Friday, August 28, 2015

Allow only the Organiser to record Lync meeting

Recently, someone asked me if it is possible to configure a Lync 2013/Skype for Business environment where only the meeting organizer can record.

Background



The ability for Lync meeting participants to record a meeting is controlled via the CsConferencingPolicy.  The CsConferencingPolicy controls the following settings in relation to recording:

AllowConferenceRecording
This setting controls whether meeting participants, including the organizer, can record.  If the meeting organizer is assigned a CsConferencingPolicy where AllowConferenceRecording is set to $False, no one in the meeting will be able to record, regardless of the CsConferencingPolicy assigned to attendees.  In other words, the AllowConferenceRecording setting in the CsConferencingPolicy applied to the meeting organizer “overrides” the AllowConferenceRecording setting in the CsConferencingPolicy applied to any attendee.
  
AllowExternalUsersToRecordMeeting
This setting determines if external users can record a meeting.  It is applied to the meeting organizer and determines whether meetings created by the organizer will allow external users to record.  In this case, ‘external user’ applies to both “anonymous” as well as Federated attendees.

If a user who is assigned a CsConferencingPolicy with this parameter set to $False joins a meeting whose organizer has it set to $True, that user will be able to record, as long as the user is an “external user”.  Put another way, although Alice may not be allowed to create Lync meetings that allow her or her attendees to record when hosted at her company’s site, if she joins a conference hosted at a Federated partner’s site, she will be able to record as long as the meeting organizer has this policy set to $True. If AllowConferenceRecording is $False, this setting is ignored.

EnableP2PRecording
This setting determines whether point-to-point sessions may be recorded.  This setting is based on the CsConferencingPolicy applied to both users.  For example, if Bob and Alice begin a P2P audio and application sharing session, and Alice’s policy allows her to record P2P sessions and Bob’s does not, then Alice will be able to record the session.
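
Before changing anything, it helps to know which policies in the topology actually allow recording and who is granted them. The following is an added example, not code from the original post: it audits the three parameters described above across every conferencing policy and lists the users explicitly granted a per-user policy that permits recording. It assumes a Lync 2013 / Skype for Business Management Shell session; the policy and user names in the output are whatever your topology contains.

```powershell
# Added example (not from the original post): audit recording settings in
# every CsConferencingPolicy and find users granted a policy that allows it.
# Assumes a Lync / Skype for Business Management Shell session.

function Get-RecordingPolicySummary {
    # One row per policy: Global, site policies and per-user ("Tag:") policies
    Get-CsConferencingPolicy | ForEach-Object {
        [pscustomobject]@{
            Identity                          = $_.Identity
            AllowConferenceRecording          = $_.AllowConferenceRecording
            AllowExternalUsersToRecordMeeting = $_.AllowExternalUsersToRecordMeeting
            EnableP2PRecording                = $_.EnableP2PRecording
        }
    }
}

function Get-UsersWithRecordingPolicy {
    # Users explicitly granted a per-user policy whose AllowConferenceRecording
    # is $True. Users with no per-user policy inherit the site or Global policy,
    # so check those rows in Get-RecordingPolicySummary separately.
    Get-CsConferencingPolicy |
        Where-Object { $_.Identity -like 'Tag:*' -and $_.AllowConferenceRecording } |
        ForEach-Object {
            $name = $_.Identity -replace '^Tag:', ''
            # Get-CsUser -Filter accepts the policy name without the "Tag:" scope
            Get-CsUser -Filter "ConferencingPolicy -eq '$name'" |
                Select-Object @{ n = 'Policy'; e = { $name } }, DisplayName, SipAddress
        }
}

# Usage (in the Management Shell):
# Get-RecordingPolicySummary   | Format-Table -AutoSize
# Get-UsersWithRecordingPolicy | Format-Table -AutoSize
```

Because the organizer's policy wins, the rows that matter most for a "nobody can record" outcome are the policies assigned to the people who schedule meetings; a policy with AllowConferenceRecording set to $False on the organizer blocks every attendee regardless of what this audit shows for them.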

If we had AllowOnlyOrganizerToRecord, this blog post would not exist but... we don't. So, what can be done?

When a user signs in, the assigned conferencing policy parameters are sent to the client via in-band provisioning.



As we can see, Bob has a conferencing policy that allows recording (the company does not allow external users to record in any conferencing policy).

Alice is on the same meeting policy as Bob (recording is allowed).


Based on these Lync server-side (policy) settings, when Bob joins Alice's meeting, recording will be allowed for both.

Before I get to the solution, we should also take a look at what exactly happens when a user joins a meeting. There is one component of particular interest: the actual in-band meeting provisioning.

As we saw above, during sign-in the user receives provisioning describing what is allowed for meetings that this user organizes. However, when a user joins a meeting, new provisioning is sent to every participant based on the organizer's policy. That is, if Alice's (the organizer's) policy does not allow recording, then when Bob joins, even though his policy allows recording, Bob cannot record while in Alice's meeting. This provisioning is sent in the INFO header.

Solution


I asked myself: what if I intercept this particular INFO header and override the specific value that is used to "tell" the client whether recording is allowed? It worked! Here is how it is done:


Needless to say, although I verified the functionality with Lync 2013 and Skype for Business Server, it has not been tested under load and there is no guarantee that it will perform well in a large environment.

Installation


1. Download the script from this link.
2. Copy the file (BlockRecording.am) to "E:\Program Files\Skype for Business Server 2015\Server\Core" (or the equivalent path on the drive where the server components are currently installed).
3. In Lync Management Shell, run the following command:

New-CsServerApplication -Identity "registrar:your_pool.contoso.com/BlockRecording" -Uri http://mspl.com/BlockRecording -ScriptName BlockRecording.am -Critical $False -Enabled $True -Priority 7

***If this is an Enterprise Edition pool, the file must be present on all servers.

4. In event viewer, look for event id 30208 (application was registered successfully)
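
To check steps 2 to 4 from the Management Shell instead of by hand, here is an added example (not part of the original post or its script): it reads the registered server application back, confirms the .am file is on disk and looks for event 30208. It assumes the Identity and file path used in the steps above; the "Lync Server" event log name is also an assumption, so adjust it if your servers log elsewhere. The pool-wide variant uses the Computers property of Get-CsPool to run the same check on every Front End, which is what the note about Enterprise Edition pools requires.

```powershell
# Added example (not from the original post): verify the BlockRecording
# server application registration. Assumes the Identity and path used in the
# installation steps; the 'Lync Server' log name is an assumption.

function Test-BlockRecordingApplication {
    param(
        [string]$Identity   = "registrar:your_pool.contoso.com/BlockRecording",
        [string]$ScriptPath = "E:\Program Files\Skype for Business Server 2015\Server\Core\BlockRecording.am"
    )
    $app = Get-CsServerApplication -Identity $Identity -ErrorAction SilentlyContinue
    # Event 30208 is logged when the application was registered successfully
    $event = Get-WinEvent -FilterHashtable @{ LogName = 'Lync Server'; Id = 30208 } `
                          -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Registered    = [bool]$app
        Enabled       = $(if ($app) { $app.Enabled }  else { $false })
        Critical      = $(if ($app) { $app.Critical } else { $null })
        Priority      = $(if ($app) { $app.Priority } else { $null })
        ScriptOnDisk  = Test-Path -LiteralPath $ScriptPath
        Event30208    = [bool]$event
        LastEventTime = $(if ($event) { $event.TimeCreated } else { $null })
    }
}

# Enterprise Edition: the .am file must exist on every Front End, so run the
# same check on each member of the pool.
function Test-BlockRecordingOnPool {
    param([string]$PoolFqdn = "your_pool.contoso.com")
    $servers = (Get-CsPool -Identity $PoolFqdn).Computers
    Invoke-Command -ComputerName $servers -ScriptBlock ${function:Test-BlockRecordingApplication}
}

# Usage:
# Test-BlockRecordingApplication | Format-List
# Test-BlockRecordingOnPool | Format-Table Computer, Registered, Enabled, ScriptOnDisk, Event30208
```

A row with Registered true but ScriptOnDisk false on one pool member is the Enterprise Edition mistake called out above: the application is in the CMS for the whole pool, but that Front End has no script to run.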

 

Test Scenario


Create a new online meeting using an account whose conferencing policy allows recording. When joining with this (organizer) account, the Recording control should be available. Any other user who joins (whether or not that user's conferencing policy allows recording) should not have the Recording control.

Troubleshooting


Follow this link for troubleshooting tips.

Drop me a note if this solution does not work for you.

Monday, July 13, 2015

Skype Meeting Broadcast first impression

Configuring Skype for Business Server for meeting support requires careful planning for both configuration and bandwidth. Natively, conferencing is pre-configured (from a policy perspective) for a maximum of 250 participants, where all modalities are offered. It is my personal opinion that even with properly scaled Front End pools, 250 participants is still too many. Too often I see users sharing their desktop to show PowerPoint or any other content, something that leads to a very unpleasant end-user experience. And... "regular" users do not schedule meetings of such scale; it is always senior managers who conduct large meetings.

On-premises deployments also offer "Large Meeting" support. Large meetings have the following characteristics: https://technet.microsoft.com/en-us/library/jj204894(v=ocs.15).aspx


  • The meeting format is a one-to-many presentation.
  • One or a few users are presenters, and everyone else participates only as attendees.
  • PowerPoint presentation sharing is the main data collaboration activity.
  • Audio is required and video may also be used.
  • A dedicated person, generally either the meeting organizer or an assistant to the organizer, sets up the meeting well in advance.
  • Dedicated staff (not the presenters) runs the meeting, including connecting to an online meeting, verifying that audio, video, and slide sharing work, managing lobby and user roles, muting and unmuting participants, taking questions, and managing recordings, as appropriate.
From a deployment perspective, Large Meetings require a dedicated Front End pool where no other modalities are hosted. That is, no "regular users" are homed on the dedicated pool. Also, only one meeting with up to 1,000 participants may be conducted at any time per dedicated pool. How to set up support for Large Meetings is described here: https://technet.microsoft.com/en-us/library/jj205074(v=ocs.15).aspx

With the evolution of the Microsoft Cloud, we can now offer our CEO meetings of up to 10,000 (yes, ten thousand) participants, who can attend in a browser on practically any device. How about that!

Needless to say, the Broadcast Meetings service is available only if you have an online tenant and you are running a Hybrid configuration.

Environment configuration


The steps to prepare the environment for Broadcast Meetings are defined here: https://technet.microsoft.com/en-us/library/mt243953.aspx


  1. Add a new Hosting Provider
  • New-CsHostingProvider -Identity LyncOnlineResources -ProxyFqdn sipfed.resources.lync.com -VerificationLevel AlwaysVerifiable -Enabled $True -EnabledSharedAddressSpace $True -HostsOCSUsers $True -IsLocal $False
  2. Add three new SIP Federated Domains
  • New-CsAllowedDomain -Identity "noammeetings.lync.com"
  • New-CsAllowedDomain -Identity "emeameetings.lync.com"
  • New-CsAllowedDomain -Identity "apacmeetings.lync.com"

Scheduling


Scheduling is really easy.

  

Configure the details


 Add users who will conduct the meeting




Select participants. At present, we have two options ("Anyone from my company" is coming soon) - Anonymous, where anyone that knows the link can join...



...and Secure (Individuals identified by email address or distribution group - both from our company).



Lastly, we can customize some options




Our Skype Broadcast Meeting is now scheduled. All I need now is to copy the Event link and distribute it to the participants.

Experience


After I clicked the meeting link, I was asked to log in with my AD credentials via ADFS...

...and after authentication, I am presented with this screen



Looks like a plugin is (once again) required.







***It appears that the "Event Team" - people who will manage the meeting must have Lync/Skype4B client in order to join as Meeting Manager ("Your event team consists of presenters, producers, organizers, moderators and anyone else you trust to have control of the broadcast").

Because I do have the Lync client on the computer I joined from, the client was used and I got the familiar Skype meeting interface. I was able to join prior to the scheduled time! This, of course, makes sense because presenters/organizers must be able to upload and validate the content and the functionality of the meeting. Attendees, however, will use a web browser only.



I uploaded a PowerPoint presentation



If an attendee joins ahead of time, the following screen is presented.


Once an Event Team member clicks Start Broadcast...



...the attendees will see the content.




My overall experience was excellent. Meeting scheduling was easy, the interface intuitive and took literally 2 minutes to complete.

Event Team members will manage the meetings from a familiar Skype4B client interface and use familiar controls.

As for the attendee's experience, one word - cannot be simpler than that. Click and attend.

Great work, Microsoft/Skype team!

Tuesday, June 30, 2015

KEMP LoadMaster as Reverse Proxy for Lync/Skype4B Server



In this article I will show how to configure a KEMP LoadMaster HLB to act as Reverse Proxy for Lync / Skype for Business Server.

The topic of Reverse Proxy has always been the “weakest link” in the entire Lync/Skype4B installation journey, for two reasons. First, people have a hard time grasping the basic concept of why a Reverse Proxy is necessary, and second, what solution to use. Let’s take on each topic.

Reverse Proxy


Lync (Front End and Director roles) has two web sites: Internal and External.


In Topology, the two web sites are bound to different ports


There is a good reason for that: a request for a web service might come from inside (LAN) or outside (Internet) and the server must respond accordingly. Think about meeting join: when we click the Join Lync/Skype Meeting link, a DNS query for meet.contoso.com is made and an IP address is returned, either internal or public depending on which DNS we query. Based on our location, the server will “answer” with the internal or external pool web services FQDN where the meeting will be hosted, and we will join the meeting. So, the only way to “let” the server know where we are coming from is to… land on the appropriate web site. We cannot “choose” where to make the request (to the internal site if we are on the LAN or the external site if we are on the Internet). Since in the meeting invite we see only one web link, https://meet.contoso.com/user/meeting (and HTTPS implies port 443), the only way we “land” on port 4443 (where the external site is bound) is to “flip” the traffic arriving on port 443 to port 4443.

One might say: but we can do that on our firewall with port forwarding. While true, it is not recommended for many reasons. To state one: certificates. Think about it: the internal web services are bound to a certificate issued by the internal CA. If we just do port forwarding, the request will be terminated with this internal certificate, and unless the workstation has the internal CA trusted root, and eventually the internal intermediate certificate(s), the SSL request will fail. In this case, how can someone join a meeting from a non-corporate laptop? Simple answer: they cannot.

So, to recap: the Reverse Proxy is the place where we terminate the SSL request with a public certificate, “flip” the port from 443 to 4443 and “proxy” the connection to the Lync server. The server replies to the RP on port 4443, the RP “flips” the port back to 443 and replies to our request.

What software to use as Reverse Proxy


There are many "solutions" out there. I must emphasize one thing: always use a product from this list: https://technet.microsoft.com/en-us/office/dn788945. Only qualified products are thoroughly tested, and any future Lync/S4B Cumulative Update and/or product update will be aligned and validated prior to release. I have seen many cases where a non-qualified product is updated and some or all functionality is broken, causing grief for both users and administrators.


Kemp LoadMaster



As I said in the beginning, this article is about KEMP. The primary reason: as of now, Kemp Technologies offers a free LoadMaster: http://freeloadbalancer.com. Don’t be confused by the name “load balancer”: every HLB can act as a reverse proxy, and this is what we will do today.

First, of course, we need to register for KEMP ID. We will use this ID later to license the appliance and unlock the features. Once done, we are taken to the Download page.



Here, for this exercise, I will use the VMware OVF, but KEMP offers virtual appliances for many different platforms.


While deploying the OVF template, make sure the network adapter is mapped to your DMZ subnet.


Here are the original settings after the VM was added. Note that both network adapters are on the DMZ.


We want the second network adapter on our server network


We are now ready to power the VM


As we see, the VM is configured with default IP 192.168.1.101, user name - bal and password - 1fourall.


Before we access the appliance via web browser, let's do some initial configuration. Login to the console with the default credentials. Change the IP address (if you wish to do so). I will use 192.168.1.111


Configure default gateway


and DNS



We are now ready to complete the configuration via web browser.



Accept the EULA, on the next screen select “Free LoadMaster” and click Allow.



Now we are taken to the licensing screen. Here we will use our KEMP ID.





We must change the password.


...and now our KEMP is licensed and features are unlocked.

Configuration


There are three steps involved: install Templates (for automatic configuration), install the public certificate (to provide connectivity to non-corporate devices) and configure the Virtual Service (the actual Reverse Proxy).

KEMP Templates

When it comes to Lync web services and HLB/RP, we have very specific requirements that must be fulfilled. The list can be found here: https://technet.microsoft.com/en-us/library/jj656815%28v=ocs.15%29.aspx?f=255&MSPPError=-2147217396

From my past experience, I can tell you that 99% of the issues were around missing/misconfigured parameters. Luckily for us, KEMP does offer so-called Templates: http://kemptechnologies.com/loadmaster-documentation/#c7842 which, when used, will configure your new Virtual Service with all parameters as per TechNet. We will see this in the next step.

Download Lync 2013 Templates http://kemptechnologies.com/files/assets/templates/Lync2013.tmpl to your computer. In KEMP GUI, navigate to Virtual Services -> Manage Templates





Browse to the file we downloaded on the previous step and click Add New Template




As we can see, we have templates for all possible scenarios in which this virtual appliance can be used in our Lync environment.

Certificates


As I mentioned above, we will configure the Reverse Proxy to serve requests from the Internet, so we need to configure KEMP with a public certificate that mobile devices will trust. I will use a wildcard certificate for my domain issued by DigiCert. I already have the certificate exported in .pfx format (private key included).

In KEMP, navigate to Certificates -> SSL Certificates



Click Import Certificate



Browse to the .pfx file, enter password and make sure Certificate Identifier is one word (KEMP does not like white spaces) and Save.



***Next step is very important. Since this certificate is issued by Public Authority, we must also import any intermediate certificates that could be in the certificate chain. To do so, open the certificate in MMC and go to Certification Path tab. Here we see one Intermediate and one root – both must be imported.



I will find the root and the intermediate in my Local Computer certificate store and export them in Base-64 encoded format (DER will not work on KEMP). Then I will import them by clicking the Add Intermediate button. Here is the final result




Configuring Virtual Service

In the initial configuration steps I have configured the appliance with IP address from DMZ. However, the Virtual Service must be able to connect to our Real Servers and so, I must configure the second virtual NIC with IP from the server subnet.

Go to System Configuration, Interfaces, eth1 and configure IP address/Subnet (don't forget to click Set Address)



Now we can create a new virtual service using a Template. Navigate to Virtual Service, Add New. Give it an IP address, select Lync Reverse Proxy 2013 from the “Use template” drop-down menu and click “Add this Virtual Service”. The IP address is any available IP on our DMZ network. At the end, this DMZ VS IP will be mapped 1:1 to a public IP address.




You will be taken to the configuration screen for the 443 service (there was one more for port 80 which we don’t see right now) where we will complete the configuration.



What’s left is to configure the service with certificate and add the Lync servers. Expand SSL Properties, highlight the certificate you want to assign and move it to the “Assigned Certificates”. Don’t forget to click Set Certificates button or the change will not be applied.



Expand “Real Servers”



Click “Add New” and enter the IP address of the Lync server, make sure the Port is set to 4443 (remember, we have to hit the External web site which runs on 4443) and click “Add This Real Server” button.



 Repeat for all servers in your pool if you have EE pool.

Now click View/Modify Services on left...


...and you should see the Status as Up (green). This indicates that the Virtual Service connected to the Lync servers and it is ready to go.


The service for port 80 is Down (red) because we have not added "real Servers" yet. Click Modify under Action column, Add New under Real Servers...



...add the IP addresses of the Lync servers again (make sure Port is set to 8080)


and the final result should be - all Green.


That's all, folks. Really! Configure your NAT, Firewall and DNS and test your new Reverse Proxy. I guarantee it will work.
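
Two checks for that final test, as an added example that is not part of the original article or of KEMP's own tooling. Get-CsWebServicePorts runs in the Management Shell and confirms that the external web site really listens on 4443 and 8080, the Real Server ports used above. Test-ReverseProxyTls runs from any Windows machine on the Internet side and reports the certificate the Reverse Proxy presents and whether Windows accepted its chain. meet.contoso.com is the placeholder name from the article; replace it with your own simple URL.

```powershell
# Added example (not from the original article): post-configuration checks.
# Assumes the Lync / Skype for Business Management Shell for the first
# function and plain Windows PowerShell for the second.

function Get-CsWebServicePorts {
    # Internal vs. external listening ports for every web services role;
    # External HTTPS should be 4443 and External HTTP 8080 to match the
    # Real Servers configured on the KEMP Virtual Services.
    Get-CsService -WebServer |
        Select-Object Identity, ExternalFqdn,
                      ExternalHttpsListeningPort, ExternalHttpListeningPort,
                      InternalFqdn, InternalHttpsListeningPort, InternalHttpListeningPort
}

function Test-ReverseProxyTls {
    param(
        [string]$HostName = "meet.contoso.com",   # placeholder simple URL host
        [int]$Port = 443
    )
    # The validation callback records the policy errors instead of failing, so
    # we can report what a client without our internal CA would experience.
    $policyErrors = @{ Value = $null }
    $callbackScript = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $policyErrors.Value = $sslPolicyErrors
        return $true
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]$callbackScript

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)   # sends SNI for $HostName
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        [pscustomobject]@{
            HostName     = $HostName
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            Protocol     = $ssl.SslProtocol
            PolicyErrors = $policyErrors.Value
            ChainTrusted = ($policyErrors.Value -eq [System.Net.Security.SslPolicyErrors]::None)
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Usage:
# Get-CsWebServicePorts | Format-Table -AutoSize
# Test-ReverseProxyTls -HostName "meet.contoso.com" | Format-List
```

If the Issuer shows your internal CA, the traffic is still reaching the internal web site (the port-forwarding mistake described earlier) rather than being terminated on KEMP. One caveat on the chain check: Windows can download a missing intermediate on its own, so a ChainTrusted result from a Windows machine does not prove the intermediate was imported on KEMP; mobile devices, which the intermediate import is meant for, generally will not do that, so test from one of those too.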

If or when time permits, I will show you how you can use KEMP to serve multiple services with one IP address. In my lab I use it for Exchange, two EE pools and one SE Lync pool, ADFS and more, all with one single IP address.