Are you really offline on Teams? (part 1)

I will start backwards by presenting the solution before the ‘glitches’.

Making sure that you are really offline for everyone

This is the traditional: ‘I’m off for today/this week, don’t contact me!’
This includes your colleagues and any external or federated contacts.

Just make sure that you choose ‘Sign out’ from all your Teams clients (Windows, Mobile, Linux, OSX, Browser)

The users on your Tenant will see you offline and also the federated persons:

Both Teams federated tenant (on the left) and a SfB on-premise federated users will see me Offline and (hopefully) will not contact me

“Duh! we all know that. So why blog about this?”
You will not say this if you already had another user complaining that he doesn’t actually see your status offline. Now it’s time for the real topic… Why am I not offline for others?!

#1 Quit or shutdown might not put you to Offline status

Shutting down, hibernate your computer or specially using the Quit option on Teams sometimes will not trigger the Offline status. This seems to be related to client version or simply delays between the client and servers on the HTTPS sessions over VPN connection and corporate firewalls. Example:

I have my status Online and I clicked on the Teams task bar icon and quit the application…

…but all internal and federated users that have your contact will still see me as Available and will try to contact me

‘Appear offline’ will not work for all

Microsoft recently made the appear offline status available for Teams, which might be useful as a desperate ‘do not disturb me!!’ (might work for some who ignore the standard ‘DnD’).

Let’s test it!
(1) I have my status Available and I switch to ‘Appear Offline’

(2) My colleagues see me offline on Teams, check!

(3) If you still have an Hybrid federation with SfB onpremises, all the SfB user will see you as ‘Available’ or the last presence status that you had before changing to ‘Appear Offline’

(4) Your federated partners that use Teams will (most probably) see you ‘Offline’ but any SfB federated partner will also see your last status before you changed to ‘Appear Offline’

A Teams federated contact will see offline, but a SfB user will not and it will normally try to call you

If you check the SfB client logs and ran a trace on the SfB Edge server you will notice that all presence change status are sent from Teams to SfB except the ‘Appear Offline’.

Final thoughts

Let’s see if MS will find out and solve these two cases soon.

So… Are you sure that you are appearing offline to everyone right now? 🙂

“Skype for Business ends in July 2021. Migrate now to MS Teams!”… or not?

Some of my contacts and older customers have been coming to me because they were getting approached by some MS Partners that they must migrate their SfB infrastructure to Teams because ‘SfB is dead’ and ends in July 2021.

I will not finger-point no one here, but I want to clarify headers and speeches like this. I deliberate wrote my blog title like this but as friendly ‘click-bait’ 😉

Skype for Business Online will be retired on July 31, 2021

That is the correct heading. Only the SfB Online (SfBO) will be discontinued. SfB on-premises will continue to work and get support (much) after 31.07.2021

Where can read the retirement information from MS:
UPDATE: Skype for Business Online retirement on July 31, 2021
Skype for Business Online to Be Retired in 2021

If you have a plain and simple SfBO tenant your migration is simple (and probably automatically done by MS).

If you are still on SfBO and MS didn’t take any action, then it could mean that you have some an Hybrid SfB, PSTN or 3rd party connectivity:
“Skype for Business Online will be retired on July 31, 2021 after which the service will no longer be accessible. In addition, PSTN connectivity between your on-premises environment whether through Skype for Business Server or Cloud Connector Edition and Skype for Business Online will no longer be supported” – source

In these cases, you really need to take action and plan to move to Teams …or to a SfB On-premises 🙂

Skype for Business server 2015, 2019 are alive at least for 5 years

If you have a full SfB on-premises you can have support up to 14Oct2025. You can check that on the office MS Product Lifecycle

Current SfB lifecycle product support

Although SfB2015 mainstream support is now over, MS is still releasing updates. But to prevent MS to refuse support, either your extend (pay) it, or you should now upgrade to SfB 2019.

There will be a SfB vNext in 2021/22

Has announced by Microsoft there will be a next version of Skype for Business somewhere to be release in the second semester of 2021:
– (MS) The Next Version of Skype for Business Server
– (UC Today) Microsoft Reveals Fresh Details for Skype for Business Server 2022
– (Tom Talks) Skype for Business Server 2022 confirmed, only be available as a subscription

So, if you are comfortable with your reliable on-premises SfB infrastructure and you want to have full administration control as a critical business service, you know that you can have Skype for Business running until 2028 (?)

Teams meeting recording button became unavailable

ISSUE

  • Some day ago, users started reporting that they could not record a meeting. The record option was unavailable:
Start recording button dimmed?
  • The meeting policy for the users allow them to record meetings:
… Houston! we have a problem!

CAUSE

Sooooo… what happened?
Time to investigate what has MS changed recently 🙂

Clue #1: Checking the Microsoft 365 message center
You can find MC222640 ‘Microsoft Teams: meeting recordings saved to OneDrive and SharePoint’ is in progress.
October 19, 2020 (Complete) – You can enable the Teams Meeting policy to have meeting recordings saved to OneDrive and SharePoint instead of Microsoft Stream (Classic)”
But the rest of the info is not clear about what changes and if you need to take a specific action other than opt in/out to MS to change the recordings to OdB (OneDrive for Business) in 2021.

