September 10th, 2015 | Tags:

Update: Further testing suggests that no TLS validation is in fact performed against the Match URI; instead, the TLS validation is performed against the Trusted Application Pool name. In my example below both the Trusted Application Pool name and Match URI are the same. However, if your Trusted Application Pool name is different to the Match URI, you should follow the steps below but substitute the Trusted Application Pool name for the Match URI. Apologies for the confusion.

Lync and Skype for Business have a concept of configuring static routes. This is not to be confused with the networking equivalent; it is a way of routing SIP queries (for a specific domain) to either a PBX, PSTN Gateway or a 3rd party conferencing solution.

In this article I’m going to cover off the use case whereby a 3rd party conferencing solution has been deployed and the ability to dial “Virtual Meeting Rooms” is required. This is different to newer Skype for Business interoperability solutions, for example “RealConnect” first introduced by Polycom and then an imitation “Dual Home” by Acano.

For those that are deploying VMRs with Skype for Business (or already have this deployed and are upgrading to Skype for Business) read on…

Typically when 3rd party MCUs or conferencing components like Polycom DMA or Cisco VCS are deployed they’re configured within a Trusted Application Pool. Within the example below we have a Trusted Application Pool configured, with two Trusted Applications. Whilst the Trusted Application Pool is defined as “”, this has no bearing upon the SIP domain which could be entirely different.

For simplicity’s sake, in this scenario my SIP domain is also “” and my “Match URI”, i.e. the domain being leveraged to trigger my static route, will be “”.


So what’s new, why write this article at all? Previously, dating as far back as OCS and until Lync Server 2013, a Match URI could be configured without any TLS validation. So to use the above example I could generate a certificate for my Trusted Application Server with the FQDN of the server i.e. and I was good to go.

However, with Skype for Business the TLS route is now validated, so in the case above I need to generate a SAN certificate that encompasses both the FQDN for my Trusted Application Server and the Match URI. Failure to do this will generate a “certificate trust with another server could not be established” error.


Let’s step through this process, first off let’s recap on the goal. My Trusted Application Server is and my Match URI is, I’m using a Windows Enterprise Certificate Authority and I need to generate my certificate.

Usually I’d use IIS to generate my certificates in this scenario, but we’re creating a SAN and whilst this is possible leveraging the certificates MMC snap-in – I like simplicity :)

So I’m going to use a free/excellent utility from my friends at DigiCert. Their certificate utility for Windows is an easy way to create certificate signing requests (CSRs) – it’s also got me out of some tricky spots and performs certificate repair and troubleshooting.

Step 1. Create my certificate request

Open the certificate utility executable from one of your Front Ends and select the “Create CSR” dialogue on the top right (see below)


Step 2. Complete the certificate request

Ensure the certificate type is set to “SSL” and that your common name is duplicated and also specified within your subject alternative names.


Step 3. Generate and save to file


Step 4. Upload the certificate signing request file to your respective Windows CA, typically this can be performed via web enrollment by connecting to http://<CA.FQDN>/CertSrv. You will then be prompted to authenticate, once presented with this initial menu select -> Request a certificate -> Advanced certificate request.

Then paste as follows and ensure you change the certificate template to “Web Server” and click Submit.


Step 5. Download the certificate


Step 6. Complete the request and import the certificate

Click import on the top right, point to the certificate file and assign a friendly name for easy identification.


Step 7. Validate your certificate

The certificate common name displays the Trusted Application Server FQDN ( and the Subject Alternative Names contain both the Trusted Application Server FQDN ( and the Match URI (
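
A scripted form of the Step 7 check, as an added example (not part of the original article, nor DigiCert or Microsoft tooling): it reads the DNS names from a certificate’s Subject Alternative Name extension and reports any required name that is missing. The host names are hypothetical placeholders, and the throwaway test certificates assume Windows 10 / Server 2016 or later for New-SelfSignedCertificate.

```powershell
# Added example. Host names are hypothetical placeholders, not values from the article.
function Get-CertificateDnsName {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    # 2.5.29.17 is the Subject Alternative Name extension.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return }

    # English-language Windows renders entries as "DNS Name=host"; .NET on other
    # platforms renders "DNS:host". Accept either form.
    [regex]::Matches($san.Format($true), '(?:DNS Name=|DNS:)([^\s,]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() }
}

function Test-StaticRouteCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        # Trusted Application Server FQDN plus the Match URI / Trusted Application Pool name
        [Parameter(Mandatory)][string[]]$RequiredName
    )
    $sanNames = @(Get-CertificateDnsName -Certificate $Certificate)
    $missing  = @($RequiredName | Where-Object { $sanNames -notcontains $_.ToLowerInvariant() })

    [pscustomobject]@{
        Subject  = $Certificate.Subject
        SanNames = $sanNames
        Missing  = $missing
        Expired  = $Certificate.NotAfter -lt (Get-Date)
        Pass     = ($missing.Count -eq 0) -and ($Certificate.NotAfter -ge (Get-Date))
    }
}

# Constructed test input: two throwaway self-signed certificates in the current user's store.
$required   = 'vmr-app01.example.local', 'vmr.example.local'
$serverOnly = New-SelfSignedCertificate -DnsName $required[0] -CertStoreLocation Cert:\CurrentUser\My
$bothNames  = New-SelfSignedCertificate -DnsName $required    -CertStoreLocation Cert:\CurrentUser\My

# First certificate carries the server FQDN only; second carries both required names.
Test-StaticRouteCertificate -Certificate $serverOnly -RequiredName $required
Test-StaticRouteCertificate -Certificate $bothNames  -RequiredName $required

# Remove the throwaway certificates again.
$serverOnly, $bothNames | ForEach-Object { Remove-Item "Cert:\CurrentUser\My\$($_.Thumbprint)" }
```

For the real certificate, pass the issued certificate object instead (for example one selected from Cert:\LocalMachine\My), with the Trusted Application Server FQDN and the Trusted Application Pool name as the required names.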




Now proceed to upload the certificate to your 3rd party conferencing server and TLS errors are a thing of the past!

February 7th, 2015 | Tags:

It’s great to see the momentum behind Lync (now Skype for Business). I’m specifically referring to businesses with long-time installments of PBX(s) that are realizing the traditional telephony functionality now available within Microsoft Enterprise Voice (by this I’m referring to Skype for Business telephony). Admittedly there are some gaps, but these are now niche scenarios and are no doubt likely to be addressed as Microsoft preps their next server release – Skype for Business Server 2015.

Microsoft’s Third Party Interoperability Program or “3PIP”, plays a big part in this as Open SIP device manufacturers differentiate over the “Aries” or Lync Phone Edition handsets. An excellent example here is the Shared Line Appearance or Boss-Admin functionality introduced in Lync 2010. By leveraging existing delegate functionality (typically set client-side) and additional SIP extensions sent server-side these phones can offer extended telephony scenarios.

These features can include:

  • Boss call pickup
  • Boss in call/held call indication
  • Transfer to Boss Voicemail
  • Inbound call to Boss pick-up
  • Outbound calling on behalf of

Now in the case of traditional telephony administration, the configuration thereof would typically be performed by IT, so it’s not an unfamiliar request for customers to push back on the idea of offloading this to their end-users. To that end Microsoft has provided a command line tool which is included within the Lync Resource Kit (I’m sure in time this will receive the Skype moniker) – the tool is SEFAUtil.

SEFAUtil can be deployed on your existing Front End Server(s). It requires a Trusted Application Server configuration be setup (within Topology Builder) and some simple steps can be followed here.

Once this is configured the delegate configuration (including “Simring”) can be set for specific or groups of users. In the example below we’re going to configure Jennifer Parker as the “admin” for her “boss” Emmett Brown.

In this example my Pool name is “pool01.polycom-mslab02.local”, this should be adjusted accordingly depending upon your Pool name. I’m also executing this command within the Resource Kit directory, which for Lync 2013 is typically “C:\Program Files\Microsoft Lync Server 2013\ResKit”

.\SEFAUtil.exe /server:pool01.polycom-mslab02.local / /simulringdelegates

(See example below)


Once this command is set a visual indication is typically seen on your phone, in the case below a Polycom VVX 500 has indicated to the “Admin” (Jennifer Parker) that she’s now capable of accessing the Boss-Admin feature-set on behalf of her “Boss” (Emmett Brown).


For more information on Polycom’s Boss-Admin feature, refer to this blog post by fellow Lync MVP Jeff Schertz; Lync Resource Kit download information can be obtained via the Microsoft website.

January 30th, 2015 | Tags:

I thought I’d share a video I was asked to put together that illustrated Lync client behavior when a user is migrated from a Lync On-Premises deployment to Lync Online.

Prior to executing the PowerShell below I needed to complete a “Split-Domain” Lync deployment which I covered in a separate article here.

PowerShell commands:

$creds = Get-Credential   # Input tenant admin credentials
Move-CsUser -Identity <SIP URI> -Target -Credential $creds -HostedMigrationOverrideUrl   # see my previous article for tenant specific URL identification
Get-CsUser -Identity <SIP URI>   # Validate user migration
Move-CsUser -Identity <SIP URI> -Target <On-Premises Lync Pool Name> -Credential $creds -HostedMigrationOverrideUrl   # move the user back on-premises; see my previous article for tenant specific URL identification

January 23rd, 2015 | Tags:

It was almost a year ago when I wrote up a blog post on a new role within the next installment of Lync Server (now Skype for Business Server 2015) that Microsoft refers to as “VIS”. At that time information was limited. Microsoft had shown us a demo at Lync Conference 2014, but for the large part I was theorizing. Whilst the majority of my analysis was not far off, Microsoft have now lifted their NDA and they are now sharing with partners and customers more information on this new functionality.

So with this in mind, I’m going to share some more detail here and clarification around the video investments Microsoft have made as a part of this upcoming release due in 1H 2015.

Skype Video Federation

First up let’s talk about the bi-directional Skype consumer to Skype for Business video calling. This was originally enabled back in December following a blog post from the Skype Team. It’s gone through some minor teething troubles but nothing you wouldn’t expect when you open up a video workload from the largest telecommunications client in the world (with over 40% of the international call market share).

Microsoft have enabled this capability by leveraging a cloud gateway service, with video being offered via the V2 of this gateway (V1 offered IM/P and point-to-point voice calling). The major difference with V2 is that point-to-point video is now available. Unlike the first gateway, whereby media and signaling flow in all cases via this service (audio is transcoded), a common media and networking (ICE) stack can now be leveraged via Skype and Lync client updates. This means that now only signaling traverses the gateway and media can be negotiated directly, in most cases H.264 SVC for video and Silk for audio.

Remember content sharing and conference calling between Skype (consumer or business) and Lync is still not available. For deeper analysis Jeff Schertz has covered this here.

Clients supported include (taken from Microsoft slide):

| Platform | Lync / Skype for Business | Skype |
|---|---|---|
| Desktop | Skype for Business; Lync 2013; Lync 2013 CU4 (audio with SILK); Lync 2010 (audio only) | 7.1 and above |
| Windows 8 app | Lync for Windows 8–2.1 (audio with SILK) | Coming soon |
| Mobile (Windows Phone, iOS, Android) | Mobile 5.4 release (audio with SILK) | Coming soon |
| Web app | Not supported | Coming soon |
| MAC | Not supported | Coming soon |

So what is new here with Skype for Business? Today with Lync Server 2013, all Skype clients need to be registered with a Microsoft account, whereas the new server/client will permit you to add any user (Microsoft or Skype account registered).

Skype for Business Video Interoperability Server (VIS)

VIS is a new role that can be deployed on-premises, within Skype for Business Server 2015. It breaks the mold so far as the “brick” model is concerned and requires a dedicated server (or servers dependent upon scale). The primary focus for VIS is to allow net new Skype for Business customers to leverage their existing investment in Cisco VTCs (specifically those running TC 7.0 or higher and Microsoft has tested Cisco C40, Cisco C60, Cisco C90, Cisco MX200, Cisco MX300, Cisco EX60, Cisco EX90, Cisco SX20, the list will no doubt grow over time).

The feature-set on offer here wouldn’t be as extensive as say a Lync Optimized Room System (i.e. Lync Room System) or Qualified VTC (with native support), but in certain cases it might be “enough” or more to the point it will result in less of a burden when you’re making a business case to transition away from a Cisco UC platform to Microsoft.

Back at Lync Conference 2014 Microsoft demonstrated a direct registration operating mode; at launch an alternate mode (which may resonate more with customers) of CUCM SIP trunking is on offer. Whilst this requires existing Cisco infrastructure to remain in place (CUCM is leveraged here and not VCS), it’s likely that this will offer a smoother transition (until you turn all that Cisco stuff off, okay maybe the switches and routers are good for keeps :) ).

Calling capabilities include point-to-point calling (Skype for Business to CUCM not at release), and conference join (not via click-to-join, but instead escalation to conference via the Conference Auto Attendant and no drag/drop or CCCP). One last consideration here is that we are limited to VTCs within the organization i.e. Edge traversal isn’t possible.

Now let’s take a look at what is happening within the VIS component so we can understand things better. In the diagram below we can see signaling called out in grey and media in red (Cisco VTCs are registered to CUCM which is in turn trunked directly to VIS). One important take away is that in all cases both signaling and media need to traverse the VIS component – no media bypass. It’s easy to understand that signaling requires some manipulation (as we need to perform translation between Cisco and Microsoft SIP), but why media?

In my previous post I mentioned that whilst Microsoft have adopted H.264 SVC, it’s not the same as H.264 AVC and understandably nor is it the same as H.264 SVC from other vendors. H.264 SVC comes in multiple flavors (I won’t cover this here), but nevertheless heavy lifting is required to make these disparate media types interoperable. Furthermore, if the VIS server is to provide a cohesive Lync 2013/Skype for Business client experience, more than a single resolution type needs to be shared in a conference scenario (more on this below).

VIS Architecture
As I mentioned previously VIS isn’t a light-weight role: it’s not only taking an H.264 AVC video stream and making it H.264 SVC compliant (by updating PACSI NAL etc.), it’s also creating up to three simulcast (output) streams.

This is to offer a better experience for clients who are not capable of receiving the native resolution on offer by the Cisco VTC. Below is a potential real-world example whereby we can see the Cisco VTC sending 1080p and the AVMCU clients (Lync Room System, Skype for Business desktop and a Skype for Business tablet) receiving their requested resolution type:

VIS Simulcast

You’ll notice in the example above no reference to VIS performing transcoding to RT-Video (VC-1); this is because this isn’t in scope here. This will ultimately result in any Lync 2010 clients not receiving video from a VTC (and vice versa) for point-to-point or conference calling.

In conclusion Microsoft have made a significant investment in video interoperability in the next server edition. The take-away here is that this is significant for Cisco to Microsoft transitions – especially as VTC life spans are significantly longer than other endpoints deployed within enterprises.

With that in mind there are some limitations worth noting, for example H.323 isn’t in scope here (which is still widely deployed within enterprises). Another key point here is that the VTC will get a Lync 2010-style experience i.e. active speaker switching and content sharing is also a gap right now. For these reasons Microsoft continue to enhance existing Lync room systems and run a program for VTCs and MCU that are natively interoperable.

November 19th, 2014 | Tags:

The Lync Room System folks have been busy as of late and a load of updates have been delivered over the last week (in time for Thanksgiving :)), first of all the 15.12 update.

This update includes a number of enhancements, notably:

  • Adds functionality to make public switched telephone network (PSTN) calls and adds a Find a contact button in the In-meeting dial pad.
  • Adds functionality to the “Where is my join button” feature so that users can create a meeting by using the existing meeting information from the console.
  • Adds functionality to reduce the number of Lync Room System restarts for future device updates that are later than the November 2014 update (version 15.12.0). Future updates will be cumulative.
  • Adds functionality so that Lync Room Systems can be monitored by System Center Operations Manager when LRS is not joined to a domain (Workgroup mode).
  • Improvement to the UI colors on the console and front of room screens. Previously the UI colors for some buttons appeared dimmed and disabled even though they were active.

There’s also an update to the Lync Room System Deployment Guide, some new items in here include:

  • LRS Appliance Security Information
  • PowerShell Setup Scripts

Finally there’s also an update to the Lync Room System Portal here

Update: Overview of the new “Where is my join button” functionality.

One interesting new feature within the 15.12 update is a solution to the scenario whereby the organizer forgets to Lync-enable a meeting, previously I mentioned the conference policy update that an IT Admin can apply to prompt for Lync blobs (specifically whereby an LRS system is invited into the meeting) – see here. But this new feature in 15.12 will also go a step further to mitigate scenarios whereby the invite has already been sent, instead of the previous behavior when the calendar entry would say “Where is my join button”, a single click will prompt the end-user to send a new (this time Lync-enabled) invite from the LRS system itself. See picture below:

Once sent, the meeting will start and other participants will get a new invite that they can click to join the meeting. Note: This will not mitigate the need to update TNEF settings in Exchange; blobs would still be removed when the new invite is sent between Exchange Servers that do not have this setting specified correctly.



September 16th, 2014 | Tags:

When scheduling a Lync meeting it’s important that you add your Lync meeting credentials to the Outlook invitation, this is a fairly obvious requirement and in the case whereby this isn’t added you could of course create an ad-hoc or “Meet Now” conference.

However when you’re using a Lync Room System forgetting to add these “blobs” to your invitation results in the lack of single click-to-join, therefore slowing down the time in which it takes to start the call. One thing however that I hadn’t noticed is that in CU2 for Lync Server 2013 Microsoft added a new conferencing policy setting that corrects the problem whereby an LRS resource is added to an invite but the “Create a new Lync meeting” button is omitted.

The setting is:

Set-CsConferencingPolicy -Identity Global -EnableOnlineMeetingPromptForLyncResources $true

By default this is set to false and needs to be enabled. Once enabled users will be prompted to add the Lync conference detail prior to sending the invitation (see below)



Hope this helps!