Configuring your Environment for the Microsoft Phone Edition (Tanjay) (OCS)
This is for informational purposes only.
At a minimum you will need to have the following configured on your network in order for the Tanjay to connect:
- DNS
- DHCP
- NTP
- Certificate Service registered in AD
DNS
The DNS zone for the domain containing your Tanjay device must have the following records:
1. A records for the names the Tanjay uses to reach the SIP service; for example:
(internal access) sipinternal.yourDomain.com -> IP address of the internal OCS server (Standard Edition server, or the pool/pool VIP)
(external access) sip.yourDomain.com -> IP address of the Access Edge Server (Access Proxy), published in the external DNS zone
2. A UDP SRV record for the NTP service (stored under yourDomain.com/_udp); for example:
_ntp._udp.yourDomain.com  port 123  target: NTPServerFQDN
3. SRV records for OCS service discovery internally. The Tanjay only signs in over TLS, so the _sipinternaltls record is the one it actually uses; _sipinternal serves clients that are allowed to fall back to plain TCP:
_sipinternaltls._tcp.yourDomain.com  port 5061  target: <FQDN of SIP Server (Director or OCS Server, pool or pool VIP)>
_sipinternal._tcp.yourDomain.com     port 5060  target: <FQDN of SIP Server (Director or OCS Server, pool or pool VIP)>
4. SRV records for OCS service discovery externally (for remote access), created in the public DNS zone and pointing at the external FQDN of the Access Edge Server:
_sip._tls.yourDomain.com  port 443   target: <external FQDN of the Access Edge Server>
_sip._tcp.yourDomain.com  port 5060  target: <external FQDN of the Access Edge Server>
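The following check script is an added example and is not part of the original guide. It resolves each record listed above against your internal DNS server and reports whether the name exists and the SRV port is what the device expects, then probes the NTP target that the SRV record names. It assumes the DnsClient module (Windows 8 / Server 2012 or later); the SIP domain and DNS server address are placeholders to replace with your own.

```powershell
# Added example, not from the original guide: verify the DNS records a Tanjay needs.
# Requires Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 or later).
param(
    [string]$SipDomain = 'contoso.com',   # assumption: your SIP domain
    [string]$DnsServer = '10.0.0.10'      # assumption: internal DNS server to query
)

function Get-Records {
    param([string]$Name, [string]$Type)
    try {
        Resolve-DnsName -Name $Name -Type $Type -Server $DnsServer -ErrorAction Stop |
            Where-Object { $_.Type -eq $Type }   # drop the A records returned in the additional section
    } catch { @() }
}

function Test-ARecord {
    param([string]$Name)
    $rec = Get-Records -Name $Name -Type 'A'
    if (-not $rec) { return "MISSING  A    $Name" }
    "OK       A    $Name -> $($rec.IPAddress -join ', ')"
}

function Test-SrvRecord {
    param([string]$Name, [int]$ExpectedPort)
    $rec = Get-Records -Name $Name -Type 'SRV'
    if (-not $rec) { return "MISSING  SRV  $Name" }
    $wrong = @($rec | Where-Object { $_.Port -ne $ExpectedPort })
    if ($wrong.Count -gt 0) {
        return "CHECK    SRV  $Name -> $($wrong[0].NameTarget):$($wrong[0].Port) (expected port $ExpectedPort)"
    }
    "OK       SRV  $Name -> $($rec[0].NameTarget):$($rec[0].Port)"
}

# Internal records the device needs before it can even find a domain controller or sign in.
Test-ARecord   -Name "sipinternal.$SipDomain"
Test-SrvRecord -Name "_sipinternaltls._tcp.$SipDomain" -ExpectedPort 5061
Test-SrvRecord -Name "_sipinternal._tcp.$SipDomain"    -ExpectedPort 5060
Test-SrvRecord -Name "_ntp._udp.$SipDomain"            -ExpectedPort 123

# A resolvable NTP SRV record is not enough: the target must answer on UDP 123,
# otherwise the phone cannot validate certificate dates. w32tm reports an error if it does not.
$ntp = Get-Records -Name "_ntp._udp.$SipDomain" -Type 'SRV'
if ($ntp) {
    $target = $ntp[0].NameTarget
    w32tm /stripchart "/computer:$target" /samples:1 /dataonly
}
```

Run the same Test-SrvRecord calls for _sip._tls (port 443) and _sip._tcp (port 5060) with -Server pointed at a public resolver to confirm the external records, since those live in the public zone and internal DNS will normally not see them.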
DHCP
Starting with build 421 running against an OCS 2007 RTM server, the Tanjay supports DHCP Option 119 (DNS Search List). It lets an administrator hand out a list of DNS suffixes to try when the default DNS domain name from DHCP Option 015 does not lead to a valid domain controller; the Tanjay appends each suffix in turn to form a candidate FQDN until one resolves.
To enable DHCP Option 119:
- From DHCP Administrator, right click DHCP server name and select Set Predefined Options
- Leave Option class: as DHCP Standard Options and click Add
- For Name: enter DNS Search List, set Code: to 119 and Data Type to String, leave the Array check box unchecked (it is not an array) and click OK
- Right click Scope Options, select Configure Options, check Option 119 DNS Search List
- In the Value section in the String list box, enter a list of domain suffixes in your organization delimited by a semi-colon
Example: contoso.com;dev.contoso.com;corp.contoso.com
- Click OK to close the Predefined Options and Values page
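The same configuration done from PowerShell, as an added example that is not part of the original guide. It uses the DhcpServer module (Windows Server 2012 or later) rather than the MMC steps above; the server name, scope ID and suffix list are assumptions. One caveat worth knowing: RFC 3397 defines option 119 in DNS label wire format, whereas the plain semicolon-delimited string defined here is what the Tanjay firmware described in this guide expects, so do not assume other DHCP clients on the same scope will parse it.

```powershell
# Added example, not from the original guide: DHCP Option 119 via the DhcpServer module.
$DhcpServer = 'dhcp01.contoso.com'   # assumption: your DHCP server
$ScopeId    = '10.0.0.0'             # assumption: the scope the phones sit in
$Suffixes   = 'contoso.com;dev.contoso.com;corp.contoso.com'   # semicolon-delimited, as the guide requires

# 1. Define option 119 once per server as a plain (non-array) string, only if it is not already defined.
$def = Get-DhcpServerv4OptionDefinition -ComputerName $DhcpServer -OptionId 119 -ErrorAction SilentlyContinue
if (-not $def) {
    Add-DhcpServerv4OptionDefinition -ComputerName $DhcpServer -OptionId 119 `
        -Name 'DNS Search List' -Type String `
        -Description 'DNS suffixes tried by Tanjay when option 15 yields no DC'
}

# 2. Hand out option 15 (default DNS domain) and option 119 (search list) on the scope.
Set-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $ScopeId -OptionId 15  -Value 'contoso.com'
Set-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $ScopeId -OptionId 119 -Value $Suffixes

# 3. Read back exactly what the scope will send, so a typo in the suffix list is caught here
#    rather than as a phone that sits at the boot screen.
Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $ScopeId -OptionId 15,119 |
    Select-Object OptionId, Name, Value
```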
NTP
Reference:
“Configuring the Windows Time service to use an internal hardware clock” in this document:
https://support.microsoft.com/kb/816042/
The NTP server component of the Windows Time service (W32Time) is enabled via Group Policy on the domain object containing the NTP server, using the following steps. Note that a setting in the Default Domain Policy applies to every computer in the domain; if only the designated time server should answer NTP, link a separate GPO to the OU that holds it instead.
- Open Active Directory Users and Computers
- Right click on the domain containing your NTP server and select Properties
- Click the Group Policy tab, make sure the Default Domain Policy is highlighted and click the Edit button
- Expand Computer Configuration, Administrative Templates, System, Windows Time Service
- Click on Time Providers and in the right pane double-click Enable Windows NTP Server, confirm the Enabled radio button is selected and click OK
- From the Group Policy Object Editor menu select File and click Exit
Note: Once you connect your Tanjay device to the network and power it up, the logon display should appear within approximately 2 minutes. If that doesn’t happen confirm that your network connection, DHCP and NTP settings are working properly.
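To confirm the policy above actually took effect before troubleshooting a phone, here is an added check script that is not part of the original guide. It reads the NtpServer provider setting the GPO writes (the policy key wins over the service key when both exist), confirms W32Time is running, forces the service to re-read its configuration, and then probes the server over UDP 123 the way a client would. The server name is an assumption.

```powershell
# Added example, not from the original guide: verify the NTP server is enabled and answering.
$NtpServer = 'dc01.contoso.com'   # assumption: the machine the GPO targets

function Test-NtpServerConfig {
    # The GPO writes the policy key; w32tm honours it over the service key.
    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer'
    $serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer'
    $policy  = (Get-ItemProperty -Path $policyKey  -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $service = (Get-ItemProperty -Path $serviceKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $effective = if ($null -ne $policy) { $policy } else { $service }
    [pscustomobject]@{
        EnabledByPolicy  = ($null -ne $policy)
        NtpServerEnabled = ($effective -eq 1)
        W32TimeRunning   = ((Get-Service -Name W32Time).Status -eq 'Running')
        SyncSource       = (w32tm /query /source)   # a server that is itself unsynchronised serves bad time
    }
}

# Run on the time server itself.
Test-NtpServerConfig | Format-List

# Group Policy changes reach w32tm only after the service re-reads its configuration.
gpupdate /target:computer /force | Out-Null
w32tm /config /update | Out-Null

# Run from any domain member: three offset samples means UDP 123 is open and the provider is on;
# an error here is the same failure the Tanjay sees when it cannot get time.
w32tm /stripchart "/computer:$NtpServer" /samples:3 /dataonly
```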
Certificates
Before it can validate the certificate presented by the OCS server, the Tanjay adds the internal certificate authority to its "Trusted Authorities" store. It obtains that CA certificate from Active Directory, which requires the following two conditions to be in effect:
- Certificate AutoEnrollment is enabled
- The Certification Authorities container in Active Directory contains the internal CA
Enabling certificate AutoEnrollment is done via group policy on the domain object containing the Tanjay device using the following steps:
- Open Active Directory Users and Computers
- Right click on the domain containing your Tanjay device and select Properties
- Click the Group Policy tab, make sure the Default Domain Policy is highlighted and click the Edit button
- Expand Computer Configuration, Windows Settings, Security Settings
- Click on Public Key Policies and in the right pane double-click Autoenrollment Settings, confirm the Enroll certificates automatically radio button is selected and click OK
- From the Group Policy Object Editor menu select File and click Exit
Build 421 and above:
Starting with build 421 the Tanjay still contacts the Certificate Authority when AutoEnrollment is enabled. For companies that do not enable AutoEnrollment, it is now possible instead to publish the CA's .CER file into the Active Directory Certification Authorities container (Figure 5) and have the Tanjay pull the certificate down from there.
To publish the .CER file, run the following command from a domain controller (the account needs permission to write to the Configuration partition, typically Enterprise Admins):
certutil -f -dspublish ".CER file location" RootCA
If you are using a 3rd party certificate, the following table lists the root CAs built into the Tanjay. If your 3rd party vendor's root is on this list, it is not necessary to publish anything related to certificates in Active Directory. Check the expiry date and key length before relying on one: several of these roots are 1024-bit, and most have passed their expiry date since this list was compiled, in which case a chain built on them will not validate on the device.
Vendor | Certificate Name | Expiry Date | Key length
Comodo | AAA Certificate Services | 12/31/2020 | 2048
Comodo | AddTrust External CA Root | 5/30/2020 | 2048
Cybertrust | Baltimore CyberTrust Root | 5/12/2025 | 2048
Cybertrust | GlobalSign Root CA | 1/28/2014 | 2048
Cybertrust | GTE CyberTrust Global Root | 8/13/2018 | 1024
Verisign | Class 2 Public Primary Certification Authority | 8/1/2028 | 1024
Verisign | Thawte Premium Server CA | 12/31/2020 | 1024
Verisign | Thawte Server CA | 12/31/2020 | 1024
Verisign | Secure Server Certification Authority | 1/7/2010 | 1000
Verisign | Class 3 Public Primary Certification Authority | 8/1/2028 | 1024
Entrust | Entrust.net Certification Authority (2048) | 12/24/2019 | 2048
Entrust | Entrust.net Secure Server Certification Authority | 5/25/2019 | 1024
Equifax | Equifax Secure Certificate Authority | 8/22/2018 | 1024
Geotrust | GeoTrust Global CA | 5/20/2022 | 2048
Godaddy | Go Daddy Class 2 Certification Authority | 6/29/2034 | 2048
Godaddy | (certificate name missing in source) | 6/25/2019 | 1024
Godaddy | Starfield Class 2 Certification Authority | 6/29/2034 | 2048
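As an added example that is not part of the original guide, the following script performs the publish step from the "Build 421 and above" section and then shows what the Certification Authorities container actually holds, which is what the device downloads. It decodes each published certificate so you can see subject, expiry, key size and signature algorithm at a glance, and finishes by checking that the certificate your pool presents chains to one of them. It needs the ActiveDirectory module and an account allowed to write to the Configuration partition; the .CER paths are assumptions.

```powershell
# Added example, not from the original guide: publish the internal root CA and inspect the
# Certification Authorities container the Tanjay reads it from.
$RootCaCer  = 'C:\certs\ContosoRootCA.cer'   # assumption: exported root CA certificate
$PoolCer    = 'C:\certs\pool01.cer'          # assumption: certificate exported from the Front End's computer store

# Publish into CN=Certification Authorities in the Configuration partition (-f overwrites an existing entry).
certutil -f -dspublish $RootCaCer RootCA

function Get-PublishedRootCAs {
    $cfg  = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Certification Authorities,CN=Public Key Services,CN=Services,$cfg"
    Get-ADObject -SearchBase $base -SearchScope OneLevel `
                 -Filter 'objectClass -eq "certificationAuthority"' -Properties cACertificate |
    ForEach-Object {
        $name = $_.Name
        # cACertificate is multi-valued; each value is one DER-encoded certificate.
        foreach ($raw in $_.cACertificate) {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
            [pscustomobject]@{
                Container  = $name
                Subject    = $cert.Subject
                NotAfter   = $cert.NotAfter
                Expired    = ($cert.NotAfter -lt (Get-Date))   # an expired root fails validation on the device
                KeyBits    = $cert.PublicKey.Key.KeySize
                SigAlg     = $cert.SignatureAlgorithm.FriendlyName
                Thumbprint = $cert.Thumbprint
            }
        }
    }
}

Get-PublishedRootCAs | Format-Table -AutoSize

# The device only needs the root if the pool's certificate actually chains to it; verify on the DC,
# whose store will have picked up the published root at the next autoenrollment refresh.
certutil -verify $PoolCer
```

Compare the Thumbprint column against the issuing CA's own certificate: if the container holds a stale copy from an earlier CA renewal, the phone will trust the wrong root and still refuse to sign in.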
OCS Settings
To complete the Tanjay boot-up process, certain VOIP properties must be set at the forest level and then mapped to the Front End properties of the pool. The following steps detail the process:
1. Click Start, Programs, Administrative Tools, Office Communications Server 2007, Administrative Tools
2. Right-click Forest, choose Properties and click VOIP Properties
3. Click the Normalization Rules tab; if no Normalization Rules are defined, click the Add button and create one, for example:
Phone Pattern: ^([0-9]{7})$
Translation: +1403$1
Here 403 is my area code; substitute your own.
4. Under the Location Profiles tab click Add, create a Location Profile and add the normalization rule to it
5. Right-click the OCS Pool and choose Front End Properties
6. On the Voice tab, under Location Profile, select the Location Profile you just created as the default location profile
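OCS evaluates normalization rules as .NET regular expressions with $1-style back-references, which is the same engine PowerShell's -replace uses, so a rule set can be tested before it is saved into the Location Profile. The following tester is an added example and is not part of the original guide; the 7-digit rule is the one from step 3, while the other rules and the 403 area code are assumptions for illustration.

```powershell
# Added example, not from the original guide: dry-run OCS normalization rules with the .NET regex engine.
$Rules = @(
    @{ Name = 'Local 7-digit';     Pattern = '^([0-9]{7})$';   Translation = '+1403$1' }      # the guide's rule
    @{ Name = 'National 10-digit'; Pattern = '^([0-9]{10})$';  Translation = '+1$1' }         # assumption
    @{ Name = 'Already E.164';     Pattern = '^\+([0-9]+)$';   Translation = '+$1' }          # assumption
    @{ Name = 'Extension 4-digit'; Pattern = '^([0-9]{4})$';   Translation = '+14035550$1' }  # assumption
)

function ConvertTo-E164 {
    param([Parameter(Mandatory)][string]$Dialed, [array]$RuleSet = $Rules)
    # Strip separators a user may type (assumption: the rule set is written against the bare digit string).
    $digits = $Dialed -replace '[\s\-\(\)\.]', ''
    # Rules are tried in order; the first anchored pattern that matches wins, exactly like the profile.
    foreach ($rule in $RuleSet) {
        if ($digits -match $rule.Pattern) {
            return [pscustomobject]@{
                Dialed = $Dialed
                Rule   = $rule.Name
                Result = ($digits -replace $rule.Pattern, $rule.Translation)
            }
        }
    }
    # Nothing matched: OCS would have no E.164 number to route, so report it rather than guessing.
    [pscustomobject]@{ Dialed = $Dialed; Rule = '(none)'; Result = $null }
}

# Constructed sample input covering a local call, a formatted national call, an E.164 number,
# an extension, and a string no rule accepts.
'555-0123', '(403) 555-0123', '+14035550123', '0123', '5550123456789' |
    ForEach-Object { ConvertTo-E164 -Dialed $_ } | Format-Table -AutoSize
```

Because every pattern is anchored with ^ and $, an over-long or malformed string falls through to "(none)" instead of being mangled by a partial match; drop the anchors and the 7-digit rule would silently rewrite the first seven digits of a national number.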