Clue #2: check the client settings received from the servers for new parameters.
Found a new one inside the callRecording: supportedOdbRegions with a list of countries, with “ch” is where my tenants are

"callingConstants.callRecording": {
    "downloadRecordingExpirationDays": 20,
    "supportedOdbRegions": [
        "ae",
        "ch",
        "de",
        "no",
        "sa",
        "br",
        "sg"
    ]
},

Clue #3: Let’s have a closer look at the meeting policies
Nothing has seem to have changed. Recordings are allowed (AllowCloudRecording) and using MS Stream (RecordingStorageMode), but…

… what will that parameter AllowRecordingStorageOutsideRegion=false do?

SOLUTION

As you know, Stream is not available in all regions like CH, so if AllowRecordingStorageOutsideRegion is getting honored, you cannot record if you are not allowed to save on the region that your account is? Solution(s):

  1. RecordingStorageMode=OneDriveForBusiness
    and/or
  2. AllowRecordingStorageOutsideRegion=true

My preference goes to #1 using the PS command

Set-CsTeamsMeetingPolicy ‘Global’ -RecordingStorageMode OneDriveForBusiness

Problem solved! you got your recording button back and your recordings are now available on OdB

Final notes and references

Looking at that client settings list, the Tenants on the regions United Arab Emirates (ae), Switzerland (ch), Germany (de), Norway (no), South Africa (sa), Brasil (br) and Singapore (sg) could also experience the same issue.

Teams ‘Busy on Busy’ causes missed call storm notifications

Recently in my company we decided to rollout the ‘Busy on Busy’ feature for all users, to suppress the annoying ring sound that comes on your headsets when you are on a call (or a meeting) and this makes it difficult to hear others.
But after a few days, some users started reporting a new symptom.

ISSUE

Scenario:
– Teams Tenant using Direct Routing
– User enabled for ‘Busy on Busy’
– User is on the busy state ‘in a call’ (PSTN, Teams-to-Teams or meet/confcall)

When a PSTN number calls that user, he will hear the busy tone. But the user will get a storm of missed calls notifications from the same number:

Storm of missed calls notification from a single call

Cause

When checking the SBC (Audiocodes) logs I could confirm several calls from the PSTN provider for every Busy answer of Teams:

The caller seems to be dialing every second when it gets a busy

Knowing that the user and his phone do not redial that fast, I decided to open an inquiry on the Telecom Provider.
But when I was collecting the SIP call logs, something came up when I was checking the Q.850 reason cause code:

All busy fields seems OK, but what’s that code=34 ?!

The ITU-T Q.850 codes specifies that 34 is ‘NORMAL_CIRCUIT_CONGESTION‘. The SBC sends this SIP ‘Busy Here’ to the Telecom providers and depending on the Telecom provider of the caller, it will retry the connections several times until it hangs-up.
Know you know why you get so many missed calls in a few seconds.

SOLUTION

From the ITU-T Q.850 codes table, the reason code for Busy should be 17.
Let’s fix this Teams Busy here ‘hiccup’.
Since I am using an Audiocodes this is my solution:

  • Create a Message manipulation rule that will detect if the ‘SIP 486 Busy here’ has the incorrect reason code. If so change it to ’17’.
Busy code not ’17’ ? let’s change it
  • Add or assign this message manipulation to the Teams inbound routing

Now when Teams send the Busy here, your SBC will send to the Telecom provider SIP message with the correct busy code, and they will not call again 😉

Hi real Telecom providers, the called number is busy here

Final notes and references

After the troubleshooting and solution I ‘googled’ for the right keywords and looks like that there are other blogs with the same and similar situations with different reason codes numbers:

SfB Online portal is gone: how do I manage user phones now?

For the last 28 hours I confirmed reports that the SfB Legacy portal disappeared from the Teams Admin Center (TAC). Probably as part of the retirement plan or just a temporary bug because today is back 🙂

This new article explains where to find the Skype for Business settings on the TAC, but…
…what about managing Enterprise Voice users on Tenants with Direct Routing (DR)? Would could do this on the SfBO portal, but there is currently no UI on TAC to do this.

Workarounds

  1. Use powershell (very user-unfriendly for 1st line support agents) to manage the users for voice
Import-Module MicrosoftTeams
# this will prompt for the login modern authentication
$sfbOnline=New-CsOnlineSession
Import-PsSession $sfbOnline
  
#User to configure $theUser=@{'SipAddress'='sip:first.last@company.ch';'LineURI'='tel:+41333444555'}
#ex: enable the user for enterprise voice and/or set the number
Set-CsUser -Identity $theUser.SipAddress -OnPremLineURI $theUser.LineUri -EnterpriseVoiceEnabled $true
#ex: disable the user for enterprise voice 
Set-CsUser -Identity $theUser.SipAddress -OnPremLineURI $null -EnterpriseVoiceEnabled $false

2. Locate and use the SfBO legacy portal
The tab item is gone, but the portal is still there ;). Use this powershell script to find the right one for your Tenant

# tenant base url (when it was created)
$tenantBaseUrl = "<customID>.onmicrosoft.com"
$sfbOnline=New-CsOnlineSession -OverrideAdminDomain $tenantBaseUrl Import-PsSession $sfbOnline
(Get-CsOnlinePowerShellEndpoint -TargetDomain $tenantBaseUrl).host

It will return the admin URL where your Tenant is hosted. So, for example if the return value is https://admined4.online.lync.com/, your SfBOnline admin center is https://admined4.online.lync.com/lscp

Open it on a browser and you got your SfBO admin center back 🙂

NOTES
– to use the powershell, make sure that you have installed the Teams Powershell Module
– Don’t forget to assign new users Phone System licenses (or E5) or you will get an error like: Cannot modify the parameter: “OnPremLineURI” because it is restricted for the user service plan: MCOMEETADD, MCOProfessional.

