Lync, Skype and Cisco Telepresence clients in the same video conference!

Late afternoon last Friday (in Europe at least :)), Microsoft released video calling between Lync and Skype. This has been something that a lot of us have been waiting for for quite some time! You can read more about this release here.

To be able to video call a Lync contact from Skype, and vice versa, the following needs to be set up:

  • The Lync environment needs to be federated with Skype – see the Provisioning Guide.
  • The Lync user needs to use the Lync 2013 client.
  • The Lync user has to be enabled for Public Access, and will have to set “Contacts not using Lync” to “Allow invites but block all other communications” or “Allow anyone to contact me” under “Alerts” in the Lync options menu.
  • If set to “Allow invites but block all other communications”, both the Lync user and the Skype user must add each other to their contact lists.
  • Currently it will only work from Skype on a Windows desktop running at least version 7.0.x.100. More Skype clients will be supported in the coming months.

This also brings cool opportunities when using Lync together with, for instance, Acano or Pexip MCU software. This screenshot is from a video conference using the Acano bridge, and here a Skype client, a Lync client and a Lync mobile client are brought together with a Cisco Telepresence room! Pretty awesome! The screenshot is taken from the Skype client.

 

Script – New-CiscoTelepresenceIntegration.ps1

Script to enable routes from Lync to VCS Control.

Edit: After the VCS X7 release, the integration is done a bit differently. I’ll try to get an update to the script out in the near future.

######################################################################################################################################################################################
# New-CiscoTelepresenceIntegration.ps1
#
# Adds config in Lync 2010 for integration with Cisco Telepresence (Tandberg)
#
# Can optionally write logs to file or screen using -verbose and/or -logFile inputs
#
# e.g.
# Clean Lync installation
# .\New-CiscoTelepresenceIntegration.ps1 -vcscfqdn vcsc011.contoso.com -lsfepool lspool01.contoso.com -CTPSipDomain video.contoso.com -logFile "c:\logfile.txt"
#
# Coexisting with OCS 2007 R2
# .\New-CiscoTelepresenceIntegration.ps1 -coexistence $true -r2pool r2pool01.contoso.com -lsfepool lspool01.contoso.com -CTPSipDomain video.contoso.com -logFile "c:\logfile.txt"
#
# Migration from OCS 2007 R2 to Lync
# .\New-CiscoTelepresenceIntegration.ps1 -hascoexisted $true -vcscfqdn vcsc011.contoso.com -lsfepool lspool01.contoso.com -CTPSipDomain video.contoso.com -logFile "c:\logfile.txt"
#
# Important:
# This will delete any existing static routes created ! Do not run the script with hascoexisted = $true if you have added manual routes other than OCS/Lync/CTP integration
#
# Written by Tom-Inge Larsen (www.codesalot.com), Peder Saether and Trond Egil Gjelsvik-Bakke
# Based on config made by Marjus Sirvinsks (marjuss.wordpress.cm)
#
#######################################################################################################################################################################################
param($logFile,$coexistence=$false,$hascoexisted,$CTPSipDomain,$lsfepool,$r2pool,$vcscfqdn)
if ($logFile -ne $null) {
    $a = "Steps made to enable integration with Cisco Telepresence: `n"
    Out-File -FilePath $logfile -InputObject $a
}

if ($lsfepool -eq $null) {
    $lsfepool = Read-Host "Please enter Lync Front End pool FQDN."
}

if ($CTPSipDomain -eq $null) {
    $CTPSipDomain = Read-Host "Please enter the SIP domain in the Cisco Telepresence environment."
}

if ($coexistence -eq $false) {
    #Change encryption level if SRTP option is not available for VCS
    $mediaconfiguration = get-csmediaconfiguration
    $requireencryption = ($mediaconfiguration.EncryptionLevel -eq "RequireEncryption")
    if ($requireencryption) {
        write-warning "This will set the media encryption level to Support Encryption. Are you sure you want to do this? (y/n)"
        $confirmation = Read-Host

    } else {
        $confirmation = 'y'
    }
    switch ($confirmation) {
        'y' {
            set-CsMediaConfiguration -EncryptionLevel supportencryption

            $registrarid = "service:registrar:"+$lsfepool
            $trustedappregistrar = "Registrar:"+$lsfepool

            if ($hascoexisted -eq $true) {
                Remove-CsStaticRoutingConfiguration -Identity $registrarid
            }

            if ($vcscfqdn -eq $null) {
                $vcscfqdn = Read-Host "Please enter the FQDN for the VCS Control"
            }

            #Establish trust
            $applicationpooladded = $true
            New-CsTrustedApplicationPool -Identity $vcscfqdn -Registrar $trustedappregistrar -site 1 -RequiresReplication $false -ThrottleAsServer $true -TreatAsAuthenticated $true -force

            New-CsTrustedApplication -ApplicationID "CiscoTelepresenceDirectSIP" -TrustedApplicationPoolFqdn $vcscfqdn -Port 5061

            #Create static routes if needed

            if ($hascoexisted -eq $true) {
                New-CsRegistrarConfiguration -Identity $registrarid
            }

            New-CsStaticRoutingConfiguration -identity $registrarid

            $route = New-CsStaticRoute -TLSRoute -destination $vcscfqdn -port 5061 -matchuri $CTPSipDomain -usedefaultcertificate $true

            Set-CsStaticRoutingConfiguration -identity $registrarid -route @{Add=$route}

            Enable-CsTopology
        }
        'n' {
            Write-Warning "No change was made to the topology. Media Encryption Level must be set to Support Encryption"
            if ($logFile -ne $null) {
                $a = "No change has been made. `n"
                Out-File -FilePath $logfile -InputObject $a -Append
            }
        }
    }
}

else {

    # If we coexist with R2, we might want to route all traffic via R2 FE, to possibly avoid
    # compromising security with deployments using TCP or if Lync is only intended as a
    # pilot.

    if ($r2pool -eq $null) {
        $r2pool = Read-Host "Please enter OCS 2007 R2 Front End pool FQDN."
    }

    $registrarid = "service:registrar:"+$lsfepool

    New-CsRegistrarConfiguration -Identity $registrarid
    New-CsStaticRoutingConfiguration -identity $registrarid

    $route = New-CsStaticRoute -TLSRoute -destination $r2pool -port 5061 -matchuri $CTPSipDomain -usedefaultcertificate $true
    Set-CsStaticRoutingConfiguration -identity $registrarid -route @{Add=$route}

    Enable-CsTopology
}

if ($logFile -ne $null) {

    $a = "Route added: `n"
    Out-File -FilePath $logfile -InputObject $a -Append
    Get-CsStaticRoutingConfiguration $registrarid | Select-Object -ExpandProperty Route | Where-Object {$_.MatchUri -eq $CTPSipDomain} | Out-File -FilePath $logfile -Append
    if ($applicationpooladded -eq $true){
        $a = "`nTrusted Application Pool added:`n"
        Out-File -FilePath $logfile -InputObject $a -Append
        Get-CsTrustedApplicationPool $vcscfqdn | Out-File $logfile -append
    }
    $a = "`nRegistrar added:`n"
    Out-File -FilePath $logfile -InputObject $a -Append
    Get-CsStaticRoutingConfiguration $registrarid | Out-File $logFile -append

    if ($confirmation -eq 'y') {
        $a = "`nMedia encryption level was already set to or was set to Support Encryption.`n"
        Out-File -FilePath $logfile -InputObject $a -Append
    }

    Write-Host "Logfile: " $logFile "is written."
}

Cisco VC Dialer

Getting my new iPad this weekend, I got to try the Cisco (Tandberg) VC Dialer from Sping BV on some of my endpoints. It seems to be working perfectly! It is basically an app that can dial any number from any MXP, C, EX or E series endpoint. You can get it from the AppStore, search for VC Dialer (it is an iPhone app originally). The app is free for a limited number of downloads, after which it will be priced at €4.99.

[Screenshots: the dialer screen, last calls screen, choose endpoint, add endpoint screen]

You need to be able to reach the endpoints over HTTP (or HTTPS?), and you need the admin password of the endpoint to be able to control it.

You can only make calls and hang up with the app, it is not a full remote control of the endpoint, but I can still see uses for this.

Creating certificates for Codian MCUs

If you want to use HTTPS (without the annoying browser certificate warnings) or MTLS with a Codian MCU, you’ll need to install a certificate on the MCU.

Remember that you’ll need the “Encryption” release key to enable SSL in any form. This is a free key that can be ordered from TAC.

Under Network -> SSL certificates, you’ll find this screen:

[Screenshot: Certificate config]

So we need to provide a certificate and a private key corresponding to the certificate, which means that we need to create a CSR and import both the key and the certificate to the MCU.

I’ll show how to do this using OpenSSL and a Windows CA. If there is an OCS/Lync implementation in the environment, you could use the wizard to create the cert, but you would have to split it up with something like OpenSSL afterwards anyway, so the easiest thing is just to create it all with OpenSSL.

OpenSSL can be found for almost any platform; I use OpenSSL for win32.

Create the CSR

Use this command to create the CSR:

openssl req -new -newkey rsa:2048 -nodes -out <name_of_the_cert>.csr -keyout <name_of_the_key_file>.key -subj "/C=<countrycode>/ST=<state>/L=<City>/O=<Organisation>/OU=<Organisational Unit>/CN=<fqdn.of.mcu>"

Replace all the <variables> with the correct values.

This should create two files, <name_of_the_cert>.csr and <name_of_the_key_file>.key, and place them in the directory where you run the command.

Create the cert

Copy the .csr file to the CA. In a cmd window, navigate to the folder you copied the .csr to and run:

certreq -submit -attrib "CertificateTemplate: WebServer" <name_of_the_cert>.csr

If the CA is configured to issue certs automagically, you should be asked where to save the .cer. If not, you’ll have to open the CA MMC snap-in and issue the cert manually.

Add the cert to the MCU

Back on the MCU, browse to the .cer in the Certificate field and the .key in the Private Key field. Leave the password field empty. Restart the MCU and you should be good to go.

Creating a trust store

The trust store to be uploaded needs to be in .pem format. Export the root certificate you need to trust to a DER encoded file (normally .cer) and run the following command:

openssl x509 -inform der -in <rootcert>.cer -out <rootcert>.pem

<rootcert>.pem can be uploaded as the trust store. 
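Before uploading, it is worth confirming that the .key really belongs to the issued .cer, that the key is unencrypted (the password field is left empty), and that the converted .pem is the same root certificate as the DER export. The script below is an added example, not part of the original post; the file names, subjects and the throwaway self-signed root standing in for the Windows CA are all constructed for the demonstration.

```sh
#!/bin/sh
# Added example: checks to run before uploading files to the MCU.
# File names and subjects are constructed; a throwaway root stands in for the Windows CA.

# True when key ($1) is unencrypted and holds the same public key as certificate ($2).
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Prints the SHA-256 fingerprint of a certificate; $2 is its encoding (der or pem).
cert_fingerprint() {
    openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha256 2>/dev/null
}

# True when the PEM trust store ($2) is the same certificate as the DER export ($1).
truststore_matches_root() {
    der=$(cert_fingerprint "$1" der) || return 1
    pem=$(cert_fingerprint "$2" pem) || return 1
    [ -n "$der" ] && [ "$der" = "$pem" ]
}

# Builds constructed sample files in a temp directory and prints its path.
make_demo_files() {
    d=$(mktemp -d) || return 1
    # CSR and unencrypted key, created with the command shown on this page.
    openssl req -new -newkey rsa:2048 -nodes -out "$d/mcu.csr" -keyout "$d/mcu.key" \
        -subj "/C=NO/O=Example/CN=mcu.example.test" >/dev/null 2>&1 || return 1
    # Throwaway self-signed root that issues the certificate (demo stand-in for the CA).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$d/ca.key" \
        -out "$d/ca.pem" -subj "/CN=Demo Root CA" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$d/mcu.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/mcu.cer" >/dev/null 2>&1 || return 1
    # Root exported as DER, then converted to PEM with the page's trust store command.
    openssl x509 -in "$d/ca.pem" -outform der -out "$d/root.cer" || return 1
    openssl x509 -inform der -in "$d/root.cer" -out "$d/root.pem" || return 1
    echo "$d"
}

dir=$(make_demo_files) || exit 1
key_matches_cert "$dir/mcu.key" "$dir/mcu.cer" && echo "key matches certificate"
truststore_matches_root "$dir/root.cer" "$dir/root.pem" && echo "trust store matches root"
rm -rf "$dir"
```

With real files, call key_matches_cert and truststore_matches_root directly on the .key, .cer and .pem you are about to upload.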

Lync and VCS

My excellent colleague Marjus has done some testing with VCS and Lync integration!

Read his post here.