Skype for Business Blog articles https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/bg-p/Skype_for_Business_Blog Skype for Business Blog articles Fri, 19 Aug 2022 22:52:19 GMT Skype_for_Business_Blog 2022-08-19T22:52:19Z Skype for Business Server support, Skype for Business App SDK, & migrating users to Microsoft Teams https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/skype-for-business-server-support-skype-for-business-app-sdk-amp/ba-p/3599779 <P>For millions of customers around the globe, Microsoft Teams is the preferred communications and collaboration platform, enabling chat, calling, meetings, file sharing, and application integration all from a single, cloud-based application.</P> <P>&nbsp;</P> <P>However, we understand some customers wish to maintain an on-premises deployment, either as a stand-alone or part of a hybrid configuration with Teams. As such, Microsoft will continue to support Microsoft Lync Server 2013, Skype for Business Server 2015, and Skype for Business Server 2019 through Microsoft’s&nbsp;<A href="#" target="_blank" rel="noopener">Fixed Lifecycle Policy</A> that covers customers through <A href="#" target="_blank" rel="noopener">Mainstream</A> and <A href="#" target="_blank" rel="noopener">Extended Support</A> phases.</P> <P>&nbsp;</P> <TABLE> <TBODY> <TR> <TD width="210"> <P><STRONG>Product</STRONG></P> </TD> <TD width="126"> <P><STRONG>Start Date</STRONG></P> </TD> <TD width="150"> <P><STRONG>Mainstream End Date</STRONG></P> </TD> <TD width="138"> <P><STRONG>Extended End Date</STRONG></P> </TD> </TR> <TR> <TD width="210"> <P><A href="#" target="_blank" rel="noopener">Microsoft Lync Server 2013</A></P> </TD> <TD width="126"> <P><EM>Jan 25, 2011</EM></P> </TD> <TD width="150"> <P><EM>Apr 10, 2018</EM></P> </TD> <TD width="138"> <P>Apr 11, 2023</P> </TD> </TR> <TR> <TD width="210"> <P><A href="#" target="_blank" rel="noopener">Skype for Business Server 2015</A></P> </TD> <TD width="126"> <P><EM>Jul 30, 
2015</EM></P> </TD> <TD width="150"> <P><EM>Oct 13, 2020</EM></P> </TD> <TD width="138"> <P>Oct 14, 2025</P> </TD> </TR> <TR> <TD width="210"> <P><A href="#" target="_blank" rel="noopener">Skype for Business Server 2019</A></P> </TD> <TD width="126"> <P><EM>Oct 22, 2018</EM></P> </TD> <TD width="150"> <P>Jan 9, 2024</P> </TD> <TD width="138"> <P>Oct 14, 2025</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Lync Server and Skype for Business Server customers who may be considering a move to the cloud are strongly encouraged to look at Microsoft Teams, our solution for modern work and a core component of most Microsoft 365 subscriptions. Microsoft Teams is where you’ll find our latest innovations to enable modern work for your organization, as well as enterprise-grade accessibility and security. Guidance is available to <A href="#" target="_blank" rel="noopener">plan a successful migration</A> from Skype for Business Server 2019 to Teams.</P> <P>&nbsp;</P> <P>At Ignite 2020, we announced plans for a version-less subscription for an on-premises solution we have been calling “vNext”. We continue to evaluate customer needs for this opportunity and remain committed to supporting Skype for Business Server beyond October 14, 2025, but do not have additional details to share currently. Customers who wish to remain on-premises should plan to upgrade to Skype for Business Server 2019 as this version provides the furthest window for Mainstream Service, the smoothest upgrade to the “vNext” and the easiest path to migrate users to Teams in the future.</P> <P>&nbsp;</P> <P><STRONG> End of Support for Skype for Business</STRONG><STRONG> App SDK</STRONG></P> <P>We want to remind customers that along with the retirement of Skype for Business Online in July 2021, the <A href="#" target="_blank" rel="noopener">Skype for Business App SDK</A> is no longer supported for either online or on-premises deployments of Skype for Business. 
We encourage developers using the Skype for Business App SDK to transition to Azure Communication Services (ACS) to enable voice, video, chat, and telephony in your apps along with the ability to join Teams meetings (as a guest).</P> <P>&nbsp;</P> <P>Stay tuned to this blog post for future news and announcements about Skype for Business Server and be sure to check out the <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-teams-blog/bg-p/MicrosoftTeamsBlog" target="_blank" rel="noopener">Tech Community Teams Blog</A> for the latest Teams updates.</P> Wed, 17 Aug 2022 17:29:36 GMT https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/skype-for-business-server-support-skype-for-business-app-sdk-amp/ba-p/3599779 Paulkwo 2022-08-17T17:29:36Z Skype for Business Server 2019 - Announcing the general availability of Modern Admin Control Panel https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/skype-for-business-server-2019-announcing-the-general/ba-p/2203816 <P>We are pleased to announce the general availability of Modern Admin Control Panel (MACP), as part of the Skype for Business Server 2019 <A href="#" target="_blank" rel="noopener">March 2021 Cumulative Update</A>.</P> <P>&nbsp;</P> <P>This is a continuation to our earlier released versions of MACP. You can read about previous releases, Phase 2 March 2020 <A href="https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/skype-for-business-2019-control-panel-phase-2-released/ba-p/1240564" target="_blank" rel="noopener">here</A> and Phase 1 in July 2019 <A href="https://gorovian.000webhostapp.com/?exam=t5/Skype-for-Business-Blog/Introducing-Skype-for-Business-Server-2019-Control-Panel/ba-p/771205" target="_blank" rel="noopener">here</A>.</P> <P>&nbsp;</P> <P>We had covered ‘Home’, ‘Users’, ‘Conferencing’ and ‘Federation and External Access’ tabs in earlier releases. 
In this release we introduce the following tabs: ‘Voice Routing’, ‘Voice Features’, ‘Response Group’ and ‘Conferencing (Dial-In-Access Number sub-tab)’.</P> <P>&nbsp;</P> <P>We continue to listen to our customers to prioritize and ship new features and updates. Based on your feedback, this release also includes the following enhancements:</P> <UL> <LI>Addition of OAuth (optional) to log in to the MACP portal</LI> <LI>Support for a Simple URL to access the MACP portal</LI> </UL> <P>Please start using the new Control Panel and share feedback and questions via the ‘Give Feedback’ link in the Control Panel. Read on for details.</P> <P>&nbsp;</P> <P><STRONG>Installation Instructions</STRONG></P> <P>1. Run <A href="#" target="_blank" rel="noopener">SSUI</A></P> <P>2. Run Bootstrapper.exe</P> <P>3. If Management OData is not already installed, install it using the steps below:</P> <P class="lia-indent-padding-left-60px">a. Open PowerShell in Administrator mode</P> <P class="lia-indent-padding-left-60px">b. Run command: Add-WindowsFeature ManagementOData</P> <P>The administrator account must have CsAdministrator role privileges and must be SIP enabled. If OAuth is set up, the administrator is not required to be SIP enabled.</P> <P><BR /><FONT size="5"><STRONG>Launching and Using Control Panel</STRONG></FONT></P> <P>Enter <EM>https://&lt;your pool FQDN&gt;/macp</EM> or the configured simple URL <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-teams-blog/microsoft-teams-displays-now-available/ba-p/1810291" target="_blank" rel="noopener">https://admin.&lt;your-domain&gt;.com</A> manually in a supported browser, and the Control Panel should open. You can also click on the blue banner at the top of the old Control Panel to launch the new Panel. 
The login screen looks like the following:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Login screen" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/262950i269A51B27295F45A/image-size/large?v=v2&amp;px=999" role="button" title="login screen.png" alt="Login screen" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Login screen</span></span></P> <P>&nbsp;</P> <P>Once you hit the login screen, log in with your admin credentials.</P> <P>&nbsp;</P> <P><FONT size="5"><STRONG>Voice Routing</STRONG></FONT></P> <P>Please create, modify, or delete dial plans in Dial Plan sub-tab as below:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dial Plan Home screen" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/263085iFC2C2AB1846EAB13/image-size/large?v=v2&amp;px=999" role="button" title="Dial Plan Home screen.png" alt="Dial Plan Home screen" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Dial Plan Home screen</span></span></P> <P>&nbsp;</P> <P>Please create, modify, or delete voice policies in Voice Policy sub-tab as below:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Voice Policy Home screen" style="width: 620px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/263086i7EE91E3077EA20EA/image-size/large?v=v2&amp;px=999" role="button" title="Voice Policy Home screen.png" alt="Voice Policy Home screen" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Voice Policy Home screen</span></span></P> <P>&nbsp;</P> <P>Please create, modify, delete, or change the priority order of routes in the Route sub-tab below:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Route Home screen" style="width: 619px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/263108i3235B2ACAF4EA548/image-size/large?v=v2&amp;px=999" role="button" title="Route Home screen.png" alt="Route Home screen" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Route Home screen</span></span></P> <P>&nbsp;</P> <P>Please view or delete PSTN usages in PSTN Usage sub-tab below. The new PSTN usages can be created under Associated PSTN Usages table in the voice policy form.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PSTN Usage Home screen" style="width: 620px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/263109i7CCF807F4EF90675/image-size/large?v=v2&amp;px=999" role="button" title="PTSN Usage Home screen.png" alt="PSTN Usage Home screen" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">PSTN Usage Home screen</span></span></P> <P>&nbsp;</P> <P>Please create, modify, or delete trunk configurations in Trunk Configuration sub-tab below:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Trunk Configuration Home screen" style="width: 629px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/263110iA58298FEEB7A2F54/image-size/large?v=v2&amp;px=999" role="button" title="Trunk Configuration Home screen.png" alt="Trunk Configuration Home screen" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Trunk Configuration Home screen</span></span></P> <P>&nbsp;</P> <P>Please create, modify, run, or delete test cases in Test Voice Routing sub-tab below:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Test Voice Routing Home screen" style="width: 628px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/263112iF740ABC03293B16D/image-size/large?v=v2&amp;px=999" role="button" title="Test Voice Routing Home screen.png" alt="Test 
Voice Routing Home screen" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Test Voice Routing Home screen</span></span></P> <P>&nbsp;</P> <P>Please try the import/export functionality in Voice Routing sub-tabs. You may export your voice- routing configuration to a file. Also, you may import the voice-routing configuration from the file. This functionality is present in every sub-tab under voice routing as shown below:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Import/Export Configuration" style="width: 644px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/263114i3DA58F921AA3B37A/image-size/large?v=v2&amp;px=999" role="button" title="ImportExport Configuration.png" alt="Import/Export Configuration" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Import/Export Configuration</span></span></P> <P>&nbsp;</P> <P>Similarly, you can import/export voice routing test cases in Voice Routing tabs. Also, you can create test cases. 
This functionality is also present in all voice routing sub-tab as shown below:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Import/Export/Create Test Cases" style="width: 649px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/263117iF1BA2BC4905D9B88/image-size/large?v=v2&amp;px=999" role="button" title="ImportExportCreate Test Cases.png" alt="Import/Export/Create Test Cases" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Import/Export/Create Test Cases</span></span></P> <P>&nbsp;</P> <P>Please try creating and running test cases with this functionality as shown below:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Create Test Cases" style="width: 625px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/263118iADF31089B6EF5512/image-size/large?v=v2&amp;px=999" role="button" title="Create Test Cases.png" alt="Create Test Cases" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Create Test Cases</span></span></P> <P>&nbsp;</P> <P><FONT size="5"><STRONG>Voice Features</STRONG></FONT></P> <P>Please try out the scenarios for ‘Call Park’ and ‘Unassigned Number’. 
You can create various number ranges, edit them, or delete them.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Call Park home screen" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/263119iFE7F4F8D30CBB0A3/image-size/large?v=v2&amp;px=999" role="button" title="Call Park home screen.png" alt="Call Park home screen" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Call Park home screen</span></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Unassigned Number home screen" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/263120iC1D3EE60C2CECD71/image-size/large?v=v2&amp;px=999" role="button" title="Unassigned Number home screen.png" alt="Unassigned Number home screen" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Unassigned Number home screen</span></span></P> <P>&nbsp;</P> <P><STRONG><FONT size="5">Response Group</FONT></STRONG></P> <P>Please note that to create or edit a workflow you need to access the page from inside domain network.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Workflow page in Response Group" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/263121i0A05B1EA5F7B0ED0/image-size/large?v=v2&amp;px=999" role="button" title="Workflow page in Response Group.png" alt="Workflow page in Response Group" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Workflow page in Response Group</span></span></P> <P>&nbsp;</P> <P>If not accessing from inside domain network, then the page displays message as shown below:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Workflow Access from domain message" style="width: 999px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/263441i938AD9504FECAC87/image-size/large?v=v2&amp;px=999" role="button" title="Workflow Access from domain message.png" alt="Workflow Access from domain message" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Workflow Access from domain message</span></span></P> <P>&nbsp;</P> <P>Please create, modify, or delete Response Group Queues in Queue page below:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Queue page in Response Groups" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/263442i98FC6B09BB4EDD84/image-size/large?v=v2&amp;px=999" role="button" title="Queue page in Response Groups.png" alt="Queue page in Response Groups" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Queue page in Response Groups</span></span></P> <P>&nbsp;</P> <P>Please create, modify, or delete group agents in Group page below:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Group page in Response Groups" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/263443i8E24AFBD29BD2FDD/image-size/large?v=v2&amp;px=999" role="button" title="Group page in Response Groups.png" alt="Group page in Response Groups" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Group page in Response Groups</span></span></P> <P>&nbsp;</P> <P><FONT size="5"><STRONG>Conferencing</STRONG></FONT></P> <P>We have also provided the only remaining page from Conferencing tab – ‘Dial-In-Access Number’.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dial-In-Access Number in Conferencing" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/263444iF417C01064062260/image-size/large?v=v2&amp;px=999" role="button" 
title="Dial-In-Access Number in Conferencing.png" alt="Dial-In-Access Number in Conferencing" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Dial-In-Access Number in Conferencing</span></span></P> <P>&nbsp;</P> <P><FONT size="5"><STRONG>Setup OAuth to login into MACP portal</STRONG></FONT></P> <P>The following is the step by step process to setup OAuth for MACP portal.</P> <P>&nbsp;</P> <P><STRONG>Minimum OS req and ADFS Server version:</STRONG></P> <UL> <LI>Windows Server 2016 onwards</LI> </UL> <P><STRONG>Steps to be performed on ADFS Farm machine:</STRONG></P> <OL> <LI>Ensure that an ADFS farm exists on the topology</LI> <LI>Create a new app for MACP in the ADFS<BR />a. Use the script <A href="#" target="_blank" rel="noopener">Configure MACP application in ADFS Farm</A><BR />b. We suggest you go with default options while running the above script.</LI> </OL> <P><STRONG>Steps To be performed on FE w17 server:</STRONG><BR />Once you have setup the ADFS farm, execute the following steps.</P> <OL> <LI>Install the latest <A href="#" target="_blank" rel="noopener">SSUI</A> in all the FE pool machines</LI> <LI>To enable the ADFS OAuth for MACP across all the pools or selective pools<BR />a. Use the script <A href="#" target="_blank" rel="noopener">Configure OAuth for MACP</A><BR />b. 
We suggest you review default options while running the above script.</LI> </OL> <P><STRONG>NOTE:</STRONG></P> <UL> <LI>You need to run the script on just one FE W17 server machine in your topology and it will automatically identify all the FEs in your topology (or the selective pools you have passed to the script).</LI> <LI>Use the same script to disable ADFS OAuth and fallback to web-ticket auth.</LI> <LI>To re-configure any ADFS related details, you must disable ADFS OAuth using <A href="#" target="_blank" rel="noopener">Configure OAuth for MACP</A> and then configure the ADFS again.</LI> </UL> <P>If OAuth is correctly configured, then you should see login screen as below:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sign-in.jpg" style="width: 596px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/263445i75CDEA8F320803F9/image-size/large?v=v2&amp;px=999" role="button" title="sign-in.jpg" alt="sign-in.jpg" /></span></P> <P>&nbsp;</P> <P>On clicking the<STRONG> Sign in</STRONG> button, you will get a pop-up to enter your username and password.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sign-in2.png" style="width: 683px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/263447i53F02BF09EDAB997/image-size/large?v=v2&amp;px=999" role="button" title="sign-in2.png" alt="sign-in2.png" /></span></P> <P>&nbsp;</P> <P><FONT size="5"><STRONG>Setup Simple URL to access the MACP portal</STRONG></FONT></P> <P>You can also access MACP using the simple URL <A href="#" target="_blank" rel="noopener">https://admin.&lt;your-domain&gt;.com</A></P> <P>Use the following steps to configure simple URL</P> <P>1. Install the latest <A href="#" target="_blank" rel="noopener">SSUI</A></P> <P>2. 
Configure the simple URL using cmdlets.</P> <P class="lia-indent-padding-left-30px">The example below shows how a new URL can be added to an existing collection of simple URLs:<BR />$urlEntry = New-CsSimpleUrlEntry -Url "https://admin.&lt;your-domain&gt;.com"<BR />$simpleUrl = New-CsSimpleUrl -Component "macp" -Domain "your-domain.com" -SimpleUrlEntry $urlEntry -ActiveUrl "https://admin.&lt;your-domain&gt;.com"<BR />Set-CsSimpleUrlConfiguration -Identity "Global" -SimpleUrl @{Add=$simpleUrl}</P> <UL> <LI>Refer to the following cmdlets: <BR />o <A href="#" target="_blank" rel="noopener">New-CsSimpleUrl</A><BR />o <A href="#" target="_blank" rel="noopener">New-CsSimpleUrlConfiguration</A><BR />o <A href="#" target="_blank" rel="noopener">New-CsSimpleUrlEntry</A></LI> </UL> <P>3. Run Enable-CsComputer<BR />4. In addition, you must also do such things as</P> <P class="lia-indent-padding-left-30px">a. create Domain Name System (DNS) records for each URL<BR />b. configure reverse proxy rules for external access<BR />c. add the simple URLs to your Front End Server certificates; and so on.</P> <P><STRONG>NOTE:</STRONG></P> <UL> <LI>Configuring OAuth-based authentication for MACP is a prerequisite for using the Simple URL.</LI> </UL> <P>&nbsp;</P> <P><FONT size="5"><STRONG>Providing Feedback</STRONG></FONT></P> <P>We always welcome any feedback and suggestions. Please share feedback and questions via the ‘Give Feedback’ link in the Control Panel. In the top right corner, you’ll see your login name. 
Click on the adjacent arrow, and you should see a drop-down like the below:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Providing feedback.png" style="width: 220px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/263449i58284E97746100B3/image-size/large?v=v2&amp;px=999" role="button" title="Providing feedback.png" alt="Providing feedback.png" /></span></P> <P>&nbsp;</P> <P>Hit ‘Give Feedback’, and you should see a browser window open with the <A href="https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-server-2019/skype-for-business-server-announcing-the-general-availability-of/m-p/2230488" target="_blank" rel="noopener">relevant discussion forum</A>. Please do check the discussions to see if your question has already been addressed. We look forward to hearing from you!<BR /><BR />On behalf of the product team,<BR /><STRONG>Ravindra Singh Bisht</STRONG><BR /><STRONG>Senior Program Manager, Skype for Business Server</STRONG></P> Wed, 24 Mar 2021 17:52:08 GMT https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/skype-for-business-server-2019-announcing-the-general/ba-p/2203816 Ravindra_Singh_Bisht 2021-03-24T17:52:08Z The Next Version of Skype for Business Server https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/the-next-version-of-skype-for-business-server/ba-p/1713765 <P>This week, at Ignite, we announced that the next version of Skype for Business (SfB) Server will be available in the second half of 2021, and will only be available with the purchase of a subscription license. Subscription entitles access to support, product updates, bug and security fixes. We will share additional details around the official name, pricing and availability, later.</P> <P>&nbsp;</P> <P>The next version of SfB Server will support in-place upgrade from SfB Server 2019 for a period of approximately two years following release. 
This feature will allow the admin to easily upgrade existing servers running SfB Server 2019 to the subscription-based codebase without needing to add or change servers.</P> <P>&nbsp;</P> <P>The next version of SfB Server will continue to support side-by-side deployment and migration from earlier versions of SfB, as has been the case over the last few releases, but we have increased the number of versions it can be installed alongside. Customers with Lync Server 2013, SfB Server 2015 or SfB Server 2019 can install the next version of SfB Server into their existing organization.</P> <P>&nbsp;</P> <P>We highly recommend that customers with existing Lync Server 2013 or SfB Server 2015 deployments who expect to keep on-premises servers in the future start planning and installing SfB Server 2019 today. Once the next version of SfB is released, they will then be able to perform an in-place upgrade to that version, making the move to SfB Server 2019 the last major upgrade they will ever need to do. 
&nbsp;</P> <P>&nbsp;</P> <P>We will have more details on this change over the coming months.</P> <P>&nbsp;</P> <P>-SfB Server Team</P> Fri, 25 Sep 2020 17:03:32 GMT https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/the-next-version-of-skype-for-business-server/ba-p/1713765 João Loureiro 2020-09-25T17:03:32Z Emerging Issue - Remote Access is disabled External Access Policy and NTLM is Disabled https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/emerging-issue-remote-access-is-disabled-external-access-policy/ba-p/1329724 <P>Emerging Issue - Remote Access is disabled External Access Policy and NTLM is Disabled</P> <P>If legacy authentication methods are turned off externally by following <A href="#" target="_blank" rel="noopener">https://docs.microsoft.com/en-us/skypeforbusiness/plan-your-deployment/modern-authentication/turn-on-modern-auth</A>, and remote access for the user is also disabled by External Access Policy, a bug has emerged that causes clients on the external network to enter an infinite loop, repeatedly trying to authenticate and getting a 403 Forbidden error. 
This generally happens whenever the client is not connected to VPN.</P> <P>The bug manifests in many ways, some of which are mentioned below:</P> <P>&nbsp;</P> <OL> <LI>The size of the LCSCDR database can increase considerably, especially for the dbo.Registration table</LI> <LI>CDR/QOE Reports may be delayed</LI> <LI>In rare cases replication would show a single secondary as opposed to both active secondaries and would auto-correct after several hours</LI> </OL> <P>&nbsp;</P> <P>The LYSS database can experience an increase in size too, and you will notice the following events:</P> <TABLE> <TBODY> <TR> <TD width="81"> <P>Event ID</P> </TD> <TD width="329"> <P>Event ID text</P> </TD> <TD width="169"> <P>Notes</P> </TD> </TR> <TR> <TD width="79"> <P>32056</P> </TD> <TD width="329"> <P>Space Used by LYSS DB is within normal range</P> </TD> <TD width="174"> <P>DB utilization &gt; 0% and &lt; 40%</P> </TD> </TR> <TR> <TD width="79"> <P>32057</P> </TD> <TD width="329"> <P>Space Used by LYSS DB is at or above the Warning Threshold.</P> </TD> <TD width="184"> <P>DB utilization &gt;= 40% and &lt; 60%</P> </TD> </TR> <TR> <TD width="79"> <P>32059</P> </TD> <TD width="329"> <P>Space Used by LYSS DB is at or above the Critical Threshold</P> </TD> <TD width="174"> <P>DB utilization &gt;= 60%</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Depending on how long the issue has been occurring, the size of the environment, and other factors such as user behavior, the following event IDs may also be seen:</P> <TABLE> <TBODY> <TR> <TD width="64"> <P>Event ID</P> </TD> <TD width="283"> <P>Event ID text</P> </TD> <TD width="231"> <P>Notes</P> </TD> </TR> <TR> <TD width="64"> <P>32075</P> </TD> <TD width="285"> <P>A full flush of all queue items for LYSS DB has started.</P> </TD> <TD width="229"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="64"> <P>32076</P> </TD> <TD width="285"> <P>A full flush of all queue items for LYSS DB has completed.</P> </TD> <TD width="229"> <P>&nbsp;</P> </TD> </TR> <TR> <TD 
width="64"> <P>32089</P> </TD> <TD width="284"> <P>A flush of queue items from the LYSS DB was initiated, and items were exported to the file system.</P> </TD> <TD width="230"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="64"> <P>32090</P> </TD> <TD width="285"> <P>Flushed queue Items from the LYSS DB have been left unattended to for some amount of time and require attention to be imported back.</P> </TD> <TD width="229"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="64"> <P>32103</P> </TD> <TD width="285"> <P>Fabric service id 'ROUTING GROUP GUID' is running with a reduced replication set.</P> </TD> <TD width="234"> <P>Get-CsPoolFabricState will show that routing groups are in missing secondaries</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>You can run a SQL Query against LYSS database to confirm if indeed you have been experiencing issues with 4003 by running</P> <P>&nbsp;</P> <P>Use lyss;</P> <P>SELECT&nbsp;&nbsp;&nbsp;&nbsp; SUBSTRING ( CONVERT(VARCHAR(MAX), CONVERT(VARBINARY(MAX), [ItemHeader])), CHARINDEX( '&lt;MsDiagId&gt;', CONVERT(VARCHAR(MAX), CONVERT(VARBINARY(MAX), [ItemHeader]))) + 10,&nbsp; CHARINDEX( '&lt;/MsDiagId&gt;', CONVERT(VARCHAR(MAX), CONVERT(VARBINARY(MAX), [ItemHeader])))- (10+CHARINDEX( '&lt;MsDiagId&gt;', CONVERT(VARCHAR(MAX), CONVERT(VARBINARY(MAX), [ItemHeader])))))&nbsp; 'MsDiag'&nbsp;&nbsp;&nbsp;&nbsp; ,Count(1) 'Count'&nbsp;&nbsp; FROM [lyss].[dbo].[ItemQueue]</P> <P>WHERE CHARINDEX( '&lt;MsDiagId&gt;', CONVERT(VARCHAR(MAX), CONVERT(VARBINARY(MAX), [ItemHeader]))) &gt; 0</P> <P>Group by SUBSTRING ( CONVERT(VARCHAR(MAX), CONVERT(VARBINARY(MAX), [ItemHeader])), CHARINDEX( '&lt;MsDiagId&gt;', CONVERT(VARCHAR(MAX), CONVERT(VARBINARY(MAX), [ItemHeader]))) + 10,&nbsp; CHARINDEX( '&lt;/MsDiagId&gt;', CONVERT(VARCHAR(MAX), CONVERT(VARBINARY(MAX), [ItemHeader])))- (10+CHARINDEX( '&lt;MsDiagId&gt;', CONVERT(VARCHAR(MAX), CONVERT(VARBINARY(MAX), [ItemHeader])))))</P> <P>Order by 2 desc</P> <P>&nbsp;</P> <P>The output should look like</P> <DIV 
id="tinyMceEditorSri Todi_3" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="SQL output.jpg" style="width: 141px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/185946iB8CB2E355C845C46/image-size/large?v=v2&amp;px=999" role="button" title="SQL output.jpg" alt="SQL output.jpg" /></span></P> <P>&nbsp;</P> <P>This issue has been fixed in a client update with version 16.0.11901.10000, but the default behavior hasn’t been updated. In order to remediate the issue, you would need a client policy (or a GPO) along with an updated client.</P> <P>&nbsp;</P> <P>For the fix to be effective, the regkey <STRONG>ForbiddenRemoteAccessIsPermanentError</STRONG> is needed, as shown below.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="registry entry.jpg" style="width: 748px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/185947iE5DED2DBDAE6AED2/image-size/large?v=v2&amp;px=999" role="button" title="registry entry.jpg" alt="registry entry.jpg" /></span></P> <P>&nbsp;</P> <P>Path: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Lync</P> <P>KeyName: ForbiddenRemoteAccessIsPermanentError</P> <P>Value: 1</P> <P>&nbsp;</P> <P>The key can be pushed through a client policy entry, for example by 
adding the policy entry to global client policy</P> <P>$a = New-CsClientPolicyEntry -name ForbiddenRemoteAccessIsPermanentError -value "True"</P> <P>Set-CsClientPolicy -Identity Global -PolicyEntry @{Add=$a}</P> <P>&nbsp;</P> <P>In-order for the client policy to be applied, a successful logon is required, so users need to sign-in atleast once, so the data is cached and used for subsequent failures</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="blocked logon.jpg" style="width: 347px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/186034iFEF00EE7F3457E63/image-size/large?v=v2&amp;px=999" role="button" title="blocked logon.jpg" alt="blocked logon.jpg" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Once appropriate changes have been accomplished users will experience the following error message when logging on remotely</P> <P>&nbsp;</P> <P><STRONG>Please Note:</STRONG> At this point in time, <EM><U>only Skype for Business 2016 Client&nbsp; has a fix</U></EM>, and there are no planned changes for Skype for Business 2015 Client</P> <P>&nbsp;</P> <P>We understand that updating the clients may take some time, and while the clients are being updated, organizations may want a work-around to prevent any work disruptions. 
At this point in time, we recommend the following:</P>
<P>&nbsp;</P>
<OL>
<LI>Update the Storage Service behavior to disable the Auto Import functionality, which allows for a controlled method of importing data and prevents any potential issues, by running:<BR />Set-CsStorageServiceConfiguration -EnableAutoImportFlushedData $false</LI>
<LI>Perform a full flush of the storage service before the beginning of the day, so that the automatic export does not happen under load during business hours, as it is resource-intensive (CPU / memory / disk / network), by running:<BR />Invoke-CsStorageServiceFlush -FlushType FullFlush -PoolFqdn POOLFQDN</LI>
</OL>
<P>This may also prevent FabricReplicationSetReduction from happening in your organization, if it was previously occurring.</P>
<P>&nbsp;</P>
<P>Finally, it's possible that XML files have been written to your file share that may need to be imported for regulatory and/or compliance purposes. Please reach out to Microsoft Support to help you determine how and when the data can be imported safely.</P>
Thu, 23 Apr 2020 01:16:02 GMT https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/emerging-issue-remote-access-is-disabled-external-access-policy/ba-p/1329724 Sri Todi 2020-04-23T01:16:02Z On-Premises Diagnostics for Skype for Business Server Are Now Available https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/on-premises-diagnostics-for-skype-for-business-server-are-now/ba-p/1292931
<P><FONT color="#339966"><EM><STRONG>March 31st, 2022 Update: Be sure to check out <A href="https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/on-premises-diagnostics-for-skype-for-business-server-are-now/bc-p/3272725/highlight/true#M3260" target="_self">Joao's comment</A> for an incremental update!&nbsp; Bug fixes and a few small enhancements.</STRONG></EM></FONT></P> <P>&nbsp;</P> <P>The NextHop team is very pleased to announce the release of On-Premise
Diagnostics (<STRONG>OPD</STRONG>) for Skype for Business Server.&nbsp; <STRONG>OPD</STRONG>&nbsp;is a collection of diagnostic scenarios, analyzers, rules and insights for diagnosing common issues in Skype for Business 2015 and 2019 on-premises and hybrid environments based on real world support expertise from Escalation Engineers in CSS.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P><STRONG>Getting started</STRONG></P> <P>First you'll need to&nbsp;<A href="#" target="_blank" rel="noopener">Install or upgrade</A> to the latest version of <STRONG>OPD</STRONG>.&nbsp; Next, check out the instructions on&nbsp;<A href="#" target="_blank" rel="noopener">How to use OPD</A>.&nbsp; Then&nbsp;<SPAN>determine which scenario you would like to test for. Note that each scenario will have one or more unique tests.&nbsp; For our initial release, we're offering diagnostics for some of the top support issues for On-Premises Skype for Business Servers:&nbsp;</SPAN></P> <P>&nbsp;</P> <TABLE> <TBODY> <TR> <TD width="200px" height="29px"> <P><STRONG>Scenario</STRONG></P> </TD> <TD width="664px" height="29px"> <P><STRONG>Types of tests</STRONG></P> </TD> </TR> <TR> <TD width="200px" height="29px"> <P>Contact List</P> </TD> <TD width="664px" height="29px"> <P>User contact list is not available</P> </TD> </TR> <TR> <TD> <P>Deployment</P> </TD> <TD> <P>Skype for Business Server deployment best practices analyzer</P> <P>Skype for Business Modern Authentication is not working</P> <P>Check to see if TLS 1.0/1.1 deprecation is properly configured</P> </TD> </TR> <TR> <TD> <P>Exchange Integration</P> </TD> <TD> <P>Skype for Business Server and Exchange Hybrid deployment integration is not working</P> <P>Skype for Business Server and Exchange Online deployment&nbsp;integration is not working</P> <P>Skype for Business Server and Exchange OnPrem deployment&nbsp;integration is not working</P> </TD> </TR> <TR> <TD width="200px" height="56px"> <P>Federation</P> </TD> <TD width="664px" height="56px"> <P>Federation 
is not working (On-Premises deployment)</P> <P>Federation is not working (Hybrid deployment)</P> </TD> </TR> <TR> <TD width="200px" height="29px"> <P>Hybrid</P> </TD> <TD width="664px" height="29px"> <P>Validate that the Skype for Business hybrid deployment is disabled</P> <P>IM and Presence problems between Skype for Business and Teams users</P> </TD> </TR> <TR> <TD> <P>Performance</P> </TD> <TD> <P>Skype for Business Server Performance Check</P> </TD> </TR> <TR> <TD> <P>Response Group</P> </TD> <TD> <P>Check if response group usage report runs correctly</P> </TD> </TR> <TR> <TD width="200px" height="29px"> <P>Services</P> </TD> <TD width="664px" height="29px"> <P>The front end service is not starting in Skype for Business Server</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>In the following screenshot we've chosen the Federation Scenario, here's a little teaser of what this looks like:&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="diag.png" style="width: 887px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/183141i2EAF0ABAC6312D1F/image-size/large?v=v2&amp;px=999" role="button" title="diag.png" alt="diag.png" /></span></P> <P>&nbsp;</P> <P>Please go try these in your environments and let us know how it's going by&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=mailto:pop-sfbsupport@microsoft.com" target="_self">providing feedback</A> to the team.&nbsp; We not only look forward to your feedback, we need it to make <STRONG>OPD</STRONG> better for you!&nbsp; We'd love to hear if these diagnostics solved issues for your or your customers' environments, any issues you encounter, and your top 3 to 5 scenarios you would like to see next.</P> <P><BR /><STRONG>Quick Links:&nbsp;</STRONG></P> <UL> <LI><A href="#" target="_blank" rel="noopener">Install or upgrade</A> to the latest version of OPD</LI> <LI><A href="#" target="_blank" rel="noopener">How to use OPD</A></LI> <LI><A 
href="https://gorovian.000webhostapp.com/?exam=mailto:pop-sfbsupport@microsoft.com" target="_blank" rel="noopener">Provide feedback</A>&nbsp;</LI> </UL> <P>Thanks!<BR />The NextHop Team</P>
Thu, 31 Mar 2022 14:44:26 GMT https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/on-premises-diagnostics-for-skype-for-business-server-are-now/ba-p/1292931 Corbin Meek 2022-03-31T14:44:26Z Skype for Business 2019 - Control Panel Phase 2 Released https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/skype-for-business-2019-control-panel-phase-2-released/ba-p/1240564
<P>&nbsp;</P>
<P>Today, we have released the update for Skype for Business Server Control Panel! Please find the update <A href="#" target="_self">here</A>. This is a continuation of phase one of the modern Control Panel, which we introduced in July 2019 <A href="https://gorovian.000webhostapp.com/?exam=t5/Skype-for-Business-Blog/Introducing-Skype-for-Business-Server-2019-Control-Panel/ba-p/771205" target="_blank" rel="noopener">here</A>.</P>
<P>&nbsp;</P>
<P>We covered the <STRONG>‘Home’</STRONG> and <STRONG>‘Users’</STRONG> tabs in the first phase; in this second phase we introduce the <STRONG>‘Conferencing’</STRONG> and <STRONG>‘Federation and External Access’</STRONG> tabs. The ‘Dial-In Access’ sub-tab in Conferencing is not ready yet and will be part of the next phase.</P>
<P>&nbsp;</P>
<P>We have also enabled <STRONG>Role Based Access Control (RBAC)</STRONG> in the Admin panel, and the mechanism to provide different access permissions remains similar to the old Silverlight-based panel.</P>
<P>&nbsp;</P>
<P>We are working on the feedback received in the preview and will address it in future updates. The top enhancements on the roadmap are: auto-redirect for the URL so that admins need not remember the pool name, no requirement for admins to be SIP enabled, and Single Sign-On for the tenant. As always, we’re happy to get feedback on the new Panel as we work on the next phase.</P>
<P>&nbsp;</P>
<P>Now that CU3 has been released, we hope you’ll adopt it for a better day-to-day admin experience.</P>
<P>&nbsp;</P>
<P aria-level="2"><STRONG>Installation Instructions:</STRONG></P>
<P>The installation steps are similar to Phase-1.</P>
<P>If you are installing the Control Panel for the first time, see the steps below.</P>
<P>After running <A href="#" target="_blank" rel="noopener">SSUI</A>, you <STRONG>must</STRONG> run Bootstrapper.exe (this is necessary to install the required components) and <STRONG>run SSUI again.</STRONG></P>
<P>&nbsp;</P>
<P>If Management OData is not installed, install it using the steps below:</P>
<OL>
<LI>Open PowerShell in Administrator mode</LI>
<LI>Run command - Add-WindowsFeature ManagementOData</LI>
</OL>
<P>&nbsp;</P>
<P>The administrator account must have CsAdministrator role privileges and must be SIP enabled.</P>
<P>&nbsp;</P>
<P><STRONG>Launching and Using the Control Panel</STRONG></P>
<P>Enter https://&lt;your pool FQDN&gt;/macp manually in a supported browser, and the Control Panel should open. You can also click on the blue banner at the top of the old Control Panel to launch the new Panel. We are aware that the URL needs to be simplified so that admins need not remember the pool name. This is in our pipeline and will be addressed in the next CU. The login screen looks like the following:</P>
<P>&nbsp;</P>
<P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Figure 1 - Login Screen.png" style="width: 998px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/178325i5CFAAB6221632898/image-size/large?v=v2&amp;px=999" role="button" title="Figure 1 - Login Screen.png" alt="Figure 1 - Login Screen.png" /></span></P>
<P><I>Figure 1: Login Screen</I></P>
<P>&nbsp;</P>
<P>Once you hit the login screen, log in with your admin credentials.</P>
<P>&nbsp;</P>
<P>Please try out the scenarios as you would in everyday usage for the ‘Conferencing’ and ‘Federation and External Access’ tabs, such as creating or modifying a Conferencing Policy or PIN policy, setting up Federation Domains, and setting up an External Access Policy.</P>
<P>&nbsp;</P>
<P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Figure 2 - Conferencing Policy Screen.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/178327i8A168B086BA1E12C/image-size/large?v=v2&amp;px=999" role="button" title="Figure 2 - Conferencing Policy Screen.png" alt="Figure 2 - Conferencing Policy Screen.png" /></span></P>
<P><I>Figure 2: Conferencing Policy screen</I></P>
<P>&nbsp;</P>
<P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Figure 3 - External Access Policy Screen.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/178328i2257C2141CBE2E8C/image-size/large?v=v2&amp;px=999" role="button" title="Figure 3 - External Access Policy Screen.png" alt="Figure 3 - External Access Policy Screen.png" /></span></P>
<P><I>Figure 3: External Access Policy Screen</I></P>
<P>&nbsp;</P>
<P><STRONG>Modern UI Experience</STRONG></P>
<P>&nbsp;</P>
<P>The Control Panel is designed with a modern UI experience and has features that reflect the look and feel of a modern-day admin page. The admin panel is responsive in design and supports 200% zoom for accessibility. Some highlighted UI experience items are shown below.</P>
<P>&nbsp;</P>
<P>The picker panel slides in and is displayed in a right pane.</P>
<P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Figure 4 - Flyout panel from right.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/178329i55EEFB881193103F/image-size/large?v=v2&amp;px=999" role="button" title="Figure 4 - Flyout panel from right.png" alt="Figure 4 - Flyout panel from right.png" /></span></P>
<P><I>Figure 4: Flyout panel from right for picker panel (Selecting site or pool from list)</I></P>
<P>&nbsp;</P>
<P>A breadcrumb trail is displayed at the top, which gives easy reference to the current stage in the workflow.</P>
<P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Figure 5 - Breadcrumb trail.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/178330i5A7C88E8E1B6C62C/image-size/large?v=v2&amp;px=999" role="button" title="Figure 5 - Breadcrumb trail.png" alt="Figure 5 - Breadcrumb trail.png" /></span></P>
<P><I>Figure 5: Breadcrumb trail</I></P>
<P>&nbsp;</P>
<P><STRONG>Role Based Access Control (RBAC)</STRONG></P>
<P>&nbsp;</P>
<P>For an admin with full permissions, the Admin panel looks as below:</P>
<P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Figure 6 - Full Access Admin panel.jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/178331iAC39EF5ABF72250D/image-size/large?v=v2&amp;px=999" role="button" title="Figure 6 - Full Access Admin panel.jpg" alt="Figure 6 - Full Access Admin panel.jpg" /></span></P>
<P><I>Figure 6: Full Access Admin panel</I></P>
<P>&nbsp;</P>
<P>For an admin with limited permissions, the Admin panel will look like below:</P>
<P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Figure 7 - Limited Permissions Admin Panel.jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/178332i6C5B4F7FC98E75A8/image-size/large?v=v2&amp;px=999" role="button" title="Figure 7 - Limited Permissions Admin Panel.jpg" alt="Figure 7 - Limited Permissions Admin Panel.jpg" /></span></P>
<P><I>Figure 7: Limited Permissions Admin Panel</I></P>
<P>&nbsp;</P>
<P>As mentioned earlier, the mechanism to provide different access permissions remains similar to the old Silverlight-based panel.</P>
<P>&nbsp;</P>
<P><STRONG>Providing Feedback</STRONG></P>
<P>As always, we’re happy to get feedback on the new Panel as we work on the next phase. In the top right corner, you’ll see your login name. Click on the adjacent arrow, and you should see a drop-down. Hit ‘Give Feedback’, and you should see a browser window open with the <A href="https://gorovian.000webhostapp.com/?exam=t5/Skype-for-Business-Preview/Skype-for-Business-Server-Control-Panel-Preview/m-p/389307#M1192" target="_blank" rel="noopener">discussion forum</A>. Please do check the discussion to see if your question has already been addressed. We look forward to hearing from you!</P>
Fri, 20 Mar 2020 06:19:56 GMT https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/skype-for-business-2019-control-panel-phase-2-released/ba-p/1240564 Hiren_Shah 2020-03-20T06:19:56Z Known Issue: Skype Directory Search Service Connections May Fail if TLS 1.2 Is Not Enabled on Edge https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/known-issue-skype-directory-search-service-connections-may-fail/ba-p/1106499
<P><EM><STRONG>Our investigation determined that TLS 1.0/1.1 were disabled prematurely on Skypegraph.skype.com. Based on your feedback, we re-enabled those protocols.&nbsp; We apologize for the inconvenience.</STRONG></EM></P>
<P>&nbsp;</P>
<P>We’re investigating an emerging issue with <A title="deploy skype connectivity" href="#" target="_blank" rel="noopener">Skype Directory Search</A> for Skype for Business On-Premises to Skype Consumer chat capability. When searching for a Skype account in the Skype for Business Client, you might get the following error message:</P>
<P>&nbsp;</P>
<P><EM>An error occurred during the search.
Please try again, and contact your support team if the problem continues.</EM></P> <P>&nbsp;</P> <P>Additionally, you may find the following error in the Lync event log on the impacted Edge servers:</P> <PRE>Log Name: &nbsp; &nbsp; &nbsp;Lync Server<BR />Source: &nbsp; &nbsp; &nbsp; &nbsp;LS Web Components Server<BR />Date: &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;1/13/2020 8:53:26 AM<BR />Event ID: &nbsp; &nbsp; &nbsp;4106<BR />Task Category: (1074)<BR />Level: &nbsp; &nbsp; &nbsp; &nbsp; Error<BR />Keywords: &nbsp; &nbsp; &nbsp;Classic<BR />User: &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;N/A<BR />Computer: &nbsp; &nbsp; &nbsp;CE1210R2.contoso.com<BR />Description:<BR />The server selected for next hop could not be reached, or did not reply.<BR /><BR />A server selected as a proxy target for HTTP traffic could not be reached or did not reply: skypegraph.skype.com.&nbsp;<BR />Performance Counter Instance: &nbsp;<BR />Failure occurrences: 4, since 1/13/2020 4:51:18 PM.&nbsp;<BR />Failure Details: WebException: The underlying connection was closed: An unexpected error occurred on a send.<BR />Cause: The remote server may be experiencing problems or the network is not available between these servers.<BR />Resolution:<BR />Examine the event logs on the indicated server to determine the cause of the problem.</PRE> <P>Based on our initial investigation it appears that the Skype Directory Search endpoints are refusing TLS 1.0 connections.</P> <P>&nbsp;</P> <P><STRONG>Workaround:</STRONG></P> <P>To fix this issue you need to enable your Edge servers to use TLS 1.2.&nbsp; Your Lync or Skype for Business Servers may require dependency updates, including .Net framework updates.&nbsp; All the requirements for enabling TLS 1.2 are documented here:</P> <P><FONT size="1"><A title="disable TLS sfb 2015" href="#" target="_blank" rel="noopener"><SPAN style="text-align: left; color: #171717; text-transform: none; line-height: 1.3; text-indent: 0px; letter-spacing: normal; font-family: Segoe 
UI,SegoeUI,Segoe WP,Helvetica Neue,Helvetica,Tahoma,Arial,sans-serif; font-size: 2.5rem; font-style: normal; font-variant: normal; text-decoration: none; word-spacing: 0px; display: inline !important; white-space: normal; orphans: 2; float: none; -webkit-text-stroke-width: 0px; overflow-wrap: break-word; background-color: #ffffff;">Disable TLS 1.0/1.1 in Skype for Business Server 2015</SPAN></A></FONT></P> <P>&nbsp;</P> <P>Note, this procedure is also supported on Lync Server 2013, for more information refer to the following blog post:&nbsp;</P> <P><A title="tls blog" href="https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/disabling-tls-1-0-1-1-in-skype-for-business-server-2015-part-1/ba-p/621485" target="_blank" rel="noopener">Disabling TLS 1.0/1.1 in Skype for Business Server 2015: Part 1</A></P> <P>&nbsp;</P> <P>Once all the pre-requisite software updates are completed, you then need to deploy the <A title="prerequisite registry keys" href="#" target="_blank" rel="noopener">prerequisite registry keys</A>. This will enable your Edge servers to negotiate TLS 1.2 connections to the Skype Graph web service endpoints. 
You do NOT need to <STRONG>disable</STRONG> TLS 1.0 on the impacted Edge servers.</P> <P>&nbsp;</P> <P><STRONG>More Information:</STRONG></P> <P>Our investigation determined TLS 1.0/1.1 were disabled prematurely on skypegraph.skype.com endpoints.&nbsp; You should no longer have to set pre-requisites to work around this issue.&nbsp; We apologize for the inconvenience.&nbsp;&nbsp;</P> Thu, 05 Mar 2020 19:00:47 GMT https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/known-issue-skype-directory-search-service-connections-may-fail/ba-p/1106499 Corbin Meek 2020-03-05T19:00:47Z Lync and Skype for Business Server Base OS Upgrade Supportability https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/lync-and-skype-for-business-server-base-os-upgrade/ba-p/1092434 <P>With the <A title="End of Support for Windows Server 2008" href="#" target="_blank" rel="noopener">imminent end-of-life of support for Windows 2008 and Windows 2008 R2</A>, we’ve received questions from customers surrounding the supportability of upgrading the base OS with Lync or Skype for Business Server installed on it.&nbsp; With this in mind, we wanted to provide a few key points in this area.</P> <UL> <LI>It is <STRONG>not supported</STRONG> to upgrade the base OS with Lync or Skype for Business Server installed. 
&nbsp;&nbsp;</LI> <LI>All servers within a pool must run the same OS.</LI> <LI>Paired pools must run the same OS.</LI> </UL> <P><SPAN style="display: inline !important; float: none; background-color: #ffffff; color: #333333; cursor: text; font-family: inherit; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 300; letter-spacing: normal; line-height: 1.7142; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; -webkit-text-stroke-width: 0px; white-space: normal; word-spacing: 0px;">Attempting to do so will cause problems, up to and including <STRONG>catastrophic failure of the pool</STRONG>.</SPAN></P> <P>&nbsp;</P> <P>The recommendation is to build a new pool to replace the existing pool and move users to the new pool.&nbsp; The previous hardware or resources can be used once the old pool has been drained of all users and workloads; this is known as the 'swing' upgrade method.&nbsp; Effectively, it would be a similar process to migrating Lync or Skype for Business Server versions.</P> <P>&nbsp;</P> <P><STRONG>Resources:</STRONG></P> <P>Migration:</P> <P><A title="Migration from Lync Server 2010 to Lync Server 2013" href="#" target="_blank" rel="noopener">Migration from Lync Server 2010 to Lync Server 2013</A></P> <P><A title="Migrating to Skype for Business Server 2019" href="#" target="_blank" rel="noopener">Migrating to Skype for Business Server 2019</A></P> <P>&nbsp;</P> <P>Pool Pairing Guidance:</P> <P><A title="Supported pool pairing options and best practices for Lync Server 2013" href="#" target="_blank" rel="noopener">Supported pool pairing options and best practices for Lync Server 2013</A></P> <DIV> <P>When you plan which pools to pair, you must keep in mind that only the following pairings are supported:</P> <UL> <LI> <P>Enterprise Edition pools can be paired <STRONG>only</STRONG> with other Enterprise Edition pools. 
Similarly, Standard Edition pools can be paired <STRONG>only</STRONG> with other Standard Edition pools.</P> </LI> <LI> <P>Physical pools can be paired <STRONG>only</STRONG> with other physical pools. Similarly, virtual pools can be paired only with other virtual pools.</P> </LI> <LI> <P>Pools that are paired together must be running the same operating system.</P> </LI> </UL> </DIV> Mon, 06 Jan 2020 18:27:39 GMT https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/lync-and-skype-for-business-server-base-os-upgrade/ba-p/1092434 Corbin Meek 2020-01-06T18:27:39Z Released: Skype for Business Server 2019 CU1! https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/released-skype-for-business-server-2019-cu1/ba-p/771244 <P>Earlier this month, we released the much awaited first Cumulative Update for Skype for Business Server! &nbsp;Please find the update <A title="Skype for Business Server 2019 - July 2019 update" href="#" target="_blank" rel="noopener">here</A>. We’ve been hard at work to ensure adherence to the high levels of stability that you expect from us. Now that CU1 (July 2019) has been released, we hope you’ll give it a try. Besides several bug fixes, this update also contains some of the features that you may have seen us talking about at <A title="Skype for Business Server session at Ignite 2018" href="#" target="_self">our presentation in Ignite 2018</A>.</P> <P>&nbsp;</P> <P>The most notable feature is a React-based, Silverlight-less version of the Server Control Panel. If you’ve been working with the Skype for Business Server for some time, there most likely have been moments where you’ve wished the Control Panel was more modern, more sleek, and more reliable. With the first phase of the Control Panel included in this update, we’ve taken the first step towards improving the Control Panel experience. 
Please find more information about the Control Panel <A title="Skype for Business Server 2019 Control Panel Blog" href="https://gorovian.000webhostapp.com/?exam=t5/Skype-for-Business-Blog/Introducing-Skype-for-Business-Server-2019-Control-Panel/ba-p/771205" target="_blank" rel="noopener">here</A>. As always, we’re happy to get feedback on the Panel as we work on the next phase.</P> <P>&nbsp;</P> <P>The next feature is also one that the Skype for Business community has been requesting for a while now – SEFAUtil cmdlets in PowerShell! We’re certain that this tool needs no introduction. We’ve gone ahead and built the SEFAUtil functionality directly into standard cmdlets that you can run from the PowerShell console. Please find more information about the cmdlets <A title="Using SEFAUtil functionality via PowerShell in Skype for Business Server 2019" href="#" target="_blank" rel="noopener">here</A>.</P> <P>&nbsp;</P> <P>Last but not least, we’ve also built in the ability to include RGS data in the standard Server backup feature. You will no longer have to manually export and import RGS data to back it up! Please find more information on this <A title="Back up Response Group Service (RGS) data" href="#" target="_blank" rel="noopener">here</A>.</P> <P>&nbsp;</P> <P>In conclusion, we’d like to assure you that the Skype for Business Server product team is fully committed to supporting the product, and we’d love to keep getting feedback so we know which improvements to prioritize in order to improve the community’s experience with the Server. 
So, please keep the feedback coming!</P> <P>&nbsp;</P> <P>On behalf of the product team,</P> <P>Rohit Gupta</P> <P>Program Manager, Skype for Business Server</P> Wed, 24 Jul 2019 10:09:43 GMT https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/released-skype-for-business-server-2019-cu1/ba-p/771244 Rohit_Gupta_25 2019-07-24T10:09:43Z Introducing Skype for Business Server 2019 Control Panel https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/introducing-skype-for-business-server-2019-control-panel/ba-p/771205 <P>Last week, we announced the availability of the first phase of the Skype for Business Server 2019 Control Panel, as part of the Skype for Business Server 2019 <A href="#" target="_blank" rel="noopener">July 2019 Cumulative Update</A>!&nbsp; As you’re probably aware from <A href="#" target="_blank" rel="noopener">our presentation in Ignite 2018</A>, we have been working to create a modern version of the Control Panel that does not rely on the Silverlight technology, which will be out of support soon, but instead is based on React. While the new Control Panel will not have all the functionality of the older Control Panel, we will be including a core functionality set that should cover most of your organization’s needs.</P> <P>The first phase of the Control Panel consists of the ‘Home’ and ‘Users’ tabs, which let you perform the same tasks as in the old Control Panel. Future phases will ship in upcoming CUs, and we’ll keep the blog updated with the latest. Please note that this feature is in preview, so you may see some rough edges occasionally. If you do, we’d love it if you could report issues via the ‘Give Feedback’ link in the Control Panel. 
Read on for details.</P> <H2>&nbsp;</H2> <H2><FONT size="4"><STRONG>Pre-requisites</STRONG></FONT></H2> <P>After running <A title="Skype Server Update Installer" href="#" target="_blank" rel="noopener">SSUI</A>, you <STRONG>must</STRONG> run Bootstrapper.exe (this is necessary to install the required components)</P> <P>Please install Management OData if not installed using below steps:</P> <OL> <LI>Open PowerShell in Administrator mode</LI> <LI>Run command - Add-WindowsFeature ManagementOData</LI> </OL> <P>You must have a recent version of one of the following browsers:</P> <UL> <LI>Microsoft Edge (version 44.17763.1.0 or higher is recommended)</LI> <LI>Google Chrome (version 72.0.3626.121 or higher is recommended)</LI> <LI>Mozilla Firefox (version 65.0.2 or higher is recommended)</LI> </UL> <P>Your administrator account must have <EM>CsAdministrator</EM> role privileges and must be SIP enabled.</P> <P><EM>Enable Contacts</EM> functionality is not yet implemented for the Users tab. RBAC isn’t implemented yet either, but will be implemented in a later update.</P> <P>&nbsp;</P> <P><FONT size="4"><STRONG>Launching and Using the Control Panel</STRONG></FONT></P> <P>Please put in https://&lt;your pool FQDN&gt;/macp manually in a supported browser, and the Control Panel should open. You can also click on the blue banner at the top of the old Control Panel to launch the new Panel. 
The login screen looks like the following:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Login Screen" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/124281i810E5454F14689DB/image-size/large?v=v2&amp;px=999" role="button" title="Login Screen.png" alt="Login Screen" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Login Screen</span></span></P> <P>Once you hit the login screen, log in with your admin credentials.</P> <P>Please try out the scenarios as you would in everyday usage, for Home and Users tabs, such as moving users to Teams, setting up Hybrid, changing user properties, etc.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Users Tab" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/124282iC571CFE4BD006938/image-size/large?v=v2&amp;px=999" role="button" title="Users Tab.png" alt="Users Tab" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Users Tab</span></span>The following additional step is required before running Move to Teams and Setting up Hybrid scenarios:</P> <UL> <LI>Run <A title="Azure AD application script" href="#" target="_blank" rel="noopener">this script</A> and provide your Office 365 Admin credentials.</LI> </UL> <P>The above step will create an Azure AD Application on Azure. This will help in signing into Office 365 using OAuth in the new Control Panel.</P> <P>&nbsp;</P> <P><FONT size="4"><STRONG>Providing Feedback</STRONG></FONT></P> <P>In the top right corner, you’ll see your login name. 
Click on the adjacent arrow, and you should see a drop-down like the below:<span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Providing feedback" style="width: 220px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/124283i7A6F1DE96642C91E/image-size/large?v=v2&amp;px=999" role="button" title="Providing Feedback.png" alt="Providing feedback" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Providing feedback</span></span></P> <P>Hit ‘Give Feedback’, and you should see a browser window open with the <A href="https://gorovian.000webhostapp.com/?exam=t5/Skype-for-Business-Preview/Skype-for-Business-Server-Control-Panel-Preview/m-p/389307#M1192" target="_blank" rel="noopener">relevant discussion forum</A>. Please do check the discussion to see if your question has already been addressed. We look forward to hearing from you!</P> <P>&nbsp;</P> <P>On behalf of the product team,</P> <P>Rohit Gupta</P> <P>Program Manager, Skype for Business Server</P> Sun, 28 Jul 2019 08:39:11 GMT https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/introducing-skype-for-business-server-2019-control-panel/ba-p/771205 Rohit_Gupta_25 2019-07-28T08:39:11Z Skype for Business Server Public IM Federation is changing https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/skype-for-business-server-public-im-federation-is-changing/ba-p/763614 <P>If you have currently connected your Skype for Business Server to consumer IM federation, you will want to read this and ensure you are configured for the future.</P> <P>&nbsp;</P> <P>Federation between Skype for Business on-premise deployments and Skype (Consumer) will change on 8/15/2019 to use federated partner discovery, which is the same mechanism required for federation with Skype for Business Online. 
The pic.lync.com website that was formerly used to manually provision on-premise deployments for public IM connectivity will be shut down due to end of life. Communication between any on-premise Skype for Business deployment and Skype users via the existing Public IM infrastructure now requires the on-premise edge server configuration to be compatible with Skype for Business Online.</P> <P><BR />If the customer’s SfB deployment is currently using public IM connectivity but is not able to federate with Skype for Business Online due to their edge proxy FQDN configuration and/or their certificate is incompatible with federated partner discovery, they will need to update their deployment configuration by 8/15/2019. Failure to do so could lead to an interruption to public IM connectivity.</P> <P><BR />Please note this change may require the purchase of a new certificate.</P> <P><BR />Please visit our <A href="#" target="_blank" rel="noopener">documentation</A> on this issue to learn more.</P> <P>&nbsp;</P> Thu, 18 Jul 2019 20:54:28 GMT https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/skype-for-business-server-public-im-federation-is-changing/ba-p/763614 Paul Cannon 2019-07-18T20:54:28Z Screen sharing from Skype Meetings App now supports Video-based Screen Sharing https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/screen-sharing-from-skype-meetings-app-now-supports-video-based/ba-p/763485 <P>Starting today, users who share their screen into a meeting from the Skype Meetings App (the web-downloadable meetings app for Skype for Business) can get the significantly improved performance of Video-based Screen Sharing (VbSS).&nbsp;&nbsp;<SPAN>While you won't see any changes in the way you present on-screen content during your meetings, you will notice that the connection time is drastically reduced, and the screen presentation is always in sync between presenter and viewer. 
Not only is VbSS faster, but it is also more reliable and works better in low network bandwidth conditions.</SPAN></P> <P>&nbsp;</P> <P>When you start sharing, the app automatically chooses how to share your screen, but it will always choose VbSS when possible.&nbsp; In some cases, it may continue to use the older&nbsp;<SPAN>Remote Desktop Protocol if&nbsp;</SPAN>VbSS is not supported by the Skype for Business server hosting the meeting, someone is recording the session, or an attendee is using an older client version that does not support VbSS.&nbsp;Click <A href="#" target="_blank" rel="noopener">here for information</A> on VbSS technology and supported server and client versions.</P> <P>&nbsp;</P> <P>For users who have previously downloaded and installed Skype Meetings App, this update will automatically download when they next join a meeting. We hope you enjoy the improved experience!</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 18 Jul 2019 20:08:11 GMT https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/screen-sharing-from-skype-meetings-app-now-supports-video-based/ba-p/763485 Phillip Garding 2019-07-18T20:08:11Z Application Sharing Failures after Applying July, 10 2018 Windows Security Fixes https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/application-sharing-failures-after-applying-july-10-2018-windows/ba-p/621552 <HTML> <HEAD></HEAD><BODY> <STRONG> First published on TECHNET on Jul 18, 2018 </STRONG> <BR /> We are aware of an issue impacting Application Sharing on Lync Server 2013 and Skype for Business Server 2015 after applying the July 10, 2018 Security Patches for Windows operating systems. <SPAN> The Windows team has removed all bad packages from Windows Update and systems should no longer attempt to download an update which exposes this problem. New updates are being published through Windows Update and should be available for all operating systems by end of day July 17th. 
</SPAN> <BR /> <BR /> <SPAN> The NextHop Team recommends that customers use Windows Update or update the catalogs on their own SUS servers to ensure the latest version of the update is available for installation on your Lync Server 2013 and Skype for Business Server 2015 Servers. Doing so will avoid any possible disruption to the ASMCU service which was impacted by the July 10th update. </SPAN> <BR /> <BR /> <STRONG> Problem: </STRONG> Desktop or Application Sharing fails while in a meeting <BR /> <BR /> The following events might be reported: <BR /> <BR /> Log Name:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Lync Server <BR /> <BR /> Source:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LS ApplicationSharing Conferencing Server <BR /> <BR /> Event ID:&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;32011 <BR /> <BR /> Level:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Error <BR /> <BR /> Description: The Application Sharing Server has failed to create a conference because of an internal failure. <BR /> <BR /> <BR /> <BR /> Log Name:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Lync Server <BR /> <BR /> Source:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LS User Services <BR /> <BR /> Event ID:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 32026 <BR /> <BR /> Level:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Warning <BR /> <BR /> Description: Conference rollover failed. <BR /> <BR /> <STRONG> Resolution: </STRONG> <BR /> <BR /> Updated packages are now available via the regular release channels: Windows Update, Catalogue, WSUS. These updates should be applied based upon the operating system version you are using with Lync Server 2013 or Skype for Business Server 2015.&nbsp; When using Windows Update to apply an update, you will need to initiate a manual request in the Windows UI to find and download updates. <BR /> <BR /> For Windows 2016, the update will be applied as a replacement to the package delivered on July 10th. 
Customers running Skype for Business Server 2015 on Windows Server 2016 should ensure that the latest operating system updates are applied. These updates are available now and can be applied to a production system regardless of previous updates installed. <BR /> <BR /> For operating systems prior to Windows 2016, the update will be applied as an additional update to the updates released on July 10th. This means you must apply the July 10th update and then may need to execute Windows Update again to receive the additional update to fully resolve the issue. The updates for these operating systems should be fully published to all geographies on Windows Update by end of day July 18th (PDT). <BR /> <BR /> The table below outlines the impacted KB for each operating system and the associated KB which must be applied to resolve the issue. In the case where there are multiple updates listed for an operating system, only one of the updates should be required. The presence of two updates is indicative of whether a rollup or individual security update is being used to update the operating system. 
<BR /> <TABLE border="1" cellpadding="0" cellspacing="0"> <BR /> <TBODY> <BR /> <TR> <BR /> <TD width="198"> <STRONG> Operating System </STRONG> </TD> <BR /> <TD width="218"> <STRONG> Impacted Update </STRONG> </TD> <BR /> <TD width="208"> <STRONG> Update which must be applied </STRONG> </TD> <BR /> </TR> <BR /> <TR> <BR /> <TD width="198"> <STRONG> Windows Server 2016 </STRONG> </TD> <BR /> <TD width="218"> KB 4338814 </TD> <BR /> <TD width="208"> KB 4345418 </TD> <BR /> </TR> <BR /> <TR> <BR /> <TD rowspan="2" width="198"> <STRONG> Windows Server 2012R2 </STRONG> </TD> <BR /> <TD width="218"> KB 4338824 </TD> <BR /> <TD width="208"> KB 4345424 </TD> <BR /> </TR> <BR /> <TR> <BR /> <TD width="218"> KB 4338815 </TD> <BR /> <TD width="208"> KB 4338831 </TD> <BR /> </TR> <BR /> <TR> <BR /> <TD rowspan="2" width="198"> <STRONG> Windows Server 2012 </STRONG> </TD> <BR /> <TD width="218"> KB 4338820 </TD> <BR /> <TD width="208"> KB 4345425 </TD> <BR /> </TR> <BR /> <TR> <BR /> <TD width="218"> KB 4338830 </TD> <BR /> <TD width="208"> KB 4338816 </TD> <BR /> </TR> <BR /> <TR> <BR /> <TD rowspan="2" width="198"> <STRONG> Windows Server 2008R2 SP1 </STRONG> </TD> <BR /> <TD width="218"> KB 4338823 </TD> <BR /> <TD width="208"> KB 4345459 </TD> <BR /> </TR> <BR /> <TR> <BR /> <TD width="218"> KB 4338818 </TD> <BR /> <TD width="208"> KB 4338821 </TD> <BR /> </TR> <BR /> <TR> <BR /> <TD width="198"> <STRONG> Windows Server 2008 </STRONG> </TD> <BR /> <TD width="218"> KB 4295656 </TD> <BR /> <TD width="208"> KB 4345397 </TD> <BR /> </TR> <BR /> </TBODY> <BR /> </TABLE> <BR /> </BODY></HTML> Tue, 21 May 2019 00:57:12 GMT https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/application-sharing-failures-after-applying-july-10-2018-windows/ba-p/621552 NextHop_Team 2019-05-21T00:57:12Z Get-CsPoolUpgradeReadinessState shows as Ready, Active Front-Ends count doesn&#8217;t match 
https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/get-cspoolupgradereadinessstate-shows-as-ready-active-front-ends/ba-p/621550 <P><STRONG> First published on TECHNET on Jun 20, 2018 </STRONG> <BR /><SPAN style="font-family: Verdana; font-size: small;"> Recently, I came across a particular scenario where Get-csPoolUpgradeReadinessState was showing as READY and Front-End Services were started across all Front-Ends, but the TotalActiveFrontEnds showed a number that was different from the total active Front-Ends in the Pool. </SPAN> <BR /><BR /><A href="#" target="_blank" rel="noopener"> <SPAN style="font-family: Verdana; font-size: small;"> <span class="lia-inline-image-display-wrapper lia-image-align-inline" style="width: 642px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115426iFA9F6A271D3974AB/image-dimensions/642x417?v=v2" width="642" height="417" role="button" /></span> </SPAN> </A> <BR /><BR /><SPAN style="font-family: Verdana; font-size: small;"> You will notice that UpgradeDomain3 has 1 Front-End Server associated, but then the Total Active Front-Ends is Zero. You will also notice that the total Front-Ends (in summary) only shows 2 Active Front-End Servers. </SPAN> <BR /><BR /><SPAN style="font-family: Verdana; font-size: small;"> Interestingly, Get-csPoolFabricState was not throwing any errors or warnings!!! </SPAN> <BR /><BR /><SPAN style="font-family: Verdana; font-size: small;"> To troubleshoot the issue, we started by first checking whether the Front-End Server was failed over, so we tried to fail back, but to our surprise the server was not in a failed-over state, and hence failback was not working (expected). 
</SPAN> <BR /><BR /><SPAN style="font-family: Verdana; font-size: small;"> Next, we started investigating by checking Windows Fabric Logs from </SPAN> <A href="https://gorovian.000webhostapp.com/?exam=Program%20Data/Windows%20Fabric/Logs" target="_blank" rel="noopener"> <SPAN style="font-family: Verdana; font-size: small;"> C:\Program Data\Windows Fabric\Logs </SPAN> </A> <SPAN style="font-family: Verdana; font-size: small;"> and then running a CLS Logging using a scenario called PowerShell. </SPAN> <BR /><BR /><A href="#" target="_blank" rel="noopener"> <SPAN style="font-family: Verdana; font-size: small;"> <span class="lia-inline-image-display-wrapper lia-image-align-inline" style="width: 673px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115427i0514745C06E9DB28/image-dimensions/673x647?v=v2" width="673" height="647" role="button" /></span> </SPAN> </A> <BR /><BR /><SPAN style="font-family: Verdana; font-size: small;"> In the plain-text log, we noticed the following </SPAN> <BR /><BR /><SPAN style="font-size: small;"> <SPAN style="font-family: Verdana;"> TL_WARN(TF_HADR) [LYNCPOOL01\LYNCENT03]8554.13B2C::06/18/2018-23:57:49.112.0000200D (PowerShell,FrontEndState.ReadPerfCounters:poolupgradereadinessstate.cs(568)) (000000000261B13F <SPAN style="color: #ff0000;"> <SPAN style="color: #000000;"> ) </SPAN> FE LYNCENT03.contoso.com is not connected to Fabric Pool Manager according to perf counter. 
</SPAN> </SPAN> </SPAN> <BR /><BR /><SPAN style="font-family: Verdana; font-size: small;"> Based on this we decided to follow a blog entry, </SPAN> <A href="#" target="_blank" rel="noopener"> <SPAN style="font-family: Verdana; font-size: small;"> Get-CsPoolUpgradeReadinessState showing NOT READY or BUSY </SPAN> </A> <SPAN style="font-family: Verdana;"> <SPAN style="font-size: small;"> and found that the server LYNCENT03.contoso.com was indeed missing the permissions for <STRONG> RTC Server Local Group </STRONG> </SPAN> </SPAN> <BR /><BR /><A href="#" target="_blank" rel="noopener"> <SPAN style="font-family: Verdana; font-size: small;"> <span class="lia-inline-image-display-wrapper lia-image-align-inline" style="width: 581px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115428i13FBE9064532D103/image-dimensions/581x394?v=v2" width="581" height="394" role="button" /></span> </SPAN> </A> <BR /><BR /><SPAN style="font-family: Verdana; font-size: small;"> So we first added the Local Group </SPAN> <BR /><BR /><A href="#" target="_blank" rel="noopener"> <SPAN style="font-family: Verdana; font-size: small;"> <span class="lia-inline-image-display-wrapper lia-image-align-inline" style="width: 587px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115429iDDFE23F73E3E8F82/image-dimensions/587x305?v=v2" width="587" height="305" role="button" /></span> </SPAN> </A> <BR /><BR /><SPAN style="font-family: Verdana; font-size: small;"> And then updated the permissions to Full Control, and rebooted the server. 
Once the server was back online and services were running, we noticed that the output for Get-csPoolUpgradeReadinessState was showing Total Active Front-Ends as 3 </SPAN> <BR /><BR /><A href="#" target="_blank" rel="noopener"> <SPAN style="font-family: Verdana; font-size: small;"> <span class="lia-inline-image-display-wrapper lia-image-align-inline" style="width: 747px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115430i452326D9EF033701/image-dimensions/747x521?v=v2" width="747" height="521" role="button" /></span> </SPAN> </A> <BR /><BR /><SPAN style="font-family: Verdana; font-size: small;"> Attention to detail is indeed important when patching a pool with multiple servers, to ensure that the pools are reporting healthy when indeed, there could be an issue with one or more servers reporting its state. </SPAN></P> Thu, 13 Jun 2019 17:06:23 GMT https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/get-cspoolupgradereadinessstate-shows-as-ready-active-front-ends/ba-p/621550 Sri Todi 2019-06-13T17:06:23Z Disabling TLS 1.0/1.1 in Skype for Business Server 2015 On-Premises Part 3: Advanced Deployment Scenarios https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/disabling-tls-1-0-1-1-in-skype-for-business-server-2015-on/ba-p/621514 <HTML> <HEAD></HEAD><BODY> <STRONG> First published on TECHNET on May 11, 2018 </STRONG> <BR /> <BR /> <BR /> In <A href="#" rel="noopener" target="_blank"> Part 1 </A> of our blog series we covered supportability scope, and prerequisites. In <A href="#" rel="noopener" target="_blank"> Part 2 </A> , we covered how to update existing Skype for Business 2015 deployments. Here in Part 3, we will discuss some advanced implementation scenarios. <BR /> <BR /> Because some dependency prerequisites are required to support TLS 1.2 in Skype for Business Server 2015, installing from RTM media will fail on any system where TLS 1.0 and 1.1 have been disabled. 
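<BR /> <BR /> Before running setup on a new server, it helps to confirm which TLS state the machine is actually in. The following PowerShell is an added example, not part of the original post or of Microsoft's tooling: it only reads the standard Windows SCHANNEL protocol keys and the .NET Framework 4.x strong-crypto values, and its function names are hypothetical. The full prerequisite list lives in the linked Part 1 and Part 2 posts, so the choice of values inspected here is an assumption.

```powershell
# Added example: read-only audit of TLS-related registry settings.
# Nothing is modified. Function names are hypothetical.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-RegistryValueOrNull {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name
    )
    # Returns $null when either the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-SchannelProtocolState {
    param([string[]]$Protocols = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($proto in $Protocols) {
        foreach ($role in 'Client', 'Server') {
            $key     = Join-Path (Join-Path $SchannelRoot $proto) $role
            $enabled = Get-RegistryValueOrNull -Path $key -Name 'Enabled'
            $dbd     = Get-RegistryValueOrNull -Path $key -Name 'DisabledByDefault'

            # An absent key means the operating system default applies,
            # which differs between Windows Server versions.
            $state = if ($null -eq $enabled -and $null -eq $dbd) {
                'OS default'
            } elseif ($null -ne $enabled -and $enabled -eq 0) {
                'Disabled'
            } elseif ($dbd -eq 1) {
                'DisabledByDefault'
            } else {
                'Enabled'
            }

            [pscustomobject]@{
                Protocol          = $proto
                Role              = $role
                Enabled           = $enabled
                DisabledByDefault = $dbd
                State             = $state
            }
        }
    }
}

function Get-DotNetTlsState {
    # 64-bit and 32-bit views of the .NET Framework 4.x settings.
    $keys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
    foreach ($key in $keys) {
        [pscustomobject]@{
            Key                      = $key
            SchUseStrongCrypto       = Get-RegistryValueOrNull -Path $key -Name 'SchUseStrongCrypto'
            SystemDefaultTlsVersions = Get-RegistryValueOrNull -Path $key -Name 'SystemDefaultTlsVersions'
        }
    }
}

function Get-TlsAuditSummary {
    $protocols = @(Get-SchannelProtocolState)
    $dotnet    = @(Get-DotNetTlsState)

    $legacyOff = @($protocols | Where-Object {
        $_.Protocol -in 'TLS 1.0', 'TLS 1.1' -and $_.State -eq 'Disabled' })
    $tls12Off  = @($protocols | Where-Object {
        $_.Protocol -eq 'TLS 1.2' -and $_.State -in 'Disabled', 'DisabledByDefault' })
    $weakNet   = @($dotnet | Where-Object { $_.SchUseStrongCrypto -ne 1 })

    [pscustomobject]@{
        # True when any TLS 1.0/1.1 role is explicitly disabled: the state in
        # which the post says installing from RTM media fails.
        LegacyTlsDisabled      = ($legacyOff.Count -gt 0)
        # True when TLS 1.2 itself is switched off for a role.
        Tls12ExplicitlyOff     = ($tls12Off.Count -gt 0)
        # True when .NET 4.x is not forced to strong crypto in either view.
        DotNetStrongCryptoUnset = ($weakNet.Count -gt 0)
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
Get-DotNetTlsState        | Format-Table -AutoSize
Get-TlsAuditSummary       | Format-List
```

A result of LegacyTlsDisabled = True together with Tls12ExplicitlyOff = True means no TLS version is available to SCHANNEL for that role and should be treated as a misconfiguration rather than a hardened state.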
<BR /> <BR /> <STRONG> Deploying New Standard Edition Servers or Enterprise Edition Pools once TLS 1.0 and 1.1 have been disabled in your environment </STRONG> <BR /> <BR /> <BR /> <BR /> <STRONG> Option 1 </STRONG> : Use <A href="#" target="_blank"> SmartSetup </A> . Note that we are updating SmartSetup to accommodate the updated SQL binaries in a future CU, and will update this blog upon release. <BR /> <BR /> <BR /> <BR /> <STRONG> Option 2 </STRONG> : Pre-install local SQL instances (RTCLOCAL and LYNCLOCAL) <BR /> <OL> <BR /> <LI> Download and copy SQL Express 2014 SP2 (SQLEXPR_x64.exe) to local folder on FE. Let’s say folder path &lt;SQL_FOLDER_PATH&gt; </LI> <BR /> <LI> Launch PowerShell or Command Prompt and navigate to &lt;SQL_FOLDER_PATH&gt; </LI> <BR /> <LI> Create the RTCLOCAL SQL instance by running the command below. Wait until SQLEXPR_x64.exe finishes before proceeding: </LI> <BR /> <LI> <BR /> <UL> <BR /> <LI> SQLEXPR_x64.exe /Q /IACCEPTSQLSERVERLICENSETERMS /UPDATEENABLED=0 /HIDECONSOLE /ACTION=Install /FEATURES=SQLEngine,Tools /INSTANCENAME=RTCLOCAL /TCPENABLED=1 /SQLSVCACCOUNT="NT AUTHORITY\NetworkService" /SQLSYSADMINACCOUNTS="Builtin\Administrators" /BROWSERSVCSTARTUPTYPE="Automatic" /AGTSVCACCOUNT="NT AUTHORITY\NetworkService" /SQLSVCSTARTUPTYPE=Automatic </LI> <BR /> </UL> <BR /> </LI> <BR /> <LI> Create the LYNCLOCAL SQL instance by running the command below. Wait until SQLEXPR_x64.exe finishes before proceeding to the next step: </LI> <BR /> <LI> <BR /> <UL> <BR /> <LI> SQLEXPR_x64.exe /Q /IACCEPTSQLSERVERLICENSETERMS /UPDATEENABLED=0 /HIDECONSOLE /ACTION=Install /FEATURES=SQLEngine,Tools /INSTANCENAME=LYNCLOCAL /TCPENABLED=1 /SQLSVCACCOUNT="NT AUTHORITY\NetworkService" /SQLSYSADMINACCOUNTS="Builtin\Administrators" /BROWSERSVCSTARTUPTYPE="Automatic" /AGTSVCACCOUNT="NT AUTHORITY\NetworkService" /SQLSVCSTARTUPTYPE=Automatic </LI> <BR /> </UL> <BR /> </LI> <BR /> <LI> Run Skype for Business Server 2015 RTM setup. 
</LI> <BR /> <LI> Follow the remaining steps from Part 2. </LI> <BR /> </OL> <BR /> <BR /> <BR /> <STRONG> Option 3 </STRONG> : You may also manually replace binaries in a local installation media directory as follows: <BR /> <OL> <BR /> <LI> Install Prerequisites Software for Skype for Business Server 2015 <A href="#" target="_blank"> https://technet.microsoft.com/en-us/library/dn933900.aspx </A> </LI> <BR /> <LI> Install .NET 4.7: <BR /> <UL> <BR /> <LI> <STRONG> Note </STRONG> : We first introduced support for .Net 4.7 in Skype for Business Server 2015 CU5+ (6.0.9319.281). Therefore, in later steps below we will be updating Core Components prior to the main install. </LI> <BR /> <LI> Download: <A href="#" target="_blank"> https://www.microsoft.com/en-us/download/details.aspx?id=5516 </A> </LI> <BR /> <LI> Reference: <A href="#" target="_blank"> https://technet.microsoft.com/en-us/library/dn951388.aspx#Software </A> </LI> <BR /> </UL> <BR /> </LI> <BR /> <LI> Copy ISO Files/Folders: <BR /> <UL> <BR /> <LI> With the Skype for Business Server 2015 ISO attached, open the root directory of the drive it is attached as (Ex: D:\) in File Explorer. </LI> <BR /> <LI> Copy all folders and files to a folder on a local disk (Ex: C:\SkypeForBusiness2015ISO) </LI> <BR /> <LI> <STRONG> Note </STRONG> : Prior to installing components, some files will need to be updated for support of TLS 1.2. </LI> <BR /> </UL> <BR /> </LI> <BR /> <LI> Replace MSI/EXE Packages: <BR /> <UL> <BR /> <LI> Replace the existing MSI and EXE packages in the /Setup/amd64/ folder of the installation media on the local machine. </LI> <BR /> <LI> SQL 2014 SP2 Express: <A href="#" target="_blank"> https://www.microsoft.com/en-us/download/details.aspx?id=53167 </A> <BR /> <UL> <BR /> <LI> Rename to SQLEXPR_x64 on the local machine, and replace the existing file in the Setup/amd64/ folder of the installation media. 
</LI> <BR /> </UL> <BR /> </LI> <BR /> <LI> SQL Native Client: <A href="#" target="_blank"> https://www.microsoft.com/en-us/download/details.aspx?id=50402 </A> <BR /> <UL> <BR /> <LI> <STRONG> Note </STRONG> : Rename this if necessary to sqlncli.msi, and then replace the existing file in the Setup/amd64/ folder of the installation media. </LI> <BR /> </UL> <BR /> </LI> <BR /> <LI> SQL Management Objects: <A href="#" target="_blank"> https://www.microsoft.com/en-us/download/details.aspx?id=53164 </A> <BR /> <UL> <BR /> <LI> <STRONG> Note </STRONG> : The Feature Pack contains many downloadable items. Select SharedManagementObjects.msi only. </LI> <BR /> <LI> <STRONG> Note </STRONG> : Replace the existing file in the Setup/amd64/ folder of the installation media. </LI> <BR /> </UL> <BR /> </LI> <BR /> <LI> SQL CLR Types: <A href="#" target="_blank"> https://www.microsoft.com/en-us/download/details.aspx?id=53164 </A> <BR /> <UL> <BR /> <LI> <STRONG> Note </STRONG> : The Feature Pack contains many downloadable items. Select SQLSysClrTypes.msi only. </LI> <BR /> <LI> <STRONG> Note </STRONG> : Replace the existing file in the Setup/amd64/ folder of the installation media. </LI> <BR /> </UL> <BR /> </LI> <BR /> </UL> <BR /> </LI> <BR /> <LI> Install Core Components: <BR /> <UL> <BR /> <LI> Run Setup.exe from the Setup/amd64/ folder of the installation media. Follow the instructions to install Core Components. </LI> <BR /> <LI> Close Core Components. </LI> <BR /> </UL> <BR /> </LI> <BR /> <LI> Update Core Components: <BR /> <UL> <BR /> <LI> Download the Skype for Business Update Installer. </LI> <BR /> <LI> Run the installer to update Core Components and install the performance counters. </LI> <BR /> <LI> <STRONG> Note </STRONG> : As of the release of CU6HF2, the auto-update feature currently installs only up to CU6. 
Therefore, the updater must be run separately to update Core Components to 6.0.9319.516 </LI> <BR /> <LI> Reference: <A href="#" target="_blank"> https://support.microsoft.com/en-us/help/3061064/updates-for-skype-for-business-server-2015 </A> </LI> <BR /> </UL> <BR /> </LI> <BR /> <LI> Install Administrative Tools (Optional): <BR /> <UL> <BR /> <LI> This will install the Microsoft SQL Server 2012 Native Client, SQL Server 2014 Management Objects (x64), and Microsoft System CLR Types for SQL Server 2014 (x64) using the updated files. Additionally, Skype for Business Server 2015's Topology Builder and Control Panel will be available on the local machine. </LI> <BR /> </UL> <BR /> </LI> <BR /> <LI> Install Local Configuration Store (Step 1): <BR /> <UL> <BR /> <LI> Open the Deployment Wizard, click Install or Update Skype for Business Server System, and click on Run at Step 1: Install Local Configuration Store. </LI> <BR /> <LI> Click Next on the Install Local Configuration Store window. </LI> <BR /> </UL> <BR /> </LI> <BR /> </OL> <BR /> <BR /> <BR /> <IMG alt="clip_image001" border="0" height="466" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115423i1263637994437446" style="margin-right: auto;margin-left: auto;float: none" title="clip_image001" width="612" /> <BR /> <UL> <BR /> <LI> Review the results, and ensure that the Task Status is Completed. Review the resulting log file by clicking View Log. </LI> <BR /> </UL> <BR /> <IMG alt="clip_image002" border="0" height="464" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115424i7BDDA21C9AE32674" style="margin-right: auto;margin-left: auto;float: none" title="clip_image002" width="616" /> <BR /> <UL> <BR /> <LI> When done, click Finish. </LI> <BR /> </UL> <BR /> <BR /> <BR /> 9. 
Setup or Remove Skype for Business Server Components (Step 2): <BR /> <UL> <BR /> <LI> Open the Deployment Wizard, click Install or Update Skype for Business Server System, and click on Run at Step 2: Setup or Remove Skype for Business Server Components. </LI> <BR /> <LI> Click Next at the Set Up Skype for Business Server Components window. </LI> <BR /> </UL> <BR /> <IMG alt="clip_image003" border="0" height="467" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115425i004FC4B8BF239BFD" style="margin-right: auto;margin-left: auto;float: none" title="clip_image003" width="613" /> <BR /> <UL> <BR /> <LI> Review the log using View Log, and validate that setup completed without issues. </LI> <BR /> <LI> When done, click Finish. </LI> <BR /> </UL> <BR /> <BR /> <BR /> 10. Proceed with additional installation and configuration as required (you can resume normal installation procedures at this point). </BODY></HTML> Tue, 21 May 2019 00:56:06 GMT https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/disabling-tls-1-0-1-1-in-skype-for-business-server-2015-on/ba-p/621514 NextHop_Team 2019-05-21T00:56:06Z Disabling TLS 1.0/1.1 in Skype for Business Server 2015&#8211;Part 2 https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/disabling-tls-1-0-1-1-in-skype-for-business-server-2015-amp-8211/ba-p/621487 <P><STRONG> First published on TECHNET on Apr 18, 2018 </STRONG> <BR /><SPAN style="color: #339966;"> <EM> <STRONG> December 22, 2021 Update: Validate workloads section has been updated with addition of On-Premises Diagnostics for Skype for Business Server 'Check to see if TLS 1.0/1.1 deprecation is properly configured' diagnostic reference. Please review the following document carefully! </STRONG> </EM> </SPAN> <BR /><BR />In <A href="#" target="_blank" rel="noopener"> Part 1 </A> of our Disabling TLS 1.0 and 1.1 Support for On-Premises Skype for Business deployments blog we covered the pre-requisites and supportability scope. 
In this blog we will go over how to disable TLS 1.0 and 1.1 in your environments. <BR /><BR />Please review <A href="#" target="_blank" rel="noopener"> Part 1 </A> to ensure all your servers, clients and devices are in scope, and that you have a plan to address any gaps. Except where noted in <A href="#" target="_blank" rel="noopener"> Part 1 </A> , once TLS 1.0 and 1.1 are disabled, out-of-scope servers, clients and devices will no longer function properly, or at all. This may mean you need to pause and wait for updated guidance from Microsoft. Once you are satisfied you meet all requirements and have a plan to address gaps, proceed. <BR /><BR />At a high level, this requires installing Skype for Business Server 2015 CU6 HF2, applying pre-requisite updates to .NET and SQL, deploying pre-requisite registry keys and finally a separate round of OS configuration updates, i.e. disabling TLS 1.0 and 1.1 via registry file import. It is critically important that you complete installation of all prerequisites, including Skype for Business Server 2015 CU6 HF2, prior to disabling TLS 1.0 and 1.1 on any server in your environment. Every Skype for Business Server, including Edge role and SQL Backends, requires the updates. Also ensure that all supported (in-scope) clients have been updated to the required minimum versions. Don’t forget to update management workstations as well. <BR /><BR />We want to follow the usual order of operations of "inside out" for upgrading Skype for Business servers. Treat Director pools, Pchat and Paired Pools in the same manner you normally would. Order and methods for upgrade are covered <A href="#" target="_blank" rel="noopener"> here </A> and <A href="#" target="_blank" rel="noopener"> here </A> . 
<BR /><BR /><STRONG> High level process: </STRONG> <BR /><BR /></P> <OL> <OL> <LI>Test all steps in your lab prior to configuring production servers</LI> </OL> </OL> <P>&nbsp;</P> <OL> <OL> <LI>Backup and preserve a copy of exported registry on each and every individual server to be updated. You cannot share registries between Servers, they contain unique machine based keys.</LI> </OL> </OL> <P>&nbsp;</P> <OL> <OL> <LI>Upgrade all Skype for Business 2015 Servers to <A href="#" target="_blank" rel="noopener"> CU6 HF2 or higher </A></LI> </OL> </OL> <P>&nbsp;</P> <OL> <OL> <LI>Install all pre-requisites to all servers</LI> </OL> </OL> <P>&nbsp;</P> <OL> <OL> <LI>Deploy pre-requisite registry keys</LI> </OL> </OL> <P>&nbsp;</P> <OL> <OL> <LI>Ensure all in-scope clients are updated (covered in Part I)</LI> </OL> </OL> <P>&nbsp;</P> <OL> <OL> <LI>Disable TLS 1.0 and 1.1 via registry import</LI> </OL> </OL> <P>&nbsp;</P> <OL> <OL> <LI>Validate workloads are functioning as expected <BR /><BR /> <OL> <OL> <LI>If problems encountered, troubleshoot and resolve or</LI> </OL> </OL> <BR /> <OL> <OL> <LI>Restore registry from step 2 to re-enable TLS 1.0 and 1.1</LI> </OL> </OL> <BR /><BR /></LI> </OL> </OL> <P>&nbsp;</P> <OL> <OL> <LI>Validate only TLS 1.2 is being used</LI> </OL> </OL> <P><BR /><BR /><BR /><BR /><STRONG> Install Pre-Requisites to All Servers </STRONG> <BR /><BR />Extensive dependency updating is required before you begin to disable TLS 1.0 and 1.1 at the operating system level in your Skype for Business Server 2015 deployments. The following are the minimum versions that can support TLS 1.2. Deploy all pre-requisite updates across every Skype for Business server in your environment before you begin disabling TLS 1.0 and 1.1. <BR /><BR /></P> <UL> <UL> <LI>Skype for Business Server 2015 CU6 HF2 6.0.9319.516 ( <A href="#" target="_blank" rel="noopener"> March 2018 update </A> ) or higher</LI> </UL> </UL> <P>&nbsp;</P> <UL> <UL> <LI>. 
<A href="#" target="_blank" rel="noopener"> NET Framework 4.7 </A> or higher with SchUseStrongCrypto enabled in the registry (provided below)</LI> </UL> </UL> <P>&nbsp;</P> <UL> <UL> <LI>SQL must be updated on all Skype for Business 2015 servers and backends. Update Enterprise Edition Pool SQL Backends first, then their respective FEs. <BR /><BR /> <UL> <UL> <LI>SQL Server 2014 SP1 + CU5 ( <A href="#" target="_blank" rel="noopener"> link </A> ), or higher / SQL Server 2012 SP2 + CU16 or higher/ SQL Server 2014 RTM + CU12 ( <A href="#" target="_blank" rel="noopener"> link </A> ) or higher / SQL Server 2014 SP2</LI> </UL> </UL> <BR /> <UL> <UL> <LI>SQL Server Native Client for SQL Server 2012 ( <A href="#" target="_blank" rel="noopener"> link </A> )</LI> </UL> </UL> <BR /> <UL> <UL> <LI>Microsoft ODBC Driver 11 for SQL Server ( <A href="#" target="_blank" rel="noopener"> link </A> ), or higher</LI> </UL> </UL> <BR /> <UL> <UL> <LI>Shared Management Objects for SQL Server 2014 SP2 ( <A href="#" target="_blank" rel="noopener"> link </A> )</LI> </UL> </UL> <BR /> <UL> <UL> <LI>SQLSysClrTypes for SQL server 2014 SP2 ( <A href="#" target="_blank" rel="noopener"> link </A> )</LI> </UL> </UL> <BR /><BR /></LI> </UL> </UL> <P><BR /><BR /><BR /><BR /><STRONG> Basic steps to install pre-requisites, in recommended order of operations: </STRONG> <BR /><BR /></P> <OL> <OL> <LI>Install the Skype for Business Server CU6HF2 (6.0.9319.516) update to all servers. <BR /><BR /> <OL> <OL> <LI>Install the update to components using the updater.</LI> </OL> </OL> <BR /> <OL> <OL> <LI>Update databases according to documented procedures. 
Instructions are documented at <A href="#" target="_blank" rel="noopener"> https://support.microsoft.com/en-us/help/3061064/updates-for-skype-for-business-server-2015 </A> .</LI> </OL> </OL> <BR /> <OL> <OL> <LI>Validate product functionality in the deployment prior to moving forward with any other changes.</LI> </OL> </OL> <BR /><BR /></LI> </OL> </OL> <P>&nbsp;</P> <OL> <OL> <LI>Download .NET 4.7 Offline Installer <BR /><BR /> <OL> <OL> <LI>Reference: <A href="#" target="_blank" rel="noopener"> https://www.microsoft.com/en-us/download/details.aspx?id=55167 </A></LI> </OL> </OL> <BR /> <OL> <OL> <LI>Ensure Skype for Business Server 2015 services are stopped on the Front End server.</LI> </OL> </OL> <BR /> <OL> <OL> <LI>Reference: <A href="#" target="_blank" rel="noopener"> https://support.microsoft.com/en-us/help/3061064/updates-for-skype-for-business-server-2015 </A></LI> </OL> </OL> <BR /> <OL> <OL> <LI>Ex (Standard Edition): Stop-CsWindowsService</LI> </OL> </OL> <BR /> <OL> <OL> <LI>Ex (Enterprise Edition): Invoke-CsComputerFailover</LI> </OL> </OL> <BR /> <OL> <OL> <LI>Run the installer package.</LI> </OL> </OL> <BR /> <OL> <OL> <LI>Reboot the server.</LI> </OL> </OL> <BR /><BR /></LI> </OL> </OL> <P>&nbsp;</P> <OL> <OL> <LI>Update SQL Express 2014 on all Servers <BR /><BR /> <OL> <OL> <LI>Reference: <A href="#" target="_blank" rel="noopener"> https://support.microsoft.com/en-us/help/3135244/tls-1-2-support-for-microsoft-sql-server </A> .</LI> </OL> </OL> <BR /> <OL> <OL> <LI>Download SQL 2014 SP2 <BR /><BR /> <OL> <OL> <LI>Reference: <A href="#" target="_blank" rel="noopener"> https://www.microsoft.com/en-us/download/details.aspx?id=53168 </A></LI> </OL> </OL> <BR /><BR /></LI> </OL> </OL> <BR /> <OL> <OL> <LI>Copy the installation media to a folder on the server (Ex: C:\01_2014SqlSp2)</LI> </OL> </OL> <BR /> <OL> <OL> <LI>Ensure Skype for Business Server 2015 services are stopped on the Front End server <BR /><BR /> <OL> <OL> <LI>Ex (Standard Edition): 
Stop-CsWindowsService</LI> </OL> </OL> <BR /> <OL> <OL> <LI>Ex (Enterprise Edition): Invoke-CsComputerFailover</LI> </OL> </OL> <BR /><BR /></LI> </OL> </OL> <BR /> <OL> <OL> <LI>Open an Admin Command Prompt, and upgrade all installed components and instances <BR /><BR /> <OL> <OL> <LI>Example: C:\01_2014SqlSp2\SQLServer2014SP2-KB3171021-x64-ENU.exe /qs /IAcceptSQLServerLicenseTerms /Action=Patch /AllInstances</LI> </OL> </OL> <BR /><BR /></LI> </OL> </OL> <BR /><BR /></LI> </OL> </OL> <P>&nbsp;</P> <OL> <OL> <LI>Update SQL Native Client <BR /><BR /> <OL> <OL> <LI>Reference: <A href="#" target="_blank" rel="noopener"> https://support.microsoft.com/en-us/help/3135244/tls-1-2-support-for-microsoft-sql-server </A> .</LI> </OL> </OL> <BR /> <OL> <OL> <LI>Download from <A href="#" target="_blank" rel="noopener"> https://www.microsoft.com/en-us/download/details.aspx?id=50402 </A></LI> </OL> </OL> <BR /> <OL> <OL> <LI>Ensure Skype for Business Server 2015 services are stopped on the Front End server. 
<BR /><BR /> <OL> <OL> <LI>Ex (Standard Edition): Stop-CsWindowsService</LI> </OL> </OL> <BR /> <OL> <OL> <LI>Ex (Enterprise Edition): Invoke-CsComputerFailover</LI> </OL> </OL> <BR /><BR /></LI> </OL> </OL> <BR /> <OL> <OL> <LI>Stop the installed SQL instances <BR /><BR /> <OL> <OL> <LI>Ex: Get-Service 'MSSQL$RTCLOCAL' | Stop-Service</LI> </OL> </OL> <BR /> <OL> <OL> <LI>Ex: Get-Service 'MSSQL$LYNCLOCAL' | Stop-Service</LI> </OL> </OL> <BR /> <OL> <OL> <LI>Ex (Standard Edition Only): Get-Service 'MSSQL$RTC' | Stop-Service</LI> </OL> </OL> <BR /><BR /></LI> </OL> </OL> <BR /> <OL> <OL> <LI>Install the update.</LI> </OL> </OL> <BR /><BR /></LI> </OL> </OL> <P>&nbsp;</P> <OL> <OL> <LI>Update ODBC Driver 11 for SQL Server <BR /><BR /> <OL> <OL> <LI>Reference: <A href="#" target="_blank" rel="noopener"> https://support.microsoft.com/en-us/help/3135244/tls-1-2-support-for-microsoft-sql-server </A> .</LI> </OL> </OL> <BR /> <OL> <OL> <LI>Download from <A href="#" target="_blank" rel="noopener"> https://www.microsoft.com/en-us/download/confirmation.aspx?id=36434 </A></LI> </OL> </OL> <BR /> <OL> <OL> <LI>Ensure Skype for Business Server 2015 services are stopped on the Front End server <BR /><BR /> <OL> <OL> <LI>Ex (Standard Edition): Stop-CsWindowsService</LI> </OL> </OL> <BR /> <OL> <OL> <LI>Ex (Enterprise Edition): Invoke-CsComputerFailover</LI> </OL> </OL> <BR /><BR /></LI> </OL> </OL> <BR /> <OL> <OL> <LI>Install the update.</LI> </OL> </OL> <BR /><BR /></LI> </OL> </OL> <P>&nbsp;</P> <OL> <OL> <LI>Deploy pre-requisite registry keys</LI> </OL> </OL> <P><BR /><BR /><STRONG> Pre-requisite registry keys: </STRONG> <BR /><BR />Copy/paste the following text into Notepad and rename it <STRONG> TLSPreReq.reg </STRONG> or a name of your choice, then import:</P> <PRE>Windows Registry Editor Version 5.00<BR /><BR />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]<BR /><BR />"SchUseStrongCrypto"=dword:00000001<BR /><BR 
/>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]<BR /><BR />"SchUseStrongCrypto"=dword:00000001<BR /><BR />[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]<BR /><BR />"SchUseStrongCrypto"=dword:00000001<BR /><BR />[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]<BR /><BR />"SchUseStrongCrypto"=dword:00000001<BR /><BR />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]<BR /><BR />"DefaultSecureProtocols"=dword:00000AA0<BR /><BR />[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]<BR /><BR />"DefaultSecureProtocols"=dword:00000AA0<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]<BR /><BR />"DisabledByDefault"=dword:00000000<BR /><BR />"Enabled"=dword:00000001<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]<BR /><BR />"DisabledByDefault"=dword:00000000<BR /><BR />"Enabled"=dword:00000001</PRE> <P><BR />For SQL Back ends for Enterprise Edition Pools, pre-requisites and TLS disable should be treated as any SQL or OS updates would; refer to: <A href="#" target="_blank" rel="noopener"> https://docs.microsoft.com/en-us/skypeforbusiness/manage/topology/patch-or-update-a-back-end-or-standard-edition-server </A> <BR /><BR />While both the pre-requisite application and TLS disabling steps can be combined, we strongly recommend all pre-requisites be applied before proceeding with disabling of TLS 1.0 and 1.1 at the operating system level.&nbsp; The best practice approach would be to prepare the environment by deploying all pre-requisites, validating workloads all function correctly and as expected - then proceed with TLS 1.0/1.1 disable at a later time. 
<BR /><BR /><BR /><BR /><STRONG> Disable TLS 1.0 and 1.1 via Registry Import </STRONG> <BR /><BR />Before you proceed with the next steps, <SPAN style="color: #ff0000;"> make sure you have completed all prerequisites and updated Skype for Business Servers </SPAN> . <BR /><BR />Copy the following text into a notepad file and rename it <STRONG> TLSDisable.reg </STRONG> :</P> <PRE>Windows Registry Editor Version 5.00<BR /><BR />[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]<BR /><BR />"Functions"="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256"<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]<BR /><BR />"AllowInsecureRenegoClients"=dword:00000000<BR /><BR />"AllowInsecureRenegoServers"=dword:00000000<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128]<BR /><BR />"Enabled"=dword:FFFFFFFF<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256]<BR /><BR />"Enabled"=dword:FFFFFFFF<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]<BR /><BR />"Enabled"=dword:00000000<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]<BR /><BR />"Enabled"=dword:00000000<BR /><BR 
/>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]<BR /><BR />"Enabled"=dword:00000000<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]<BR /><BR />"Enabled"=dword:00000000<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]<BR /><BR />"Enabled"=dword:00000000<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/56]<BR /><BR />"Enabled"=dword:00000000<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]<BR /><BR />"Enabled"=dword:00000000<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]<BR /><BR />"Enabled"=dword:00000000<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]<BR /><BR />"Enabled"=dword:00000000<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]<BR /><BR />"Enabled"=dword:00000000<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]<BR /><BR />"Enabled"=dword:00000000<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes]<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]<BR /><BR />"Enabled"=dword:00000000<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA]<BR /><BR />"Enabled"=dword:FFFFFFFF<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA256]<BR /><BR />"Enabled"=dword:FFFFFFFF<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA384]<BR /><BR />"Enabled"=dword:FFFFFFFF<BR /><BR 
/>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA512]<BR /><BR />"Enabled"=dword:FFFFFFFF<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms]<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]<BR /><BR />"Enabled"=dword:FFFFFFFF<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\ECDH]<BR /><BR />"Enabled"=dword:FFFFFFFF<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]<BR /><BR />"Enabled"=dword:FFFFFFFF<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello]<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client]<BR /><BR />"DisabledByDefault"=dword:00000001<BR /><BR />"Enabled"=dword:00000000<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]<BR /><BR />"DisabledByDefault"=dword:00000001<BR /><BR />"Enabled"=dword:00000000<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]<BR /><BR />"DisabledByDefault"=dword:00000001<BR /><BR />"Enabled"=dword:00000000<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]<BR /><BR />"DisabledByDefault"=dword:00000001<BR /><BR />"Enabled"=dword:00000000<BR /><BR 
/>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]<BR /><BR />"DisabledByDefault"=dword:00000001<BR /><BR />"Enabled"=dword:00000000<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]<BR /><BR />"DisabledByDefault"=dword:00000001<BR /><BR />"Enabled"=dword:00000000<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]<BR /><BR />"DisabledByDefault"=dword:00000001<BR /><BR />"Enabled"=dword:00000000<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]<BR /><BR />"DisabledByDefault"=dword:00000001<BR /><BR />"Enabled"=dword:00000000<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]<BR /><BR />"DisabledByDefault"=dword:00000001<BR /><BR />"Enabled"=dword:00000000<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]<BR /><BR />"DisabledByDefault"=dword:00000001<BR /><BR />"Enabled"=dword:00000000<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]<BR /><BR />"DisabledByDefault"=dword:00000001<BR /><BR />"Enabled"=dword:00000000<BR /><BR />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]<BR /><BR />"DisabledByDefault"=dword:00000001<BR /><BR 
/>"Enabled"=dword:00000000</PRE> <P><BR /><BR /><BR />Import the .reg file on each server on which you wish to disable TLS 1.0 and 1.1. Reboot the server. Once the services have come back online, move to the next server. The approach for Enterprise Edition Pools is the same as you would take for any OS update. <BR /><BR />You may have noticed we are doing more than just disabling TLS 1.0 and 1.1 here. We are supporting Cipher Suite re-order (as shown above) and the disabling of some older weak ciphers. This is the first time we have officially supported these changes to SCHANNEL and Crypto API on Skype for Business Server, and it is important to note these changes are the only ones we support and have tested at this time. We may consider additional configurations in the future, but for now, please do not modify the registry import file in your implementation. <BR /><BR /><BR /><BR /><STRONG> Validate Workloads are functioning as expected </STRONG></P> <P>&nbsp;</P> <P><SPAN>If you want to confirm Skype for Business Server TLS 1.2 support has been enabled and TLS 1.0 and 1.1 have been disabled&nbsp;in your environment, please install&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/on-premises-diagnostics-for-skype-for-business-server-are-now/ba-p/1292931" target="_self">On-Premises Diagnostics for Skype for Business Server</A><SPAN>&nbsp;and execute the '</SPAN><SPAN>Check to see if TLS 1.0/1.1 deprecation is properly configured' diagnostic. For more details please refer to&nbsp;<A href="#" target="_blank" rel="noopener noreferrer">How to use OPD</A>.</SPAN></P> <P><BR />Once TLS 1.0 and 1.1 have been disabled in your environment, check to ensure that all your main workloads are functioning as expected, such as IM &amp; Presence, P2P calls, Enterprise Voice, et cetera. 
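<BR /><BR />The values that TLSPreReq.reg and TLSDisable.reg set can be read back on each server, both before the disable step (prerequisites only) and after the reboot. The PowerShell below is an added example, not part of the original post or of Microsoft's diagnostics; the function names and the -Stage parameter are hypothetical, and it checks only the .NET, WinHTTP and SCHANNEL protocol values from the two files, not the cipher, hash or key-exchange entries.

```powershell
# Added example: audit the local registry against the values set by the
# TLSPreReq.reg and TLSDisable.reg files shown on this page.
# Function names and the -Stage parameter are hypothetical. Read-only.

function New-Expectation {
    param([string]$Path, [string]$Name, [int]$Value)
    [pscustomobject]@{ Path = $Path; Name = $Name; Value = $Value }
}

function Get-TlsRegistryBaseline {
    param(
        # PreReq   = values from TLSPreReq.reg only (use before disabling).
        # Disabled = PreReq plus the protocol entries from TLSDisable.reg.
        [ValidateSet('PreReq', 'Disabled')]
        [string]$Stage = 'Disabled'
    )

    $protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

    # TLSPreReq.reg: .NET strong crypto and WinHTTP defaults, 64- and 32-bit views.
    foreach ($root in 'HKLM:\SOFTWARE\Microsoft', 'HKLM:\SOFTWARE\Wow6432Node\Microsoft') {
        foreach ($ver in 'v2.0.50727', 'v4.0.30319') {
            New-Expectation -Path "$root\.NETFramework\$ver" -Name 'SchUseStrongCrypto' -Value 1
        }
        New-Expectation -Path "$root\Windows\CurrentVersion\Internet Settings\WinHttp" `
                        -Name 'DefaultSecureProtocols' -Value (0xAA0)
    }

    # TLSPreReq.reg: TLS 1.2 explicitly enabled for both roles.
    foreach ($side in 'Client', 'Server') {
        New-Expectation -Path "$protocols\TLS 1.2\$side" -Name 'DisabledByDefault' -Value 0
        New-Expectation -Path "$protocols\TLS 1.2\$side" -Name 'Enabled' -Value 1
    }

    if ($Stage -eq 'Disabled') {
        # TLSDisable.reg: every older protocol disabled for both roles.
        $legacy = 'Multi-Protocol Unified Hello', 'PCT 1.0', 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'
        foreach ($proto in $legacy) {
            foreach ($side in 'Client', 'Server') {
                New-Expectation -Path "$protocols\$proto\$side" -Name 'DisabledByDefault' -Value 1
                New-Expectation -Path "$protocols\$proto\$side" -Name 'Enabled' -Value 0
            }
        }
    }
}

function Test-TlsRegistryBaseline {
    param(
        [ValidateSet('PreReq', 'Disabled')]
        [string]$Stage = 'Disabled'
    )

    foreach ($item in (Get-TlsRegistryBaseline -Stage $Stage)) {
        $actual = $null
        $key = Get-ItemProperty -LiteralPath $item.Path -ErrorAction SilentlyContinue
        if ($key -and ($key.PSObject.Properties.Name -contains $item.Name)) {
            $actual = $key.($item.Name)
        }
        [pscustomobject]@{
            Path      = $item.Path
            Name      = $item.Name
            Expected  = $item.Value
            Actual    = $actual   # stays $null when the key or value is absent
            # A missing value or a non-DWORD type counts as non-compliant,
            # because the .reg files set every one of these explicitly.
            Compliant = ($actual -is [int]) -and ($actual -eq $item.Value)
        }
    }
}

# Report anything that differs from the baseline on this server.
$results = @(Test-TlsRegistryBaseline -Stage Disabled)
$failed  = @($results | Where-Object { -not $_.Compliant })
$failed | Format-Table Path, Name, Expected, Actual -AutoSize
'{0} of {1} values match the baseline' -f ($results.Count - $failed.Count), $results.Count
```

Run it with -Stage PreReq before importing TLSDisable.reg and with -Stage Disabled after the reboot. A matching registry shows what is configured; the traffic audit described next is what confirms that TLS 1.0 and 1.1 are no longer negotiated.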
<BR /><BR />Validate only TLS 1.2 is being used <BR /><BR />Have your Security Team perform a new audit of Skype for Business traffic to ensure the older protocols TLS 1.0 and 1.1 are no longer in use. <BR /><BR />Alternatively, you can use Internet Explorer to test TLS connections to web services from Skype for Business Server 2015 after TLS 1.0 and TLS 1.1 have been disabled. <BR /><BR /></P> <OL> <OL> <LI>Launch Internet Explorer</LI> </OL> </OL> <P>&nbsp;</P> <OL> <OL> <LI>Select Tools &gt; Internet Options</LI> </OL> </OL> <P>&nbsp;</P> <OL> <OL> <LI>Select the Advanced tab</LI> </OL> </OL> <P>&nbsp;</P> <OL> <OL> <LI>Under Settings, scroll to the bottom</LI> </OL> </OL> <P>&nbsp;</P> <OL> <OL> <LI>Verify that TLS 1.0, TLS 1.1, and TLS 1.2 are enabled</LI> </OL> </OL> <P>&nbsp;</P> <OL> <OL> <LI>Browse the Internal Web Service URL of your SfB 2015 pool (should connect successfully)</LI> </OL> </OL> <P>&nbsp;</P> <OL> <OL> <LI>Go back into IE and disable the option to Use TLS 1.2 only</LI> </OL> </OL> <P>&nbsp;</P> <OL> <OL> <LI>Browse the Internal Web Service URL of your SfB 2015 pool again (should fail to connect)</LI> </OL> </OL> <P><BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" style="width: 191px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115422iBDB0B5EE6EC3A3F4/image-dimensions/191x244?v=v2" width="191" height="244" role="button" /></span></P> Wed, 22 Dec 2021 10:56:51 GMT https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/disabling-tls-1-0-1-1-in-skype-for-business-server-2015-amp-8211/ba-p/621487 NextHop_Team 2021-12-22T10:56:51Z Disabling TLS 1.0/1.1 in Skype for Business Server 2015: Part 1 https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/disabling-tls-1-0-1-1-in-skype-for-business-server-2015-part-1/ba-p/621485 <P><STRONG> First published on TECHNET on Apr 18, 2018 </STRONG> <BR /><STRONG> <SPAN style="color: #008000;"> <EM> May 16, 2019: Updates 
for SRSv2 Support for Skype for Business Server 2015, 2019 </EM> </SPAN> </STRONG> <BR /><BR /><SPAN style="color: #008000;"> <EM> March 29, 2019: Updated information for Lync Room Systems (SRSv1) </EM> </SPAN> <BR /><BR /><SPAN style="color: #008000;"> <EM> August 8, 2018: Important Update to Lync Server 2013 Edge Role Supportability for TLS Disable </EM> </SPAN> <BR /><BR /><SPAN style="color: #008000;"> <EM> August 2, 2018: Clarified Support for SBA and SBS </EM> </SPAN> <BR /><BR /><SPAN style="color: #008000;"> <EM> May 24, 2018: Added In-place Upgrade scenarios to Supported; made changes to Pre-requisites and TLS Disable reg files based on additional validation testing; please review Parts 1 &amp; 2 carefully as the deployment steps have changed. </EM> </SPAN></P> <H2><STRONG> Announcing Support for Disabling TLS 1.0 and 1.1 in Skype for Business Server 2015 On-Premises </STRONG></H2> <P><BR />We are pleased to announce supportability for disabling TLS 1.0 and 1.1 in Skype for Business Server 2015 On-Premises.&nbsp; In this blog series we'll cover the main drivers for disabling older TLS protocols in your On-Premises environment, what is in-scope, and out, for Supportability, and the steps required to disable TLS 1.0 and 1.1.&nbsp; This blog post will serve as the table of contents and will be updated as we publish additional guidance.&nbsp; This information is authoritative and should be considered official Microsoft documentation from the Skype for Business Product Group. 
<BR /><BR />Note that we are not covering Office 365 in this series of blog posts with the exception of preparing your On-Premises environment to communicate with Office 365 in Hybrid or Federation scenarios once TLS 1.0 and 1.1 are deprecated.&nbsp; For more information see <A href="https://gorovian.000webhostapp.com/?exam=t5/Skype-for-Business-Blog/Preparing-for-TLS-1-0-1-1-Deprecation-O365-Skype-for-Business/bc-p/223608" target="_blank" rel="noopener"> <STRONG> Preparing for TLS 1.0/1.1 Deprecation - O365 Skype for Business. </STRONG> </A> <BR /><BR />Also note we have not made any changes to our <A href="#" target="_blank" rel="noopener"> Pseudo-TLS </A> implementation.&nbsp; Pseudo-TLS is not impacted by disabling TLS 1.0/1.1 on Skype for Business Servers and an in-depth discussion of MS-TURN Pseudo-TLS is beyond the scope of this blog series.&nbsp; However, all <A href="#" target="_blank" rel="noopener"> previous guidance </A> still applies - some HTTP proxies or firewalls may interfere with the MS-TURN protocol and prevent Lync/Skype for Business clients and servers from functioning properly.&nbsp; In releasing support for disabling TLS 1.0/1.1 in your Skype for Business Server On-Premises environments we are not suggesting you begin actively monitoring and blocking MS-TURN (Lync/Skype) Pseudo-TLS on HTTP proxies and firewalls, in fact this practice remains unsupported.</P> <H2><STRONG> Blogs in this Series </STRONG></H2> <UL> <UL> <LI><A href="#" target="_blank" rel="noopener"> Part 1: Introduction and Scope (this blog)&nbsp;</A></LI> </UL> </UL> <UL> <UL> <LI><A href="#" target="_blank" rel="noopener"> Part 2: How-to Update an Existing Topology&nbsp;</A></LI> </UL> </UL> <UL> <UL> <LI><A href="#" target="_blank" rel="noopener"> Part 3: Advanced Deployment Scenarios </A></LI> </UL> </UL> <P><BR /><STRONG><FONT size="5"> Introduction</FONT> </STRONG></P> <P><BR />The purpose of this blog series is to provide the necessary guidance for you to prepare for and 
implement disabling TLS 1.0 and 1.1 in your environments.&nbsp; This process requires extensive planning and preparation.&nbsp; Please carefully review all of the information in this blog series as you make your plan to disable TLS 1.0 and 1.1 if required for your organization.&nbsp; Note that there are many external dependencies and connectivity that could be impacted by disabling TLS 1.0/1.1 so extensive planning and testing is warranted.</P> <H2><STRONG> Background </STRONG></H2> <P><BR />The primary drivers for providing TLS 1.0 and 1.1 disable support for Skype for Business Server On-Premises are Payment Card Industry (PCI) Security Standards Council and Federal Information Processing Standards requirements.&nbsp; More information for PCI requirements can be found <A href="#" target="_blank" rel="noopener"> here </A> .&nbsp; Microsoft cannot provide guidance on whether or not your organization is required to adhere to these or other requirements.&nbsp; You must determine if it is required for you to disable TLS 1.0 and/or 1.1 in your environments. <BR /><BR />Microsoft has produced a whitepaper on TLS available <A href="#" target="_blank" rel="noopener"> here </A> , and we also recommend the background reading available over at the Exchange <A href="#" target="_blank" rel="noopener"> blog </A> .</P> <H2><STRONG> Supportability Scope </STRONG></H2> <P><BR />Scope refers to supportability boundaries. 
For Skype for Business Server On-Premises, in scope means we fully support and have tested disabling of TLS 1.0 and 1.1 for the listed product versions.&nbsp; Currently being investigated means just that; we are actively investigating bringing these products into scope for TLS disable support.&nbsp; Out of scope means these product versions do not support disabling TLS 1.0 or 1.1 and will not work, with noted exceptions.</P> <H3><STRONG> Fully tested and supported Servers: </STRONG></H3> <UL> <UL> <LI>Skype for Business Server 2015 CU6 HF2 6.0.9319.516 ( <A href="#" target="_blank" rel="noopener"> March 2018 update </A> ) and higher on <BR /><BR /> <UL> <UL> <LI>Windows Server 2012 (with KB <A href="#" target="_blank" rel="noopener"> 3140245 </A> or superseding update), 2012 R2 or 2016</LI> </UL> </UL> <BR />In-place Upgraded Skype for Business Server 2015, with CU6 HF2 and higher on <BR /><BR /> <UL> <UL> <LI>Windows Server 2008 R2, 2012 (with KB <A href="#" target="_blank" rel="noopener"> 3140245 </A> or superseding update), or 2012 R2</LI> </UL> </UL> </LI> </UL> </UL> <UL> <UL> <LI>Exchange Connectivity and Outlook Web App with Exchange Server 2010 SP3 RU19 or higher, guidance <A href="#" target="_blank" rel="noopener"> here </A></LI> </UL> </UL> <P>&nbsp;</P> <UL> <UL> <LI>Survivable Branch Appliance (SBA) with Sfb Server 2015 CU6 HF2 or higher (it is the vendor's responsibility to package the appropriate CU and provide it, be sure to confirm with your vendor that the updates have been made available for your appliance)</LI> </UL> </UL> <P>&nbsp;</P> <UL> <UL> <LI>Survivable Branch Server (SBS) with SfB Server 2015 CU6 HF2 or higher</LI> </UL> </UL> <P>&nbsp;</P> <UL> <UL> <LI>Lync Server 2013 <STRONG> Edge Role Only** </STRONG></LI> </UL> </UL> <P><STRONG><FONT size="5">Fully tested and supported Clients:</FONT> </STRONG></P> <P>&nbsp;</P> <UL> <UL> <LI>Lync 2013 (Skype for Business) Desktop Client, MSI and C2R, including Basic <A href="#" target="_blank" 
rel="noopener"> 15.0.5023.1000 and higher </A></LI> </UL> </UL> <UL> <UL> <LI>Skype for Business 2016 Desktop Client, MSI <A href="#" target="_blank" rel="noopener"> 16.0.4678.1000 and higher </A> , including Basic</LI> </UL> </UL> <UL> <UL> <LI>Skype for Business 2016 Click to Run requires the <A href="#" target="_blank" rel="noopener"> April 2018 Updates </A> : <BR /><BR /> <UL> <UL> <LI>Monthly and Semi-Annual Targeted – 16.0.9126.2152 and higher</LI> </UL> </UL> <BR /> <UL> <UL> <LI>Semi-Annual and Deferred Channel – 16.0.8431.2242 and higher</LI> </UL> </UL> </LI> </UL> </UL> <UL> <UL> <LI>Skype for Business on Mac 16.15 and higher</LI> </UL> </UL> <UL> <UL> <LI>Skype for Business for iOS and Android 6.19 and higher</LI> </UL> </UL> <UL> <UL> <LI>Skype Web App 2015 CU6 HF2 and higher (ships with Server)</LI> </UL> </UL> <UL> <UL> <LI>Skype Room Systems v2 (a.k.a. SRSv2 or Microsoft Teams Rooms) version 4.0.64.0 and higher with <A href="#" target="_blank" rel="noopener"> Skype for Business Server 2015 May 2019 Cumulative Update</A></LI> <LI>Surface Hub v1 with <STRONG><A tabindex="-1" title="https://support.microsoft.com/en-us/help/4037666/surface-surface-hub-update-history" href="#" target="_blank" rel="noreferrer noopener">May&nbsp;28, 2019—update for Team edition based on KB4499162* &nbsp;(OS Build 15063.1835)</A></STRONG> <BR />*Requires Skype for Business Server 2015 May 2019 Update or Skype for Business Server July 2019 Update (CU1)</LI> </UL> <UL> <LI>Call Quality Dashboard version 9319.17 and higher</LI> </UL> 
</UL> <P><STRONG> Out-of-Scope </STRONG></P> <P><BR />Except where noted, the following products are not in scope for TLS 1.0/1.1 disable support and will not function in an environment where TLS 1.0 and 1.1 have been disabled.&nbsp; What this means: if you still utilize out-of-scope servers or clients you must update or remove these if you need to disable TLS 1.0/1.1 anywhere in your Skype for Business Server on-premises deployment. <BR /><BR /></P> <UL> <UL> <LI>Lync Server 2013**</LI> </UL> </UL> <UL> <UL> <LI>Lync Server 2010</LI> </UL> </UL> <UL> <UL> <LI>Windows Server 2008 and lower</LI> </UL> </UL> <UL> <UL> <LI>Lync for Mac 2011</LI> </UL> </UL> <UL> <UL> <LI>Lync 2013 for Mobile - iOS, iPad, Android or Windows Phone</LI> </UL> </UL> <UL> <UL> <LI>Skype for Business for Windows Phone - <A href="#" target="_blank" rel="noopener"> retired&nbsp;</A></LI> </UL> </UL> <UL> <UL> <LI>Lync "MX" Windows Store client</LI> </UL> </UL> <UL> <UL> <LI>All Lync 2010 clients</LI> </UL> </UL> <UL> <UL> <LI>Lync Phone Edition - updated guidance <A href="https://gorovian.000webhostapp.com/?exam=t5/Skype-for-Business-Blog/Certified-Skype-for-Business-Online-Phones-and-what-this-means/ba-p/120035" target="_blank" rel="noopener"> here </A> .</LI> </UL> </UL> <UL> <UL> <LI>2013 based Survivable Branch Appliance (SBA) or Survivable Branch Server (SBS)</LI> </UL> </UL> <UL> <UL> <LI>Cloud Connector Edition (CCE)***</LI> </UL> </UL> <UL> <UL> <LI>Lync Room System (a.k.a. 
SRSv1) - updated guidance <A href="#" target="_blank" rel="noopener"> here </A> .</LI> </UL> </UL> <H2><STRONG> Exceptions </STRONG></H2> <H3><STRONG> Call Quality Dashboard: </STRONG></H3> <P>Versions of On-Premises Call Quality Dashboard <STRONG>prior to 9319.31</STRONG> have a dependency on TLS 1.0 during new install (first time installing into your On-Premises environments).&nbsp; This is now fixed, refer to <A href="#" target="_self">Call Quality Dashboard installation fails if TLS 1.0/1.1 isn't enabled correctly or disabled on Skype for Business Server 2015</A></P> <H3><STRONG> **Lync Server 2013: </STRONG></H3> <P><BR />Lync Server 2013 now supports TLS 1.2 with the <A href="#" target="_blank" rel="noopener"> July, 2018 Cumulative Update </A> , a.k.a. 
"CU10".&nbsp; We're providing TLS 1.2 support to enable co-existence, migration, Federation and Hybrid scenarios.&nbsp; This does not mean, however, that we support disabling TLS 1.0 or 1.1 on Lync Server 2013.&nbsp; In fact, doing so will render Lync Server 2013 nonoperational. <BR /><BR />Lync Server 2013 ( <EM> all roles except Edge </EM> ) takes a dependency on Windows Fabric version 1.0.&nbsp; In the design phase for Lync Server 2013, Windows Fabric 1.0 was chosen for its compelling and new distributed architecture to provide replication, high availability and fault tolerance.&nbsp; Over time, both Skype for Business Server and Windows Fabric have greatly improved this joint architecture with significant re-design in subsequent versions.&nbsp; Current Skype for Business 2015 Server uses Windows Fabric 3.0, for example. <BR /><BR />Unfortunately, Windows Fabric 1.0 <STRONG> does not support TLS 1.2 </STRONG> .&nbsp; Therefore it remains <SPAN style="text-decoration: underline;"> unsupported </SPAN> to disable TLS 1.0 or 1.1 on all roles of Lync Server 2013 <STRONG> except Edge. </STRONG> <BR /><BR />We are now providing support for disabling TLS 1.0 and 1.1 on Lync Server 2013 <SPAN style="text-decoration: underline;"> <STRONG> Edge role only </STRONG> </SPAN> .&nbsp; Because Edge role does not have a dependency on Windows Fabric 1.0, this means you can disable TLS 1.0 and 1.1 on your 2013 Edge servers and they will continue to function properly.&nbsp; For example it is supported to disable TLS 1.0 and 1.1 on Lync Server 2013 Edge servers with Lync Server 2013 Front End pools, as long as all pre-requisites are met, especially Lync Server 2013 CU10.&nbsp; All pre-requisites and configuration steps that apply to Skype for Business Server 2015 in this blog series also apply to 2013 Edge.&nbsp; &nbsp;Follow the same instructions for disabling TLS 1.0 and 1.1 on Lync 2013 Edge. 
<BR /><BR />If your organization is required to disable TLS 1.0 and 1.1 on an unsupported server version/role, we recommend you begin your planning process now with the possibility you may have to In-place upgrade or Side-by-Side migrate (new pools, move users) to Skype for Business Server 2015 or higher.&nbsp; Or you may want to accelerate migration to Skype for Business Online.</P> <H3><STRONG> ***Cloud Connector Edition (CCE): </STRONG></H3> <P><BR />CCE currently works with and supports TLS 1.2 when connecting to Skype for Business Online.&nbsp; However, it remains unsupported to disable TLS 1.0 and 1.1 on CCE systems.&nbsp; Further, attempting to do so will render CCE systems inoperable.</P> <H2><STRONG> 3rd Party Devices </STRONG></H2> <P><BR />On 3rd party devices such as 3PIP phones, Video conferencing, Reverse Proxies and Load Balancers, be sure to validate TLS 1.2 supportability, test carefully, and contact the vendor if needed.</P> <H2><STRONG> Federation Considerations when disabling TLS 1.0/1.1 on Edge Servers </STRONG></H2> <P><BR />You must carefully plan for and consider the impact of disabling TLS 1.0/1.1 on your Edge servers.&nbsp; Once TLS 1.0 and 1.1 are disabled, you may find that other organizations are no longer able to Federate with your organization. <BR /><BR />You may opt to keep TLS 1.0/1.1 enabled on your Edge servers to maintain backward compatibility with non-patched (SfB 2015, Lync 2013) or older (2010) external systems. <BR /><BR />Further, we highly recommend reading <A href="https://gorovian.000webhostapp.com/?exam=t5/Skype-for-Business-Blog/Preparing-for-TLS-1-0-1-1-Deprecation-O365-Skype-for-Business/bc-p/223608" target="_blank" rel="noopener"> <STRONG> Preparing for TLS 1.0/1.1 Deprecation - O365 Skype for Business. </STRONG> </A> If you operate a Hybrid Lync or Skype for Business Server organization or Federate with Office 365 Skype for Business Online customers, this may impact you. 
<BR /><BR />Microsoft cannot provide advice or recommendations on whether or not your Edge network (or any network) falls under PCI standard, that must be determined by the individual company. <BR /><BR />Skype for Business Online is capable of TLS 1.2 today, so no impact to Hybrid/Federation with Online is expected. <BR /><BR />PIC (Public IM Connectivity) to Skype Consumer service: We do not expect disabling TLS 1.0/1.1 to impact <A href="#" target="_blank" rel="noopener"> Skype Connectivity </A> ; Microsoft PIC Gateways are already TLS 1.2 capable. <BR /><BR />In the <A href="#" target="_blank" rel="noopener"> next post </A> we'll detail all the prerequisites and necessary steps to disable TLS 1.0/1.1 in your Skype for Business Server 2015 environment.</P> Tue, 26 Nov 2019 15:15:40 GMT https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/disabling-tls-1-0-1-1-in-skype-for-business-server-2015-part-1/ba-p/621485 NextHop_Team 2019-11-26T15:15:40Z SFB online Client Sign in and Authentication Deep Dive ;Part 7 (Hybrid) https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/sfb-online-client-sign-in-and-authentication-deep-dive-part-7/ba-p/621482 <HTML> <HEAD></HEAD><BODY> <STRONG> First published on TECHNET on Apr 13, 2018 </STRONG> <BR /> <STRONG> Scenario: </STRONG> SFB Hybrid environment, SFB user is homed Online, ADFS is Configured, MA (Modern Auth) is enabled ON premise through On premise AD (NOT Hybrid MA EVOSTS) and also enabled in O365 <BR /> <BR /> <STRONG> <SPAN style="color: #ff0000"> NOTE: </SPAN> </STRONG> <BR /> <BR /> I have tried my best to ensure the information below is accurate. Some of the terms I use to describe things like Modern Auth provider, O365 AD, Org ID etc. may not be standard terminology, I use them solely to make the understanding simpler. 
My intention here is to explain what happens in the background when a SFB client signs in so that it helps engineers and customers troubleshooting issues related to Sign in and Authentication. <BR /> <BR /> <BR /> <BR /> <STRONG> How Does it Work? </STRONG> <BR /> <BR /> <STRONG> Below is a high-level explanation of how the SFB online Client Sign in process works </STRONG> <BR /> <BR /> <BR /> <BR /> SIP URI of the user - ex3@cloudsfb.com <BR /> <OL> <BR /> <LI> SFB client queries DNS for Lyncdiscover.domain.com. This should point to the External web services URL (ON Premise Reverse Proxy), which in this case is webext.cloudsfb.com </LI> <BR /> <LI> SFB Client then sends an unauthenticated GET request to Lyncdiscover.domain.com </LI> <BR /> <LI> The Client is then redirected to Autodiscover </LI> <BR /> <LI> SFB Client then sends a Request to Autodiscover to discover its pool for sign in. </LI> <BR /> <LI> The Client is then challenged and is provided the URL for Webticket service where it can request a Webticket </LI> <BR /> <LI> The Client then sends a POST request to Webticket Service </LI> <BR /> <LI> Webticket Service redirects the Client to ON PREM Modern Auth Provider ( <A href="#" target="_blank"> https://sts.cloudsfb.com/adfs/oauth2/authorize </A> ) </LI> <BR /> <LI> To authenticate, the client reaches out to <A href="#" target="_blank"> https://sts.cloudsfb.com/adfs/oauth2/authorize </A> and requests a Token. The intention here is to get a Token from <A href="#" target="_blank"> https://sts.cloudsfb.com/adfs/oauth2/authorize </A> </LI> <BR /> <LI> The Client may receive a Password prompt (or a previously saved password from credential manager is passed) and once the correct password is provided, <A href="#" target="_blank"> https://sts.cloudsfb.com/adfs/oauth2/authorize </A> will issue the modern Auth Token to the client </LI> <BR /> <LI> The Client then submits this token that it received from <A href="#" target="_blank"> 
https://sts.cloudsfb.com/adfs/oauth2/authorize </A> to Webticket Service </LI> <BR /> <LI> Webticket service now will grant a Webticket to the Client </LI> <BR /> <LI> The client then submits this webticket to Autodiscover </LI> <BR /> <LI> Since the SFB user is homed Online, In Response Autodiscover will provide the Online Autodiscover webservices URL's names ( <A href="#" target="_blank"> https://webdir2a.online.lync.com/Autodiscover/AutodiscoverService.svc/root?originalDomain=cloudsfb.com </A> ) </LI> <BR /> <LI> SFB Client then sends a Request to Autodiscover to discover its pool for sign in. </LI> <BR /> <LI> The Client is then challenged and is provided the URL for Webticket service where it can request a Webticket </LI> <BR /> <LI> The Client then sends a POST request to Webticket Service </LI> <BR /> <LI> Webticket Service Redirects the Client to Modern Auth Provider (login.windows.net) </LI> <BR /> <LI> Now in order to authenticate the client reaches out to Login.windows.net and requests a Token, The intention here is to Get a Token from login.windows.net </LI> <BR /> <LI> From this point onwards we will see that login.windows.net will redirect the client to login.microsoftonline.com </LI> <BR /> <LI> Since the tenant is enabled for ADFS the client is then redirected to the ON Premise ADFS server </LI> <BR /> <LI> SFB client will then send a request to ADFS server and request a token </LI> <BR /> <LI> The Client may receive a Password prompt (or previously saved password from credential manager is passed) and once the correct password is provided, ADFS will issue a Token to the client </LI> <BR /> <LI> The Client then submits this token to login.microsoftonline.com which in turn passes the client to Login.windows.net </LI> <BR /> <LI> Login.windows.net will now issue the Modern Auth Token to the client </LI> <BR /> <LI> The Client then submits this token that it received from Login.windows.net to Webticket Service </LI> <BR /> <LI> Webticket service now 
will grant a Webticket to the Client </LI> <BR /> <LI> The client then submits this webticket to Autodiscover </LI> <BR /> <LI> In Response Autodiscover will provide the Pool names (sipfed2a.online.lync.com, port 443) where the client can send Register to Sign in </LI> <BR /> <LI> The SFB client now sends a SIP register to the Online Edge pool (sipfed2a.online.lync.com, port 443) </LI> <BR /> <LI> It is then challenged for authentication again. Here the ONLY supported method of authentication is TLS-DSK. The client is provided a Cert provisioning URL ( <A href="#" target="_blank"> https://webdir2a.online.lync.com:443/CertProv/CertProvisioningService.svc </A> ) in the 401 unauthenticated response </LI> <BR /> <LI> The SFB client then sends a request to Certprov </LI> <BR /> <LI> Here again the Client is challenged for authentication and is redirected to webticket service to get a Webticket </LI> <BR /> <LI> The Client had already obtained a webticket in step 26 above </LI> <BR /> <LI> The client will submit the same webticket obtained in step 26 to the Cert provisioning service </LI> <BR /> <LI> The Client then receives a certificate </LI> <BR /> <LI> The SFB client can now send a Register again and use the certificate it downloaded for authentication </LI> <BR /> </OL> <BR /> <BR /> <STRONG> Below is a graphical representation of the SFB online Client Sign in process </STRONG> <BR /> <BR /> <IMG alt="clip_image001" border="0" height="4085" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115396i14BE5B96D8DBE29C" title="clip_image001" width="1585" /> <BR /> <BR /> <BR /> <BR /> <STRONG> Detailed Explanation of SFB online Client Sign in process with LOG Snippets: </STRONG> <BR /> <BR /> SIP URI of the user - ex3@cloudsfb.com <BR /> <BR /> When a SFB client wants to sign in, it needs to know where it can send its request to be able to sign in. 
Whenever a user enters his SIP URI to sign in the SFB client forms an autodiscover URL using the domain name that it extracts from the users SIP URI to start the discovery process and then it sends an Unauthenticated Get request to the URL, lyncdiscover.domain.com. The response code for this request will be '200 ok' and in the response we should receive the external webservices URL for autodiscover. <BR /> <BR /> <IMG alt="clip_image002" border="0" height="654" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115397i91B014919BBDBC8B" title="clip_image002" width="1564" /> <BR /> <BR /> The SFB Client learns that it needs to Contact <A href="#" target="_blank"> https://webext.cloudsfb.com/ </A> (This is the External webservices URL for autodiscover on the ON Premise SFB environment) <BR /> <BR /> It then tries to Do a TCP handshake with webext.cloudsfb.com, Followed by a TLS handshake. (I haven't included the TCP and TLS handshake screen shots here, you can see those if you collect a Network trace while signing in) <BR /> <BR /> The client then sends a request to the user URL. We are here trying to discover a specific users home pool, hence the request will go to the “User” URL. <BR /> <BR /> In the response, the Client receives a Web ticket URL, which provides the location of the WebTicketService. <BR /> <BR /> You can see the request and Response below <BR /> <BR /> <IMG alt="clip_image003" border="0" height="854" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115398i478677DB37399AC0" title="clip_image003" width="1573" /> <BR /> <BR /> The Client then needs to send a Request to the Web ticket service URL in order to obtain a Web ticket. The client will send this request in a POST message to the web ticket Service. 
<BR /> <BR /> Now since we have Modern Auth enabled ON Premise the Web Ticket Service will redirect the client to the MA provider URL for ON PREM - &lt;af:OAuth af:authorizationUri= <A href="#" target="_blank"> https://sts.cloudsfb.com/adfs/oauth2/authorize </A> xmlns:af="urn:component:Microsoft.Rtc.WebAuthentication.2010" /&gt; <BR /> <BR /> We can see this below <BR /> <BR /> <IMG alt="clip_image004" border="0" height="882" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115399i5D79498C49A2E149" title="clip_image004" width="1589" /> <BR /> <BR /> The Client will Now send a Request to <A href="#" target="_blank"> https://sts.cloudsfb.com/adfs/oauth2/authorize </A> to get the MA Token, You will see several HTTP GET and POST messages exchanged between Client and <A href="#" target="_blank"> https://sts.cloudsfb.com/adfs/oauth2/authorize </A> during this process. Below screen shot lists some of them <BR /> <BR /> <IMG alt="clip_image005" border="0" height="800" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115400iBD91D2D4B9E33528" title="clip_image005" width="1582" /> <BR /> <BR /> During the above process the Client will be challenged for password by MA or if the user had signed in before and the password is saved in Credential manager then this password will be passed and user may not see the Prompt. 
<BR /> <BR /> Finally the Client will receive a Token from MA provider, you can see this below <BR /> <BR /> <IMG alt="clip_image006" border="0" height="862" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115401i27CBA5EAFAB98FE8" title="clip_image006" width="1588" /> <BR /> <BR /> The Client will then Submit this token to the Webticket service which will then issue a Webticket, This can be seen below <BR /> <BR /> <IMG alt="clip_image007" border="0" height="902" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115402iEB8B6D7273DBBCE7" title="clip_image007" width="1589" /> <BR /> <BR /> The Client will Then Submit this web ticket back to the AutoDiscover User URL - /Autodiscover/AutodiscoverService.svc/root/user?originalDomain=cloudsfb.com&amp;sipuri=ex3@cloudsfb.com <BR /> <BR /> In response it will now receive the Online Autodiscover webservices URL names <BR /> <BR /> You can see this in the trace below <BR /> <BR /> <IMG alt="clip_image008" border="0" height="733" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115403i3086877B94751DCF" title="clip_image008" width="1594" /> <BR /> <BR /> Now the Client will send a Unauthenticated Get request to Webdir2a.online.lync.com and in Response it receives the Autodiscover URL's specific to the users Tenant. You can see the request and Response below <BR /> <BR /> <IMG alt="clip_image009" border="0" height="694" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115404i747102916C0BDED7" title="clip_image009" width="1596" /> <BR /> <BR /> The client then sends a request to the user URL. We are here trying to discover a specific users home pool, hence the request will go to the “User” URL. <BR /> <BR /> In the response, the Client receives a Web ticket URL, which provides the location of the WebTicketService. 
<BR /> <BR /> You can see the request and Response below <BR /> <BR /> <IMG alt="clip_image010" border="0" height="850" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115405i5C4675B461853F9D" title="clip_image010" width="1616" /> <BR /> <BR /> The Client then needs to send a Request to the Web ticket service URL in order to obtain a Web ticket. The client will send this request in a POST message to the web ticket Service. Now since Modern Authentication is enabled on the Tenant, in order to grant the webticket the client will first need to get a Token from the Modern Auth provider so the client is redirected to the Modern Auth provider URL - &lt;af:OAuth af:authorizationUri="<A href="#" target="_blank">https://login.windows.net/common/oauth2/authorize</A>" xmlns:af="urn:component:Microsoft.Rtc.WebAuthentication.2010" /&gt; <BR /> <BR /> <IMG alt="clip_image011" border="0" height="856" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115406i6E5A9C3B2E36391C" title="clip_image011" width="1615" /> <BR /> <BR /> The Client then sends a request to the MA/Oauth URL to request a Token, The intention here is to Get a Token from login.windows.net <BR /> <BR /> From this point onwards we will see that login.windows.net will redirect the client to - login.microsoftonline.com. <BR /> <BR /> Below is the Request that client sends to the MA/OAUTH URL and in response it is redirected to AD - login.microsoftonline.com <BR /> <BR /> <IMG alt="clip_image012" border="0" height="691" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115407iE6185E7F58A15C11" title="clip_image012" width="1620" /> <BR /> <BR /> We have to remember that "The intention here is to Get a Token from login.windows.net" we will see several exchanges happening between client to login.microsoftonline.com. Below are screen shots showing these exchanges. 
<BR /> <BR /> <IMG alt="clip_image013" border="0" height="1079" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115408i001AD1A8E26E4A44" title="clip_image013" width="1627" /> <BR /> <BR /> Now, Since the customer has ADFS, the Modern Auth provider will redirect the client to the ADFS Server. Below is the screen shot showing login.microsoftonline.com redirecting the client to ADFS <BR /> <BR /> <IMG alt="clip_image014" border="0" height="802" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115409iEEEECA7C9DACC1F8" title="clip_image014" width="1627" /> <BR /> <BR /> The Client will then reach out to ADFS to get an ADFS Token. The Next Two Screen shots show that; <BR /> <BR /> (This is where the user might get prompted to enter credentials or if his credentials are already stored in credential manager then those credentials will be passed in the background and the user may not see the prompt) <BR /> <BR /> <IMG alt="clip_image015" border="0" height="621" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115410iB78D8097E226824A" title="clip_image015" width="1631" /> <BR /> <BR /> <IMG alt="clip_image016" border="0" height="750" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115411iDAAC3600F18597C3" title="clip_image016" width="1631" /> <BR /> <BR /> The Client will then Submit this Token to Login.microsoftonline.com, where it will be redirected again to <A href="#" target="_blank"> https://Login.windows.net </A> and <A href="#" target="_blank"> https://Login.windows.net </A> will finally provide the client with the Modern Auth Token, This is shown in the two screen shots below <BR /> <BR /> <IMG alt="clip_image017" border="0" height="798" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115412i8615357EF4749388" title="clip_image017" width="1633" /> <BR /> <BR /> <IMG alt="clip_image018" border="0" height="874" 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115413i8B9206A221851345" title="clip_image018" width="1635" /> <BR /> <BR /> Now the client will submit this token to the webticket URL, and the Webticket service will issue the webticket, as shown below <BR /> <BR /> <IMG alt="clip_image019" border="0" height="892" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115414i2438346DAB7C01F7" title="clip_image019" width="1644" /> <BR /> <BR /> The client will then submit this webticket to Autodiscover and in return it will receive the POOL names where it has to send the Register to Sign in. <BR /> <BR /> <IMG alt="clip_image020" border="0" height="828" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115415iDE1B4B030ABA6780" title="clip_image020" width="1650" /> <BR /> <BR /> Once the Client receives the pool names it will then send a SIP REGISTER message to the SFB pool in order to sign in. You can see that in the Client UCCAPI log file. This is shown in the snippet below <BR /> <BR /> <IMG alt="clip_image021" border="0" height="504" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115416iF37149209E4B26C8" title="clip_image021" width="1669" /> <BR /> <BR /> In response the Client will now receive a 401 Unauthorized message again and the server will again ask the client to authenticate itself. Here the ONLY method of authentication that is available is TLS-DSK (Cert based authentication) <BR /> <BR /> The SFB online server will provide the Client a Cert provisioning URL in the 401; you can see that in the snippet below <BR /> <BR /> <IMG alt="clip_image022" border="0" height="523" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115417i9D280D8439C0ED61" title="clip_image022" width="1686" /> <BR /> <BR /> This means that the Client now needs to present a Certificate that can then be used to authenticate the client. 
Since this is the first time the client is signing in, it will NOT have the certificate installed. This certificate is ideally downloaded after the client signs in for the first time and is valid for about 8 hours. <BR /> <BR /> Since the client does not have a valid certificate, it now has to re-authenticate to the Cert provisioning service. <BR /> <BR /> The process for this will again be the same. The client will send a request to the Cert provisioning URL, where it will be challenged to get a webticket. The client has to first get a webticket from the Webticket service URL, and to get a webticket it needs to get a token from the Modern Auth provider, but we know that the client has already done these steps earlier, so it already has a webticket from the web services URL. The client needs to submit this same webticket to the Cert provisioning service, and once it submits the webticket it will serve as proof of authentication. <BR /> <BR /> The client learns about this by first sending a Mex request to the Cert provisioning URL. You can see that in the trace below <BR /> <BR /> <IMG alt="clip_image023" border="0" height="982" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115418iFC6038BCAC58CDED" title="clip_image023" width="1706" /> <BR /> <BR /> The client then submits the webticket that it had received previously to the Cert provisioning URL it received above. After this it receives a 200 OK, in which it receives the certificate <BR /> <BR /> <IMG alt="clip_image024" border="0" height="963" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115419iE734C2D888D9696F" title="clip_image024" width="1698" /> <BR /> <BR /> The client will then submit this certificate back to the pool and will receive a 200 OK in response. 
The Sign in is then complete <BR /> <BR /> <IMG alt="clip_image025" border="0" height="908" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115420i0AB469E23D268809" title="clip_image025" width="1700" /> <BR /> <BR /> <IMG alt="clip_image026" border="0" height="840" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115421iFA6BF891DC2F1B2A" title="clip_image026" width="1704" /> <BR /> <BR /> <BR /> <BR /> <STRONG> Sign in is NOW Complete!!! </STRONG> </BODY></HTML> Tue, 21 May 2019 00:55:08 GMT https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/sfb-online-client-sign-in-and-authentication-deep-dive-part-7/ba-p/621482 Mohammed Anas Shaikh 2019-05-21T00:55:08Z SFB online Client Sign in and Authentication Deep Dive ;Part 6 (Hybrid) https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/sfb-online-client-sign-in-and-authentication-deep-dive-part-6/ba-p/621347 <HTML> <HEAD></HEAD><BODY> <STRONG> First published on TECHNET on Apr 13, 2018 </STRONG> <BR /> <BR /> <BR /> <STRONG> Scenario: </STRONG> SFB Hybrid environment, SFB user is homed Online, ADFS is Configured, MA (Modern Auth) is enabled ON premise through On premise AD but Disabled in O365 <BR /> <BR /> <STRONG> <SPAN style="color: #ff0000"> NOTE: </SPAN> </STRONG> <BR /> <BR /> I have tried my best to ensure the information below is accurate. Some of the terms I use to describe things like Modern Auth provider, O365 AD, Org ID etc. may not be standard terminology, I use them solely to make the understanding simpler. My intention here is to explain what happens in the background when a SFB client signs in so that it helps engineers and customers troubleshooting issues related to Sign in and Authentication. <BR /> <BR /> <BR /> <BR /> <STRONG> How Does it Work? 
</STRONG> <BR /> <BR /> <STRONG> Below is a high-level explanation of how the SFB Online client sign-in process works </STRONG> <BR /> <BR /> SIP URI of the user - ex2@cloudsfb.com <BR /> <OL> <BR /> <LI> The SFB client queries DNS for Lyncdiscover.domain.com. This should point to the external web services URL (on-premises reverse proxy), which in this case is webext.cloudsfb.com </LI> <BR /> <LI> The SFB client then sends an unauthenticated GET request to Lyncdiscover.domain.com </LI> <BR /> <LI> The client is then redirected to Autodiscover </LI> <BR /> <LI> The SFB client then sends a request to Autodiscover to discover its pool for sign-in. </LI> <BR /> <LI> The client is then challenged and is provided the URL for the Webticket service, where it can request a webticket </LI> <BR /> <LI> The client then sends a POST request to the Webticket service </LI> <BR /> <LI> The Webticket service redirects the client to the on-premises Modern Auth provider ( <A href="#" target="_blank"> https://sts.cloudsfb.com/adfs/oauth2/authorize </A> ) </LI> <BR /> <LI> In order to authenticate, the client now reaches out to <A href="#" target="_blank"> https://sts.cloudsfb.com/adfs/oauth2/authorize </A> and requests a token. The intention here is to get a token from <A href="#" target="_blank"> https://sts.cloudsfb.com/adfs/oauth2/authorize </A> </LI> <BR /> <LI> The client may receive a password prompt (or a previously saved password from Credential Manager is passed), and once the correct password is provided, <A href="#" target="_blank"> https://sts.cloudsfb.com/adfs/oauth2/authorize </A> will issue the Modern Auth token to the client </LI> <BR /> <LI> The client then submits the token that it received from <A href="#" target="_blank"> https://sts.cloudsfb.com/adfs/oauth2/authorize </A> to the Webticket service </LI> <BR /> <LI> The Webticket service will now grant a webticket to the client </LI> <BR /> <LI> The client then submits this webticket to Autodiscover </LI> <BR /> <LI> Since the SFB user is homed online, in response 
Autodiscover will provide the online Autodiscover web services URLs ( <A href="#" target="_blank"> https://webdir2a.online.lync.com/Autodiscover/AutodiscoverService.svc/root?originalDomain=cloudsfb.com </A> ) </LI> <BR /> <LI> The SFB client then sends a request to Autodiscover to discover its pool for sign-in. </LI> <BR /> <LI> The client is then challenged and is provided the URL for the Webticket service, where it can request a webticket </LI> <BR /> <LI> The client then sends a POST request to the Webticket service, which requires the client to provide a token from Org ID (login.microsoftonline.com) </LI> <BR /> <LI> In order to authenticate, the client now reaches out to Org ID and requests a token </LI> <BR /> <LI> Since the tenant is enabled for ADFS, the client is redirected to the on-premises ADFS server <A href="#" target="_blank"> https://sts.cloudsfb.com </A> </LI> <BR /> <LI> The SFB client will then send a request to the ADFS server and request a token </LI> <BR /> <LI> The client may receive a password prompt (or a previously saved password from Credential Manager is passed), and once the correct password is provided, ADFS will issue a token to the client </LI> <BR /> <LI> The client then submits this token to Org ID </LI> <BR /> <LI> Org ID will now issue its own token to the client </LI> <BR /> <LI> The client then submits the token that it received from Org ID to the Webticket service </LI> <BR /> <LI> The Webticket service will now grant a webticket to the client </LI> <BR /> <LI> The client then submits this webticket to Autodiscover </LI> <BR /> <LI> In response Autodiscover will provide the pool names (sipfed2a.online.lync.com, port 443) where the client can send the REGISTER to sign in </LI> <BR /> <LI> The SFB client now sends a SIP REGISTER to the online Edge pool (sipfed2a.online.lync.com, port 443) </LI> <BR /> <LI> It is then challenged for authentication again. Here the ONLY supported method of authentication is TLS-DSK. The client is provided a Cert provisioning URL 
( <A href="#" target="_blank"> https://webdir2a.online.lync.com:443/CertProv/CertProvisioningService.svc </A> ) in the 401 unauthenticated response </LI> <BR /> <LI> The SFB client then sends a request to Certprov </LI> <BR /> <LI> Here again the client is challenged for authentication and is redirected to the Webticket service to get a webticket </LI> <BR /> <LI> The client had already obtained a webticket in step 24 above </LI> <BR /> <LI> The client will submit the same webticket obtained in step 24 to the Cert provisioning service </LI> <BR /> <LI> The client then receives a certificate </LI> <BR /> <LI> The SFB client can now send a REGISTER again and use the certificate it downloaded for authentication </LI> <BR /> </OL> <BR /> <BR /> <BR /> <STRONG> Below is a graphical representation of the SFB Online client sign-in process </STRONG> <BR /> <BR /> <IMG alt="clip_image001" border="0" height="2307" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115375iDAA5F252411CFD63" title="clip_image001" width="1357" /> <BR /> <BR /> Detailed Explanation of SFB online Client Sign in process with LOG Snippets: <BR /> <BR /> When an SFB client wants to sign in, it needs to know where it can send its request. Whenever a user enters their SIP URI to sign in, the SFB client forms an autodiscover URL using the domain name that it extracts from the user's SIP URI to start the discovery process, and then it sends an unauthenticated GET request to the URL, lyncdiscover.domain.com. The response code for this request will be '200 ok', and in the response we should receive the external web services URL for autodiscover. 
<BR /> <BR /> <IMG alt="clip_image002" border="0" height="515" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115376i31CCCE8DD5B1F552" title="clip_image002" width="1398" /> <BR /> <BR /> The SFB Client learns that it needs to Contact <A href="#" target="_blank"> https://webext.cloudsfb.com/ </A> (This is the External webservices URL for autodiscover on the ON Premise SFB environment) <BR /> <BR /> It then tries to Do a TCP handshake with webext.cloudsfb.com, Followed by a TLS handshake. (I haven't included the TCP and TLS handshake screen shots here, you can see those if you collect a Network trace while signing in) <BR /> <BR /> The client then sends a request to the user URL. We are here trying to discover a specific users home pool, hence the request will go to the “User” URL. <BR /> <BR /> In the response, the Client receives a Web ticket URL, which provides the location of the WebTicketService. <BR /> <BR /> You can see the request and Response below <BR /> <BR /> <IMG alt="clip_image003" border="0" height="799" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115377iD438EB6309DF2FC0" title="clip_image003" width="1418" /> <BR /> <BR /> The Client then needs to send a Request to the Web ticket service URL in order to obtain a Web ticket. The client will send this request in a POST message to the web ticket Service. 
<BR /> <BR /> Now, since we have Modern Auth enabled on premises, the Web Ticket Service will redirect the client to the on-premises MA provider URL - &lt;af:OAuth af:authorizationUri="<A href="#" target="_blank">https://sts.cloudsfb.com/adfs/oauth2/authorize</A>" xmlns:af="urn:component:Microsoft.Rtc.WebAuthentication.2010" /&gt; <BR /> <BR /> We can see this below <BR /> <BR /> <IMG alt="clip_image004" border="0" height="823" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115378i5BB62D605DD1EFD9" title="clip_image004" width="1450" /> <BR /> <BR /> The client will now send a request to <A href="#" target="_blank"> https://sts.cloudsfb.com/adfs/oauth2/authorize </A> to get the MA token. You will see several HTTP GET and POST messages exchanged between the client and <A href="#" target="_blank"> https://sts.cloudsfb.com/adfs/oauth2/authorize </A> during this process. The screen shot below lists some of them <BR /> <BR /> <IMG alt="clip_image005" border="0" height="813" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115379i0696519780E07FCA" title="clip_image005" width="1487" /> <BR /> <BR /> During the above process the client will be challenged for a password by MA, or, if the user had signed in before and the password is saved in Credential Manager, this password will be passed and the user may not see the prompt. 
<BR /> <BR /> Finally the client will receive a token from the MA provider. You can see this below <BR /> <BR /> <IMG alt="clip_image006" border="0" height="805" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115380iA6B90DBCA8728BCE" title="clip_image006" width="1518" /> <BR /> <BR /> The client will then submit this token to the Webticket service, which will then issue a webticket. This can be seen below <BR /> <BR /> <IMG alt="clip_image007" border="0" height="821" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115381iAC12B9E53C5BEDF4" title="clip_image007" width="1547" /> <BR /> <BR /> The client will then submit this webticket back to the Autodiscover user URL - /Autodiscover/AutodiscoverService.svc/root/user?originalDomain=cloudsfb.com&amp;sipuri=ex2@cloudsfb.com <BR /> <BR /> In response it will now receive the internal and external addresses of the pool names where the user is homed. <BR /> <BR /> You can see this in the trace below <BR /> <BR /> <IMG alt="clip_image008" border="0" height="666" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115382i0661500AD0AEA7CE" title="clip_image008" width="1576" /> <BR /> <BR /> Now the client will send an unauthenticated GET request to Webdir2a.online.lync.com, and in response it receives the Autodiscover URLs specific to the user's tenant. You can see the request and response below <BR /> <BR /> <IMG alt="clip_image009" border="0" height="782" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115383i6C6FD2A92DC7090E" title="clip_image009" width="1614" /> <BR /> <BR /> The client then sends a request to the user URL. We are trying here to discover a specific user's home pool, hence the request will go to the “User” URL. <BR /> <BR /> In the response, the client receives a webticket URL, which provides the location of the WebTicketService. 
<BR /> <BR /> You can see the request and response below <BR /> <BR /> <IMG alt="clip_image010" border="0" height="883" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115384iC92F42A670B3DE0D" title="clip_image010" width="1653" /> <BR /> <BR /> The client then needs to send a request to the Webticket service URL in order to obtain a webticket. The client will send this request in a POST message to the Webticket service, and in response it receives the actual individual Webticket service URLs <BR /> <BR /> <IMG alt="clip_image011" border="0" height="922" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115385iDE0C4CEB218E988B" title="clip_image011" width="1685" /> <BR /> <BR /> The client now has to submit a request to this webticket URL in order to obtain a webticket, but to do that it needs to authenticate first. Unless the client authenticates itself, it will not be issued a webticket. Since this user is homed in SFB Online, the client needs to reach out to O365 AD (Org ID) to get authenticated first <BR /> <BR /> The client sends a POST request to Org ID to get a token. Here it learns that the tenant is enabled for ADFS and is redirected to the ADFS URL <BR /> <BR /> You can see that below <BR /> <BR /> <IMG alt="clip_image012" border="0" height="927" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115386iD4323BD8D87A7D9A" title="clip_image012" width="1708" /> <BR /> <BR /> The client then reaches ADFS and requests a token, and in response ADFS will provide the client a token <BR /> <BR /> <IMG alt="clip_image013" border="0" height="987" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115387iAAF32E79EE222564" title="clip_image013" width="1714" /> <BR /> <BR /> The client will submit the ADFS token back to Org ID, and in response Org ID will issue a token to the client <BR /> <BR /> You can see that below <BR /> <BR /> <IMG alt="clip_image014" border="0" 
height="984" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115388i74B116A1EEF7DB0C" title="clip_image014" width="1721" /> <BR /> <BR /> Once the client receives a token from O365 AD (Org ID), it submits this token to the Web Ticket Service <A href="#" target="_blank"> https://webdir2a.online.lync.com/WebTicket/WebTicketAdvancedService.svc/WsFed_bearer </A> <BR /> <BR /> In response the Web Ticket Service will now issue the client a webticket. You can see this in the trace below <BR /> <BR /> <IMG alt="clip_image015" border="0" height="1006" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115389i523F583876F3C546" title="clip_image015" width="1735" /> <BR /> <BR /> The client will then submit this webticket back to the Autodiscover user URL - <A href="#" target="_blank"> https://webdir2a.online.lync.com/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=cloudsfb.com&amp;sipuri=ex2@cloudsfb.com </A> <BR /> <BR /> In response it will now receive the internal and external addresses of the pool names where the user is homed. <BR /> <BR /> You can see this in the trace below <BR /> <BR /> <IMG alt="clip_image016" border="0" height="1018" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115390iED80AA345ECF514C" title="clip_image016" width="1768" /> <BR /> <BR /> Once the client receives the pool names, it will send a SIP REGISTER message to the SFB pool in order to sign in. You can see that in the client UCCAPI log file, as shown in the snippet below <BR /> <BR /> <IMG alt="clip_image017" border="0" height="566" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115391i39F4AE77E900BA10" title="clip_image017" width="1802" /> <BR /> <BR /> In response the client will now receive a 401 Unauthorized message again, and the server will again ask the client to authenticate itself. 
Here the ONLY method of authentication that is available is TLS-DSK (certificate-based authentication) <BR /> <BR /> The SFB Online server will provide the client a Cert provisioning URL in the 401. You can see that in the snippet below <BR /> <BR /> <IMG alt="clip_image018" border="0" height="494" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115392i751E157F9A0990BF" title="clip_image018" width="1842" /> <BR /> <BR /> This means that the client now needs to present a certificate that can then be used to authenticate the client. Since this is the first time the client is signing in, it will NOT have the certificate installed. This certificate is ideally downloaded after the client signs in for the first time and is valid for about 8 hours. <BR /> <BR /> Since the client does not have a valid certificate, it now has to re-authenticate to the Cert provisioning service. <BR /> <BR /> The process for this will again be the same. The client will send a request to the Cert provisioning URL, where it will be challenged to get a webticket. The client has to first get a webticket from the Webticket service URL, and to get a webticket it needs to get a token from Org ID, but we know that the client has already done these steps earlier, so it already has a webticket from the web services URL. The client needs to submit this same webticket to the Cert provisioning service, and once it submits the webticket it will serve as proof of authentication. <BR /> <BR /> The client learns about this by first sending a Mex request to the Cert provisioning URL. 
You can see that in the Trace below <BR /> <BR /> <IMG alt="clip_image019" border="0" height="1067" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115393i40FDFF656C2C27D4" title="clip_image019" width="1866" /> <BR /> <BR /> The Client then submits the Web Ticket that it had received previously to the Cert provisioning URL it received above, after this it receives a 200 OK in which it receives the Certificate <BR /> <BR /> <IMG alt="clip_image020" border="0" height="1070" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115394iCB4C101F4D8A7119" title="clip_image020" width="1871" /> <BR /> <BR /> The clients will then submit this certificate back to the pool and will receive a 200 OK in response. The Sign in is then complete <BR /> <BR /> <IMG alt="clip_image021" border="0" height="977" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115395i415071941D3D1A7E" title="clip_image021" width="1869" /> <BR /> <BR /> Sign in is NOW Complete!!! </BODY></HTML> Tue, 21 May 2019 00:49:21 GMT https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/sfb-online-client-sign-in-and-authentication-deep-dive-part-6/ba-p/621347 Mohammed Anas Shaikh 2019-05-21T00:49:21Z SFB online Client Sign in and Authentication Deep Dive ;Part 5 (HYBRID) https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/sfb-online-client-sign-in-and-authentication-deep-dive-part-5/ba-p/621317 <HTML> <HEAD></HEAD><BODY> <STRONG> First published on TECHNET on Apr 13, 2018 </STRONG> <BR /> <STRONG> Scenario: </STRONG> SFB Hybrid environment, SFB user is homed Online, ADFS is Configured, MA (Modern Auth) is Disabled ON premise but is Enabled in O365 <BR /> <BR /> <SPAN style="color: #ff0000"> <STRONG> NOTE: </STRONG> </SPAN> <BR /> <BR /> I have tried my best to ensure the information below is accurate. Some of the terms I use to describe things like Modern Auth provider, O365 AD, Org ID etc. 
may not be standard terminology, I use them solely to make the understanding simpler. My intention here is to explain what happens in the background when a SFB client signs in so that it helps engineers and customers troubleshooting issues related to Sign in and Authentication. <BR /> <BR /> <BR /> <BR /> <STRONG> How does it Work? </STRONG> <BR /> <BR /> <STRONG> Detailed Explanation of SFB online Client Sign in process with LOG Snippets: </STRONG> <BR /> <BR /> <BR /> <BR /> SIP URI of the user - test2@sfbisgreat.info <BR /> <OL> <BR /> <LI> SFB client Queries DNS for Lyncdiscover.domain.com. This should point to External web services URL (ON Premise Reverse Proxy) which in this case is webext.cloudsfb.com </LI> <BR /> <LI> SFB Client then sends a unauthenticated GET request to Lyncdiscover.domain.com </LI> <BR /> <LI> The Client is then redirected to Autodiscover </LI> <BR /> <LI> SFB Client then sends a Request to Autodiscover to discover its pool for sign in. </LI> <BR /> <LI> The Client is then challenged and is provided the URL for Webticket service where it can request a Webticket </LI> <BR /> <LI> The Client then sends a POST request to Webticket Service </LI> <BR /> <LI> Here the Client has to Authenticate (NTLM). The Client may receive a Password prompt (or previously saved password from credential manager is passed) </LI> <BR /> <LI> Once the password is provided, Webticket service will issue a Webticket to the client. </LI> <BR /> <LI> The client then submits this webticket to Autodiscover </LI> <BR /> <LI> Since the SFB user is homed Online, In Response Autodiscover will provide the Online Autodiscover webservices URL's names ( <A href="#" target="_blank"> https://webdir2a.online.lync.com/Autodiscover/AutodiscoverService.svc/root?originalDomain=sfbisgreat.info </A> ) </LI> <BR /> <LI> SFB Client then sends a Request to Autodiscover to discover its pool for sign in. 
</LI> <BR /> <LI> The client is then challenged and is provided the URL for the Webticket service, where it can request a webticket </LI> <BR /> <LI> The client then sends a POST request to the Webticket service </LI> <BR /> <LI> The Webticket service redirects the client to the Modern Auth provider (login.windows.net) </LI> <BR /> <LI> In order to authenticate, the client now reaches out to login.windows.net and requests a token. The intention here is to get a token from login.windows.net </LI> <BR /> <LI> From this point onwards we will see that login.windows.net will redirect the client to login.microsoftonline.com </LI> <BR /> <LI> Since the tenant is enabled for ADFS, the client is then redirected to the on-premises ADFS server </LI> <BR /> <LI> The SFB client will then send a request to the ADFS server and request a token </LI> <BR /> <LI> The client may receive a password prompt (or a previously saved password from Credential Manager is passed), and once the correct password is provided, ADFS will issue a token to the client </LI> <BR /> <LI> The client then submits this token to login.microsoftonline.com, which in turn passes the client to login.windows.net </LI> <BR /> <LI> Login.windows.net will now issue the Modern Auth token to the client </LI> <BR /> <LI> The client then submits the token that it received from login.windows.net to the Webticket service </LI> <BR /> <LI> The Webticket service will now grant a webticket to the client </LI> <BR /> <LI> The client then submits this webticket to Autodiscover </LI> <BR /> <LI> In response Autodiscover will provide the pool names (sipfed2a.online.lync.com, port 443) where the client can send the REGISTER to sign in </LI> <BR /> <LI> The SFB client now sends a SIP REGISTER to the online Edge pool (sipfed2a.online.lync.com, port 443) </LI> <BR /> <LI> It is then challenged for authentication again. Here the ONLY supported method of authentication is TLS-DSK. The client is provided a Cert provisioning URL ( <A href="#" target="_blank"> 
https://webdir2a.online.lync.com:443/CertProv/CertProvisioningService.svc </A> ) in the 401 unauthenticated response </LI> <BR /> <LI> The SFB client then sends a request to Certprov </LI> <BR /> <LI> Here again the client is challenged for authentication and is redirected to the Webticket service to get a webticket </LI> <BR /> <LI> The client had already obtained a webticket in step 23 above </LI> <BR /> <LI> The client will submit the same webticket obtained in step 23 to the Cert provisioning service </LI> <BR /> <LI> The client then receives a certificate </LI> <BR /> <LI> The SFB client can now send a REGISTER again and use the certificate it downloaded for authentication </LI> <BR /> </OL> <BR /> <BR /> <BR /> <STRONG> Below is a graphical representation of the SFB Online client sign-in process </STRONG> <BR /> <BR /> <IMG alt="clip_image001" border="0" height="3656" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115350i1D4276A4AF0863B9" title="clip_image001" width="1419" /> <BR /> <BR /> When an SFB client wants to sign in, it needs to know where it can send its request. Whenever a user enters their SIP URI to sign in, the SFB client forms an autodiscover URL using the domain name that it extracts from the user's SIP URI to start the discovery process, and then it sends an unauthenticated GET request to the URL, lyncdiscover.domain.com. The response code for this request will be '200 ok', and in the response we should receive the external web services URL for autodiscover. 
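<BR /> <BR /> The checkpoints in the numbered steps of Parts 5 and 6 (on-premises webticket, online webticket, certificate from Cert provisioning) can be read out of an HTTP trace mechanically. The following is an added example, not code from the original articles: it summarizes a trace per leg and names the first checkpoint that was never reached. The traces are constructed; the status codes, the /WebTicket/WebTicketService.svc, /adfs/ls/ and /mex paths, the lyncdiscover hosts and sts.example.test are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Namespace of the af:OAuth element quoted in the articles.
AF_NS = "urn:component:Microsoft.Rtc.WebAuthentication.2010"
SFB_PATHS = ("/autodiscover/", "/webticket/", "/certprov/")


def oauth_authorization_uri(body):
    """Return af:authorizationUri from a Webticket challenge body, or None."""
    if not body:
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    for el in root.iter("{%s}OAuth" % AF_NS):
        return el.get("{%s}authorizationUri" % AF_NS)
    return None


def summarize(trace):
    """Walk the trace in order and record, per leg, how the client authenticated."""
    legs = {name: {"auth": None, "idp_hosts": [], "webticket": False, "certificate": False}
            for name in ("onprem", "online")}
    current = "onprem"  # hybrid discovery starts at the on-premises reverse proxy
    for e in trace:
        parts = urlsplit(e["url"])
        host, path = (parts.hostname or "").lower(), parts.path.lower()
        if host.startswith("lyncdiscover."):
            continue
        if not any(p in path for p in SFB_PATHS):
            # Not an SFB web service: an identity provider hop (ADFS, Org ID, ...).
            hops = legs[current]["idp_hosts"]
            if not hops or hops[-1] != host:
                hops.append(host)
            continue
        current = "online" if host.endswith(".online.lync.com") else "onprem"
        leg = legs[current]
        if "/webticket/" in path:
            uri = oauth_authorization_uri(e.get("body"))
            if uri:
                leg["auth"] = uri  # Modern Auth: the provider the client is sent to
            elif e["status"] == 401 and "ntlm" in e.get("www_authenticate", "").lower():
                leg["auth"] = "NTLM"
            elif e["method"] == "POST" and e["status"] == 200:
                leg["webticket"] = True  # assumption: 200 on the POST means a ticket was issued
        elif "/certprov/" in path and e["method"] == "POST" and e["status"] == 200:
            leg["certificate"] = True  # the articles: 200 OK carries the certificate
    return legs


def stalled_at(legs):
    """Name the first checkpoint the trace never reached, or None if a certificate was issued."""
    for leg, item in (("onprem", "webticket"), ("online", "webticket"), ("online", "certificate")):
        if not legs[leg][item]:
            return "%s %s" % (leg, item)
    return None


def req(method, url, status, **extra):
    return dict(method=method, url=url, status=status, **extra)


# Constructed traces (not captured data); see the assumptions listed in the lead-in.
OAUTH = '<af:OAuth af:authorizationUri="%s" xmlns:af="' + AF_NS + '" />'
ONLINE = "https://webdir2a.online.lync.com"
ONPREM_WT = "https://webext.cloudsfb.com/WebTicket/WebTicketService.svc"

PART6_COMPLETE = [
    req("GET", "https://lyncdiscover.cloudsfb.com/", 200),
    req("GET", "https://webext.cloudsfb.com/Autodiscover/AutodiscoverService.svc/root/user", 401),
    req("POST", ONPREM_WT, 401, body=OAUTH % "https://sts.cloudsfb.com/adfs/oauth2/authorize"),
    req("GET", "https://sts.cloudsfb.com/adfs/oauth2/authorize", 200),
    req("POST", ONPREM_WT, 200),
    req("GET", ONLINE + "/Autodiscover/AutodiscoverService.svc/root?originalDomain=cloudsfb.com", 200),
    req("POST", "https://login.microsoftonline.com/", 302),
    req("POST", "https://sts.cloudsfb.com/adfs/ls/", 200),
    req("POST", "https://login.microsoftonline.com/", 200),
    req("POST", ONLINE + "/WebTicket/WebTicketAdvancedService.svc/WsFed_bearer", 200),
    req("GET", ONLINE + ":443/CertProv/CertProvisioningService.svc/mex", 200),
    req("POST", ONLINE + ":443/CertProv/CertProvisioningService.svc", 200),
]

# Part 5 scenario, cut off after the hop to ADFS (e.g. the federation server is unreachable).
PART5_STALLED = [
    req("GET", "https://lyncdiscover.sfbisgreat.info/", 200),
    req("POST", "https://webext.sfbisgreat.info/WebTicket/WebTicketService.svc", 401,
        www_authenticate="NTLM"),
    req("POST", "https://webext.sfbisgreat.info/WebTicket/WebTicketService.svc", 200),
    req("GET", ONLINE + "/Autodiscover/AutodiscoverService.svc/root?originalDomain=sfbisgreat.info", 200),
    req("POST", ONLINE + "/WebTicket/WebTicketService.svc", 401,
        body=OAUTH % "https://login.windows.net/common/oauth2/authorize"),
    req("GET", "https://login.windows.net/common/oauth2/authorize", 302),
    req("GET", "https://login.microsoftonline.com/", 302),
    req("GET", "https://sts.example.test/adfs/ls/", 200),
]

if __name__ == "__main__":
    for name, trace in (("Part 6", PART6_COMPLETE), ("Part 5", PART5_STALLED)):
        legs = summarize(trace)
        print(name, legs, "stalled at:", stalled_at(legs))
```

In the Part 6 trace the online leg has no af:OAuth challenge, so its auth field stays empty and the identity provider hops (Org ID, then ADFS, then Org ID) are the evidence of how the token was obtained.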
<BR /> <BR /> <IMG alt="clip_image002" border="0" height="477" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115351i55A87635F931D55E" title="clip_image002" width="1424" /> <BR /> <BR /> The SFB Client learns that it needs to Contact <A href="#" target="_blank"> https://webext.sfbisgreat.info/ </A> (This is the External webservices URL for autodiscover on the ON Premise SFB environment) <BR /> <BR /> It then tries to Do a TCP handshake with webext.cloudsfb.com, Followed by a TLS handshake. (I haven't included the TCP and TLS handshake screen shots here, you can see those if you collect a Network trace while signing in) <BR /> <BR /> The client then sends a request to the user URL. We are here trying to discover a specific users home pool, hence the request will go to the “User” URL. <BR /> <BR /> In the response, the Client receives a Web ticket URL, which provides the location of the WebTicketService. <BR /> <BR /> You can see the request and Response below <BR /> <BR /> <IMG alt="clip_image003" border="0" height="783" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115352iA371108ABF048172" title="clip_image003" width="1421" /> <BR /> <BR /> The Client then needs to send a Request to the Web ticket service URL in order to obtain a Web ticket. The client will send this request in a POST message to the web ticket Service. In response it will receive a 401 and the authentication method supported is listed as NTLM, You can see that in the screen shot below <BR /> <BR /> <IMG alt="clip_image004" border="0" height="611" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115353i110E56CF939D027F" title="clip_image004" width="1418" /> <BR /> <BR /> The Next few exchanges between the Client and Webticket service will be for NTLM Challenge and response. 
You will see multiple POST requests and 401 between the Client and Webticket service <BR /> <BR /> <IMG alt="clip_image005" border="0" height="494" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115354i337DFF545CA4F40E" title="clip_image005" width="1403" /> <BR /> <BR /> Finally the client will provide the password (the user may get prompted to enter their password here or the existing password in Credential manager might be used) <BR /> <BR /> Once the correct password and username is provided the Webticket service will issue a Web Ticket to the Client. You can see that below <BR /> <BR /> <IMG alt="clip_image006" border="0" height="802" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115355i6A6D0C42D87F8983" title="clip_image006" width="1382" /> <BR /> <BR /> The Client will Then Submit this web ticket back to the AutoDiscover User URL - <A href="#" target="_blank"> https://webext.sfbisgreat.info/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=sfbisgreat.info&amp;sipuri=test2@sfbisgreat.info </A> <BR /> <BR /> In response it will now receive the Internal and External addresses of the Pool names where the user is Homed. <BR /> <BR /> You can see this in the trace below <BR /> <BR /> <IMG alt="clip_image007" border="0" height="538" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115356i559724E1FD579C31" title="clip_image007" width="1367" /> <BR /> <BR /> Now the Client will send a Unauthenticated Get request to Webdir2a.online.lync.com and in Response it receives the Autodiscover URL's specific to the users Tenant. You can see the request and Response below <BR /> <BR /> <IMG alt="clip_image008" border="0" height="562" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115357iFE806706CC0CE2F8" title="clip_image008" width="1357" /> <BR /> <BR /> The client then sends a request to the user URL. 
We are trying here to discover a specific user's home pool, hence the request will go to the “User” URL. <BR /> <BR /> In the response, the client receives a webticket URL, which provides the location of the WebTicketService. <BR /> <BR /> You can see the request and response below <BR /> <BR /> <IMG alt="clip_image009" border="0" height="639" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115358i557328EAB6BBA2E3" title="clip_image009" width="1353" /> <BR /> <BR /> The client then needs to send a request to the Webticket service URL in order to obtain a webticket. The client will send this request in a POST message to the Webticket service. Since Modern Authentication is enabled on the tenant, the client will first need to get a token from the Modern Auth provider before the webticket is granted, so the client is redirected to the Modern Auth provider URL - &lt;af:OAuth af:authorizationUri="<A href="#" target="_blank">https://login.windows.net/common/oauth2/authorize</A>" xmlns:af="urn:component:Microsoft.Rtc.WebAuthentication.2010" /&gt; <BR /> <BR /> <IMG alt="clip_image010" border="0" height="696" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115359iB4B2FCED8CCDDA12" title="clip_image010" width="1344" /> <BR /> <BR /> The client then sends a request to the MA/OAuth URL to request a token. The intention here is to get a token from login.windows.net <BR /> <BR /> From this point onwards we will see that login.windows.net will redirect the client to login.microsoftonline.com. 
<BR /> <BR /> Below is the request that the client sends to the MA/OAuth URL; in response it is redirected to AD - login.microsoftonline.com <BR /> <BR /> <IMG alt="clip_image011" border="0" height="591" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115360i10C1B0E92C6A0047" title="clip_image011" width="1345" /> <BR /> <BR /> Keep in mind that the intention here is to get a token from login.windows.net; we will see several exchanges between the client, login.microsoftonline.com and login.windows.net. Below are screenshots showing these exchanges. <BR /> <BR /> <IMG alt="clip_image012" border="0" height="523" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115361i9BD31056ADE32A82" title="clip_image012" width="1343" /> <BR /> <BR /> Since the customer has ADFS, the client is now redirected to the ADFS server. Below is the screenshot showing login.microsoftonline.com redirecting the client to ADFS. <BR /> <BR /> <IMG alt="clip_image013" border="0" height="656" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115362iA081A481FCB49B12" title="clip_image013" width="1341" /> <BR /> <BR /> The client then reaches out to ADFS to get an ADFS token. 
The next two screenshots show that. <BR /> <BR /> (This is where the user might be prompted to enter credentials; if their credentials are already stored in Credential Manager, those credentials are passed in the background and the user may not see the prompt.) <BR /> <BR /> <IMG alt="clip_image014" border="0" height="490" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115363i23D12F29D8DA4B51" title="clip_image014" width="1329" /> <BR /> <BR /> <IMG alt="clip_image015" border="0" height="582" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115364iE9F1986C0E7215BB" title="clip_image015" width="1313" /> <BR /> <BR /> The client then submits this token to login.microsoftonline.com, where it is redirected again to <A href="#" target="_blank"> https://Login.windows.net </A>, and <A href="#" target="_blank"> https://Login.windows.net </A> finally provides the client with the Modern Auth token. This is shown in the two screenshots below. <BR /> <BR /> <IMG alt="clip_image016" border="0" height="610" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115365i98D6492593E1D9DF" title="clip_image016" width="1315" /> <BR /> <BR /> <IMG alt="clip_image017" border="0" height="706" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115366i7F0949DD0DCA432A" title="clip_image017" width="1300" /> <BR /> <BR /> Now the client submits this token to the web ticket URL, and the Web Ticket service issues the web ticket, as shown below. <BR /> <BR /> <IMG alt="clip_image018" border="0" height="731" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115367i507D4238D2DD0E73" title="clip_image018" width="1305" /> <BR /> <BR /> The client then submits this web ticket to Autodiscover and in return receives the pool names to which it has to send the REGISTER to sign in. 
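<BR /> <BR /> When reviewing a trace of the token exchange described above (Web Ticket challenge, login.windows.net, login.microsoftonline.com, ADFS and back), each hop can be checked against the hosts the flow is expected to touch. The Python below is an added example, not part of the original post; the function names, the ADFS host <code>sts.sfbisgreat.info</code> and the redirect URLs in the sample chains are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

AF_NS = "urn:component:Microsoft.Rtc.WebAuthentication.2010"  # namespace from the challenge above
# Hosts named in the article, plus a constructed placeholder for the tenant's ADFS server.
TRUSTED_HOSTS = {"login.windows.net", "login.microsoftonline.com", "sts.sfbisgreat.info"}

def authorization_uri(challenge_xml):
    """Extract af:authorizationUri from the Web Ticket service's OAuth challenge."""
    root = ET.fromstring(challenge_xml)
    for elem in root.iter(f"{{{AF_NS}}}OAuth"):  # iter() also yields the root itself
        uri = elem.get(f"{{{AF_NS}}}authorizationUri")
        if uri:
            return uri
    raise ValueError("challenge carries no af:OAuth authorizationUri")

def check_hop(url, trusted=TRUSTED_HOSTS):
    """Return None when a hop is acceptable, otherwise the reason it is not."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "not https"
    host = (parts.hostname or "").lower()
    if host not in trusted:  # exact match, so look-alike suffixes are rejected
        return f"unexpected host {host}"
    return None

def audit_chain(challenge_xml, redirects):
    """Check the challenge URI and every redirect target; return (url, reason) findings."""
    chain = [authorization_uri(challenge_xml), *redirects]
    return [(url, reason) for url in chain if (reason := check_hop(url))]

# Constructed sample data: the challenge element quoted above and two redirect chains.
CHALLENGE = ('<af:OAuth af:authorizationUri="https://login.windows.net/common/oauth2/authorize" '
             'xmlns:af="urn:component:Microsoft.Rtc.WebAuthentication.2010" />')
EXPECTED_CHAIN = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://sts.sfbisgreat.info/adfs/ls/",
    "https://login.microsoftonline.com/login.srf",
    "https://login.windows.net/common/oauth2/authorize",
]
SUSPECT_CHAIN = [
    "https://login.microsoftonline.com.example.net/common/oauth2/authorize",
    "http://sts.sfbisgreat.info/adfs/ls/",
]

if __name__ == "__main__":
    for label, chain in (("expected", EXPECTED_CHAIN), ("suspect", SUSPECT_CHAIN)):
        print(label, audit_chain(CHALLENGE, chain) or "ok")
```

The host comparison is an exact match on the parsed hostname, so a URL that merely begins with a trusted name is still reported.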
<BR /> <BR /> <IMG alt="clip_image019" border="0" height="582" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115368i8F445F1042E25F54" title="clip_image019" width="1301" /> <BR /> <BR /> Once the client receives the pool names, it sends a SIP REGISTER message to the SFB pool in order to sign in. You can see that in the client UCCAPI log file, as shown in the snippet below. <BR /> <BR /> <IMG alt="clip_image020" border="0" height="327" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115369i488E5BBC9C6E069F" title="clip_image020" width="1296" /> <BR /> <BR /> In response, the client receives a 401 Unauthorized message again, and the server again asks the client to authenticate itself. Here the ONLY method of authentication that is available is TLS-DSK (cert-based authentication). <BR /> <BR /> The SFB Online server provides the client with a cert provisioning URL in the 401; you can see that in the snippet below. <BR /> <BR /> <IMG alt="clip_image021" border="0" height="354" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115370i2A6EC5D9104267CA" title="clip_image021" width="1295" /> <BR /> <BR /> This means that the client now needs to present a certificate that can be used to authenticate it. Since this is the first time the client is signing in, it will NOT have the certificate installed. This certificate is ideally downloaded after the client signs in for the first time and is valid for about 8 hours. <BR /> <BR /> Since the client does not have a valid certificate, it now has to re-authenticate to the cert provisioning service. <BR /> <BR /> The process for this is again the same: the client sends a request to the cert provisioning URL, where it is challenged to get a web ticket. 
The client first has to get a web ticket from the Web Ticket service URL, and to get a web ticket it needs a token from the Modern Auth provider, but we know that the client has already done these steps earlier. So it already has a web ticket from the web services URL. The client needs to submit this same web ticket to the cert provisioning service, and once submitted, the web ticket serves as proof of authentication. <BR /> <BR /> The client learns about this by first sending a MEX request to the cert provisioning URL. You can see that in the trace below. <BR /> <BR /> <IMG alt="clip_image022" border="0" height="744" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115371i5CF7BABCBF71D872" title="clip_image022" width="1300" /> <BR /> <BR /> The client then submits the web ticket that it received previously to the cert provisioning URL it received above, after which it receives a 200 OK containing the certificate. <BR /> <BR /> <IMG alt="clip_image023" border="0" height="736" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115372iA731B73085CBE65B" title="clip_image023" width="1287" /> <BR /> <BR /> The client then submits this certificate back to the pool and receives a 200 OK in response. The sign-in is then complete. <BR /> <BR /> <IMG alt="clip_image024" border="0" height="506" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115373iE7449F3063D88DAB" title="clip_image024" width="1285" /> <BR /> <BR /> <IMG alt="clip_image025" border="0" height="569" src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/115374iB2811F4CD6AF225F" title="clip_image025" width="1284" /> <BR /> <BR /> The sign-in is now complete. </BODY></HTML> Tue, 21 May 2019 00:44:45 GMT https://gorovian.000webhostapp.com/?exam=t5/skype-for-business-blog/sfb-online-client-sign-in-and-authentication-deep-dive-part-5/ba-p/621317 Mohammed Anas Shaikh 2019-05-21T00:44:45Z