Can I make Teams Live Events in my country?

As I work with Swiss customers, this topic would sooner or later end on my ‘homedesk’. As a simple question became a challenge, it’s time to share it.

The customer has a MS365 Tenant in Switzerland and with these ‘COVID-19 age’ it asked: ‘I have Office E3+E5 licenses and I want to create a Teams Live Event for my 550 employees, but I cannot find the button’ (?!)

Traditionally you use Teams for interactive meetings up to 300 participants, but for more participants (up to 20’000) and also more professional presentations, Microsoft provides to his customers Live Events.

If you follow the official documentation, you find the instructions on how to do it using Teams. But if your tenant is based on Switzerland, Germany or France you will get stuck on ‘Step 1. Schedule a live event

You call your Teams admin and he confirms that your user has been granted Live Event permission policy … but the ‘Live Event’ option is still not available.

You will scratch your head and try on the Windows, web, Mac client until you ask Microsoft support or google until you find my blog or the official Microsoft link:

Regional availability

You can use Teams live events in multiple regions across the world. The following information shows availability for event team members and attendees.

These countries/regions and clouds aren’t supported
Germany, France, Norway. South Africa, South Korea
Switzerland, UAE, Government Community Cloud (GCC)-H, DOD

Case closed! You cannot make Teams Live Events if your tenant is on one of these countries/regions.

There are no technical limitations or GDPR reasons as other EU countries have (like Portugal or Italy). I believe it’s more a political/legal concerns involving companies,governments, CISO’s and where sensitive data is stored like a Live Event recording.

And now what?

‘But I don’t share that concern and I am paying for a subscription that includes that!’

In that case you can still schedule Live Events…. They are documented 🙂 Here’s 2 of the my 3 ‘workarounds’:

Yammer

Use or create a Yammer group, grant admin permission to the organizers, switch to the classic Yammer style… there it is! 🙂

how to create a Live Event from Yammer

To organize and conduct the event you can google for some videos or follow Microsoft documentation: Organize a live event in classic Yammer

The main advantage of conducting throw Yammer is that users can interact throw the Q&A channel (I am not a particular fan of this UI method) and it will stay organized for future view on a yammer channel.

Live event in Yammer

Microsoft Stream

Microsoft Stream is the back-end of Teams and Yammer Live Events. When you schedule them, it will be used to Broadcast and record the Live Event video produced by you to the audience.

Has long as your account has Live Events permissions (it’s allowed by default to all Tenant users) it’s a ‘one-click’ way from https://web.microsoftstream.com

How to create a Live Event from Stream

Live Events created from Stream are broadcasts mainly but it the easiest tool to create. You compose the event information, set access permissions, send a nice looking email to the participants and you can record it make adaptations and include captions to share it later :). People receive and click link, it opens the browser and… voila.

Again use Google or just the Microsoft documentation ‘Create a live event in Microsoft Stream‘ to prepare yourself and the presenters.

About the options

Depending on the final audience (employees only, guests, anyone) please check the tables on the ‘features breakdown by service and event type‘. Depending on the Production setup choice, there are limitations to know on how can people watch, interact or even produce

About other Microsoft Options

While you are still Teams-limited here’s some additional information regarding Microsoft additional solution:

  • Moving your tenant to another region is not possible
  • In August/2020 MS launched a Team add-on “Advanced communications
    After a contact with MS support, this feature just increases the number of participants and allows logo upload of a Live Event.
    It will not remove your regional restrictions, so don’t waist your money
  • On December CY2020 Microsoft is rolling out Large Meeting support for Teams (up to 1’000 interactive participants)
  • As a plan C you can always create a small dedicated tenant on a ‘supported’ region and create a Teams Live Event and invite your employees 😉

Producing the content

All looks simple, right? Well… Live Events are not meetings. It’s much more than a ‘create meeting’ click and send invites to the participant.

They are similar to a TV show. You need to plan in advance the content, the audience communication, invites to send train in advance your participants and … Produce it. You are going to need a producer tool (and a person with know-how) that will aggregate all the audio and video sources and send them to Microsoft Stream to broadcast to your audience.

Creating and scheduling from Teams

This is the big advantage of Teams. You schedule the Live Event with all details, select the audience, presenters and the producers and send the invite. For the producers, the Teams client will turn into a Producer software. Presenter will join the meeting you place the content to share and start the event from there and change the content and video throw the event.

