Integrating Cisco Meeting Server with Lync/Skype for Business

I have implemented this week multiparty conferencing through the new Cisco’s CMS conferencing product. CMS enables Lync and Cisco users to participate in the same conference with a seamless behavior between Lync and Cisco experience.

The CMS is excellent for organizations where both Lync and Cisco UC deployments are used. (yes, Cisco is best in Telephony, yes Lync is best in Chat & IM, and yes opinions are shared for video/webconferencing)

The configuration is pretty straightforward. I’m really surprised with the ease of the configuration in CMS.

I will not detail how to integrate CMS with CUCM. A prerequisite of the following is that Cisco endpoints eg. Jabber and/or DX endpoints are able to connect to the same Space.

Note that the word “Space” in Cisco meeting Server is actually the equivalent of the Collaboration Meeting Room in Cisco Conductor.

The configuration steps on Lync/SfB Front-End are detailed in the CMS deployment guide Appendix C.

So basically, you need a choose domain for CMS  which needs to be different than the Lync domain. (for example, if your Lync deployment is contoso.com , you may choose for example the domain cms.contoso.com to route calls from Lync to CMS). This is because Lync needs to differentiate “Lync internal” calls (user@contoso.com) from “Lync external” calls (room@cms.contoso.com). You may even choose a completely different domain like “contoso2.com”, not only a different subdomain.

Here are the steps :

1- Download the Root CA certificate that signed the CMS certificate and import it to each Lync Front-End server. Put it in the “Trusted Root Certificate Authorities” folder. The Root CA certificate should be a .cer or .crt or whatever certificate file extension.

Importing the Root CA certificate that signed Lync Front-Ends to CMS is recommended however not required since CMS certificate verification is disabled by default.

2- Open Lync Server Management Shell to create the “Trunk” between Lync and CMS. The “Trunk” with CMS will be of type “Trusted Application Pool”; as far as Lync guys are concerned. Type the following cmdlets :

New-CsTrustedApplicationPool -Identity cms.contoso.com -ComputerFqdn cms.contoso.com-Registrar sfb-pool.contoso.com -site 1 -RequiresReplication $false -ThrottleAsServer $true -TreatAsAuthenticated $true

New-CsTrustedApplication -ApplicationId meetingserver-application -TrustedApplicationPoolFqdn cms.contoso.com -Port 5061

$x=New-CsStaticRoute -TLSRoute -Destination “cms.contoso.com” -MatchUri “cms.contoso.com” -Port 5061 – UseDefaultCertificate $true

Set-CsStaticRoutingConfiguration -Identity global -Route @{Add=$x}

and Finally : Enable-CsTopology

3- That’s it ! From a Lync client call “room@cms.contoso.com” and you should be in the virtual room. Don’t forget to open your webcam. Seems that Lync don’t negociate inbound Video until you actually open your webcam and trigger the outbound Video negociation.

4- You may face a problem where the Lync call to “room@cms.contoso.com” window appears and then disappears suddenly and the call gets disconnected.
I troubleshooted the issue in the CMS

2017-01-25 16:17:47.805 Info call 25: recognised as Lync
2017-01-25 16:17:47.805 Info call 25: incoming encrypted SIP call from “sip:lyncuser@contoso.com” to local URI “sip:room@cms.contoso.com” (Lync)
2017-01-25 16:17:47.817 Info conference “Test”: unencrypted call legs now present
2017-01-25 16:17:47.922 Info participant “lyncuser@contoso.com” joined space 32c459e9-fb89-4b5f-96d9-73aab7e5c7f4 (Test)
2017-01-25 16:17:47.962 Info call 25: ending; remote SIP teardown; ICE negotiation in process – connected for 0:00
2017-01-25 16:17:47.962 Info participant “lyncuser@contoso.com” left space 32c459e9-fb89-4b5f-96d9-73aab7e5c7f4 (Test)

A detailed call trace on CMS will show a SIP BYE message with the cause :
ms-client-diagnostics: 52001;reason=”Client side general processing error.”;UserType=”Callee”;MediaType=”audio”

