Thursday, November 27, 2014

Generate an RPAD or VCS-C certificate with an internal CA (Client/Server Certificate)

Last time, when I tried to upload a certificate to a VCS-C, I ran into an issue with the certificate template.
The VCS needs a certificate that carries both the Server Authentication and Client Authentication attributes (extended key usages).

By default, there is no template with both attributes, so we have to create one.

How to create a new certificate template:

Log on to your certification authority and open mmc.exe.

Once the MMC is open, go to File > Add/Remove Snap-in.


Add Certification Authority > Local computer.


Right-click on Certificate Templates and select Manage.

This displays all the available certificate templates. Right-click on the Web Server template and duplicate it.

Change the name of the template (Client/Serveur in my case) and select Allow private key to be exported on the Request Handling tab.

In the Extensions tab, edit the Application Policies and add Client Authentication.

Your template is now ready. Click OK to validate and return to the MMC window.

Can't see your new template in the Certificate Templates folder?
Right-click on Certificate Templates > New > Certificate Template to Issue.
Highlight your new template and click OK.


You can now generate your certificate with your new template.
Command line: certreq -attrib "certificatetemplate:Client/Serveur" -submit vcs.txt
where Client/Serveur is the name of the new template and vcs.txt is the certificate request from the VCS/Expressway.
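As an added example (not part of the original post), here is a PowerShell sequence that submits the request against the custom template and then checks that the issued certificate really carries both the Server Authentication and Client Authentication EKUs, which is the property the VCS insists on. The template name Client/Serveur and the request file vcs.txt come from the post; the CA config string, the file paths and the function name Test-ClientServerEku are assumptions.

```powershell
# Added example, not from the original post. Assumed values: the CA config string,
# the file paths and the function name. The EKU OIDs are the standard ones from RFC 5280.
$Template  = 'Client/Serveur'                       # template created above
$Request   = 'C:\certs\vcs.txt'                     # CSR downloaded from the VCS/Expressway
$IssuedCer = 'C:\certs\vcs.cer'                     # where certreq writes the issued certificate
$CaConfig  = 'CA01.corp.example\Corp-Issuing-CA'    # placeholder "host\CA name"; see certutil -dump

# Submit the request; -config skips the interactive CA picker so this runs unattended.
certreq -submit -config $CaConfig -attrib "CertificateTemplate:$Template" $Request $IssuedCer
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

function Test-ClientServerEku {
    # Returns $true when the certificate lists both EKUs, otherwise throws naming the missing ones.
    param([string]$CerPath)

    $ServerAuth = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
    $ClientAuth = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    # 2.5.29.37 is the Extended Key Usage extension; .NET parses it into X509EnhancedKeyUsageExtension.
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $ekuExt) { throw "$CerPath has no Extended Key Usage extension at all" }

    $present = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    $missing = @($ServerAuth, $ClientAuth) | Where-Object { $present -notcontains $_ }
    if ($missing) {
        throw "Missing EKU(s) $($missing -join ', '): the VCS will refuse this certificate; check the template's Application Policies"
    }
    return $true
}

if (Test-ClientServerEku -CerPath $IssuedCer) {
    Write-Host "OK: $IssuedCer carries both the Server and Client Authentication EKUs"
}
```

Running the check on the CA right after issuance catches the case where the duplicated template was published but the Client Authentication policy was not saved, before the certificate is uploaded and rejected by the VCS.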

Sunday, November 23, 2014

POLYCOM – LYNC integration: RealPresence connect (part 1)

Part 1: Architecture and requirements 



I will try to explain how to configure the servers for the new Polycom option: RealPresence Connect.
First, I found a lot of information in the official Polycom documentation (http://supportdocs.polycom.com/PolycomService/support/global/documents/support/strategic_partner_solutions/Polycom_Unified_Communications_Deployment_Guide_for_Microsoft_Environments_us.pdf), but I want to give more details on the points that were not obvious (to me) in this guide.



RealPresence Connect is a great feature that lets users schedule a video conference from Outlook. The conference can easily be reached from a Lync client or from a video room system.
Lync or web participants just have to click on the link, while video room users have to dial the conference ID.

Let’s begin the technical part!

The target architecture:


Requirements:

Microsoft Lync 2013 Server -> 5.0.8308.577
RMX: 8.4
DMA: 6.1


The RMX must be connected to the front end. You can also register it with the DMA (H.323) in order to use it with the Polycom infrastructure only.

The configuration has two steps:
    1- Register the RMX in the Lync infrastructure
    2- Configure the SIP trunk between the DMA and the front end

Two other parts will describe these steps.

Again, I recommend following the Polycom document for this configuration. I just want to specify some points.



POLYCOM – LYNC integration: RealPresence connect (part 2)

Part 2: RMX configuration



Create and add the RMX certificates with an internal PKI.



Open the Microsoft Management Console (mmc.exe) on your certificate authority server.
File > Add/Remove Snap-in > Certificates > Computer account > Local computer
In the Personal folder, select the root certificate (All roles) and export it twice: once with the private key (.pfx with a password) and once without the private key (Base-64 encoded .cer).
Now in your RMX Manager, open Setup > RMX Secured Communication > Certification Repository.
List of the trusted certificates of the RMX

You can now add the root CA to the trusted certificates (open the .cer in a text editor and copy-paste its contents into the Add dialog).
To associate a certificate with IP Network Services, you must add the root certificate to the interface first: Personal Certificates > Add > IP Network Services > .pfx
Select the .pfx file and enter its password.
If everything goes without error, you can now create a certificate request for the interface: Personal Certificates > Add > IP Network Services > Certificate Request
Fill in all fields (the FQDN of the RMX as the common name) and paste the request into a text file.
Use the certreq command to generate the RMX's certificate on the PKI:
certreq -attrib "certificatetemplate:webserver" -submit rmxcertrequest.txt
Push the certificate to the RMX under IP Network Services: click Add and paste the generated file.
Your RMX now has its certificate and can be trusted by Lync. If you don't have an internal certificate authority, you can generate this certificate from the Lync FE.
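As an added example, not from the post or from Polycom, the following PowerShell exports the CA root certificate in the Base-64 form that the RMX trusted-certificate list expects, then checks the issued RMX certificate before it is pushed to the device: the common name must be the RMX FQDN typed into the request form, and the certificate must chain to that root. The RMX FQDN, the file paths and the function name Test-RmxCertificate are assumptions; Export-Certificate comes from the PKI module shipped with Windows Server 2012 and later.

```powershell
# Added example, not part of the original post. Assumptions: the CA's own certificate sits
# in LocalMachine\My (the "Personal" folder of the CA server), the RMX FQDN is a placeholder,
# and the certificate issued from rmxcertrequest.txt was saved as C:\certs\rmx.cer.
$RmxFqdn = 'rmx01.corp.example'        # placeholder, the CN entered in the RMX request
$RmxCer  = 'C:\certs\rmx.cer'          # certificate issued by certreq for the RMX
$RootDer = 'C:\certs\root.cer'         # DER export of the CA root
$RootB64 = 'C:\certs\root_base64.cer'  # Base-64 text to paste into the RMX trusted list

# 1. Export the CA root (public part only) and convert it to Base-64 for copy-paste.
$root = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $_.Issuer -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $root) { throw 'No self-signed CA certificate found in LocalMachine\My' }
Export-Certificate -Cert $root -FilePath $RootDer -Type CERT | Out-Null
certutil -encode $RootDer $RootB64 | Out-Null   # DER -> "-----BEGIN CERTIFICATE-----" text

# 2. Validate the issued RMX certificate before pushing it to IP Network Services.
function Test-RmxCertificate {
    param(
        [string]$CerPath,
        [string]$Fqdn,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Root
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

    # The CN must be the RMX FQDN, otherwise Lync will not match the trusted application.
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $Fqdn) { throw "CN is '$cn', expected '$Fqdn'" }

    # Build the chain with our root supplied explicitly, then insist the anchor IS that root
    # (AllowUnknownCertificateAuthority only stops .NET from failing on a store lookup).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ExtraStore.Add($Root) | Out-Null
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        throw "Chain build failed: $status"
    }
    $anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($anchor.Thumbprint -ne $Root.Thumbprint) { throw "Chain ends at '$($anchor.Subject)', not at our CA root" }

    # Validity window sanity check: a clock skew between CA and RMX shows up here first.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Validity $($cert.NotBefore) to $($cert.NotAfter) does not cover the current time"
    }
    return $true
}

if (Test-RmxCertificate -CerPath $RmxCer -Fqdn $RmxFqdn -Root $root) {
    Write-Host "OK: $RmxCer is issued to $RmxFqdn and chains to $($root.Subject); paste $RootB64 into the RMX trusted list"
}
```

The trusted-certificate list on the RMX needs only the public part of the root, so this step exports no private key; the pinned thumbprint comparison guards against the chain silently terminating at some other root already present in the CA server's store.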


You can follow the guide to create a trusted application pool, define a static route on Lync and create a new Lync user associated with a meeting room.

Configure your RMX

Lync registration

In this example, H.323 is disabled on my RMX (it could be registered on the DMA).
Do not forget to enable SIP registration on the conference profile:
Sip registration to Lync

You can now create your Lync meeting room, which will be registered with the Lync server.

Tip: if you change the duration of the VMR, the VMR will retry its registration with the Lync server. So if the VMR does not register the first time, you can modify your configuration and test it again without deleting and recreating the VMR.
Your VMR is now reachable from a Lync client!
Lync client connected on the VMR10


The first part of the configuration is done!

Saturday, November 22, 2014

POLYCOM – LYNC integration: RealPresence connect (part 3)

Part 3 DMA Configuration:



I haven't faced any issue with the DMA integration. The entire Lync configuration is well explained in the Polycom documentation. You can replace the static route to the RMX with one to the DMA. After that, it is exactly the same process as for the RMX. I'll just present some screenshots to give another view of this integration.

The certificate part is very similar to the RMX one. First, you upload the root certificate. Then, with the certificate request, you generate the DMA's certificate on your PKI.


Configuration of the external SIP Peer
Next hop address: FQDN of the Lync FE
Destination network: sip domain

RMX connection

As I said before, the RMX does not have to be registered on the DMA, but it must be known by the DMA.

The registration is Inactive because the RMX is registered with the Lync FE over SIP and H.323 is disabled. The new icon that appeared means your RMX is configured to support cascaded conferences with Lync.

Dial Rules



Resolve to Lync Conference ID: will match when using RealPresence Connect.
Lync Server Rule: will match when a video endpoint calls a Lync user.
For RealPresence Connect, only the first rule is needed.



Your configuration is ready!