Teams client in Live Event Producer mode

Creating and scheduling from Yammer

When scheduling live events from Yammer it will ask you for the producer to use: An external/3rd party (same as Stream) or Teams (it will not be electable if you are on an ‘unsupported’ zone)

Creating and scheduling from Stream

When scheduling live events from Stream you can only use a 3rd party solution to send the content to Stream for broadcasting. You will get a list of support hardware/software solution providers or use another compatible solution

There is this great free software solutions OBS Studio, that grab so many sources (cameras, mobile phones, capture desktop, web browser, applications and event Teams -with the NDI option ON-) and so easy to use that the only limit is your imagination and skills.

Composing this post while filming with the laptop and mobile cameras. (I should have shaved for this ocassion…)

There you go my Swiss friends! You can now Produce and Stream live events.

Let’s see if this post will gets 1’000 likes/shares to publish an ‘eastern egg’ regarding just Teams Live Events 😉

Polycom CCX family experience

Just had the pleasure to have the newest Microsoft family models of Poly on my lab: CCX400, CCX500 and the CCX600 for a short time.

This generation of phones are android-based, touch-screen only and have two hardware versions: with or without an handset (except CCX400). The audio quality is simply… Poly at is finest :): HD Voice, Acoustic Clarity technology providing full-duplex conversations, acoustic echo cancellation and background noise suppression.

The black design is stylish, high-resolution crystal clear screens and an optimal user interface.
Apologize for my low photography skills that don’t make justice with my review.

CCX400 (on the left) with the big brother CCX600
CCX400: with 5-inch color LCD (720 x 1280 pixel)
9:16 aspect ratio
CCX600 with 7” color LCD (1024 x 600 pixel), 16:9 aspect ratio
The larger screen of the CCX600 allows you to view more details like a Meeting appointment

Just like all the other models, you have can:

  • Activate a management Web interface were you can remotely manage the phones on all details
  • Remote capture a live screen (and even remote control the phone)
  • Centrally manage and provision them (Poly RPRM, ZTE, …)

The phones are OpenSIP, Skype for Business and also support, off course, MS Teams.

But you don’t get much control of the phone throw its Webadmin UI, since it’s basically now running a Microsoft cloud based client managed by the Team admin center:

On the age of softphones, Poly continues to provide a great set of solutions where a deskphone companion still helps: a reception, a meeting room, a secretary or common area phones.

You can get all the details on theses phone family on the official Poly CCX site, but here’s some brief differences:

CCX400CCX500CCX600
5” color LCD (720 x 1280 pixel)
9:16 aspect ratio
5” color LCD (720 x 1280 pixel)
9:16 aspect ratio
7” color LCD (1024 x 600 pixel)
16:9 aspect ratio
One USB type-A port1 USB type-A port
1 USB Type-C port
1 USB type-A port
1 USB Type-C port
Bluetooth 4.2Bluetooth 4.2
Wifi
full comparison details here

NOTE: there is also a CCX700 not mentioned here because it supports the OpenSIP firmware only

Teams new meeting experience breaks call queues answering

Just recently enable several call queues on customers and experienced this situation. Here’s the workaround for those who were scratching the head like me.

ISSUE

When a user receives and picks a call from a Call Queue from the Windows desktop client, the call window closes immediately after it opens and the call drops

Affected users/clients:

  • Only users receiving calls from call queues (CQ)
  • Users with Teams client v1.3.0019173 (64bit) and above running on Windows 10

Unaffected users/clients:

  • Normal inbound calls not coming from CQ (or Autoattendants)
  • Mobile or Web clients can answer calls from CQ

Cause

(not confirmed) Issue related to call queues created between mid to 29th of  September

(confirmed) The issue is caused by the new meeting experience feature launched in July/2020

(23.10.2020) Fixed

Since today that the issue has disappeared from both Tenants. Maybe something done by MS on them since I only detected the issue on these two.
The latest client version update was on 16th October, so doesn’t seem to have been the solution and the cause.

Workarounds

  1. Disable the ‘new meeting experience’ feature and restart the Teams client

2. Or, use the Web Client to answer call queues

NOTES

  • This feature is being rolled out gradually to Tenants, so some might not have received and noticed the issue
  • For customers that don’t control version rollout (i.e. users can install Teams by their own) – It seems that the automatic clients updates (it reinstalls Teams) will enable this feature automatically

Reference(s):

https://microsoftteams.uservoice.com/forums/908686-bug-reports/suggestions/41119102-if-new-meeting-experience-is-enabled-telephone

https://techcommunity.microsoft.com/t5/microsoft-teams-blog/new-meeting-and-calling-experience-in-microsoft-teams/ba-p/1537581/page/6#comments

Workplace contingency plans: the hidden issue

iStock-920982208-AndreyPopov-1200x600-600x300The Covid-19 pandemic caused an worldwide cause for concern. The best way to contain it is to reduce people direct interaction.
Some governments already imposed travel bans, forbid crowded events and closing schools.
Companies also limited travelling and ultimately send people to home office.

This is a great case scenario for companies to have the right UCC solution in place.
People can still collaborate, arrange meetings on the ‘safety’ of their home without the risks of public transport travelling, office doors knobs, next desk colleague or customer meetings.
Now, Skype for Business and others become a critical tool for companies.