2017-01-25 16:18:50.797 Info SIP trace: connection 31: incoming SIP TLS data from 10.210.30.9:59210 to 10.210.30.5:5061, size 699:
2017-01-25 16:18:50.797 Info SIP trace: BYE sip:room@cms.contoso.com;transport=tls SIP/2.0
2017-01-25 16:18:50.797 Info SIP trace: Via: SIP/2.0/TLS 10.210.30.9:59210;branch=z9hG4bKDEEFB2EF.FF22BB7957D3B46E;branched=FALSE
2017-01-25 16:18:50.797 Info SIP trace: Max-Forwards: 69
2017-01-25 16:18:50.797 Info SIP trace: Via: SIP/2.0/TLS 172.30.22.241:6174;ms-received-port=6174;ms-received-cid=E5400
2017-01-25 16:18:50.797 Info SIP trace: From: <sip:lyncuser@contoso.com>;tag=d8804dbf7f;epid=eedfaef46a
2017-01-25 16:18:50.797 Info SIP trace: To: “Test” <sip:7000@cms.contoso.com>;tag=a1ed2fe26aae6b2b
2017-01-25 16:18:50.798 Info SIP trace: Call-ID: 3238de7a9d0547978d0a00d24623c4cb
2017-01-25 16:18:50.798 Info SIP trace: CSeq: 2 BYE
2017-01-25 16:18:50.798 Info SIP trace: User-Agent: UCCAPI/15.0.4893.1000 OC/15.0.4893.1000 (Skype for Business)
2017-01-25 16:18:50.798 Info SIP trace: ms-client-diagnostics: 52001;reason=”Client side general processing error.”;UserType=”Callee”;MediaType=”audio”
2017-01-25 16:18:50.798 Info SIP trace: Content-Length: 0
2017-01-25 16:18:50.798 Info SIP trace: ms-routing-phase: from-uri-routing-done

The problem was that, by default, the “SIP Media Encryption” parameter on CMS (menu Configuration > Call Settings) was set to “disabled”. Since Lync requires encryption you may turn it to “allowed” and everything will work as a charm!

One last thing, the Lync client can also give you the presence status of the room. It will show Ready if nobody is in the Room and “In a call” if a meeting is in progress.

Advertisements

Collaboration Edge with Let’s Encrypt certificate and 7800/8800 IP phones

I have finished few weeks ago a Collaboration Edge deployment through Expressway for a customer.

We used in this deployment the new “free” Certificate Authority aka Let’s Encrypt.

In fact, this authority is supported by 7800/8800 series IP phones as stated by the Certificate Authority Trust List document.

Many websites provides simplified management and generation of Let’s Encrypt certificate (native one requires API integration etc. a hussel!), we used sslforfree.com for instance.

We have generated the certificate for ONLY the FQDN of Expressway as Subject Name. We did not put anything as SAN, no top-level domain especially. (Expressway version is 8.7.3 but it should work for later versions)

And it worked like a charm. One last thing is that the certificate has to be regenerated each 3 months so that it keeps current.

He’s my conclusion in two points:

  • Let’s Encrypt is trusted by Cisco IP phones and can be used as the Certificate Authority for Expressway-E
  • Putting ONLY the FQDN of Expressway in the certificate is pretty enough to make phones work outside the corporate LAN

 

Corporate directory for 7800/8800 IP phones on CME “Host not found”

Last week, I was deploying a new CME with some 7821 IP phones with some 8861 IP phones for the executivess.

However, I faced a problem regarding the corporate directory on those new SIP IP phones.

Phones were stating “Host not found”.

I searched around forums and blogs but didn’t find anything helpful.

As soon as I added the following three commands, the corporate directory worked.

CME(config)#ip http server

CME(config)#telephony-service

CME(config-telephony-service)#url directories http://CME-IP-Address/localdirectory

Following this, the Corporate directory worked like a charm! Yes it doesn’t mean anything to use “telephony-service” which is supposed to be used in case we have Skinny phones. Well not.

Don’t forget to save your config! “wr” 😉