
Now that I have outlined the building blocks of a Lync infrastructure, there are three more topics to understand if we want to have a working infrastructure:

  • Firewall rules required to allow communications for Lync clients, Lync servers and for the aforementioned non-Lync servers with additional services we need
  • DNS settings to make Lync services available both on the internal network and from the Internet
  • Structure of the certificates. Lync is secure by design and digital certificates are mandatory for every Lync 2013 infrastructure

Firewall Rules Required for Lync Server 2013

 

A deep dive into firewall rules for Lync Server 2013 should include the TechNet article Port Requirements (http://technet.microsoft.com/en-us/library/gg398798.aspx) and the Lync 2013 Protocol Workloads poster (http://www.microsoft.com/en-us/download/details.aspx?id=39968), for example to check the requirements for the different scenarios. However, to make the topic easier to understand, I have tried to build an explanation based on some assumptions.

  • The first assumption I will make here is that your network has a segregated DMZ to make services available to the Internet in a secure manner. A couple of the possible solutions for such a deployment are:
      • Using two firewalls. Note: usually the technology used for the firewalls is not important. However, if a SIP trunk is required in our scenario, it is important to have a SIP Application-level gateway (ALG).
      • A three-legged firewall that will create a logical demilitarized zone

There is no difference in the result, from the functionality point of view, between the first option and the second one. A single firewall would imply a single point of failure and a higher security risk, because a single Internet-connected device will be exposed both on the DMZ and on the internal network. Having two different firewalls, a front (FW2) and a back firewall (FW1), as shown in figure 6.7, is more secure, especially if we use two different platforms or solutions for security. In that scenario, an exploitable security vulnerability in a single technology will not affect the second firewall.

Figure 6.7 layout including only firewalls and networks that will have an impact on our Lync deployment

  • The second assumption will be that we will not deploy High Availability or load balancing systems (including Enterprise Edition pools of Lync Front Ends). Although you may require them in a real-world design, they add a configuration overhead that will not help understanding the fundamentals of Lync Server 2013 network traffic requirements
  • The third assumption is that we will use NAT every time that a public IP is required. Exposing directly a server to the Internet usually is not the best security solution available
  • The fourth assumption is that the Edge Server will use three addresses on the “external” network interface card to expose services to the Internet. The addresses are the ones we have already seen:

(Image: Edge_IPs, the three external IPs of the Edge Server: Access, Webconf and AV)

  • Last assumption: no integration or connection with Office Communications Server 2007 deployments or clients is required

We will have to grant the following types of network traffic:

6.1 From servers in the DMZ to servers in the internal network

6.2 From servers in the DMZ to the external network

6.3 From the external network to servers in the DMZ

6.4 From servers in internal network to servers in DMZ

6.5 Network traffic related to Lync clients in the internal network

Note: point 6.5 of the list is relevant only if you have firewalls (or end-point firewalls) separating the networks containing the Lync clients from the Lync servers.


6.1 Network Traffic from Servers in the DMZ to Servers in the Internal Network

 

On the Back-End firewall, FW1, for traffic starting from the reverse proxy, the following ports will be required:

Reverse proxy Rules on Back-End firewall (FW1)

| Source Interface | Protocol | Source Port | Destination Port | Destination | Service |
|---|---|---|---|---|---|
| Internal NIC of the reverse proxy | TCP (HTTPS) | Any | 4443 | Lync Front End | Web Services on the Lync Front End |
| Internal NIC of the reverse proxy | TCP (HTTPS) | Any | 443 | Office Web Apps Server | PowerPoint presentation sharing |

 

On the Back-End firewall, FW1, for traffic starting from the Edge Server, the following ports will be required:

Lync Edge Server Rules on Back-End firewall (FW1)

| Source Interface | Protocol | Source Port | Destination Port | Destination | Service |
|---|---|---|---|---|---|
| Internal NIC of the Edge | TCP (SIP/MTLS) | Any | 5061 | Lync Front End | Inbound SIP traffic |

6.2 Network Traffic from Servers in the DMZ to the External Network

 

On the Front firewall, FW2, from the Edge Server, the following ports will be required. It is helpful to recall the fourth assumption: we have three different IPs on the external network interface of the Lync Edge Server: Access, Webconf and AV. The firewall rules for network traffic between the Edge and the external network will have to reference one of the three IPs, as shown in the following table.

Lync Edge Server Rules on Front-End firewall (FW2)

| Source Interface | Protocol | Source Port | Destination Port | Destination | Service |
|---|---|---|---|---|---|
| External NIC of the Edge (Access IP) | TCP (XMPP) | Any | 5269 | To federated XMPP partners | Standard server-to-server communication port for XMPP |
| External NIC of the Edge (Access IP) | TCP (SIP/MTLS) | Any | 5061 | Federation Services and Partners | Lync and Skype Federation using SIP |
| External NIC of the Edge (AV IP) | UDP (Stun/Turn) | Any | 3478 | Any | Stun/Turn negotiation for candidates |
| External NIC of the Edge (AV IP) | TCP (Stun/Turn) | Any | 443 | Any | Stun/Turn negotiation for candidates |

 


6.3 Network Traffic from the External Network to Servers in the DMZ

 

On the Front firewall, FW2, for traffic from the external network to the reverse proxy, the following ports will be required:

To the reverse proxy from the external network on Front-End firewall (FW2)

| Source Interface | Protocol | Source Port | Destination Port | Destination | Service |
|---|---|---|---|---|---|
| Any | TCP (HTTPS) | Any | 443 | Reverse proxy external network interface | Access to the web services on the Lync Front End |

 

On the Front-End firewall, FW2, for traffic from the external network to the Edge Server, the following ports will be required:

To the Lync Edge from the external network on Front-End firewall (FW2)

| Source Interface | Protocol | Source Port | Destination Port | Destination | Service |
|---|---|---|---|---|---|
| Any | TCP (SIP/TLS) | Any | 443 | External NIC of the Edge (Webconf IP) | Web Conferencing Media |
| Any | TCP (SIP/TLS) | Any | 443 | External NIC of the Edge (Access IP) | Client-to-server SIP traffic for external user access |
| Federated XMPP partners | TCP (XMPP) | Any | 5269 | External NIC of the Edge (Access IP) | Standard server-to-server communication port for XMPP |
| Federation Services and Partners | TCP (SIP/MTLS) | Any | 5061 | External NIC of the Edge (Access IP) | Lync and Skype Federation using SIP |
| Any | UDP (Stun/Turn) | Any | 3478 | External NIC of the Edge (AV IP) | Stun/Turn negotiation for candidates |
| Any | TCP (Stun/Turn) | Any | 443 | External NIC of the Edge (AV IP) | Stun/Turn negotiation for candidates |

 


6.4 Network Traffic from Servers in the Internal Network to Servers in the DMZ

 

On the Back-End firewall, FW1, for traffic starting from the internal network, the following ports will be required:

To the Lync Edge from the internal network on Back-End firewall (FW1)

| Source Interface | Protocol | Source Port | Destination Port | Destination | Service |
|---|---|---|---|---|---|
| Lync Front End | TCP (XMPP/MTLS) | Any | 23456 | Internal NIC of the Edge | Outbound XMPP traffic |
| Lync Front End | TCP (SIP/MTLS) | Any | 5061 | Internal NIC of the Edge | Outbound SIP traffic |
| Lync Front End | TCP (PSOM/MTLS) | Any | 8057 | Internal NIC of the Edge | Web conferencing traffic |
| Lync Front End | TCP (SIP/MTLS) | Any | 5062 | Internal NIC of the Edge | Authentication of A/V users |
| Lync Front End | TCP (HTTPS) | Any | 4443 | Internal NIC of the Edge | Replication of CMS on the Lync Edge |
| Lync Front End | TCP (Stun/Turn) | Any | 443 | Internal NIC of the Edge | Stun/Turn negotiation for candidates |
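As an added example (not part of the original chapter), the following Python script, run on the Front End, probes each port from the table above toward the Edge internal NIC, so a missing FW1 rule shows up as a blocked port. The Edge address 10.0.1.10 is a constructed placeholder, and the connect parameter lets the check be exercised without network access.

```python
"""Verify that the back-end firewall (FW1) lets the Lync Front End reach the
Edge internal NIC on the ports listed in section 6.4.

Added example, not code from the original chapter. EDGE_INTERNAL_IP is a
constructed placeholder; replace it with your Edge internal NIC address.
"""
import socket
from typing import Callable, Dict, List, Tuple

# Rules from the 6.4 table: (destination port, protocol, service)
FW1_FRONTEND_TO_EDGE: List[Tuple[int, str, str]] = [
    (23456, "TCP (XMPP/MTLS)", "Outbound XMPP traffic"),
    (5061, "TCP (SIP/MTLS)", "Outbound SIP traffic"),
    (8057, "TCP (PSOM/MTLS)", "Web conferencing traffic"),
    (5062, "TCP (SIP/MTLS)", "Authentication of A/V users"),
    (4443, "TCP (HTTPS)", "Replication of CMS on the Lync Edge"),
    (443, "TCP (Stun/Turn)", "Stun/Turn negotiation for candidates"),
]

EDGE_INTERNAL_IP = "10.0.1.10"  # constructed placeholder


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP three-way handshake completes.

    Only the handshake is tested; the socket is closed immediately, so this
    does not exercise MTLS or the Lync service behind the port.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_rules(host: str,
                rules: List[Tuple[int, str, str]] = FW1_FRONTEND_TO_EDGE,
                connect: Callable[[str, int], bool] = tcp_connect) -> Dict[int, bool]:
    """Probe every port in the rule table and map port -> reachable."""
    return {port: connect(host, port) for port, _proto, _svc in rules}


def missing_rules(results: Dict[int, bool],
                  rules: List[Tuple[int, str, str]] = FW1_FRONTEND_TO_EDGE) -> List[str]:
    """Describe the services whose port was not reachable: either the FW1 rule
    is missing or the Edge service is not listening on that port."""
    return [f"{port}/{proto}: {svc}" for port, proto, svc in rules
            if not results.get(port)]


if __name__ == "__main__":
    res = check_rules(EDGE_INTERNAL_IP)
    for port, ok in res.items():
        print(f"{port:>6}  {'open' if ok else 'BLOCKED'}")
    for line in missing_rules(res):
        print("missing:", line)
```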

 


6.5 Network Traffic Related to Lync Clients in the Internal Network

 

The following rules are required on any end-point firewall and on any internal firewall that controls traffic coming from the Lync clients on the internal network.

| From | To | Feature | Protocol | Port | Bidirectional | Note |
|---|---|---|---|---|---|---|
| Internal Client | Lync Front End | Presence and IM; AV and Web Conferencing; Application Sharing; Enterprise Voice | SIP/TLS | 5061 | | |
| Internal Client | Lync Front End | Presence and IM; AV and Web Conferencing | HTTPS | 443 | | |
| Internal Client | Lync Front End | Enterprise Voice | STUN/TCP | (not listed) | | |
| Internal Client | Lync Front End | AV and Web Conferencing; Application Sharing | SRTP/UDP | 49152-65535 | | |
| Internal Client | Lync Front End | AV and Web Conferencing | PSOM/TLS | 8057 | | |
| Internal Client | Lync Front End | Enterprise Voice | TURN/TCP | 448 | | |
| Internal Client | Lync Front End | Enterprise Voice | UDP | 3478 | | |
| Internal Client A | Internal Client B | AV and Web Conferencing; Application Sharing | SRTP/UDP | 1024-65535 | Yes | Peer to Peer Sessions |
| Internal Client | Lync Edge | AV and Web Conferencing; Application Sharing | STUN/TCP | 443 | | |
| Internal Client | Lync Edge | Enterprise Voice | TURN/TCP | (not listed) | | |
| Internal Client | Lync Edge | AV and Web Conferencing | UDP | 3478 | | |
| Internal Client | Exchange UM | Enterprise Voice | SRTP/RTCP | 60000-64000 | Yes | |
| Internal Client | Voice Gateway | Enterprise Voice | SRTP/RTCP | 30000-39999 | | With Media Bypass |
| Internal Client | Director | Presence and IM | SIP/TLS | 5061 | | |

 


Notes Related to the Firewall Rules Required for Lync Server 2013

 

Lync Server 2013 Edge Server requires DNS resolution and HTTP access to certificate revocation lists (CRLs). Depending on your network design, these services could be on the Internet or could be available through services on the internal network (such as a proxy). The following rules are to be adapted to your network layout:

 

Additional Lync Edge Server Rules on Front-End firewall (FW2) or on Back-End firewall (FW1)

| Source Interface | Protocol | Source Port | Destination Port | Destination | Service |
|---|---|---|---|---|---|
| External NIC of the Edge (Access IP) | TCP | Any | 53 | DNS servers for DMZ | DNS resolution |
| External NIC of the Edge (Access IP) | UDP | Any | 53 | DNS servers for DMZ | DNS resolution |
| External NIC of the Edge (Access IP) | TCP (HTTP) | Any | 80 | Depends on the HTTP navigation service available | CRL verifications |

 

Centralized Logging Service (a new feature in Lync Server 2013) requires additional ports on the back-end firewall (for more details see the TechNet article Using the Centralized Logging Service, http://technet.microsoft.com/en-us/library/jj688101.aspx).

Lync Edge Server Rules on Back-End firewall (FW1) for centralized logging

| Source Interface | Protocol | Source Port | Destination Port | Destination | Service |
|---|---|---|---|---|---|
| Centralized Logging Service | TCP (MTLS) | Any | 50001 | Internal NIC of the Edge | Centralized Logging Service |
| Centralized Logging Service | TCP (MTLS) | Any | 50002 | Internal NIC of the Edge | Centralized Logging Service |
| Centralized Logging Service | TCP (MTLS) | Any | 50003 | Internal NIC of the Edge | Centralized Logging Service |

 

Disclaimer: please consider the answer as an approximation that could miss some detail. I will try to make a more complete answer in a future post.

Ports required in Lync 2013 (must be reachable from your administrative workstation):

  • Ports LDAP (TCP 389) and msft-gc (TCP 3268) on a global catalog/domain controller are always required
  • For the Lync Server Control Panel (process is AdminUIHost.exe): HTTPS and TCP 49336 on the Lync server you are going to manage
  • For the Lync Server Management Shell (process is powershell.exe): TCP 49336 on the Lync server you are going to manage
  • For the Topology Builder to download the Lync topology (process is Microsoft.Rtc.Management.TopologyBuilder.exe): TCP 49336 on the Lync server hosting the CMS database
  • For the Topology Builder to publish the Lync topology (process is Microsoft.Rtc.Management.TopologyBuilder.exe): in addition to the aforementioned ports, Microsoft Directory Services TCP/UDP 445 to a Domain Controller and to the Lync server hosting the CMS database

 

Source: Part 2 of the draft: Chapter 6 DNS, Certificate and Firewall Requirements for Lync Server 2013 – Absolute U.C. (www.absoluteuc.org)
https://www.absoluteuc.org/part-2-draft-chapter-6-dns-certificate-firewall-requirements-lync-server-2013

http://www.cusoon.fr/sbc-and-sba-guide-ports/


User Replicator runs in the context of the Front-End Service, not as a separate service. It now writes to the SQL Express installation on each server (RTCLocal instance), and runs on every server in the pool. It runs on any server that has the registrar role installed.

What does User Replicator do?

User Replicator is responsible for ensuring that the Lync Server or Skype for Business Server database and Active Directory are synchronized. What this means is that any time a user object or contact object is created or modified in Active Directory, it is User Replicator’s responsibility to ensure that the changes are propagated to the database. To accomplish this, User Replicator first performs a Full Sync (or Initial Sync) and then subscribes to a Delta Sync (incremental changes) using DirSync.

 

What settings in User Replicator are configurable?

With Lync Server 2010 we introduced Set-CsUserReplicatorConfiguration to allow an organization to control the User Replicator. Here we discuss the different switches.

ReplicationCycleInterval - Since User Replicator only tracks delta changes from Active Directory (AD), using a smaller replication interval, such as 5 minutes, ensures that Distribution List Expansion (DL Expansion) and Address Book Web Query (ABWQ) provide accurate information. It also allows users to be created in Active Directory and be provisioned in Lync or Skype for Business within minutes. It is to be noted that since we only subscribe to delta changes, the load on a domain controller is negligible.

ADDomainNamingContextList - Specifies the domains that may have user objects and contact objects that need to be synchronized. When this is not set, User Replicator will try to locate all the different domains and perform replication. ADDomainNamingContextList can be used to exclude, say, an empty root domain, or a domain that is used only to store computer accounts.

SkipFirstSyncAllowedDowntime - This was introduced only in Skype for Business Server 2015. It sets the Front-End Service (RTCSrv) from pending to started, even though the initial sync has not been completed.

DomainControllerList - This was introduced only in Skype for Business Server 2015, and allows you to specify a list of domain controllers; however, we suggest leaving this at the default. I will explain why in a little bit.

 

Can I control which DCs User Replicator connects to in order to perform synchronization?

In Skype for Business Server 2015 (not in previous versions), while it is configurable, it is not recommended, because User Replicator uses a Windows API called DsGetDcName to connect to a domain controller. The response of the DsGetDcName API really depends on how your Active Directory administrator has configured AD Sites and Services in your organization. The response is either (i) an in-site domain controller or (ii) an out-of-site domain controller.

It is to be noted that the definition of Site here is an AD Site, which is defined by a list of subnets and should typically be a representation of your physical site.

To know which site your Lync / Skype for Business Server belongs to, all you need to do is run nltest.exe /DSGetSite from a command prompt. If the server is not associated with a site, chances are User Replicator will connect to a less than optimal domain controller for both the initial sync and delta syncs.

If AD Sites are configured correctly, either an in-site domain controller (if one exists) is chosen, or an out-of-site one with the lowest cost (based on the cost configured in AD Sites and Services). If the Lync or Skype for Business Server is not a member of any AD site, then it will connect to a random domain controller, which may not even be in the same continent.

How long does the initial replication cycle typically take?

There are a number of variables that affect the length of the initial cycle, chief among them the number of objects (user objects and contact objects combined) being synchronized, the domain controller that was chosen, the available bandwidth and the load on the domain controller. Assuming minimum spec hardware or better and no serious network latency/bandwidth issues, an initial cycle with 100,000 objects will take about 30 minutes. In contrast, an SBA server can be in a remote location with limited bandwidth and potentially no in-site domain controller; in such a case the initial sync can take considerably longer.

Example #1:
An SBA server did not exist in any AD Site, and this caused the User Replicator initial sync to connect to a domain controller in a different continent with poor network connectivity, eventually taking well over 6 hours to synchronize and leaving the Front-End Service in Starting mode for 6+ hours. A simple AD Site configuration change caused the service to start in ~45 minutes when the initial sync was interrupted and the service was restarted. With Skype for Business Server 2015, the SkipFirstSyncAllowedDowntime parameter for Set-CsUserReplicatorConfiguration would have been useful. This is one of the many reasons why we recommend not configuring the DomainControllerList parameter using Set-CsUserReplicatorConfiguration.

Example #2:
In a particular case that I handled several months ago, we found that AD replication between sites was configured to occur only between 06:00 PM and 06:00 AM in 30 minute intervals. This caused users in one site to be able to communicate with a new hire almost immediately, while it took several hours (up to 12 hours) for users in another site to see the newly created user. Once the AD replication interval was set to replicate in 30 minute intervals round the clock, a newly created user was accessible in ~30+ minutes from both sites.

 

https://blogs.technet.microsoft.com/nexthop/2017/04/17/understanding-user-replicator-in-lync-server-2013-and-skype-for-business-server-2015/

 

Set-CsUserReplicatorConfiguration

https://docs.microsoft.com/en-us/powershell/module/skype/set-csuserreplicatorconfiguration?view=skype-ps

User Replicator
https://blogs.technet.microsoft.com/toml/2005/05/09/lcs-2005-user-replicator-faq/

Let us understand the security groups in Lync Server 2010.

Security groups are created during Forest Preparation during the first installation of Lync Server 2010:

 

Service Groups:

  1. RTCHSUniversalServices – Service accounts used to start/run the Front-End Server; allows servers read/write access to Lync global settings and Active Directory user objects
  2. RTCComponentUniversalServices – Service accounts used to run conferencing servers, web services, Mediation Server, Archiving Server and Monitoring Server
  3. RTCProxyUniversalServices – Service accounts used to run Edge Servers

Administration Groups:

  1. RTCUniversalServerAdmins – Manage server and pool settings
  2. RTCUniversalUserAdmins – Manage user settings and move users from one server or pool to another
  3. RTCUniversalReadOnlyAdmins – Only allows read permissions on server, pool and user settings

Infrastructure Groups:

  1. RTCUniversalGlobalWriteGroup – Grants write access to global settings objects
  2. RTCUniversalGlobalReadOnlyGroup – Permits read-only access to global settings objects
  3. RTCUniversalUserReadOnlyGroup – Permits read-only access to user settings
  4. RTCUniversalServerReadOnlyGroup – Permits read-only access to the individual settings of a Lync Server; however, it does not have access to pool level settings

RBAC Groups:

  1. CSAdministrator – Highest level of Lync Server administration account; allows administrative tasks, modifying settings, creating and assigning user roles, and adding new sites, pools and services
  2. CSArchivingAdministrator – Modify archiving configuration and policies
  3. CSBranchOfficeTechnician – Manage Survivable Branch Appliances*
  4. CSHelpDesk – Read-only rights on user properties and policies
  5. CSLocationAdministrator – Lowest level of rights for Enhanced 9-1-1 (E9-1-1) management, including creating E9-1-1 locations and network identifiers, and associating these with each other
  6. CSResponseGroupAdministrator – Manage configuration for the Response Group application within a specific site
  7. CSRoleAdministrator – Manage and assign roles to users*
  8. CSServerAdministrator – Manage, monitor, and troubleshoot servers and services. Has rights to prevent new connections to servers, stop and start services, and apply software updates
  9. CSUserAdministrator – Enable, disable, and move users (between servers/pools) and assign existing policies to users
  10. CSViewOnlyAdministrator – Read-only access to configuration at server, pool, and user level
  11. CSVoiceAdministrator – Create, configure, and manage voice-related settings and policies

Reference: https://jamesosw.wordpress.com/2011/07/24/access-denied-rba/


In my previous article we discussed the detailed call flow when a Skype for Business desktop client tries to sign in.

It is time to move to the troubleshooting phase, where we discuss a step-by-step approach, collecting the required logs and using different tools that can help identify the cause of the issue.

A typical sign-in issue is that users are not able to sign in and get one of the errors below:

And many other errors, depending on what is causing the issue:

Depending on the error, the cause could be in one of the following areas:

  1. SFB Client or Computer issues
  2. Authentication or provisioning issues
  3. Network/Connectivity related issues
  4. Server related issues

 

Troubleshooting, Step by Step Approach:

The approach below can help us isolate the cause of the issue in a systematic manner.

1 : Verify if Server discovery is succeeding or not:

Manual vs Automatic Sign in

A simpler way to identify whether DNS records are the problem is to test manual sign-in against automatic sign-in. To do that, we can edit the Advanced settings and manually provide the Skype for Business server/pool name, as below:

Skype for Business Client Settings -> Tools -> Personal -> Advanced

For Manual Sign in, provide the Skype for Business Pool name or Server name and the Port number manually in Internal or External Server name Box (depending on whether we are testing internal Sign in or External Remote Connectivity)

Internal Server Name : Front End Pool name & Port

External Server Name : External Access Edge FQDN & Port

If manual sign-in works, we know that the client is able to sign in when it connects directly to the server/pool using the manual settings; it is just automatic sign-in that is not functional, meaning the client is not able to determine where to connect to sign in.

For automatic sign-in to work, certain DNS records (refer to the Server Discovery step in the previous article) need to be configured so that the client can make a DNS query and get the pool information.

Skype for Business Client Log

Since we know from the step above that automatic sign-in is failing, we can look at the client logs to see which DNS queries it made and whether it was able to resolve the DNS records.

If logging is enabled on the client, we can open the client-side log ‘Lync-UccApi.Uccapilog’ located in “C:\Users\Mouli\AppData\Local\Microsoft\Office\1X.0\Lync\Tracing” with Notepad or any editor. Below are sample log lines where the client queries DNS for:

Lyncdiscover Records:

SRV Records:

09/12/2016|19:30:07.502 1098:E10 INFO :: QueryDNSSrv - DNS Name[_sipinternaltls._tcp.contoso.com]
09/12/2016|19:30:07.502 1098:E10 INFO :: QueryDNSSrv - DNS Name[_sip._tls.contoso.com]
09/12/2016|19:30:07.502 1098:112C TRACE :: SIP_MSG_PROCESSOR::OnDnsResolutionComplete[0D2F4C30] Entered host lync2010-se.contoso.com
09/12/2016|19:30:07.502 1098:112C TRACE :: SIP_MSG_PROCESSOR::OnDnsResolutionComplete get DNS result server: lync2010-se.contoso.com IP: 192.168.2.50:5061

Host A Records:

09/12/2016|19:34:00.56 1064 ERROR ResolveHostNameUsingGetAddrInfo - getaddrinfo(sipinternal.contoso.com)
09/12/2016|19:34:00.567 1064 ERROR :: ResolveHostNameUsingGetAddrInfo - getaddrinfo(sip.contoso.com)
09/12/2016|19:34:00.567 1064 ERROR :: ResolveHostNameUsingGetAddrInfo - getaddrinfo(sipexternal.contoso.com)
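An added example, not from the original article: a small Python parser that summarises the DNS server-discovery attempts found in a UccApi trace, so the SRV and A-record outcome can be read off instead of searched by hand. The sample lines are constructed from the snippets above; one sample shows a successful SRV lookup, the other a failed A-record fallback.

```python
"""Summarise the DNS server-discovery attempts recorded in a Skype for
Business / Lync client trace (Lync-UccApi-*.UccApilog).

Added example, not from the original article. The sample lines below are
constructed from the snippets shown in the text; the layout of real traces
may vary, so adjust the regular expressions if a line does not match.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

SRV_QUERY = re.compile(r"QueryDNSSrv - DNS Name\[([^\]]+)\]")
SRV_RESULT = re.compile(r"OnDnsResolutionComplete get DNS result server: (\S+) IP: (\S+)")
A_FAILURE = re.compile(r"ERROR.*getaddrinfo\(([^)]+)\)")


@dataclass
class DiscoverySummary:
    srv_queried: List[str] = field(default_factory=list)
    srv_resolved: List[Tuple[str, str]] = field(default_factory=list)  # (server, ip:port)
    a_failed: List[str] = field(default_factory=list)

    def verdict(self) -> str:
        """One-line diagnosis in the order the client tries: SRV first,
        then A-record fallback."""
        if self.srv_resolved:
            server, endpoint = self.srv_resolved[0]
            return f"discovery OK: SRV pointed the client at {server} ({endpoint})"
        if self.a_failed:
            return ("discovery FAILED: no SRV answer and A-record fallback failed for "
                    + ", ".join(self.a_failed)
                    + "; check the DNS records or test manual sign-in")
        if self.srv_queried:
            return "SRV queries sent but no result logged; trace may be truncated"
        return "no DNS discovery activity found in trace"


def parse_trace(text: str) -> DiscoverySummary:
    """Walk the trace line by line and collect SRV queries, SRV results and
    failed A-record lookups."""
    summary = DiscoverySummary()
    for line in text.splitlines():
        m = SRV_QUERY.search(line)
        if m:
            summary.srv_queried.append(m.group(1))
            continue
        m = SRV_RESULT.search(line)
        if m:
            summary.srv_resolved.append((m.group(1), m.group(2)))
            continue
        m = A_FAILURE.search(line)
        if m:
            summary.a_failed.append(m.group(1))
    return summary


# Constructed sample: SRV lookup succeeds (same shape as the SRV snippet above).
SAMPLE_SRV_OK = """\
09/12/2016|19:30:07.502 1098:E10 INFO :: QueryDNSSrv - DNS Name[_sipinternaltls._tcp.contoso.com]
09/12/2016|19:30:07.502 1098:E10 INFO :: QueryDNSSrv - DNS Name[_sip._tls.contoso.com]
09/12/2016|19:30:07.502 1098:112C TRACE :: SIP_MSG_PROCESSOR::OnDnsResolutionComplete[0D2F4C30] Entered host lync2010-se.contoso.com
09/12/2016|19:30:07.502 1098:112C TRACE :: SIP_MSG_PROCESSOR::OnDnsResolutionComplete get DNS result server: lync2010-se.contoso.com IP: 192.168.2.50:5061
"""

# Constructed sample: no SRV answer, the fallback A lookups all fail.
SAMPLE_A_FAIL = """\
09/12/2016|19:34:00.560 1064 INFO :: QueryDNSSrv - DNS Name[_sipinternaltls._tcp.contoso.com]
09/12/2016|19:34:00.56 1064 ERROR ResolveHostNameUsingGetAddrInfo - getaddrinfo(sipinternal.contoso.com)
09/12/2016|19:34:00.567 1064 ERROR :: ResolveHostNameUsingGetAddrInfo - getaddrinfo(sip.contoso.com)
09/12/2016|19:34:00.567 1064 ERROR :: ResolveHostNameUsingGetAddrInfo - getaddrinfo(sipexternal.contoso.com)
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SRV_OK, SAMPLE_A_FAIL):
        print(parse_trace(sample).verdict())
```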

Nslookup Tool:

We can also use the Windows built-in tool nslookup to check DNS resolution:

Nslookup Lyncdiscover.contoso.com [for an SRV record we need to run ‘set type=SRV’ first]

From the check above we will know whether the DNS records exist; based on that we can configure the DNS records to fix the issue.

Host File Entries:

Sometimes, even if the DNS record is resolvable, automatic sign-in may still fail, because the DNS record may be pointing to a load balancer, reverse proxy, firewall or a different Skype for Business pool that is having issues.

In such a situation, we can use hosts file entries (admin rights are needed) to override DNS, point the user directly at the Front End or Edge Server IP address and test. Hosts file entries override DNS queries, i.e. the client prefers hosts file entries over the DNS query response.

By default, the hosts file is located in “C:\Windows\System32\drivers\etc”

At the end of this stage we will know whether the issue is specific to the user's home server/pool or whether it is with a different pool and due to a redirection failure; based on the outcome we should take the necessary actions to fix the issue.

2 : Verify if Network Connectivity is succeeding or not:

Now that we have confirmed that DNS is not the problem, or have taken steps to fix the DNS issue, if sign-in is still failing the next thing to check is whether the client is able to make a network connection to the Skype for Business server and whether it was able to establish a TLS session successfully.

We can use Telnet or the Port Query tool (needs to be installed) to check whether the required ports are open and whether the client is able to make a successful connection (if telnet is successful, you will see a blank window in the command prompt):

Telnet Sip.contoso.com 443

If telnet or Port Query is blocked on the firewall (due to security restrictions), we can collect a network trace from the client to see whether the connectivity check is succeeding.

If the client is able to connect, we should see the TCP three-way handshake (SYN -> SYN/ACK -> ACK); if not, we will see retransmits, where the client is trying to connect over the required port and failing.

Based on the outcome, we can proceed further or work with the security team to get the required ports opened so the client can connect to the server.

Other than the basic connectivity check above, for the client to be able to connect to the Skype for Business server a TLS check is necessary. After a successful port connectivity check the client will try to establish a secure TLS connection; for this to work, below are some of the things to consider:

The client should trust the certificate issued to the server (the client should have the root/intermediate certificates installed)

The FQDN/URL that we are trying to access should be part of the certificate SAN on the server we are connecting to

The required TLS protocol and TLS cipher suites should be allowed by the firewall (if any)
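To turn the three points above into a repeatable check, here is an added Python example (not from the original article) that connects to the pool or Access Edge, classifies a failed handshake as a chain-trust problem or a protocol/cipher problem, and then checks the SAN itself, applying the rule that a wildcard only covers one label. sip.contoso.com:443 is a placeholder, as in the telnet test above.

```python
"""Check the TLS part of sign-in: does a TLS handshake complete to the pool or
Access Edge, is the chain trusted by this client, and does the certificate's
SAN cover the name the client is connecting to.

Added example, not from the original article. HOST/PORT are constructed
placeholders (sip.contoso.com:443, the same target as the telnet test).
"""
import socket
import ssl
from typing import Iterable, Tuple

HOST = "sip.contoso.com"   # placeholder: Access Edge FQDN or pool FQDN
PORT = 443


def san_covers(fqdn: str, san_names: Iterable[str]) -> bool:
    """Return True if fqdn is listed in the SAN dNSName entries.

    A wildcard entry only replaces the left-most label: *.contoso.com covers
    sip.contoso.com but neither a.b.contoso.com nor contoso.com itself.
    """
    fqdn = fqdn.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == fqdn:
            return True
        if name.startswith("*.") and "." in fqdn:
            if fqdn.split(".", 1)[1] == name[2:]:
                return True
    return False


def check_tls(host: str = HOST, port: int = PORT, timeout: float = 5.0) -> Tuple[str, str]:
    """Return (status, detail); status is one of:
    'tcp-failed'      no TCP connection (firewall / wrong port, see step 2)
    'untrusted-chain' handshake failed at chain validation (root/intermediate
                      certificate missing on the client)
    'tls-failed'      handshake failed for another reason (protocol / cipher)
    'san-mismatch'    chain trusted but the host name is not in the SAN
    'ok'              everything passed
    """
    ctx = ssl.create_default_context()
    # Chain validation stays on (CERT_REQUIRED); only the host-name check is
    # switched off so the SAN result can be reported as its own finding.
    ctx.check_hostname = False
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as e:
        return "tcp-failed", str(e)
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
            if not san_covers(host, sans):
                return "san-mismatch", f"SAN has {sans}"
            return "ok", f"{tls.version()} {tls.cipher()[0]}, SAN matched"
    except ssl.SSLCertVerificationError as e:
        return "untrusted-chain", e.verify_message
    except ssl.SSLError as e:
        return "tls-failed", str(e)
    finally:
        sock.close()


if __name__ == "__main__":
    print(check_tls())
```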

3 : Check for Authentication or Server-side Failures:

If we have passed the above steps, we should see a SIP REGISTER request being sent by the client to initiate the sign-in process. This is another trick to identify whether all the above checks succeeded: open the UCCAPI logs using the Snooper tool; if we see any REGISTER messages being sent, the client has completed all the previous steps, because it sends SIP requests only after them.

Using the Snooper tool (needs to be installed) we can open the Skype for Business client-side logs located in "C:\Users\Mouli\AppData\Local\Microsoft\Office\1X.0\Lync\Tracing" to see what's happening at the application level.

Depending on the cause, sometimes the client logs reveal the exact cause of the issue (for example "Destination URI either not enabled for SIP or does not exist") and sometimes they give only a generic error (for example 500 Internal Server Error).

Once we see which server generated this error, we can look at the server-side logs to see what's going on. Some of the logs to look at on the server side are:

Lync Server event logs (for any server-side or user-specific error, if logged)

Security event logs (for any authentication failures, failure security audits)

Skype for Business CLS logs (for detailed information on what's happening at the SIP level)

Centralized Logging Service (CLS) logging is what we use to collect server-side logs while reproducing the issue. We can use CLSLogger or the CLS logging cmdlets to collect logs for the IMAndPresence scenario (SIPStack and UserServices components) to get detailed information on what happens when the server receives the REGISTER request from the Skype for Business client.

CLS Logging commands:

Start-CsClsLogging -Scenario "IMAndPresence" -Pools "SFB-SE.Contoso.com"

Stop-CsClsLogging -Scenario "IMAndPresence" -Pools "SFB-SE.Contoso.com"

Search-CsClsLogging -Pools "SFB-SE.Contoso.com" -Computers "SFB-SE.Contoso.com" -Components "SIPStack,UserServices" -StartTime "10/14/2016 6:09:51 PM" -EndTime "10/14/2016 6:14:51 PM" -LogLevel "All" -MatchAll -OutputFilePath "C:\Logs\SFBLog.txt"

4 : Troubleshooting Tools:

Fiddler Tool

If we suspect that users are not able to connect to HTTPS services such as Lyncdiscover or the Certificate Provisioning web service, we can collect a Fiddler trace from the client machine while signing in to see the client-side requests and responses.

Network Monitor

If we suspect a network connectivity or TLS session establishment issue, we can use the Network Monitor tool to collect a network capture. Sometimes a simultaneous capture from client and server helps identify whether a firewall in between is blocking the packets.

Snooper Tool

To view client-side UCCAPI logs or server-side CLS logs, we can use the Snooper tool to see SIP requests and responses.

Hope the above information helps, happy troubleshooting!

https://blogs.technet.microsoft.com/praj/2016/10/14/troubleshooting-skype-for-business-client-sign-in-issues/

Skype for Business desktop client sign-in issues are one of the most common scenarios for helpdesk, admins or support folks working in the messaging or unified communications field. While there are lots of awesome blogs right from the OCS days explaining the client sign-in call flow, troubleshooting, log analysis, etc., I always used to prefer my OneNote page, created by taking bits and pieces from different places, that covers all these details. I thought sharing the info here might help in getting all the details in one go.

Before entering the troubleshooting phase, one should first understand the Skype for Business client sign-in process flow, to identify what is expected and act accordingly. In this article we will focus mainly on the call flow when the Skype for Business desktop client logs in.

For simplicity, we can divide the entire Skype for Business client sign-in process into the 5 steps below:

  1. Server Discovery
  2. Connectivity Checks
  3. Authentication
  4. Optional Redirection
  5. Retrieve Settings and Policies

1 : Server Discovery

The Skype for Business client is hardcoded to query certain DNS records to locate the Skype for Business server information required for automatic client sign-in. Below is the list of DNS records the client queries, in order, for server discovery.

Lyncdiscover Records

Lyncdiscoverinternal.contoso.com

Lyncdiscover.contoso.com

SRV Records

_sipinternaltls._tcp.contoso.com

_sip._tls.contoso.com

DNS A Records

Sip.domain.com

Sipinternal.domain.com

Sipexternal.domain.com

At the end of this step, if the DNS records are configured, the Skype for Business client will have the FQDN/IP address and port combination of the Skype for Business server it can reach to log in.
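The same discovery order, as an added PowerShell example (not code from the original post): it walks the three record groups above for one SIP domain and reports the first usable hit. It assumes Resolve-DnsName (DnsClient module, Windows 8/2012 or later), HTTPS/443 for the Lyncdiscover web service, and the standard SIP/TLS port 5061 for the plain A-record fallback; the domain in the usage line is a placeholder.

```powershell
# Added example, not part of the original post. Assumptions: Resolve-DnsName is
# available, Lyncdiscover answers on 443 and the A-record fallback uses 5061.
function Find-SfBServer {
    param([Parameter(Mandatory)][string]$SipDomain)

    $result = [ordered]@{ Method = $null; QueriedName = $null; Target = $null; Port = $null }

    # 1. Lyncdiscover records: autodiscover web service, internal name first
    foreach ($name in "lyncdiscoverinternal.$SipDomain", "lyncdiscover.$SipDomain") {
        $rec = Resolve-DnsName -Name $name -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -in 'A', 'AAAA' } | Select-Object -First 1
        if ($rec) {
            $result.Method = 'Lyncdiscover'; $result.QueriedName = $name
            $result.Target = $name;          $result.Port = 443
            return [pscustomobject]$result
        }
    }

    # 2. SRV records: lowest Priority wins, then highest Weight
    foreach ($name in "_sipinternaltls._tcp.$SipDomain", "_sip._tls.$SipDomain") {
        $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' } |
               Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
               Select-Object -First 1
        if ($srv) {
            $result.Method = 'SRV';            $result.QueriedName = $name
            $result.Target = $srv.NameTarget;  $result.Port = $srv.Port
            return [pscustomobject]$result
        }
    }

    # 3. Plain host A records as the last fallback
    foreach ($name in "sip.$SipDomain", "sipinternal.$SipDomain", "sipexternal.$SipDomain") {
        $rec = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
        if ($rec) {
            $result.Method = 'A';             $result.QueriedName = $name
            $result.Target = $rec.IPAddress;  $result.Port = 5061
            return [pscustomobject]$result
        }
    }

    return $null   # nothing resolved: automatic sign-in cannot proceed
}

# Usage with a placeholder domain; compare the output with the records expected for your deployment
Find-SfBServer -SipDomain 'contoso.com' | Format-List
```

A $null result with a client that still signs in usually means the client is using a manual server configuration rather than automatic discovery.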

2 : Connectivity Checks

Once the Skype for Business client has identified the server information, it performs network connectivity checks to see if it can reach the server on the identified IP address and port combination, and it also verifies that it can establish a secure TLS connection to the FQDN it obtained in the first step.

Port Connectivity Checks

The client attempts a network connectivity check to see if it can reach the server on the required port.

In networking terms this is the TCP 3-way handshake [SYN – SYN/ACK – ACK].

TLS connectivity Checks

The client attempts to check whether it can establish a secure connection with the server.

Here the client basically checks whether the certificate presented by the server is trusted on the client or not; this step also includes cipher selection.

For the client to trust the presented certificate, it must have the root CA certificate of the certification authority that issued the server's certificate in its Trusted Root Certification Authorities store.
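Both connectivity checks described here, and the three TLS points listed in the troubleshooting article's step 2 (trusted chain, FQDN in the SAN, negotiated protocol and cipher), as an added PowerShell example that is not code from the original posts. It assumes .NET's SslStream on Windows, port 5061 (SIP/TLS) and a 5 second timeout; the host name in the usage line is a placeholder.

```powershell
# Added example, not part of the original post. Assumptions: SslStream is
# available (Windows PowerShell), default port 5061, 5 s connect timeout.
function Test-SfBTlsConnection {
    param([Parameter(Mandatory)][string]$Fqdn, [int]$Port = 5061, [int]$TimeoutMs = 5000)

    $r = [ordered]@{ Fqdn = $Fqdn; Port = $Port; TcpConnected = $false; TlsEstablished = $false
                     Protocol = $null; Cipher = $null; Subject = $null; SanEntries = @()
                     FqdnInSan = $false; ChainTrusted = $false; NameMatches = $false; Error = $null }

    # The callback only records what .NET's validation found; it does not override trust.
    $onValidate = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $cert, $chain, $policyErrors)
        $r.ChainTrusted = -not $policyErrors.HasFlag([System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors)
        $r.NameMatches  = -not $policyErrors.HasFlag([System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch)
        return ($policyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
    }.GetNewClosure())

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        # Step 1: TCP 3-way handshake (SYN, SYN/ACK, ACK), bounded by a timeout
        $async = $tcp.BeginConnect($Fqdn, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "no TCP connection within $TimeoutMs ms (port blocked or host down)"
        }
        $tcp.EndConnect($async)
        $r.TcpConnected = $true

        # Step 2: TLS handshake; the name check uses the FQDN, so connect by name, not IP
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $onValidate)
        $ssl.AuthenticateAsClient($Fqdn)
        $r.TlsEstablished = $true
        $r.Protocol = $ssl.SslProtocol
        $r.Cipher   = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.Subject = $cert.Subject
        # Subject Alternative Name extension (OID 2.5.29.17) formats as "DNS Name=a, DNS Name=b"
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            $r.SanEntries = @($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[1].Trim() })
            $r.FqdnInSan  = $r.SanEntries -contains $Fqdn    # -contains compares case-insensitively
        }
        $ssl.Dispose()
    } catch {
        $r.Error = $_.Exception.Message    # TCP timeout, reset, or TLS validation failure
    } finally {
        $tcp.Close()
    }
    return [pscustomobject]$r
}

# Usage with a placeholder name; TcpConnected=$true with TlsEstablished=$false points at trust or SAN
Test-SfBTlsConnection -Fqdn 'sip.contoso.com' -Port 5061 | Format-List
```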

3 : Authentication

This is the step where the client actually interacts with the Skype for Business server using the SIP protocol and authenticates itself. The overall process involves the client learning the set of authentication mechanisms supported by the Skype for Business Registrar servers, selecting an appropriate authentication method and getting authenticated.

First, the client sends an unauthenticated REGISTER request to the Skype for Business server.

In response to this REGISTER request, the Skype for Business server sends the list of available authentication mechanisms in a 401 Unauthorized response.

The client then selects one of the authentication methods and gets authenticated (depending on whether it is signing in internally or externally, and whether this is a first-time or a subsequent sign-in). By default, the Skype for Business Registrar configuration has the following 3 authentication methods enabled: Kerberos, NTLM and TLS-DSK.

If the client is signing in internally, all 3 authentication methods listed above [Kerberos/NTLM/TLS-DSK] are available.

If the client is signing in externally, only 2 authentication methods are available [NTLM/TLS-DSK].

If client uses Kerberos authentication

This is the default method the client uses internally during first-time sign-in, i.e. when it doesn't yet have a user certificate to sign in with TLS-DSK.

The client reaches out to an AD server and obtains an authentication ticket (Kerberos ticket) for accessing the service on the Skype for Business server. Once it has the Kerberos ticket, it submits it to the server in the next REGISTER request, and the server authenticates and signs in the user. (In the Kerberos method there is an interaction between the client and the AD servers; this is the primary reason Kerberos authentication isn't available for remote sign-in.)

When using Kerberos, in the client-side logs we will see 2 REGISTER request/responses between the client and the Skype server.

If client uses NTLM Authentication

This is the default method the client uses externally during first-time sign-in, i.e. when it doesn't have a user certificate to sign in with TLS-DSK.

The client sends the information required for authentication in the next REGISTER requests to the Skype for Business server; the Skype for Business server in turn talks to the AD server and validates the submitted information.

If validation succeeds, the Skype for Business server considers the user authenticated and signs the user in. (In the NTLM method all interaction is between the client and the Skype for Business server, and between the Skype for Business server and Active Directory; the client does not interact directly with Active Directory.)

When using NTLM, in the client-side logs we will see 3 REGISTER request/responses between the client and the Skype server.

If Client uses TLS-DSK Authentication

For the client to use this authentication method, it must have a user certificate issued by the Skype for Business server.

Below is how the client connects to the Skype for Business Web Services and gets the user certificate issued.

The client gets the location/URL of the web service from which to obtain the user certificate; this is sent by the server in its first response to the anonymous REGISTER. (Example URL: https://SFB-SEWeb.Contoso.com:443/CertProv/CertProvisioningService.svc)

The client connects to the Skype for Business Web Services, authenticates itself using Kerberos or NTLM depending on whether it is connecting internally or externally, and gets the user certificate issued.

Once the user certificate is issued, the client submits the user certificate details to the Skype for Business server in the next REGISTER and authenticates itself.

When using TLS-DSK, in the client-side logs we will see 4 REGISTER request/responses between the client and the Skype server.

4 : Optional Redirection:

This step is optional; we may or may not see it, depending on which server the client reached.

If the client reached the Front End server where the user is homed, we won't see this step at all; however, if the client reaches and authenticates against any other Front End server (within the same pool or a different pool), we will see this step, where the server identifies where the user is homed and redirects to the home pool accordingly.

In the example above, the client reached SFB-FE1.contoso.com (since DNS was pointing there), which in turn redirected it to the user's home server "SFB-SE.Contoso.com".

5 : Retrieve Settings and Policies

This step comes after successful authentication; here the client retrieves information such as server-side settings and the policies applied to the user, which include details like normalization rules, which features are allowed, URLs to use when the client needs certain services or modalities, and so on.

In this step we see the client sending SERVICE/SUBSCRIBE SIP requests and getting the required responses.

SERVICE requesting normalization rules (Location Profile).

SUBSCRIBE requesting the contact list

SUBSCRIBE requesting server-side configuration/policies (in-band)

SUBSCRIBE requesting presence info for the users in the contact list

With the above call flow understood, the story below sums up what happens when a user tries to sign in:

  1. The user enters the SIP URI Mouli@contoso.com in the Skype for Business desktop client and clicks sign in.
  2. The client first performs the "Server Discovery" step and tries the Lyncdiscover records; if they are not available, it falls back to the SRV records and then to the host A records.
  3. At the end of the server discovery stage, the client has the "server FQDN/IP and the port to connect to".
  4. The client now checks whether it can establish network connectivity and TLS connectivity.
  5. After successful connectivity checks, the client sends the first anonymous sign-in request, "REGISTER", to the server to learn which authentication methods are available.
  6. The server presents the available authentication methods, the respective target/service name and other info.
  7. The client selects one of the authentication methods depending on whether it is signing in internally or externally, and whether this is a first-time or subsequent sign-in.
  8. Upon successful authentication, if the server is not the user's home server, the authenticating server determines the user's home server and redirects the user to the home pool/server.
  9. After successful sign-in, the client sends subsequent SERVICE/SUBSCRIBE requests asking for in-band configuration, policies, etc.

In my next article, I will discuss in detail the troubleshooting approach for Skype for Business client sign-in issues.

https://blogs.technet.microsoft.com/praj/2016/10/14/skype-for-business-client-sign-in-call-flow-detailed/

Deep Dive into the Microsoft Lync 2013 Client Sign-in Process

Whether you're using Lync Server, hybrid, hosted or online, the client still needs to sign in to get everything started. Join this session to understand the internals of this process across the Lync clients, from Lyncdiscover to Edge—this session is technical and detailed around understanding the protocol flows and troubleshooting when things go sideways.

OFC-B412.pptx (8.01MB)

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters

Value Name: AutoShareServer, AutoShareWks
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disable shares, 1 = enable)

When set to 0, the default shares the system creates (C$, ADMIN$, IPC$, etc.) disappear.

// Share definitions are stored under this key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares

// Share permissions are stored under this key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security
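A read-only audit of the keys above, as an added PowerShell example (not from the original post): it reads the two AutoShare values, lists the share names persisted under the Shares key, and compares them with the live share table. It assumes Windows 8/2012 or later for Get-SmbShare; the treatment of an absent value as the Windows default of 1 is also an assumption stated in the comments.

```powershell
# Added example, not part of the original post. Assumes Get-SmbShare is available
# and that an absent AutoShare value behaves like the default (1 = enabled).
function Get-AdminShareStatus {
    $paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $sharesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares'

    $p = Get-ItemProperty -Path $paramsKey
    $autoServer = if ($null -ne $p.AutoShareServer) { [int]$p.AutoShareServer } else { 1 }
    $autoWks    = if ($null -ne $p.AutoShareWks)    { [int]$p.AutoShareWks }    else { 1 }

    # Administrator-created shares are persisted as values named after the share
    $persisted = if (Test-Path $sharesKey) { @((Get-Item $sharesKey).GetValueNames()) } else { @() }
    $live = @(Get-SmbShare | Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        AutoShareServer = $autoServer
        AutoShareWks    = $autoWks
        # Default administrative shares currently offered (drive$ pattern, ADMIN$, IPC$)
        AdminSharesLive = @($live | Where-Object { $_ -match '^[A-Z]\$$' -or $_ -in 'ADMIN$', 'IPC$' })
        PersistedShares = $persisted
        # Live shares that are neither default admin shares nor recorded under ...\Shares
        UnlistedShares  = @($live | Where-Object {
            $_ -notmatch '^[A-Z]\$$' -and $_ -notin 'ADMIN$', 'IPC$' -and $_ -notin $persisted })
    }
}

Get-AdminShareStatus | Format-List
```

An AutoShareServer of 0 together with a non-empty AdminSharesLive means the Server service has not been restarted since the value was changed.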


Summary of the telecom fee discount for seniors:

  • Effective from 13 July 2018

  • Seniors aged 65 or older who receive the basic pension (seniors whose income and assets fall in the bottom 70%)

  • Up to 11,000 won per month; if the monthly bill is under 22,000 won, a 50% discount

  • When applying for the basic pension at the community service center, the fee discount is applied at the same time

  • Apply at a mobile carrier store or the carrier's customer center (114)

$Criteria = "IsInstalled=0"   # search criteria (assumed here: updates not yet installed); the original snippet left $Criteria undefined
$Searcher = New-Object -ComObject Microsoft.Update.Searcher
$SearchResult = $Searcher.Search($Criteria).Updates
$SearchResult.count   # number of updates matching the criteria

Result

PS C:\Users\iadmin> $Searcher = New-Object -ComObject Microsoft.Update.Searcher

PS C:\Users\iadmin> $SearchResult = $Searcher.Search($Criteria).Updates

PS C:\Users\iadmin> $SearchResult.count

0

PS C:\Users\iadmin>


Today I'd like to talk about SqlServerAlias. A SqlServerAlias makes client connections fast and convenient.
There is a site that explains it in detail:
http://www.mssqltips.com/tip.asp?tip=1620
(reference)

Now let's use WMI to look at the SQL alias information registered on my server.

Get-WmiObject -namespace root\Microsoft\SqlServer\ComputerManagement10 -class SqlServerAlias

If nothing is registered, nothing is shown, but if you registered an alias through SQL Server Configuration Manager, the registered entries appear. Viewed in the SQL configuration tool, it looks like the following.

Let's delete the registered alias oldship.

$strAlias="oldship"

# Filter on the alias name (the original used the not-yet-defined $oldInfo here and split the command across two lines)
$oldInfo=Get-WmiObject -namespace root\Microsoft\SqlServer\ComputerManagement10 -class SqlServerAlias -filter "AliasName='$strAlias'"

$oldInfo.Delete()

Easy, right?

Unfortunately, Get-WmiObject can only delete an existing client alias.
To create a new alias you have to load the separate .NET class Microsoft.SqlServer.Management.Smo.Wmi.ServerAlias; for 2008 the assembly containing this class is Microsoft.SqlServer.SqlWmiManagement.dll (for 2005 it is Microsoft.SqlServer.Smo).


First, let's load the assembly so we can use the class.

[reflection.assembly]::LoadWithPartialName("Microsoft.SqlServer.SqlWmiManagement") | Out-Null

After loading the assembly, we need to create the SMO object that wraps WMI for SQL Server.
This object will be the parent of the SQL alias we are about to create.

$strComputer='.' #localhost

$objComputer=New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer $strComputer #initialize

$newalias=New-Object ("Microsoft.SqlServer.Management.Smo.Wmi.ServerAlias")

$newalias.Parent=$objComputer

$newalias.Name='newAlias' # name of the new alias

$newalias.ServerName='SPACESHIPS' #source instance to connect to

$newalias.ConnectionString='9009' #port

$newalias.ProtocolName='tcp' #protocol

$newalias.Create()



The alias has been created as shown below.

Next time we'll look at ServerNetworkProtocol.

Source: http://vstarmanv.tistory.com/entry/MSSQLWMI-for-SQL-Management3-SqlServerAlias