But there is a ‘unexpected catch’ for companies to send half or more of their workers home: How do workers access the company internal resources? usually using a VPN.

Suddenly, companies have a large number of people using the internet speed and bandwidth to fighting for access to the systems (and also the Internet) -and it’s probably not the 1Gpbs per user as on the office LAN –

Now this old feature topic raised again.

The issue

Besides the issue of available bandwidth (including the one at home), how this can this get worth?

Sound_featureSome companies have VPN policies (either to security reasons or simplified administration) to enforce all their managed PC to send all the traffic throw the VPN (let’s call it ‘Forced-tunnel VPN’).
This includes applications traffic, emails, files, internet browsing including video content and… Skype for Business (SfB)!

As you already imagine people expect audio, video and the shared contents to be real-time but the SfB client is competing with:

  • Other applications loading files, email, video from the same tunnel
  • Double encryption/decryption: SfB encrypts his traffic and the VPN encrypt the traffic that is sent over the internet

If not well planned or prepared, IT support is going to have a flood of disgruntled users complaining about voice quality issues, failures, and unsuccessful meetings.

‘Force-tunnel VPN’ creates an additional problem for real-time protocols. Instead of delivering the packets to the shortest route possible, it will take a very long path in some cases. Let’s use the following picture to show you that:

Sfb-ForcedTunnel

There are two evident situations:

  • The calls between two home office worker of the same company will go first to the VPN server. And the call might get encrypted/decrypted twice
  • If another ‘SfB enabled’ company also uses Forced-tunneling the traffic will (1) get encrypted/decrypted until the SfB Edge server (2) to the other company Edge server and encrypted/decrypted again.

Now you have SfB traffic getting encrypted on an (overloaded) VPN tunnel traveling between several other systems and networks.

End user calling: “Skype for Business is a sh***. Totally useless”

Is there a solution?

Ask the CFO that you need to increase the internet bandwidth 🙂

Or… implement a Split-tunnel VPN.
SfB takes advantages of protocols like ICE and STUN/TURN to pass through routers and firewalls and get the shortest path to the other endpoint.

Let’s see the same picture now, where users don’t use a VPN or there is a complete Split-tunnel configuration:

Sfb-SplitTunnel

Differences?:

  • Home Office calls are going directly throw the Internet and encrypted only once (native done by SfB)
  • The other SfB call and conferencing will go to the internal LAN throw the SfB Edge server (and encrypted only once)
  • All SfB traffic will not consume VPN bandwidth

Is it important? as the Covid-19 continues to spread, more and more companies will adopt, someway or another, home office policies.
If 5% of home office of the users complaining about calls issues might not be important, but if you suddenly have 50-75% of your staff at home a SfB issue would make you look at a different perspective.

How to implements a split-tunnel for SfB?

There are many resources on the Internet to implement split-tunneling. I will not enumerate them because you need to understand how your VPN is implemented and the Windows configurations in place (local firewall, group policies, QoS)

The main concept is to ensure that all the SfB traffic can bypass the VPN. You need to:

  • Ensure that the home office client can reach and route traffic to the Edge servers
  • Block media ports from reaching the internal front-end servers
  • And let the SfB client do the rest!

Almost there! this will get you a ‘half-split-tunnel’. Unless your VPN client is smart enough to allow the SfB client to reach any public IP address, the above solution allows them to reach the Edge servers. The traffic will bypass the VPN, and it will use the Edge servers:

HalfSfb-SplitTunnel

To get to the complete split-tunnel solution, you actually need to configure the VPN client to route only the internal company addresses and let the remaining apps to reach the internet.
Advantages: your VPN will only have traffic for the internal applications, Skype for Business calls will go throw the fastest path.

This solution also place another challenge for companies with stricter security rules: ‘all companies PC traffic must go throw the VPN’. A good opportunity to rethink on newer security solutions 😉

And before you decide to optimize the SfB calls,  here’s my IT usual recommendations:

  • test first before rolling out to users: worst than some call quality issues is having no calls at all
  • Ensure that you have enough resources on the help-desk to support users troubleshooting their Home LAN and the router

You can now a happy ‘home office quarantine’ 🙂

Final notes:

  • This is not an issue/solution specific for SfB. You will face the same situation either if you are using Cisco on-premises, MS Teams, Webex, ….
  • Keep safe! Careless is as bad as Panic.

 

One Uppercase letter+one misconfiguration=4 hours quest

Just a normal a day with a SfB on-premises (yes, there are still some installed in the world) after migrating the RGS from another domain to this one and you decide to look around on the Monitoring services if everything is OK…

ISSUE

Just go to the Monitoring Reports and pick ‘Response Group Usage Report’:
sqlcollation
And… come on !! really?
sqlcollation2

Let summarize my last 4 hours:
(1) Go to the the SSRS, <program files>\Microsoft SQL Server\LogFiles and you will find this ‘self explanatory’ error message (whaaaat?):
processing!ReportServer_0-41!f30!10/14/2019-14:54:52:: w WARN: Data source ‘CDRDB’: Report processing has been aborted.
processing!ReportServer_0-41!f30!10/14/2019-14:54:52:: e ERROR: Throwing … —> Microsoft.ReportingServices.ReportProcessing.ReportProcessingException: Query execution failed for dataset ‘MainDS’. —> System.Data.SqlClient.SqlException: Invalid column name ‘TCTIme’.

