microsoft to document this and even update the Edge/client code to give more clues about this one.

Another annoying thing:
Set-CsAccessEdgeConfiguration -BeClearingHouse $false
will simply not change the setting. After some more time, you’ll find out that oyu need to include two more parameters
Set-CsAccessEdgeConfiguration -BeClearingHouse $false -EnablePartnerDiscovery $true -UseDnsSrvRouting


Get every new post delivered to your Inbox.

Join 134 other followers