
Tuesday, 14 October 2014

Reset Office 365 User Passwords via PowerShell

Recently I needed to reset the passwords of a group of Office 365 users to the same password. If you're reading this you undoubtedly know that the Office 365 admin web interface will only reset them to randomly generated passwords. PowerShell, however, lets you set a password of your choosing. To do this you will need to install the Microsoft Online Services Sign-in Assistant and then the appropriate Azure AD module for PowerShell (MSOnline), which is linked below. Two caveats before using this: a group of accounts sharing one known password that nobody is forced to change is a shared credential, so use -ForceChangePassword $true unless you have a specific reason not to; and the MSOnline module has since been deprecated by Microsoft in favour of the Microsoft Graph PowerShell SDK, though the approach is the same.


To set the passwords for multiple users I used a single-column CSV file containing the usernames to be reset. The script is shown below.


To break it down, the crux of what we are doing is this command (shown with the syntax to change the password for a single user). -ForceChangePassword $false means the user will not be required to change the password at first login.

Set-MsolUserPassword -UserPrincipalName jneurohr@abc.onmicrosoft.com -NewPassword xxxx -ForceChangePassword $false

  1. $msolcred = Get-Credential - This prompts for credentials; supply the Office 365 administrator username/password.
  2. Connect-MsolService -Credential $msolcred - Connects to the service using those credentials.
  3. $csvFile = "C:\_Delete\output.csv" - Stores the location of the CSV file in $csvFile.
  4. $csv = Import-Csv $csvFile -Header UPN - Imports the CSV file and stores it in $csv, naming the single column UPN (the file itself has no header row).
  5. A foreach loop then iterates through each row of the imported CSV, running the password set command with the row's UPN as the -UserPrincipalName argument.
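The complete script, assembled from the breakdown above. This is an added example reconstructed from those steps, not the original script image; the try/catch handling, the Out-Null and the Read-Host prompt are additions, and the CSV path is the one from the breakdown.

```powershell
# Reconstructed bulk password reset using the MSOnline (Azure AD v1) module.
# Assumes: the module is installed, and C:\_Delete\output.csv holds one UPN per line
# with no header row (hence -Header UPN on Import-Csv).
Import-Module MSOnline

$msolcred = Get-Credential            # Office 365 administrator username/password
Connect-MsolService -Credential $msolcred

$csvFile = "C:\_Delete\output.csv"
$csv     = Import-Csv $csvFile -Header UPN

# Prompt rather than hard-coding the password in the script file. Note this is still
# one shared password for every account in the list; -ForceChangePassword $true makes
# each user replace it at first login and is the safer default.
$newPassword = Read-Host -Prompt "New password for all listed users"

foreach ($row in $csv) {
    try {
        # Set-MsolUserPassword echoes the password back on success; discard it
        Set-MsolUserPassword -UserPrincipalName $row.UPN `
                             -NewPassword $newPassword `
                             -ForceChangePassword $false `
                             -ErrorAction Stop | Out-Null
        Write-Host "Reset: $($row.UPN)"
    }
    catch {
        # e.g. the UPN does not exist or the password fails the tenant policy
        Write-Warning "Failed: $($row.UPN) - $($_.Exception.Message)"
    }
}
```

Run it from a PowerShell session where the Sign-in Assistant and MSOnline module are installed; failures are reported per user rather than aborting the loop, so a bad UPN in the CSV does not stop the rest.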

Wednesday, 8 October 2014

Integrating Pexip Infinity with Microsoft Lync

This post shows the configuration required to integrate Pexip Infinity with Microsoft Lync. Pexip Infinity version 6 and Lync 2010 are used in this example (the same process should apply to Microsoft Lync 2013 as well). I'm going to assume that the Pexip Management Node and Conferencing node are configured to a working base and similarly for the Microsoft Lync environment. I've also assumed that the Pexip Management and Conferencing nodes have a trusted CA and CA issued certificates installed. See my other Pexip related posts on how to do this.

Firstly configure the Pexip conferencing node with a SIP TLS FQDN that matches the conferencing node's FQDN and the common name (or a DNS SAN) on its certificate.

  1. Log into the Pexip Management node and navigate to, Platform configuration > Conferencing nodes
  2. Select the conferencing node and set the SIP TLS FQDN to be the FQDN of the conferencing node and click Save

Next define the MSSIP domain
  1. Log into the Pexip Management node and navigate to Platform configuration > Global settings
  2. Set the Lync MSSIP domain to the domain used by the Lync deployment and click Save

Next define the Lync FE
  1. Log into the Pexip Management node and navigate to Platform configuration > Lync servers and click Add Lync server
  2. Enter the name and address of the Lync FE, leave the other fields at their defaults and click Save

Next add the Lync Server to the relevant location (the one containing the conferencing node)
  1. Log into the Pexip Management node and navigate to Platform configuration > Locations
  2. Open the location and select the Lync server defined above, click Save

To allow two-way media with remote/external and federated Lync clients, define a TURN server and add it to the relevant location. In my case a VCS Expressway is being used.
  1. Log into the Pexip Management node and navigate to Platform configuration > TURN servers and click Add TURN server
  2. Enter the details of the TURN server and click Save
  3. Next navigate to Platform configuration > Locations
  4. Open the location and select the TURN server defined above, click Save


Next on the Lync Server create a trusted application pool for the conferencing node and a trusted application within it. Note that -TreatAsAuthenticated $true means Lync treats SIP traffic from this pool as already authenticated, so the trust rests entirely on the TLS certificate the conferencing node presents matching the pool identity; make sure that certificate is in place before running these. The pool FQDN given to New-CsTrustedApplication must be the same one used as the pool -Identity.

Log into the Lync FE and run the below commands from the Lync Server Management Shell

PS C:\> New-CsTrustedApplicationPool -Identity pxpcn01.xyz.internal -Registrar lync-pool01.brs.local -Site 1 -RequiresReplication $false -ThrottleAsServer $true -TreatAsAuthenticated $true

PS C:\> New-CsTrustedApplication -ApplicationId sydcspxpcn01 -TrustedApplicationPoolFqdn pxpcn01.xyz.internal -Port 5061

Next on the Lync Server create a static route for the SIP domain used by the Pexip VMRs, then enable the topology. The -Identity given to the static routing configuration must refer to the same registrar pool that was used for the trusted application pool.

Log into the Lync FE and run the below commands from the Lync Server Management Shell

PS C:\> $Route3=New-CsStaticRoute -TLSRoute -Destination "pxpcn01.xyz.internal" -MatchUri "collab.xyz.internal" -Port 5061 -UseDefaultCertificate $true

PS C:\> New-CsStaticRoutingConfiguration -Identity "service:Registrar:lync-pool01.brs.local"

PS C:\> Set-CsStaticRoutingConfiguration -Identity "service:Registrar:lync-pool01.brs.local" -Route @{Add=$Route3}

PS C:\> Enable-CsTopology

At this point you can add the Pexip VMR as a contact in Lync and dial it from the Lync client.

Tuesday, 7 October 2014

Integrating Pexip Infinity with Cisco Expressway-C

This is just a short post to show the configuration required to integrate Pexip Infinity with the Cisco Expressway-C. Pexip Infinity version 6 and Expressway-C version X8.1.1 are used; the same process applies to the Cisco VCS Control. I'm going to assume that the Pexip Management Node and Conferencing Node are configured to a working base, and similarly for the Expressway-C/VCS-C. I'm also assuming that the Expressway-C has a trusted CA and CA-issued certificates installed (see my SIP-TLS and VCS related posts on how to do this), and that it is trunked to a gatekeeper/SIP registrar such that endpoints can call outbound to the Expressway-C for the domain @collab.xyz.internal.

First install the CA certificate (and chain if applicable) for the issuing CA. I'm using a Windows Certificate Authority and the same certificate template as used in my previous VCS SIP-TLS posts to generate the certificate file.
  1. Log into the Pexip Management node
  2. Navigate to Platform Configuration > TLS certificates
  3. Click Upload trusted CA certificates
  4. Locate the appropriate certificate file and click save


Next generate and upload CA signed certificates for the Pexip Management and Conferencing Nodes 
  1. Use the following command to generate a CSR and private key for the management node: openssl req -out mn.csr -new -newkey rsa:2048 -nodes -keyout mn_privatekey.key
  2. Ensure the Common Name you enter is the FQDN of the server
  3. Leave the challenge password empty when prompted (-nodes already leaves the private key unencrypted, so protect the .key file and delete it once it has been uploaded)
  4. Paste the contents of mn.csr into the advanced certificate request box of the Windows CA request web page
  5. Download the certificate in base-64 format
  6. Once you have the .cer and mn_privatekey.key files log into the Pexip management node
  7. Navigate to Platform Configuration > TLS certificates
  8. Click Upload certificate for the management node
  9. Select the certificate and private key files from earlier and click save
  10. Repeat the process for each conferencing node
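The same key and CSR generation driven from PowerShell, as an added example that is not from the original post. It puts the node FQDN in a DNS SAN as well as the CN, which is what the common name/SAN matching in the Lync posts relies on. It assumes openssl.exe is on the PATH, that the CA template is set to take the subject from the request (otherwise a Windows CA ignores the SAN in the CSR), and the node name in the usage line is a placeholder taken from the other posts.

```powershell
function New-PexipNodeCsr {
    # Generates an unencrypted RSA-2048 key and a CSR whose CN and DNS SAN are both the node FQDN.
    # Returns the file paths; the .key file must be kept private and deleted once uploaded.
    param(
        [Parameter(Mandatory)][string]$Fqdn,   # management or conferencing node FQDN
        [string]$OutDir = "."
    )
    $cnfPath = Join-Path $OutDir "$Fqdn.cnf"
    $keyPath = Join-Path $OutDir "$Fqdn.key"
    $csrPath = Join-Path $OutDir "$Fqdn.csr"

    # Minimal openssl config: no interactive prompts, FQDN in the CN and in a DNS SAN.
    @"
[req]
prompt             = no
distinguished_name = dn
req_extensions     = ext

[dn]
CN = $Fqdn

[ext]
subjectAltName   = DNS:$Fqdn
extendedKeyUsage = serverAuth, clientAuth
"@ | Set-Content -Path $cnfPath -Encoding Ascii

    & openssl req -new -newkey rsa:2048 -nodes -keyout $keyPath -out $csrPath -config $cnfPath
    if ($LASTEXITCODE -ne 0) { throw "openssl req failed (exit code $LASTEXITCODE)" }

    # Show the subject and SAN so they can be checked before the CSR goes to the CA web page.
    & openssl req -in $csrPath -noout -text | Select-String -Pattern 'Subject:', 'DNS:'

    [pscustomobject]@{ Fqdn = $Fqdn; Key = $keyPath; Csr = $csrPath; Config = $cnfPath }
}

# Usage: one CSR per node (placeholder name), then paste each .csr into the Windows CA
# advanced certificate request page and download the result in Base-64.
New-PexipNodeCsr -Fqdn 'pxpcn01.xyz.internal'
```

Check the printed Subject and DNS lines before submitting: if the FQDN is wrong here, Lync and the Expressway will later refuse the TLS connection and the symptom is an unhelpful "no route" or handshake failure rather than a certificate error.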


Next add the Expressway-C as a SIP proxy
  1. Log into the Pexip management node and navigate to Platform configuration > SIP proxies
  2. Click Add SIP proxy
  3. Enter a name and the FQDN of the Expressway-C
  4. Set the port to 5061 and the protocol to TLS, then click Save

Next add a Virtual Meeting Room (VMR)
  1. Log into the Pexip management node and navigate to Service Configuration > Virtual Meeting Rooms
  2. Click Add Virtual Meeting Room, configure a name and alias and click Save

Now over on the Expressway-C configure a neighbor zone for the Pexip Conferencing Node
  1. Log into the Expressway-C and navigate to Configuration > Zones > Zones and click New
  2. Configure as shown below and click Save

Finally add a search rule to the Expressway-C to route calls to the Pexip Conferencing Node

  1. Log into the Expressway-C and navigate to Configuration > Dial plan > Search rules and click New
  2. Configure as shown, ensuring the target is set to the Pexip neighbor zone created above


At this point you can dial your Pexip-hosted VMRs; in my case jason.vmr@collab.xyz.internal.



Thursday, 2 October 2014

Integrate CUCM and Expressway-C to Microsoft Lync with a SIP-TLS Trunk

This post details how to integrate endpoints registered to Cisco Unified Communications Manager (CUCM) with Microsoft Lync, utilising a SIP-TLS trunk between CUCM and a Cisco Expressway-Core appliance. It references a single CUCM node (version 10.5) with a single Expressway-C (version X8.1.1), and a Microsoft Lync 2010 enterprise pool with a single Front End. It is assumed that CUCM and Expressway-C have a basic config and endpoints can register with SIP-TLS and dial other endpoints within CUCM. It is also assumed that Lync is configured and clients can register and video call each other within the Lync pool. Note you will require the Microsoft Interoperability option key on the Expressway-C to do SIP-TLS with Lync 2010, and if you are using Lync 2013 you need the key for both TCP and TLS.

This post builds upon some previous articles, for reference see the post Configuring a SIP-TLS Trunk Between VCS and CUCM for how to configure the trunk between the CUCM server and the Expressway-C appliance.

Firstly configure the cluster name on the Expressway-C
  1. Log into the Expressway-C, and navigate to System > Clustering
  2. Since this is a lab with a single appliance, set the cluster name to be the same as the FQDN of the appliance itself

Next add the domain used by your CUCM (as defined in the enterprise parameters)
  1. Log into the Expressway-C, and navigate to Configuration > Domains
  2. Click new, enter the domain and click create domain

Next configure the B2BUA
  1. Log into the Expressway-C, and navigate to Applications > B2BUA > Microsoft Lync > Configuration
  2. Set the following
    1. Microsoft Lync B2BUA - Enabled
    2. Lync Signaling destination address - the FQDN of the FEP
    3. Lync signaling destination port - 5061
    4. Lync signaling transport - TLS
    5. Transcoders and TURN - Both set to No
    6. Advanced settings all default

Next add the Lync FEP as a trusted host
  1. Log into the Expressway-C, and navigate to Applications > B2BUA > Microsoft Lync > B2BUA Trusted Hosts
  2. Click New, enter the server name and IP address and set the type to Lync device
  3. Click Save
    1. Note I also added the Edge server to allow clients registered via the edge to call endpoints registered on CUCM

Next configure search rules towards the Lync clients and towards the CUCM endpoints
  1. Log into the Expressway-C, and navigate to Configuration > Dial Plan > Search rules
  2. Add a search rule to route calls for the CUCM endpoints via the CUCM SIP-TLS neighbor zone
  3. Add a search rule to route calls for the Lync clients via the B2BUA SIP-TLS zone which was automatically created for you when the B2BUA was enabled

Next configure the Lync Front End to trust the Expressway-C
  1. Log into the Lync FE, and run the command below from the Lync Server Management Shell
New-CsTrustedApplicationPool -Identity expc.collab.yyy.internal -ComputerFQDN expc.collab.yyy.internal -Registrar lync-pool01.yyy.internal -Site 1 -RequiresReplication $false -ThrottleAsServer $true -TreatAsAuthenticated $true
  • Identity - the Expressway-C cluster FQDN (this must match the common name/SAN in the Expressway server certificate, which you would have created referencing my previous post)
  • ComputerFQDN - the FQDN of the Expressway-C (again matching the common name/SAN)
  • Registrar - the Lync pool FQDN
  • Site - the site to which the application is homed, found by using the command Get-CsSite
  • TreatAsAuthenticated $true - Lync treats SIP traffic from this pool as already authenticated, so the certificate name match above is what the trust rests on; do not loosen it
Next assign the application to the application pool
  1. Log into the Lync FE, and run the command below from the Lync Server Management Shell
New-CsTrustedApplication -ApplicationID ExpresswayApplication1 -TrustedApplicationPoolFqdn expc.collab.yyy.internal -Port 65072
  • ApplicationID - internal label for the application
  • TrustedApplicationPoolFQDN - the FQDN of the Expressway-C (the pool Identity above)
  • Port - the port the Expressway-C B2BUA listens on; the static route below must use the same port
  2. Following that run the command Enable-CsTopology to apply the configuration
Lastly define a route for the SIP domain
  1. Log into the Lync FE, and run the command below from the Lync Server Management shell
$Route1=New-CSStaticRoute -TLSRoute -Destination "expc.collab.yyy.internal" -MatchUri "collab.yyy.internal" -Port 65072 -UseDefaultCertificate $true

Followed by

Set-CsStaticRoutingConfiguration -Identity global -Route @{Add=$Route1}

At this point you should now be able to call from a Lync client to the Video EP and vice versa. This screengrab is of me calling from Lync to an EX60 registered to CUCM.
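Both this post and the Pexip Infinity/Lync post above create a trusted application pool with -TreatAsAuthenticated $true, so the only thing Lync checks before accepting that pool's traffic is that the certificate presented on port 5061 carries the pool FQDN and chains to a CA the Front End trusts. The following is an added check (not from the original posts) to run on the Lync FE before New-CsTrustedApplicationPool; it connects to the SIP-TLS listener, pulls the certificate and reports the things Lync will care about. The pool name in the usage line is the one from this post.

```powershell
function Get-SipTlsCertificate {
    # Opens a TLS session to a SIP-TLS listener and returns the certificate it presents.
    # Validation is deliberately disabled on this probe connection: we want to inspect the
    # certificate and judge it ourselves, not have .NET reject it up front.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 5061
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $client.Close()
    }
}

function Test-TrustedApplicationCertificate {
    # Checks what Lync relies on for a trusted application pool:
    #  - the pool FQDN appears as the CN or in the DNS SANs,
    #  - the certificate chains to a CA in the local machine store (so run this on the Lync FE),
    #  - it carries the Server Authentication EKU and is still within its validity period.
    param(
        [Parameter(Mandatory)][string]$PoolFqdn,
        [int]$Port = 5061
    )
    $cert  = Get-SipTlsCertificate -HostName $PoolFqdn -Port $Port
    $cn    = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $names = @(@($cert.DnsNameList | ForEach-Object { $_.Unicode }) + @($cn) | Select-Object -Unique)

    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)

    $serverAuth = $cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' }

    [pscustomobject]@{
        PoolFqdn     = $PoolFqdn
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        Names        = $names
        NameMatches  = ($names -contains $PoolFqdn)
        ChainTrusted = $chainOk
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        ServerAuth   = [bool]$serverAuth
        NotAfter     = $cert.NotAfter
    }
}

# Usage on the Lync Front End, before creating the trusted application pool:
$check = Test-TrustedApplicationCertificate -PoolFqdn 'expc.collab.yyy.internal'
$check | Format-List
if (-not ($check.NameMatches -and $check.ChainTrusted -and $check.ServerAuth)) {
    throw "Certificate on $($check.PoolFqdn) will not be trusted by Lync; fix it before creating the pool"
}
```

If the listener insists on a client certificate during the handshake (the Expressway can be configured that way), AuthenticateAsClient will fail on this probe; in that case use the overload that takes an X509CertificateCollection and pass the Front End's own certificate.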



Tuesday, 30 September 2014

Configuring a SIP-TLS Trunk Between VCS and CUCM

This post details how to configure a SIP-TLS trunk between Cisco Video Communications Server (VCS) or Cisco Expressway-Core and Cisco Unified Communications Manager (CUCM). It references a single CUCM node (version 10.5) with a single VCS Control (version X8.2.1) lab build throughout, and only the minimum steps to achieve the desired outcome are described. It is assumed that both CUCM and VCS have a basic config and endpoints can register with SIP-TLS and can dial other endpoints registered to the same system (VCS>VCS, CUCM>CUCM etc.).

Starting with the VCS, Install a certificate signed by a trusted Certificate Authority (CA). For a Microsoft CA, create a template with the following extensions (note I copied the base Web Server template)

  • Application Policies - Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1)

Then install the CA certificate (and chain if applicable) for the issuing CA you are using to the VCS

  1. Log into the VCS and go to Maintenance > Security certificates > Trusted CA certificates
  2. Select the file to upload, and click append CA certificate

Next generate a CSR on the VCS and install the resulting certificate

  1. Log into the VCS and go to Maintenance > Security certificates > Server certificate
  2. Click Generate CSR
  3. Specify the details in the Additional information section, the rest should be fine as default
  4. Click Generate the CSR
  5. Back on the Server certificate page, click download to download the CSR
  6. Submit the request to the CA using the template created above and download the certificate in Base 64
  7. Back on the Server certificate page, Select the certificate file received from the CA, and click upload server certificate data

Next add a zone for CUCM

  1. Log into the VCS and go to Configuration > Zones > Zones
  2. Click New and configure as shown below. Ensure that you use the FQDN of the CUCM node as the peer address, so that it will align with the common name used in the CUCM SSL certificate

And finally add a search rule appropriate for your dial plan

  1. Log into the VCS and go to Configuration > Dial plan > Search rules
  2. Click new and configure as appropriate, noting the FQDN for the CUCM is defined in the CUCM Enterprise Parameters (shown later). Example below

Next move on to CUCM and, if not already done, install the appropriate server certificate and CA certificates. See my other post here for reference on how to do this: Registering a Cisco Videoconferencing Endpoint to CUCM using SIP-TLS

Next create a new SIP Trunk Security Profile

  1. Log into Cisco Unified CM Administration and go to System > Security > SIP Trunk Security Profile
  2. Click Add New
  3. Configure as shown below, taking care to use the FQDN of the VCS as the X.509 Subject Name so that it matches the common name in the VCS's server certificate (CUCM uses this to authenticate the trunk peer)

Next set the CUCM Cluster FQDN

  1. Log into Cisco Unified CM Administration and go to System > Enterprise Parameters
  2. Locate Clusterwide Domain Configuration
  3. Set the Cluster Fully Qualified Domain Name to the domain you want to use in your URIs
  4. Click Save

Next add the SIP Trunk to the VCS in CUCM
  1. Log into Cisco Unified CM Administration and go to Device > Trunk
  2. Click Add New
  3. The Trunk Type should be SIP Trunk, the Device Protocol should be SIP and the Trunk Service Type should be None(Default)
  4. Create the trunk similarly to the below adjusting where required (most defaults are fine). Ensure that
    1. SRTP Allowed is checked
    2. The SIP Information\Destination, destination address and port should be that of your VCS and port 5061
    3. The SIP Trunk Security Profile is set to the one created earlier


Lastly create a SIP Route Pattern for the VCS SIP domain

  1. Log into Cisco Unified CM Administration and go to Call Routing > SIP Route Pattern
  2. Click Add New
  3. Configure similarly to what is shown below, selecting Domain Routing as the Pattern Usage and enter the SIP domain used on the VCS in the IPv4 Pattern.
  4. Select the SIP trunk created earlier towards the VCS.

At this point you should now be able to initiate calls from CUCM registered endpoints to VCS registered endpoints and vice versa

Thursday, 18 September 2014

Registering a Cisco Videoconferencing Endpoint to CUCM using SIP-TLS

This post details how to register a Cisco videoconferencing endpoint, specifically TC based endpoints such as the C or EX series, to Cisco Unified Communications Manager (CUCM) 10.5 utilising SIP-TLS. It references a single node lab build throughout, and only the minimum steps to achieve the desired outcome (registering the TC based endpoint to CUCM using SIP-TLS) are described.

Firstly, why use SIP-TLS in the first place? Transport Layer Security (TLS) encrypts and integrity-protects the SIP messaging on the legs where it is enabled, and the server certificate lets the endpoint check it is really talking to CUCM, preventing a third party (the forever mentioned and nefarious BOB) from intercepting the SIP messages for malicious purposes, such as reading the caller and callee details, which could be sensitive in certain environments. An important note here is that TLS is hop-by-hop: it only protects the legs where it is configured and enabled, so unless TLS is working end-to-end you are not fully protected from interception. Not directly part of TLS but also worth noting is SRTP, the Secure Real-time Transport Protocol, which should be used in tandem with SIP-TLS so that the media is encrypted too. You can use SRTP without SIP-TLS, but with SDES keying the SRTP master keys are carried in the SDP of the SIP messages, so anyone who can read the signalling, our friend or foe BOB included, can decrypt the SRTP media. Let's kick on with the configuration.
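To make that last point concrete, here is an added example (not part of the original post) that pulls the SRTP master key and salt out of the SDP of a SIP INVITE, which is exactly what anyone on the path can do when SDES-keyed SRTP is negotiated over unencrypted SIP. The INVITE, the addresses and the key material are all constructed for the example.

```powershell
# Constructed SIP INVITE with SDES (RFC 4568) SRTP keying in its SDP body. Over SIP on TCP
# or UDP this travels in clear text; only SIP-TLS hides it from someone on the path.
$invite = @"
INVITE sip:jason.vmr@collab.xyz.internal SIP/2.0
Via: SIP/2.0/TCP 10.0.0.10:5060;branch=z9hG4bK-1
From: <sip:ex60@collab.xyz.internal>;tag=1
To: <sip:jason.vmr@collab.xyz.internal>
Call-ID: constructed-example-1
CSeq: 1 INVITE
Content-Type: application/sdp

v=0
o=- 1 1 IN IP4 10.0.0.10
s=-
c=IN IP4 10.0.0.10
t=0 0
m=audio 49170 RTP/SAVP 9
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:MDEyMzQ1Njc4OWFiY2RlZjAxMjM0NTY3ODlhYmNk
a=rtpmap:9 G722/8000
"@

function Get-SdesKeysFromSip {
    # Returns one object per a=crypto line: the suite plus the decoded master key and salt.
    param([Parameter(Mandatory)][string]$Message)

    $pattern = '^a=crypto:(?<tag>\d+)\s+(?<suite>\S+)\s+inline:(?<keysalt>[A-Za-z0-9+/=]+)'
    foreach ($line in ($Message -split "`r?`n")) {
        $m = [regex]::Match($line, $pattern)
        if (-not $m.Success) { continue }

        # AES_CM_128_* suites carry a 16-byte master key followed by a 14-byte master salt.
        $bytes = [Convert]::FromBase64String($m.Groups['keysalt'].Value)
        if ($bytes.Length -ne 30) {
            Write-Warning "crypto tag $($m.Groups['tag'].Value): unexpected key length $($bytes.Length)"
            continue
        }
        $hex = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
        [pscustomobject]@{
            Tag        = [int]$m.Groups['tag'].Value
            Suite      = $m.Groups['suite'].Value
            MasterKey  = $hex.Substring(0, 32)   # 16 bytes
            MasterSalt = $hex.Substring(32)      # 14 bytes
        }
    }
}

# Anyone holding a capture of the clear-text INVITE gets the SRTP keys with this one call.
Get-SdesKeysFromSip -Message $invite | Format-List
```

The same parser applied to a capture taken on a SIP-TLS leg finds nothing, because the SDP is inside the TLS record layer; that is the whole reason SRTP and SIP-TLS go together.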

After initial build of CUCM 10.5 the following steps are done.

Activate the required services from Cisco Unified Serviceability (Tools > Service Activation)

  • Cisco CallManager
  • Cisco TFTP
  • Cisco AXL Web Service
  • Cisco CTL Provider
  • Cisco Certificate Authority Proxy Function

Change the cluster security mode from non-secure-mode to mixed mode

  1. SSH to CUCM and login as admin
  2. Run the command utils ctl set-cluster mixed-mode
  3. Restart the Cisco CallManager and TFTP Services from Cisco Unified Serviceability 

Install a certificate signed by a trusted Certificate Authority (CA). For a Microsoft CA, create a template with the following extensions (note I copied the base Web Server template)

  • Application Policies - Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), IP Security end system (1.3.6.1.5.5.7.3.5)
  • Key Usage - Select Digital Signatures, Signature is proof of origin (nonrepudiation), Allow key exchange only with key encryption (key encipherment) and Allow encryption of user data



Then create the CSR from UCM, submit the request to the CA and then upload the certificate to UCM

  1. From Cisco Unified OS Administration navigate to Security > Certificate Management
  2. Click Generate CSR
  3. On the Generate Certificate Signing Request page, set the Certificate Purpose to be CallManager. Leave the rest of the fields as default
  4. Submit the request to the CA using the template you created above, and download the certificate in Base 64
  5. Back on the CUCM Certificate Management page, click upload certificate/certificate chain
  6. First upload the CA certificate (and chain if applicable) for the issuing CA selecting CallManager-Trust as the Certificate Purpose
  7. Then upload the CUCM certificate selecting CallManager as the Certificate Purpose
  8. Once done restart the Cisco CallManager and TFTP Services from Cisco Unified Serviceability


The next step is to create the Phone Security Profile

  1. From Cisco Unified CM Administration, go to System > Security > Phone Security Profile
  2. Find the Non-Secure profile for the endpoint model and click copy
  3. Update the name removing the "Non-", or name it to your preference and configure as shown below
  4. Once done click Save

Next add a new Phone

  1. From Cisco Unified CM Administration, go to Device > Phone
  2. Click Add, and select the Phone type corresponding to your videoconferencing endpoint model
  3. Configure the phone profile for your environment ensuring that you set the Device Security Profile to the Phone Security Profile you created earlier
  4. Set the Certificate Authority Proxy Function (CAPF) Information as shown below, amending the date to a time in the future
  5. Configure the admin username and password corresponding with the admin user/pass on the endpoint
  6. Once done click Save


Once this is done add a DN to the phone profile

  1. From the Phone, click Add a new DN
  2. Configure as per normal with the Directory number etc. and click Save

Now on the endpoint configure provisioning

  1. Log into the endpoint and navigate to Configuration > System Configuration > Provisioning
  2. Set the Mode to CUCM and the Address to the CUCM node

Once this is done the endpoint should be provisioned with the CTL/ITL, which can be verified from Configuration > Security > CUCM, shown below. Also SIP settings should be automatically provisioned (shown below), noting the DefaultTransport is set to TLS.



And that's it. You should now be able to make and receive calls.

Pro Tip #1

I came across this issue in the lab when testing various certificates whereby the TC based endpoint would show a SIP registration status of "Failed: Failed to send". Looking at the eventlog/all.log on the endpoint, I also extracted the following errors.

Sep 16 03:59:41.042 ppc appl[2831]: 138.02 PROV I: [requestItem] Requesting http://10.105.83.65:6970/CTLSEP0050600534bc.tlv, state=ProvItemCTL (CTL requested)
Sep 16 03:59:42.196 ppc appl[2831]: 139.17 PROV I: [requestItem] Requesting http://10.105.83.65:6970/ITLSEP0050600534bc.tlv, state=ProvItemITL (ITL requested)
Sep 16 03:59:42.681 ppc appl[2831]: 139.65 PROV W: [authorizeAndInstall]: secProcessTrustFile("/tmp/ITLFile.tlv") failed: 1 (TL_FAILURE)
Sep 16 03:59:42.685 ppc appl[2831]: 139.66 PROV I: [requestItem] Requesting http://10.105.83.65:6970/SEP0050600534bc.cnf.xml.sgn, state=ProvItemConfig (config requested (either full or mini))
Sep 16 03:59:43.141 ppc appl[2831]: 140.12 PROV W: [ProvisionItem] failed to strip signature/decrypt payload
Sep 16 03:59:43.148 ppc appl[2831]: 140.12 PROV ERROR: [handleFailedProvRequest] reqURL=http://10.105.83.65:6970/SEP0050600534bc.cnf.xml.sgn status=failed reason=Failed to decrypt/verify signature of /SEP0050600534bc.cnf.xml.sgn
Sep 16 03:59:43.153 ppc appl[2831]: 140.13 PROV I: CUCMProvisionUser: Failed to provision (status=Failed)
Sep 16 03:59:43.159 ppc appl[2831]: 140.13 PROV I: void CUCMProvision::CUCMProvisionUser::tryNextUrl() exhausted (pausing)

Further investigation showed that the CCM+TFTP certificate serial number on the endpoint's Configuration > System Configuration > Security > CUCM page did not match the serial number in the output of show itl from the CUCM CLI. The output of show ctl from the CUCM CLI showed the incorrect serial number as well, i.e. the CTL still referenced a previous certificate. To resolve this run the command utils ctl update CTLFile, then restart the Cisco CallManager and TFTP services from Cisco Unified Serviceability. On the endpoint go back to Configuration > Security > CUCM and select Delete CTL/ITL. Once it has pulled down the updated CTL/ITL files, stop and start the SIP service from Configuration > System Configuration > NetworkServices, and SIP should register successfully.

Endpoint:
Role CUCM-TFTP
Issuer CN=FOO Enterprise CA
Serial Number 5B:6A:D9:3E:00:06:00:00:00:B7
Subject Name CN=SYDCSVUCM01.collab.foo.internal; OU=Infrastructure; O=Foo; L=Sydney; ST=NSW; C=AU
Subject DNS Name SYDCSVUCM01

UCM:
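Two small helpers for the triage above, added here as an example and not part of the original post: the first scans endpoint log text for the provisioning messages that indicate a CTL/ITL mismatch, the second normalises the serial number formats shown by the endpoint and by the CUCM CLI so they can be compared without eyeballing colons and case. The sample log is the post's own lines re-used as input; the second serial value in the usage line is constructed for illustration.

```powershell
# Sample input: the endpoint eventlog/all.log lines quoted in the post (IP and MAC are its placeholders).
$sampleLog = @"
Sep 16 03:59:41.042 ppc appl[2831]: 138.02 PROV I: [requestItem] Requesting http://10.105.83.65:6970/CTLSEP0050600534bc.tlv, state=ProvItemCTL (CTL requested)
Sep 16 03:59:42.196 ppc appl[2831]: 139.17 PROV I: [requestItem] Requesting http://10.105.83.65:6970/ITLSEP0050600534bc.tlv, state=ProvItemITL (ITL requested)
Sep 16 03:59:42.681 ppc appl[2831]: 139.65 PROV W: [authorizeAndInstall]: secProcessTrustFile("/tmp/ITLFile.tlv") failed: 1 (TL_FAILURE)
Sep 16 03:59:43.141 ppc appl[2831]: 140.12 PROV W: [ProvisionItem] failed to strip signature/decrypt payload
Sep 16 03:59:43.148 ppc appl[2831]: 140.12 PROV ERROR: [handleFailedProvRequest] reqURL=http://10.105.83.65:6970/SEP0050600534bc.cnf.xml.sgn status=failed reason=Failed to decrypt/verify signature of /SEP0050600534bc.cnf.xml.sgn
"@

function Find-TrustListFailure {
    # Scans TC endpoint log text for the provisioning signatures that indicate the
    # CTL/ITL on the endpoint no longer matches the certificate CUCM signs with.
    param([Parameter(Mandatory)][string]$LogText)

    $signatures = @{
        'TL_FAILURE'                         = 'Trust list (CTL/ITL) could not be processed'
        'failed to strip signature'          = 'Signed config could not be verified against the trust list'
        'Failed to decrypt/verify signature' = 'CUCM signing certificate does not match the CTL/ITL on the endpoint'
    }
    foreach ($line in ($LogText -split "`r?`n")) {
        foreach ($key in $signatures.Keys) {
            if ($line.Contains($key)) {
                [pscustomobject]@{
                    Timestamp = ($line -split ' ppc ')[0]
                    Indicator = $key
                    Meaning   = $signatures[$key]
                }
            }
        }
    }
}

function Compare-CertificateSerial {
    # Normalises two serial numbers (colon-separated, spaced or bare hex, any case, with or
    # without leading zeros) and compares them, so the value on the endpoint's Security > CUCM
    # page can be matched against what "show itl" / "show ctl" print.
    param(
        [Parameter(Mandatory)][string]$EndpointSerial,
        [Parameter(Mandatory)][string]$CucmSerial
    )
    $normalise = { param($s) ($s -replace '[^0-9A-Fa-f]', '').ToLowerInvariant().TrimStart('0') }
    $a = & $normalise $EndpointSerial
    $b = & $normalise $CucmSerial
    [pscustomobject]@{
        Endpoint = $a
        Cucm     = $b
        Match    = ($a -eq $b)
    }
}

Find-TrustListFailure -LogText $sampleLog | Format-Table -AutoSize

# Serial from the endpoint page above versus a value as it might be copied from "show itl" (constructed).
Compare-CertificateSerial -EndpointSerial '5B:6A:D9:3E:00:06:00:00:00:B7' -CucmSerial '5b6ad93e0006000000b7'
```

A Match of $false with TL_FAILURE in the log is the case described above, and the fix is the utils ctl update CTLFile sequence; a Match of $true with the same log lines points elsewhere (for example the TFTP service not having been restarted after the certificate upload).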

Wednesday, 23 July 2014