(2) Start a SQL Server profiler session for the LcsCDR database, repeat the ‘query’ and you will get the call to a storage procedure:
sqlcollation3

(3) Open the LcsCDR database and manually execute that stored procedure dbo.CdrRGSUsageTrend. Gotcha!
sqlcollation4

(4) edit (Modify) the store procedure and you will find one line where the temporary column ‘TCTime’ with the ‘I’ in uppercase (the only one on the entire SQL statement)
sqlcollation5

CAUSE

(1) The uppercase ‘I’ is a long-term MS bug.
If you go to the <program files>\Common Files\Skype for Business Server 2015\DBSetup and open the ‘CdrDb.sql’ you will find it defined like that.

(2) Check the LcsCDR properties, and you might find that the collation is not Case Insensitive (CI) which means that ‘i’ <> ‘I’
sqlcollation6

WORKAROUND

Modify the ‘I’ to lower case and save the store procedure.
This will solve the problem… until you update SfB databases, because the CdrDB.sql will replace the store procedures with the uppercase ‘I’… unless MS fix this on the next CU

THE SOLUTION

Change the DB SQL collation to Case Insensitive (CI), like the default ‘Latin1_General_CP1_CI_AS’

You might now say that you really need an ‘I’ (or two) to troubleshoot this one 😉

Skype for Business security challenges – part 3

This is the third part of the topic: ‘enhancing Skype for Business environments’. In case you miss, check part 1 and part 2 to get the full picture.

On the previous topic post I focused on the ‘challenges’ on exposing user accounts and service from unauthorized access or DDOS. But now let’s see the scenario with authorized users using the collaboration features.

As mentioned before SfB is a tool that enables collaboration between people: any device, anytime and anywhere. And with federation you just extend all these capabilities with people across the world (specially with open federation).

meeting-collaboration

But the ‘openness’ of the features can sometimes expose more information than people want to unintentionally share, or worse: intentionally!

 

Let’s use a reverse example: in a traditional meeting room you share information with a specific group of people. If it’s confidential you want to make sure that the information keeps private (closed room), that only the right participants are present, no open doors and all whiteboards, slides erased before leaving the meeting.

It should be the same on a SfB Meeting, right? But from my experience, who checks if the meeting URL is private and no available for guest access? Did you select ‘End Meeting’ when it finished? Did you remove all the shared content that was uploaded?

Another unintentional situation: How many of you sent a username and password using a chat session ? I did 🙂 (and regret it sometimes)

Federation is a great capability of SfB (I loved it, really!), but it can also go against you. Others can see your presence, ‘chat-noying’ and, on extreme cases, it can show more than you think.

Let’s use the picture of a federated test contact that I have on my SfB. This is what you can see from you contact when he changes the privacy level:

ContactCard-privacy

(1) external contacts

(2) Colleagues

Workgroup

Friends and family

Presence

X

X

X

X

SIP

X

X

X

X

Email

X

X

X

X

Title

X

X

X

X

Company

X

X

X

X

Department

X

X

X

X

Office

X

X

X

Work phone

X

X

X

Mobile

X

X

X

Time zone

X

X

Home Phone (3)

X

Other Phone (3)

X

(1) default when adding federated contacts

(2) default for internal company contacts

(3) values set manually by the user on the SfB client

‘So what?’ some people ask
What if the customer finds out that you are an outsourcer, when you mentioned that you work on the main contractor? What if someone based on an email looks on the recipients and locates one the VIP? Why contact you for urgent matters if they can ‘escalate’?

The most extreme example is in fact a risk: Would you allow collaborators on a bank to share their desktop with outside participants and give remote control. The quickest corporate espionage is based on a rogue employee exposing sensitive data to competitors. SfB and other similar tools can be a good tool.

I can hear the readers thinking: this guy is paranoid !!
Answer: I’m not 😉  My out-of-the-box thinking always covers security aspects of the projects that I participate

SfB provides to SysAdmins several features to control and limit on how people collaborate, but in some situations it lacks of granularity. Let’s see some examples:

  • You can limit the modalities (can share desktop, application, remote control, use audio/video) on a per user basis. BUT… not per group of users
  • Remember the extreme case of undesired desktop/application sharing? You can block with policy. BUT… what if the end-user support is outsourced and you want your users to share the desktop with them ? or with any ‘company group’ domain partner?
  • You can in fact block your contact card and presence, by setting that only users on your contact list. BUT… it will do it for all external and internal contacts

Other examples of situations that you can think when administrate SfB:

  • Limit federated contacts to reach VIP’s or specific departments
  • Block showing internal presence status to all external users.
  • Prevent an internal user to share an application but allow external user to share with that user.
  • Scan file transfer for virus/malware

And then you get your Legal department with security concerns and compliance policies:

“We need to prevent disclosure of confidential data (ex: block or alert in case confidential project code names, share customer data that violates GDPR rules)”

This 3rd part was also the last one on enumerating the challenges. The next one(s) would be on how to mitigate them.

