Communicator Phone Edition

Communicator Phone Edition is an intelligent IP phone designed to get the most out of Microsoft’s Unified Communications platform. It combines network voice, user-driven design, up-time reliability, quality audio, and the enhanced communication and collaboration of Office Communications Server 2007 R2.

This section describes the elements necessary to manage Communicator Phone Edition within an organization.

DHCP and Communicator Phone Edition

To properly function, all computers on a TCP/IP network must have an IP address for the network. In general, you can configure IP addresses manually at each computer, or you can install a Dynamic Host Configuration Protocol (DHCP) server that automatically assigns IP addresses to each client computer or device on the network. Communicator Phone Edition is no exception. It is a DHCP client that can receive only DHCP-assigned IP addresses and requires no configuration on the device.

DHCP Search Options

You can create a list of DNS suffixes that can be appended to unqualified DNS names for use by clients when they perform DNS queries. For DHCP clients, a suffix can be set by assigning the DNS domain name option (option 015) and providing one DNS suffix for the client to append and use in searches.

DHCP search option 119 is passed from the DHCP server to the DHCP client to specify the domain search list to be used when resolving host names with DNS. DHCP search option 119 applies only to DNS and does not apply to other name resolution mechanisms. Table 19-13 lists DHCP options for domain search lists.

Table 19-13. DHCP Options for domain search list

DHCP OPTION   DESCRIPTION
015           Specifies the connection-specific DNS domain suffix to be used by the DHCP client
119           DNS domain search list option that specifies the domain search list to be used when resolving host names with DNS

Figure 19-9 illustrates how support for multiple DNS suffixes is enabled by using DHCP option 15 and DHCP search option 119.

Figure 19-9. DHCP options for Communicator Phone Edition

To enable search option 119 for the Microsoft Windows Server 2003 DHCP server, do the following.

  1. Open DHCP by clicking Start, pointing to Settings, clicking Control Panel, double-clicking Administrative Tools, and then double-clicking DHCP.

  2. In the console tree, click the applicable DHCP server.

  3. On the Action menu, click Set Predefined Options.

  4. Under Predefined Options And Values, click Add (Option Class Standard), and click OK.

  5. In the Name box, type DNS Search List.

  6. Set Code to 119 and Data Type to string (it is not an array) and then click OK.

  7. Right-click Scope Options, select Configure Options, and then select Option 119 DNS Search List.

  8. Enter a list of domain suffixes that are in your organization, delimited by semicolons. For example, litwareinc.com;dev.litwareinc.com;corp.microsoft.com.

  9. Click OK.
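The procedure above stores the search list as one semicolon-delimited string, while RFC 3397 defines the wire format of option 119 as DNS label-encoded names (with optional RFC 1035 compression). The following added example, which is not part of the original text, parses the console string, converts it to and from the RFC 3397 encoding (rejecting forward pointers and pointer loops), and lists the FQDNs a client would try for an unqualified host name, which is what distinguishes the multi-suffix option 119 from the single suffix of option 15. The domain names are the ones used in the text.

```python
# Added example: parse the semicolon-delimited search list entered in the DHCP
# console, convert it to and from the RFC 3397 wire encoding of option 119, and
# show which FQDNs a client would try for an unqualified name.


def parse_search_list(value: str) -> list[str]:
    """Split 'a.com;b.a.com' into validated, lower-cased suffixes."""
    suffixes = []
    for part in value.split(";"):
        name = part.strip().strip(".").lower()
        if not name:
            continue
        for label in name.split("."):
            if not 1 <= len(label) <= 63:
                raise ValueError(f"bad DNS label {label!r} in {name!r}")
        suffixes.append(name)
    return suffixes


def encode_option_119(suffixes: list[str]) -> bytes:
    """RFC 3397 format: each name as length-prefixed labels, terminated by a zero byte."""
    out = bytearray()
    for name in suffixes:
        for label in name.split("."):
            out.append(len(label))
            out += label.encode("ascii")
        out.append(0)
    return bytes(out)


def decode_option_119(data: bytes) -> list[str]:
    """Decode option 119, following RFC 1035 compression pointers (top two bits 11).

    Pointers may only point backwards, and a hop limit guards against loops."""
    names, pos = [], 0
    while pos < len(data):
        labels, p, jumped, hops = [], pos, False, 0
        while True:
            length = data[p]
            if length & 0xC0 == 0xC0:           # compression pointer
                target = ((length & 0x3F) << 8) | data[p + 1]
                if target >= p:
                    raise ValueError("forward or self-referencing pointer")
                if not jumped:
                    pos = p + 2                 # next name starts after the pointer
                p, jumped, hops = target, True, hops + 1
                if hops > 16:
                    raise ValueError("too many pointer hops")
                continue
            if length > 63:
                raise ValueError(f"invalid label length {length}")
            p += 1
            if length == 0:                     # end of this name
                if not jumped:
                    pos = p
                break
            labels.append(data[p:p + length].decode("ascii"))
            p += length
        names.append(".".join(labels))
    return names


def candidate_fqdns(host: str, suffixes: list[str]) -> list[str]:
    """Names a client tries for an unqualified host, in search-list order."""
    if "." in host:
        return [host]
    return [f"{host}.{suffix}" for suffix in suffixes]


if __name__ == "__main__":
    suffixes = parse_search_list("litwareinc.com;dev.litwareinc.com;corp.microsoft.com")
    wire = encode_option_119(suffixes)
    print(wire.hex())
    print(decode_option_119(wire))
    print(candidate_fqdns("mail", suffixes))
```

The decoder refuses pointers that do not point to an earlier position in the option data, so a malformed or hostile option cannot send it into a loop; the label-length check in the parser catches the common typo of an empty label (a doubled dot) before it reaches the DHCP server.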

Microsoft Exchange Server 2007 Autodiscover

Exchange Server 2007 includes a new Microsoft Exchange service named the Autodiscover service. The Autodiscover service configures client computers that are running Outlook 2007. The Autodiscover service can also configure supported mobile devices. The Autodiscover service provides access to Exchange features for Outlook 2007 clients that are connected to an Exchange messaging environment. The Autodiscover service must be deployed and configured correctly for Outlook 2007 clients to automatically connect to Exchange features, such as the offline address book, the Availability service, and Unified Messaging (UM).

How Communicator Phone Edition Retrieves Outlook Contacts, Call Logs, and Voice Mail

Communicator Phone Edition retrieves Outlook contacts, call logs, and voice mails and displays them on mobile devices. It does this by accessing the Exchange Server 2007 Client Access server and retrieving the information by using Exchange Web Services (EWS). Communicator Phone Edition locates the Exchange Server 2007 Client Access server through an A record in DNS, using the Simple Mail Transfer Protocol (SMTP) domain of the user's primary e-mail address to find that record. The primary e-mail address is sent to the device during the sign-in process through in-band provisioning. Communicator Phone Edition queries the A records for the hosts in the following URLs, in this order:

  1. https://<SMTP domain>/autodiscover/autodiscover.xml

  2. https://autodiscover.<SMTP domain>/autodiscover/autodiscover.xml

  3. http -> https redirect

Outlook 2007 uses Active Directory service connection points (SCPs) and DNS SRV records to locate the Exchange Server 2007 Client Access server. However, the device does not support these additional methods.

The Autodiscover service is responsible for finding and presenting the various URLs that are used to interact with EWS and information about how to connect Outlook 2007 to Exchange Server 2007. The device uses those URLs to retrieve Outlook contacts, call logs, and voice mail messages from Exchange Server 2007.

Communicator Phone Edition Query Order of Microsoft Exchange Server 2007

Communicator Phone Edition must connect to the EWS URL by using HTTP or HTTPS. If HTTPS is enabled, the certificate from the Exchange Server must be trusted.

Communicator Phone Edition attempts to connect to the Exchange Server 2007 Autodiscover service in the following order:

  1. https://<SMTP domain>/autodiscover/autodiscover.xml

  2. https://autodiscover.<SMTP domain>/autodiscover/autodiscover.xml

  3. http -> https redirect

After Communicator Phone Edition receives a successful response, it connects to the EWS URL in the Autodiscover response XML.

Troubleshooting Contacts, Call Logs, and Voice Mail on Communicator Phone Edition

To troubleshoot missing Outlook contacts, call logs, and voice mail messages on the Communicator Phone Edition device, try some of the following from a computer that is on the same network as the device:

  • Use nslookup to test that you can find an A record in DNS for <SMTP domain> or autodiscover.<SMTP domain>.

  • Try to access the following URLs by using Internet Explorer to see whether you get an XML response back containing a 600 Invalid Request error.

    • https://<SMTP domain>/autodiscover/autodiscover.xml and the http version of this URL

    • https://autodiscover.<SMTP domain>/autodiscover/autodiscover.xml and the http version of this URL

  • Make special note of the certificates used by the Autodiscover service and on the Client Access server, and ensure that the device trusts each of them. The device does not trust the default self-signed certificate that Exchange 2007 uses, so with that certificate in place the device will not communicate with the Autodiscover service.

  • Try to use the Outlook 2007 Test E-mail AutoConfiguration feature. To do this, press Ctrl and right-click the Outlook icon in the system tray. Select Use AutoDiscover, type your e-mail address, and then click Test. Click the XML tab to see if XML is returned.

  • Try to access the URL ending with /ews/exchange.asmx that is shown on the XML tab from your browser. If XML is returned, EWS is working.

  • If the previous methods have shown that Exchange Server 2007 Autodiscover service and EWS are working, check the Internet Information Services (IIS) log on the Exchange Server 2007 Client Access server for signs that the device is trying to communicate with the Exchange Server 2007 Client Access server.
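The following is an added example, not part of the original text, that puts the query order from the two preceding sections and the troubleshooting checks above into code. It lists the Autodiscover URLs in the order the device tries them, classifies a response either as the 600 Invalid Request error (which proves the service is reachable but yields no EWS URL) or as a successful response carrying the EwsUrl, and shows a fetch that verifies the server certificate against the internal root CA, the same trust decision the device makes. The host names and the two XML documents are constructed for the example; the assumption that the plain-http probe covers both host names is not stated in the text.

```python
# Added example: Autodiscover probe order and response classification for the
# Communicator Phone Edition troubleshooting steps. Host names and XML below
# are constructed samples, not captured from a real Client Access server.
import ssl
import urllib.request
import xml.etree.ElementTree as ET


def autodiscover_candidates(smtp_domain: str) -> list[str]:
    """URLs in the order the device tries them. The plain-http entries are only
    useful if they redirect to https (assumption: both host names are probed)."""
    return [
        f"https://{smtp_domain}/autodiscover/autodiscover.xml",
        f"https://autodiscover.{smtp_domain}/autodiscover/autodiscover.xml",
        f"http://{smtp_domain}/autodiscover/autodiscover.xml",
        f"http://autodiscover.{smtp_domain}/autodiscover/autodiscover.xml",
    ]


def _local(tag: str) -> str:
    """Strip the XML namespace so the parser tolerates either response schema."""
    return tag.rsplit("}", 1)[-1]


def parse_autodiscover(xml_text: str) -> dict:
    """Classify an Autodiscover response: error (e.g. 600), ok with an EWS URL, or unexpected."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if _local(el.tag) == "Error":
            fields = {_local(c.tag): (c.text or "").strip() for c in el}
            return {"status": "error", "code": fields.get("ErrorCode"),
                    "message": fields.get("Message"), "ews_url": None}
    for el in root.iter():
        if _local(el.tag) != "Protocol":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        if fields.get("Type") == "EXCH" and fields.get("EwsUrl"):
            return {"status": "ok", "code": None, "message": None,
                    "ews_url": fields["EwsUrl"]}
    return {"status": "unexpected", "code": None, "message": None, "ews_url": None}


def fetch_autodiscover(url: str, root_ca_file: str) -> dict:
    """GET the URL while verifying the server certificate against the internal
    root CA file; an untrusted certificate raises ssl.SSLError, the same
    failure the device hits with the default self-signed Exchange certificate."""
    ctx = ssl.create_default_context(cafile=root_ca_file)
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return parse_autodiscover(resp.read().decode("utf-8"))


# Constructed sample: what a bare GET from a browser returns (service reachable).
ERROR_600 = """<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response>
    <Error Time="09:00:00.0000000" Id="1234567890">
      <ErrorCode>600</ErrorCode>
      <Message>Invalid Request</Message>
      <DebugData />
    </Error>
  </Response>
</Autodiscover>"""

# Constructed sample: a successful response with the EWS URL the device will use.
SUCCESS = """<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXCH</Type>
        <Server>cas01.litwareinc.com</Server>
        <EwsUrl>https://cas01.litwareinc.com/ews/exchange.asmx</EwsUrl>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>"""


if __name__ == "__main__":
    for url in autodiscover_candidates("litwareinc.com"):
        print(url)
    print(parse_autodiscover(ERROR_600))
    print(parse_autodiscover(SUCCESS))
```

A 600 result from the first or second candidate URL means the name resolves and the service answers over a trusted TLS connection, so the remaining suspects are the device's own certificate trust and the EWS URL in the success response; an ssl.SSLError from fetch_autodiscover with the internal root CA file points back at the certificate checks in the list above.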

NTP and Communicator Phone Edition

Network Time Protocol (NTP) is the default time synchronization protocol used by the Windows Time service in Windows Server 2003. NTP is a fault-tolerant, highly scalable time protocol and is the protocol used most often for synchronizing computer clocks against a designated time reference. Communicator Phone Edition requires NTP to set its date and time correctly.

NTP Time Provider

The NTP provider is the standard time provider included with Windows Server 2003. The NTP provider in the Windows Time service consists of the following two parts:

  • NtpServer output provider. This is a time server that responds to client time requests on the network.

  • NtpClient input provider. This is a time client that obtains time information from another source, either a hardware device or an NTP server, and can return time samples that are useful for synchronizing the local clock.

Although the actual operations of these two providers are closely related, they appear independent to the time service. By default, when a computer that is running Windows Server 2003 is connected to a network, it is configured as an NTP client.

Communicator Phone Edition searches DNS for an NTP server by using the following record:

NTP SRV record (UDP port 123)

_ntp._udp.<SIP domain> pointing to NTP Server

If it cannot find the NTP SRV record, it will attempt to use time.windows.com as an NTP server:

NTP A record

time.windows.com

To set Group Policy for Windows Time service global configuration settings, perform the following steps.

  1. From the Microsoft Management Console (MMC), click Active Directory Users And Computers.

  2. Right-click the domain that contains your NTP server, and then select Properties.

  3. Click the Group Policy tab, make sure the Default Domain Policy is highlighted, and click Edit.

  4. Click Computer Configuration, click Administrative Templates, click System, and then click Windows Time Service.

  5. Click Time Providers. In the right pane, double-click Enable Windows NTP Server. Click the Enabled button and then click OK.

  6. From the Group Policy Object Editor menu, select File and click Exit.

Server Security Framework Overview

The following section provides an overview of the fundamental elements that form the security framework for Office Communications Server 2007 R2. Understanding how these elements work together is helpful when deploying Communicator Phone Edition in your organization.

Root CA Certificate for Communicator Phone Edition

Office Communications Server 2007 R2 relies on certificates for server authentication and to establish a chain of trust between clients and servers and among the different server roles. The Windows Server 2003 public key infrastructure (PKI) provides the infrastructure for establishing and validating this chain of trust.

Communication between Communicator Phone Edition and Office Communications Server 2007 R2 is encrypted by default using TLS and Secure Real-Time Transport Protocol (SRTP). Therefore, the device needs to trust the certificates presented by Office Communications Server 2007 R2 servers. If the Office Communications Server 2007 R2 servers use public certificates, the device will most likely trust them automatically, because Windows CE on the device ships with the same list of trusted public certification authorities (CAs). However, because most Office Communications Server 2007 R2 deployments use internal certificates for the internal Office Communications Server server roles, the root CA certificate of the internal CA must be installed on the device. It is not possible to install the root CA certificate on the device manually, so it must be installed over the network. Communicator Phone Edition can download the certificate by using one of two methods.

In the first method, the device will search for Active Directory objects in the category certificationAuthority. If the search returns any objects, it will use the attribute caCertificate. That attribute is assumed to hold the certificate, and the device will install the certificate.

The root CA certificate must be published in the caCertificate attribute for Communicator Phone Edition to find it. To place the root CA certificate in the caCertificate attribute, use the following command:

certutil -f -dspublish <Root CA certificate in .cer file> RootCA

If the search for Active Directory objects in the category certificationAuthority does not return any objects or if the objects have empty caCertificate attributes, the device will search for Active Directory objects in the category pKIEnrollmentService in the configuration naming context. Such objects exist if certificate AutoEnrollment has been enabled in Active Directory. If the search returns any objects, Communicator Phone Edition will use the dNSHostName attribute that is returned to reference the CA, and it will then use the Web interface of the Microsoft Certificates Service to retrieve the root CA certificate by using the following HTTP GET command:

http://<dNSHostname>/certsrv/certnew.p7b?ReqID=CACert&Renewal=-1&Enc=b64

If neither of these methods succeeds, the device will present the error message "Cannot validate server certificate" and the user will not be able to use the device.

Using Communicator Phone Edition Certificates

The following is a list of considerations for issuing certificates to Communicator Phone Edition:

  • By default, Communicator Phone Edition uses TLS and SRTP.

    • Requirement: The Communicator Phone Edition device must trust certificates presented by Office Communications Server 2007 R2 and the Exchange Server 2007 server.

    • Requirement: The root CA chain certificate must reside on the device.

  • Manual installation of the certificate on the device is not possible.

  • Other options for certificates include the following:

    • Use public certificates.

    • Preload public certificates on the device.

    • Use enterprise certificates.

    • Install the root CA chain from the network.

Enterprise Root CA Chain

Communicator Phone Edition can find the certificate by using the PKI auto-enrollment object in Active Directory or through a well-known distinguished name (DN).

Following are the two ways in which Communicator Phone Edition locates certificates on your network:

  • Enable PKI auto-enrollment through the enterprise CA.

    • The device makes a Lightweight Directory Access Protocol (LDAP) request to find the pKIEnrollmentService/CA server address and then downloads the certificate over HTTP from the Windows CA /certsrv site by using the user's credentials.

  • Use certutil -f -dspublish ".cer file location" RootCA to upload certificates to the Configuration naming context.

    • Cn=Certificate Authorities, cn=Public Key Services, CN=Services, cn=Configuration, dc=<Active Directory Domain>

Note

The LDAP request is BaseDN: CN=Configuration, dc=<Domain>; Filter: (objectCategory=pKIEnrollmentService). The attribute searched for is dNSHostname. Be aware that the device downloads the certificate by using the HTTP GET command http://<dNSHostname>/certsrv/certnew.p7b?ReqID=CACert&Renewal=-1&Enc=b64.
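The following added example, which is not part of the original text, models the root CA discovery order described in the Root CA Certificate section and in the Enterprise Root CA Chain list above: first the certificationAuthority objects and their caCertificate attribute, then the pKIEnrollmentService objects and the certsrv URL built from dNSHostName, and finally the "Cannot validate server certificate" failure. The LDAP search is a pluggable function so the logic runs offline against constructed directory contents; the DNs, filters, attribute names and URL format are the ones the text gives, the choice of the Certificate Authorities container as the base of the first search is an assumption, and the certificate bytes and host name are constructed. A small DER sanity check is included because an object with an empty or truncated caCertificate must fall through to the second method.

```python
# Added example: the device's two-step root CA discovery, modelled against a
# pluggable LDAP search. Directory contents, certificate bytes and host names
# are constructed; DNs, filters, attributes and the URL format follow the text.
from typing import Callable

CERTSRV_URL = "http://{host}/certsrv/certnew.p7b?ReqID=CACert&Renewal=-1&Enc=b64"
# Assumption: the first search is rooted at the container certutil -dspublish fills.
CA_CONTAINER = ("CN=Certificate Authorities,CN=Public Key Services,"
                "CN=Services,CN=Configuration,{domain_dn}")
CONFIG_NC = "CN=Configuration,{domain_dn}"

# search(base_dn, ldap_filter, attributes) -> list of entries (dicts)
Search = Callable[[str, str, list[str]], list[dict]]


def looks_like_der_certificate(blob: bytes) -> bool:
    """Cheap sanity check on a caCertificate value: an outer DER SEQUENCE whose
    encoded length matches the blob, which rules out empty or truncated values."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    first = blob[1]
    if first < 0x80:                          # short-form length
        return len(blob) == 2 + first
    n = first & 0x7F                          # long form: n length bytes follow
    if n == 0 or len(blob) < 2 + n:
        return False
    length = int.from_bytes(blob[2:2 + n], "big")
    return len(blob) == 2 + n + length


def discover_root_ca(search: Search, domain_dn: str) -> dict:
    """Return where the root CA certificate would come from, in the device's order."""
    base = CA_CONTAINER.format(domain_dn=domain_dn)
    for entry in search(base, "(objectCategory=certificationAuthority)", ["caCertificate"]):
        certs = [c for c in entry.get("caCertificate", []) if looks_like_der_certificate(c)]
        if certs:
            return {"source": "caCertificate", "certificates": certs}
    base = CONFIG_NC.format(domain_dn=domain_dn)
    for entry in search(base, "(objectCategory=pKIEnrollmentService)", ["dNSHostName"]):
        host = entry.get("dNSHostName")
        if host:
            return {"source": "certsrv", "url": CERTSRV_URL.format(host=host)}
    return {"source": None, "error": "Cannot validate server certificate"}


def make_directory(entries: dict) -> Search:
    """Build a fake LDAP search over {(base_dn, filter): [entry, ...]} for the example."""
    def search(base_dn, ldap_filter, attributes):
        return [{a: e[a] for a in attributes if a in e}
                for e in entries.get((base_dn, ldap_filter), [])]
    return search


# Constructed directory states.
DOMAIN_DN = "DC=litwareinc,DC=com"
FAKE_CERT = b"\x30\x82\x01\x00" + b"\x00" * 256   # DER header claiming 256 bytes; not a real certificate

PUBLISHED = make_directory({          # certutil -dspublish was run
    (CA_CONTAINER.format(domain_dn=DOMAIN_DN), "(objectCategory=certificationAuthority)"):
        [{"cn": "Litware Root CA", "caCertificate": [FAKE_CERT]}],
})
AUTOENROLL_ONLY = make_directory({    # object present but attribute empty; AutoEnrollment enabled
    (CA_CONTAINER.format(domain_dn=DOMAIN_DN), "(objectCategory=certificationAuthority)"):
        [{"cn": "Litware Root CA", "caCertificate": [b""]}],
    (CONFIG_NC.format(domain_dn=DOMAIN_DN), "(objectCategory=pKIEnrollmentService)"):
        [{"cn": "Litware Root CA", "dNSHostName": "ca01.litwareinc.com"}],
})
EMPTY = make_directory({})            # neither method can succeed

if __name__ == "__main__":
    for name, directory in (("published", PUBLISHED), ("autoenroll", AUTOENROLL_ONLY), ("empty", EMPTY)):
        print(name, discover_root_ca(directory, DOMAIN_DN))
```

Running the three constructed states shows the same three outcomes an administrator sees in practice: a published caCertificate is used directly, an enrollment service alone sends the device to the certsrv URL over plain HTTP with the user's credentials, and an empty configuration ends in the sign-in error.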

Trusted Authorities

Table 19-14 lists the public certificates that are trusted by Communicator Phone Edition.

Table 19-14. Public Certificates

VENDOR      CERTIFICATE NAME                                    EXPIRATION DATE   KEY LENGTH
Comodo      AAA Certificate Services                            12/31/2020        2,048
Comodo      AddTrust External CA Root                           5/30/2020         2,048
Cybertrust  Baltimore CyberTrust Root                           5/12/2025         2,048
Cybertrust  GlobalSign Root CA                                  1/28/2014         2,048
Cybertrust  GTE CyberTrust Global Root                          8/13/2018         1,024
VeriSign    Class 2 Public Primary Certification Authority      8/1/2028          1,024
VeriSign    Thawte Premium Server CA                            12/31/2020        1,024
VeriSign    Thawte Server CA                                    12/31/2020        1,024
VeriSign    Comodo                                              1/7/2010          1,000
VeriSign    Class 3 Public Primary Certification Authority      8/1/2028          1,024
Entrust     Entrust.net Certification Authority (2048)          12/24/2019        2,048
Entrust     Entrust.net Secure Server Certification Authority   5/25/2019         1,024
Equifax     Equifax Secure Certificate Authority                8/22/2018         1,024
GeoTrust    GeoTrust Global CA                                  5/20/2022         2,048
Go Daddy    Go Daddy Class 2 Certification Authority            6/29/2034         2,048
Go Daddy    http://www.valicert.com/                            6/25/2019         1,024
Go Daddy    Starfield Class 2 Certification Authority           6/29/2034         2,048