Skype for Business security challenges – part 2

This is second part of the topic: ‘enhancing Skype for Business environment’. In case you miss, check part 1 to get the full picture.

This one will be shorter and quick to read. It’s about authentication of your user accounts. I will write in form of questions and not go through descriptions the idea is to make you reflect on the topic.

4459ddd7-a3ca-47b7-869e-730176fcae51………..skype-signin

And now how can I:

  • enable multi-factor authentication (ex: RSA keys, biometrics, passwordless, …) on SfB Clients?
  • limit specific mobile devices to connect to SfB (ex: iPhone 10.2.1 only, block Huawei devices)?
  • login in SfB with different credentials than my Domain?
  • prevent the user to save credentials locally on any device?
  • restrict a user can sign-in on a maximum of two different mobile devices?
  • prevent two or more users to sign-in from the same mobile device?
  • limit users to sign-in from specific locations/networks (ex: employees service tablet to only inside the sales store Wifi) ? and block from specific countries?

A little side topic: If by this time you have the idea that ‘Skype for Business’ and MS are unsecured,… well most of this challenges can be also observed on the main competitors 🙂

Take me to part 3 >>

 

Skype for Business security challenges – part 1

So…! You have roll-out Skype for Busines (SfB) on you company. Either it’s a simple or more complex (HA, PSTN connectivity,…) it contains 3 components: a Front-end on an Active Directory and an Edge and a Reverse Proxy. These last two are, hopefully, isolated by firewalls.

SfB Topology example
Skype for Business topology example

Then you configure several policies to allow remote user access (PC, mobiles clients, ), federation with other SfB domains and conferences.

SfB is about enabling collaboration between people: any device, anytime and anywhere. Once you enable all these abilities to your users, you also create new security challenges to your company.

I would prefer not to call them ‘security risks’ at this time, BUT… ignoring them after reading and knowing them, it would change subject title!

Since there is quite a significant amount of content to cover, I divided this topic into smaller post. Initially I will expose the challenges and after them, I will describe how to mitigate them.

Keep also in notice that, although:

  • I use an On-premises SfB as the example, you will see very similar challenges using Office 365, in either Skype for Business Online or Microsoft Teams;
  • the challenges might be related to external user connectivity, they can be replicated using just inside your corporate LAN.

Let’s start with the first topic:

Part 1 – Denial of Services and exploits

 

1.1. Denial of Services by account lockout

Requirements:

  1. knowing a SIP address of an user. How difficult is that? In 90% of the case it matches his email address.
  2. knowing the account login. What are the chances that the UPN is the same as the SIP and Email address? Knowing the domain and the samaccountname might be more tricky, but it’s possible.

As soon as someone knows a valid SIP address I can use a SfB client (windows of for mobile) and can now try to login with credentials 5 or more times.

sfb client login attempt
You can try to login on Skype for Business with different credentials

A successful ‘DDoS’ will lock that user AD account (for some minutes or forever depending on the AD policy).

Not big security issue? Well let’s think:

  1. a locked user is a person that cannot work until support unlock him
    (and gets locked again by an active DDoS).
    This can be harmful from but can a possible attempt to sabotage a competitor to reply on time to a last minute RFC. And what happens
  2. It will a significant issue if the affected user is a VIP or the CISO
  3. by default there is no direct way to prevent these, since even the remote access policies will only take effect after the user successfully logs-in
    remember the traditional message: ‘your account is not allowed to sign-in from external networks’?
  4. It can get worse: imagine that you have several UCC 3rd party applications that uses SIP ‘service’ accounts? What happens if they get locked-out?
    What if there are still some companies that uses the default ‘administrator’ account? It can also get locked out the same way as many other critical domain ‘service’ accounts

Getting more concerned now? Using SfB clients is not the only way to cause account lockouts…. (Whaaaaatt?)

A simple SfB installation exposes some Webservices that actually ask for user credentials. How? Less experient SfB administrators configure topology with ‘easy-to- guess’ short URLs.

Here an example of a dialin.company.ch. If you click on the Sign In you will get the chance to enter a username and password (to change a PIN).

short-url-ddos

But there are more services: (1) the join a meeting URL allows you to try to authenticate, (2) the webscheduler (if installed) request the same, (3) if NTLM is enabled on the IIS (SfB webservices), any browse access attempt on known URLs will request authentication (ex: for the address book service: https://lsweb.company.ch/abs)

1.2 Denial of Services or attacks on published external Web Services

As stated before, a very basic SfB deployment will expose the web services to the internet throw a basic reverse proxy role that forwards the traffic throw the DMZ.

There are at least some potential challenges:

  1. Simple DDoS against the IIS services until the servers CPU/memory is exhausted
  2. Direct exploit of SfB vulnerabilities that on worst case can run unwanted command on the Front-end servers
  3. ‘Espionage’: someone can try to guess and find some running meeting with ‘guest’ permissions, since the formats are usually https://meet.company.ch/<username>/<meetingID>

 

1.3. Service exposures

The default (at least for mobile clients) discovery service is https://lyncdiscover.company.com. Just by sniffing this URL you might get some more information. And if you provide a SIP address you will get even more because of the authentication.

In the above example you will get the front-end server FQDN that reply to the request. Might be harmless, but this server internal FQDN is an additional clue to try to use it for user UPN DDoS attacks and as you dig throw other responses you might get to know a little bit more about the internal topology.

 

lyncdiscover-exposure
A normal lyncdiscover and authentication process of a SfB mobile client

Ready to proceed to part 2?

Skype for Business 2015 Server CU8a or CU9?

UPDATE 13/March 21:48 – Microsoft is updating now the info. It’s March2019 update to address a security vulnerability (CVE-2019-0798).Specific details here:
Microsoft Lync Server/Skype for Business spoofing cross site scripting
Better start planning to rollout March/2019 CU9 then! (and Lync 2013 Server if you still use)

I downloaded all the cumulative updates as soon as they are released. I like to keep an history and peek on the changes. Today I need to get the January/2019 CU8, but my repository was unavailable. So I went to official CU download site, but I noticed that the date published was from yesterday, but pointing the the KB3061064 (?!). When I got back the access to my repository, I noticed that this file also has a different version:
SfBupdate-list

Now I have two January/2019 CU with different versions (6.0.9319.537 and 6.0.9319.544) and different file sizes.
Time to dig and spot the differences: there are two msp files that changed:

OcsCore.msp

diff-ocscore
Two noticeable changes:
– non-US dll language files: they were compiled in different dates, but still have the same version number
– The Tracing files (used by CLS/OcsLogger tracing tool). These one have some significant changes:
diff-trancing

EnterpriseWebApp.msp

The files on both packages have the same size, but a ‘look inside’ reveals one particular difference: the ‘Lync.Client.Common.Consolidated.js’ is different.
diff-enterpriseWeb.png

A closer look reveals 5 lines of codes changes (one seems an additional protection)
diff-javascriptupdate

So… since MS didn’t update any documentation so far:

  • Is this CU8 republished?
    If so, MS will now have customers with different files for the same CU
  • Is this a CU9 (or a Cumulative Security update -SU-)?
    It could be, since the date matches the usually releases cycles.

Running the cumulative update installer on a Front-end server with January2019 CU8, confirms the patches changes on the identified components:

unNamedCU

The point the a KB4492303 and KB4492302 that don’t exist.

UPDATE 3/April/2019: Microsoft update the ‘Get updates’ section of KB3061064 section with an additional line:
4494279 Fix for Skype for Business 2015 and Lync Server 2013 spoofing vulnerability

That document mentions a ‘March 20’19 security update’:

The March 2019 security update contains a security fix for the spoofing vulnerability that is described in the following security advisory:

My official guess is now is that this is a SU9 and MS just decided to update this ‘silently’

But some IT engineers might believe that they are downloading and installing CU8 today.

 

The importance of knowing about certificates

Deploying and managing a Lync/Skype for Business environment demands you to know a lot more about technologies and protocols. Their communications are encryption which means that you need to deploy certificates and specially to maintain them over time. One wrong, forgotten or misplaced certificate can give you lot of headaches.

The following issue I faced recently, on a Lync 2013 environment is a good example of how a simple misplaced CA certificate can cause unexpected behaviours.

ISSUE and symptoms

After restarting the servers, the Lync services start reporting connection errors and denials due to certificate validation.

As a consequence, the users experience several issues:

  • Contacts presence status unknown
  • Address book unavailable
  • Unable to schedule, start or join meetings
  • External users unable to join/dial-in meetings

They are still able to sign-in, send IM’s and perform peer-to-peer calls (including video and desktop sharing) and PSTN inbound/outbound calls.

On the servers you will find from several others, eventID 32042 errors ‘Invalid incoming HTTPS certificate’ and eventID 30998 ‘Sending HTTP request failed’

Cause

The clue came from some informational events of services receiving invalid client certificates.EventID-61029

The last description line ‘Certificate error: 21482049809.’  translates to error code 0x800b0109, which is defined as CERT_E_UNTRUSTEDROOT. Lync server could not trust the subordinate CA that was installed on the local machine store ?!

Turns out that a new PKI has been deployed, and I found a subordinate CA incorrectly installed on the ‘Trusted Root Certificate Authorities’ of the servers.
(a subordinate CA can be easily identified because it’s not self-signed (‘Issue To’ name doesn’t match the ‘Issued By’)

subCA-on-TrustedCAstore

Windows Server 2012 (and higher) implements checks for a higher level of trust for certificate authentication. By finding the invalid certificate, doesn’t provide any Trust Root CA list and therefore the services cannot to validate the certificates presented to them.

SOLUTION

  1. Delete the subCA from the Trusted Root CA store of the server
  2. Reboot the server so it can load correctly the Trusted Root CA list.

Final notes

The issue will only start after a server reboot, so it can take quite some time to associate the cause/effect…. especially if you have just install a OS update !! (and blame it, uninstall, …)

Only after knowing exactly the issue, I manage to ‘google-fu’ a 4 years-old KB2795828 with a similar situation.
From that one I got a very usefull powershell script that help us to find any non self-signed CA on the Trusted Root CA store of the machine

Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Format-List *