Configure Lync 2010 voice using a SIP gateway and an uncertified SIP trunk, step-by-step – Part 2

This post picks up right where part 1 of this series ended, so we will jump right into it. We will cover PSTN Gateway configuration, Trunk configuration, Normalization Rules and Voice Routes.

PSTN Gateway

Head over to your Lync Server 2010 and open Lync Server Topology Builder, then choose Download Topology from existing deployment and click Ok.

ix7825

Choose a location and enter a name for your topology file and then click Save.

ix7826

Expand Mediation pools and then click Edit Properties… in the Actions pane.

ix7827

Select New to create a PSTN gateway.

ix7828

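Enter the FQDN or IP address for your gateway, make sure the transport is set to TCP (we configured TCP in the Intertex IX78 in the previous post) and change the default port to 5060. SIP over TCP is not encrypted, so the signaling between the Mediation Server and the gateway travels in clear text on that network segment. When finished click Ok.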

ix7829

Make sure that the gateway is listed under The following gateways are associated with this mediation server and then click Ok.

ix7830

Go ahead and publish your new topology. I will not cover the publishing in this post, instead we will continue with configuring our trunk.

Trunk Configuration

Open the Lync Server Control Panel, navigate to Voice Routing, Trunk Configuration and click New.

ix7831

Make sure your settings match mine and then create a translation rule by clicking New.

ix7832

I will create a Translation Rule that looks for the +00 prefix and makes sure that the number is more than 3 digits long, then it replaces 0 digits (in other words it does not replace anything). We will use Normalization Rules to make sure that the dialed numbers have an ok syntax. When finished click Ok to save our Translation Rule.

ix7834

Take a quick look at the configured settings and then click Ok to save your Trunk configuration.

ix7835

 

Normalization Rules

Normalization rules define how phone numbers expressed in various formats are to be routed for the named location. It is a way of forming an E.164 number from the number dialed by a Lync Server 2010 user. It is necessary for call routing because users may dial numbers in various formats.

I will list all my 5 Normalization Rules, you might not need all of them but this is what works for me in my lab in Sweden. Feel free to add a comment if you need help with forming these rules, it can be quite tricky. More information regarding Normalization Rules can be found here and here.

Navigate to Voice Routing and Dial Plans and open your Global Dial Plan.

ix7836

In my example you can see the 5 Normalization Rules that I use for my lab environment. Create a new rule by clicking New.

ix7837

This rule initiates on the starting digits 00, it does simply that and nothing more. The reason for this is that I want to normalize all numbers to include both country code and area code, for example 0046855566677. I would recommend you to try different Normalization Rules until you have a combination of rules that fits your needs and demands.

ix7838

To make sure that your rule works you can test it before clicking Ok and saving it. If I enter a number that I believe should match the rule and then click Go it should display the normalized number in green.

ix7839

My next Normalization Rule initiates if a number starts with a single 0 and is at least 1 digit long. In Sweden our area codes start with a single 0. Then it adds the prefix 0046 to make it a standard Swedish number including the country code.

ix7840

When I enter a number with Stockholm’s area code it should normalize it to a number that has the leading 0 removed and the prefix for the Swedish country code added.

ix7841

My next Normalization Rule initiates on any number starting with one of the digits 1 to 8. A local number in Sweden can start with any of those digits. It must also be at least 5 digits long since no telephone number in Sweden has fewer than 5 digits. Then it adds the country code for Sweden and the area code for Stockholm.

ix7842

And when I test this rule with a local number it should add a prefix of 00468.

Note: This Normalization Rule assumes that this server is placed in Stockholm and that all numbers missing an area code are meant for Stockholm.

ix7843

This next rule initiates based on the starting character +, as in +46855566677. It then removes the + and adds 00.

ix7844

And when tested it does exactly that…

ix7845

And last but not least, this rule initiates when the number starts with 33 and is exactly 3 digits long. This indicates that it is a local number and it should not be normalized in any way.

ix7846

When tested it does seem to match, note that I have also checked Internal Extension.

ix7847

When you have added all your Normalization Rules you can make more tests if you want and then click Ok to save your Dial Plan.

ix7848

I am by far no expert in normalization rules. If you have any thoughts on the rules I use please feel free to post a comment or contact me and I will be happy to optimize my lab.

Route Configuration

Our final step towards a working Lync Server 2010 voice implementation is to configure routing. A Voice Route looks for a specific pattern in numbers and then decides which gateway the call will be routed to. Navigate to Voice Routing and then Route. Click New to create a new route.

ix7849

Give the Voice Route a Name and then add the pattern that you want this route to match. In my case I have normalized everything that is supposed to leave the Lync Server so that it starts with 00, so I add 00. In your case this might differ depending on your Normalization Rules.

ix7850

The next step is to add an Associated gateway. Click on Add to open the gateway selection.

ix7851

Search for and select the gateway you would like to add and then click Ok to save your selection.

ix7855

Next we must add an associated PSTN usage. Click Select to open the PSTN usage record selection.

ix7856

Select your PSTN record and then click Ok.

ix7857

Now it is time to test our routing. Enter a suitable number that you think should match the pattern and click Go.

ix7854

Also, to make sure that all is well, enter a number that should not match the pattern.

ix7853

When finished save the Voice Route by clicking Ok.

Now make sure that you Commit all changes properly!!
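
The five Normalization Rules and the 00 Voice Route pattern described above can be checked offline before they are entered in the Control Panel. The following is an added example, not the author's configuration: the regular expressions are assumptions written from the prose descriptions of the rules (the real patterns are only visible in the screenshots), and the function name Convert-DialedNumber is hypothetical.

```powershell
# Added example: offline check of the normalization rules and route pattern.
# The patterns are assumptions derived from the rule descriptions in this post.
# Requires PowerShell 3.0 or later ([pscustomobject]); uses no Lync cmdlets.

# The first matching rule wins, so order matters: the "00" rule must sit above
# the single-0 rule, whose pattern also matches numbers that start with 00.
$rules = @(
    [pscustomobject]@{ Name = 'Keep 00 prefix';      Pattern = '^(00\d+)$';       Translation = '$1' }
    [pscustomobject]@{ Name = 'National (single 0)'; Pattern = '^0(\d+)$';        Translation = '0046$1' }
    [pscustomobject]@{ Name = 'Local Stockholm';     Pattern = '^([1-8]\d{4,})$'; Translation = '00468$1' }
    [pscustomobject]@{ Name = 'Plus to 00';          Pattern = '^\+(\d+)$';       Translation = '00$1' }
    [pscustomobject]@{ Name = 'Internal 33x';        Pattern = '^(33\d)$';        Translation = '$1' }
)

# Voice Route pattern from the Route Configuration section.
$routePattern = '^00'

function Convert-DialedNumber {
    param(
        [Parameter(Mandatory = $true)][string]$Number,
        [Parameter(Mandatory = $true)][object[]]$Rules
    )
    # Walk the rules top to bottom and apply the first one that matches.
    foreach ($rule in $Rules) {
        if ([regex]::IsMatch($Number, $rule.Pattern)) {
            return [pscustomobject]@{
                Rule       = $rule.Name
                Normalized = [regex]::Replace($Number, $rule.Pattern, $rule.Translation)
            }
        }
    }
    # No rule matched: the number is left without a normalized form.
    return [pscustomobject]@{ Rule = '(no rule matched)'; Normalized = $null }
}

# Constructed sample input: one number per rule plus one that is too short
# for the local rule and is not an internal extension.
$samples = '0046855566677', '0855566677', '55566677', '+46855566677', '335', '1234'

$results = foreach ($number in $samples) {
    $r = Convert-DialedNumber -Number $number -Rules $rules
    [pscustomobject]@{
        Dialed     = $number
        Rule       = $r.Rule
        Normalized = $r.Normalized
        # True when the normalized number would be sent to the PSTN gateway.
        ToGateway  = [bool]($r.Normalized -and ($r.Normalized -match $routePattern))
    }
}
$results | Format-Table -AutoSize

# Rule order check: with the first two rules swapped, a number that already
# starts with 00 is picked up by the single-0 rule and gets a second prefix.
$swapped = @($rules[1], $rules[0]) + $rules[2..4]
$misordered = Convert-DialedNumber -Number '0046855566677' -Rules $swapped
"Swapped order: 0046855566677 -> $($misordered.Normalized) via '$($misordered.Rule)'"
```

The internal extension 335 is the one sample that normalizes but does not match the route pattern, so it stays on the Lync side instead of being sent to the gateway.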

After this you should be all set and ready for testing. This concludes part 2 of this series, I hope you have enjoyed reading it and that you find it useful. If you have any thoughts or questions regarding the configuration please do not hesitate to post a comment.

Part 1 in this series can be found here!

Part 2 in this series can be found here!

Enable users to manage distribution groups without new- or remove- Cmdlets using Management roles

In this post I will show you how to create a management role and assign it to a group. We will remove the New- and Remove- cmdlets from the Management Role and make sure that it works. This will enable the users to manage distribution groups without the permission to create or remove any distribution groups.

You might want to give the users permission to manage the groups they are managers of without the possibility to create new groups or remove current groups. This will give you a more controlled distribution group management without new groups popping up. One customer of mine uses a distribution group administrator for each department who is instructed in and responsible for creation and removal of groups concerning that user's department.

The Management role

The first thing we need to do is to create a new Management Role. We do this since we do not want to edit a built-in management role. What we can do is base our new Management Role on one of the built-in Roles. By doing that we populate our new Role with the same Management Role Entries as the parent.

To create a new Management Role, use the following cmdlet:
New-ManagementRole -Name "MyDistributionGroupsAdmins" -Parent MyDistributionGroups

distgroups01

Next we will remove the New- and Remove- cmdlets from our new Management Role. But first we will check the cmdlets:
Get-ManagementRoleEntry "MyDistributionGroupsAdmins\New-*"

When we are sure that these cmdlets are the ones we want to remove, run the following cmdlet:
Get-ManagementRoleEntry "MyDistributionGroupsAdmins\New-*" | Remove-ManagementRoleEntry

distgroups02

We will do the same for the Remove- cmdlets:
Get-ManagementRoleEntry "MyDistributionGroupsAdmins\Remove-DistributionGroup"

We only want to remove one of the cmdlets:
Get-ManagementRoleEntry "MyDistributionGroupsAdmins\Remove-DistributionGroup" | Remove-ManagementRoleEntry

distgroups03

Now we have a new Management Role without the New- and Remove- cmdlets. Next we want to assign the Role to our users in some way. I will explain three different ways of doing this.

Assignment using Management Role Group

When we use this method we will create a Role Group, add members and managers to the group and add our previously created Management Role to the Group. A Management Role Group also includes a Universal Security Group that is created during the process.

I am not going to go through exactly how Management Role Groups work, more information on this can be found here.

When creating the Role Group use the following command:
New-RoleGroup -Name "Distribution Group Managers" -Roles "MyDistributionGroupsAdmins" -Members Test10, Test11, Test12 -ManagedBy Test12

distgroups04

This creates a new Role Group, adds the users Test10 and Test11 as members and the user Test12 as both member and manager. Test12 will get both the rights that the Role Group includes and the permission to manage the group.

To be able to confirm that our configuration works we need to create a Distribution Group and set user Test12 as owner, I use the following command to achieve this:
New-DistributionGroup -Name "Test Group 1000" -OrganizationalUnit "sundis.local/Test/users" -SAMAccountName "TestGroup1000" -Type "Distribution" -ManagedBy Test12

distgroups05

Now we can log on to the ECP as our manager, Test12 in my case, and see if our configuration works. Open ECP, log in and navigate to Groups. Select the group you want to manage in the right column Public Groups I Own and click Details or double click it.

distgroups07

Add a user by expanding Membership and click Add.

distgroups08

Select the mailboxes you want to add to the group, click Add and Ok.

distgroups09

Check that your changes look ok and then click Save.

distgroups10

You should now be back at ECP and our test is finished and successful.

Assignment using a new Management Role Assignment Policy

The second option I am going to explain is the use of a Management Role Assignment Policy. Using a policy enables you to group a number of Management Roles together into a policy and configure mailboxes to use this policy. Again, I will not do any deep dive in Management Role Assignment Policies, more information on this can be found here.

We will use the same Management Role as we created above and start with creating a new Policy. Note that we also include a role called MyBaseOptions. If we leave this role out it will prevent users who are assigned this policy from using ECP and OWA options. Use the cmdlet below to create the policy:
New-RoleAssignmentPolicy "Distribution Group Admins" -Roles MyBaseOptions, MyDistributionGroupsAdmins

distgroups11

If you want to make this Policy the default, add -IsDefault as in the following example:
New-RoleAssignmentPolicy "Distribution Group Admins" -Roles MyBaseOptions, MyDistributionGroupsAdmins -IsDefault

When the Policy is created you can add it to a mailbox with the following cmdlet:
Set-Mailbox Test10 -RoleAssignmentPolicy "Distribution Group Admins"

And a simple Get-Mailbox to check the results:
Get-Mailbox Test10 | fl Role*

distgroups12

Again, let's check this using the ECP for mailbox Test10. For this test I create a new Distribution Group called Test Group 1001 and add Test10 as manager using the following cmdlet:
New-DistributionGroup -Name "Test Group 1001" -OrganizationalUnit "sundis.local/Test/users" -SAMAccountName "TestGroup1001" -Type "Distribution" -ManagedBy Test10

distgroups14

In ECP, navigate to Groups. Select the group you want to manage in the right column Public Groups I Own and click Details or double click it.

distgroups15

Add a user by expanding Membership and click Add.

distgroups16

Select the mailboxes you want to add to the group, click Add and Ok.

distgroups17

Review the changes you have made and click Save when finished.

distgroups18

This will take you back to ECP and we are finished with this part.

Assignment by customizing the Default Management Role Assignment Policy

Last but not least we will add our Role to the Default Management Role Assignment Policy. To achieve this we create a new Management Role Assignment by running this cmdlet:
New-ManagementRoleAssignment -Name "Default Role Assignment Policy – MyDistributionGroupsAdmins" -Role MyDistributionGroupsAdmins -Policy "Default Role Assignment Policy"

distgroups13

Now all the mailboxes with the Default Role Assignment Policy configured will have the ability to manage the Distribution Groups they are managers of. Since I like screenshots I will make sure this is ok. First create a new Distribution Group:
New-DistributionGroup -Name "Test Group 1002" -OrganizationalUnit "sundis.local/Test/users" -SAMAccountName "TestGroup1002" -Type "Distribution" -ManagedBy Test11

distgroups19

Let’s also make sure that the mailbox Test11 has the Default Role Assignment Policy set:
Get-Mailbox Test11 | fl Role*

distgroups20

Now we can log in to ECP and make sure that we can manage Test Group 1002. Select the group you want to manage in the right column Public Groups I Own and click Details or double click it.

distgroups21

Add a user by expanding Membership and click Add.

distgroups22

Select the mailboxes you want to add to the group, click Add and Ok.

distgroups23

Review the changes you have made and click Save when finished.

distgroups24

All done, the Default Policy is altered and tested.
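
Besides clicking through ECP, the restricted role can be verified from the Exchange Management Shell. The following is an added example, not part of the original post: it uses the role names from this post and only reads configuration. It also lists where the unrestricted parent role is still assigned, since RBAC permissions are additive and anyone covered by such an assignment keeps the New- and Remove- cmdlets regardless of the custom role.

```powershell
# Added example: read-only audit of the custom role created in this post.
# Run in the Exchange Management Shell. Role names are the ones used above.
$parentRole = 'MyDistributionGroups'         # built-in parent role
$customRole = 'MyDistributionGroupsAdmins'   # custom role created above

# 1. Which entries does the custom role lack compared with its parent?
$parentEntries = @(Get-ManagementRoleEntry "$parentRole\*" | ForEach-Object { $_.Name })
$customEntries = @(Get-ManagementRoleEntry "$customRole\*" | ForEach-Object { $_.Name })
$removed = @($parentEntries | Where-Object { $customEntries -notcontains $_ })
"Entries removed from ${customRole}: " + ($removed -join ', ')

# 2. Warn if a cmdlet that creates or deletes groups is still in the role.
$unwanted = @($customEntries |
    Where-Object { $_ -like 'New-*' -or $_ -eq 'Remove-DistributionGroup' })
if ($unwanted.Count -gt 0) {
    Write-Warning ("Still present in ${customRole}: " + ($unwanted -join ', '))
} else {
    "No New-* or Remove-DistributionGroup entries left in ${customRole}."
}

# 3. Where is the custom role assigned (role group, policy or user)?
"Assignments of ${customRole}:"
Get-ManagementRoleAssignment -Role $customRole |
    Select-Object Name, RoleAssigneeType, RoleAssigneeName |
    Format-Table -AutoSize | Out-String

# 4. Is the unrestricted parent role assigned anywhere? Every assignee listed
#    here can still create and remove distribution groups.
$parentAssignments = @(Get-ManagementRoleAssignment -Role $parentRole)
if ($parentAssignments.Count -gt 0) {
    Write-Warning "$parentRole is still assigned to:"
    $parentAssignments |
        Select-Object Name, RoleAssigneeType, RoleAssigneeName |
        Format-Table -AutoSize | Out-String
} else {
    "$parentRole has no assignments."
}

# 5. Who ends up with the custom role once group membership is resolved?
Get-ManagementRoleAssignment -Role $customRole -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName |
    Sort-Object EffectiveUserName |
    Format-Table -AutoSize | Out-String
```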

I hope you like the post and find it useful. Thanks for reading and let me know if you have any questions!

Quick Tip: View the database size and mailbox count for mailbox databases

In this quick tip post I will show you how to retrieve mailbox database size and mailbox count for one or all mailbox databases. Let's start with mailbox database size.

Mailbox database size

This command is quite simple and utilizes the -Status parameter in the Get-MailboxDatabase cmdlet:

Get-MailboxDatabase -Identity <MailboxDatabaseName> -Status | Select ServerName,Name,DatabaseSize

To retrieve the size of all mailbox databases:

Get-MailboxDatabase -Status | Select ServerName,Name,DatabaseSize

And if you want to sort this on DatabaseSize:

Get-MailboxDatabase -Status | Select ServerName,Name,DatabaseSize | Sort-Object DatabaseSize -Descending

And with sorting on the mailbox database name:

Get-MailboxDatabase -Status | Select ServerName,Name,DatabaseSize | Sort-Object Name -Descending

Mailbox count for mailbox databases

Now we will focus on counting the mailboxes in each mailbox database. This command is also quite easy to use.

Get-Mailbox -ResultSize:Unlimited | Group-Object -Property:Database | Select-Object Name,Count | Sort-Object -Property:Count -Descending

Let’s break this up a bit… The first part is an ordinary Get-Mailbox cmdlet with -ResultSize:Unlimited to include all mailboxes:

Get-Mailbox -ResultSize:Unlimited

Then we group the objects from the result of the Get-Mailbox cmdlet on Database to be able to count based on each mailbox database:

Group-Object -Property:Database

Moving on with a selection of the properties we want to display including a count:

Select-Object Name,Count

And finally we sort the results based on the count property to get it in a nice list with the mailbox database with most mailboxes on top:

Sort-Object -Property:Count -Descending

Quick tip: Exclude a mailbox database from automatic mailbox provisioning

Here is a quick tip on how to manage automatic provisioning for mailbox databases.

This could be useful when you have a standard quota set on most databases and then use a mailbox database with a different quota. Then you would like to exclude the mailbox database with the different quota and move the mailboxes to that mailbox database manually, in other words when you are using a VIP mailbox database. Here is the command:

Set-MailboxDatabase <MailboxDatabaseName> -IsExcludedFromProvisioning $true

Example:

Set-MailboxDatabase MailboxDatabase7 -IsExcludedFromProvisioning $true

To retrieve a list of all mailbox databases excluded from provisioning run the following command:

Get-MailboxDatabase | Where { $_.IsExcludedFromProvisioning -eq $true}

If you want to include a database again you run the following command:

Set-MailboxDatabase <MailboxDatabaseName> -IsExcludedFromProvisioning $false

Example:

Set-MailboxDatabase MailboxDatabase7 -IsExcludedFromProvisioning $false

One-liner to export mailbox size, quotas and more to a CSV file

I got a question from a friend if I could help and sort out a command that exported mailbox size and quotas to a CSV file for him. This should work for both Exchange Server 2007 and 2010, here is how we did it:

First run a get mailbox command:

Get-Mailbox -ResultSize Unlimited

Then we add a pipe and a number of attributes we want to get:

Get-Mailbox -ResultSize Unlimited | Select-Object DisplayName, IssueWarningQuota, ProhibitSendQuota

We continue by adding two calculated properties that run Get-MailboxStatistics to retrieve attributes from the mailbox that the Get-Mailbox cmdlet does not give us:

@{label="TotalItemSize(MB)";expression={(Get-MailboxStatistics $_).TotalItemSize.Value.ToMB()}} and @{label="ItemCount";expression={(Get-MailboxStatistics $_).ItemCount}}

Then we add another attribute that Get-Mailbox gives us:

Database

And to finish it off we export the results to a CSV file after another pipe:

| Export-Csv "UserMailboxSizes.csv" -NoTypeInformation

And the complete command again with all parts combined together:

Get-Mailbox -ResultSize Unlimited | Select-Object DisplayName, IssueWarningQuota, ProhibitSendQuota, @{label="TotalItemSize(MB)";expression={(Get-MailboxStatistics $_).TotalItemSize.Value.ToMB()}}, @{label="ItemCount";expression={(Get-MailboxStatistics $_).ItemCount}}, Database | Export-Csv "C:\Scripts\UserMailboxSizes.csv" -NoTypeInformation

This command can of course be modified and you can add other attributes or functions. In the following example I use Where to get only the mailboxes that do not use the database default quota.

Where {$_.UseDatabaseQuotaDefaults -eq $false}

And the complete command:

Get-Mailbox -ResultSize Unlimited | Where {$_.UseDatabaseQuotaDefaults -eq $false} | Select-Object DisplayName, IssueWarningQuota, ProhibitSendQuota, @{label="TotalItemSize(MB)";expression={(Get-MailboxStatistics $_).TotalItemSize.Value.ToMB()}}, @{label="ItemCount";expression={(Get-MailboxStatistics $_).ItemCount}}, Database | Export-Csv "C:\Scripts\UserMailboxSizes.csv" -NoTypeInformation

There you go, enjoy and do not hesitate to let me know if you have any questions!

A fix for the “Close all dialogs” issue with EMC in combination with IE9 has been released!

I usually do not write about news or hotfix releases on my blog, mostly because I find it a bit unnecessary since you all probably follow the Microsoft Exchange Team Blog. But for this one I will make an exception.

Microsoft just released a fix for the problem with interoperability between Exchange Management Console and Internet Explorer 9 that many have seen since the release of IE9. When IE9 is installed and you try to close the EMC you will receive the following error message:

You must close all dialog boxes before you can close Exchange Management Console.

emcerror1

Neither the hotfix nor the KB article is available to the public yet, but it can be requested from Microsoft support. The hotfix that you need to request is for the KB 2624899, more information on how to contact Microsoft Support follows…

 

How do I call support? Will I need to pay for this?

In order to reach Microsoft support, you can find the correct support contact for your location here. Microsoft does not charge for hotfixes or support cases related to product bugs. Both IE and Exchange support teams should be able to get this patch for you. 

 

More information regarding this can be found here!

Script to configure Exchange Server 2010 for SSLOffloading

When using a hardware load balancer you sometimes come across the need to configure Exchange Server to support SSLOffloading. In my case I use a Citrix Netscaler to publish Exchange Server in a scenario where I have enabled SSLOffloading in the Citrix Netscaler. So, in order for this to work, configuration changes need to be made in Exchange Server 2010.

The script below configures both Exchange 2010 RTM and SP1; it also enables basic authentication in IIS for ECP, EWS and OWA. Because the script turns off RequireSSL on the virtual directories, requests and basic authentication credentials travel unencrypted between the load balancer and the Client Access server, so that network segment needs to be trusted and isolated.

#
# This script will configure the Exchange 2010 RTM and SP1 Client Access Servers for SSLOffload
# It applies when using Hardware loadBalancer with SSLOffloading enabled
#
# Created by Martin Sundström 2011-09-26
#
#---------------------------------------------------------------------------------------------------------------------------------------------------------
Write-Host -f DarkGray "This script will configure the Exchange 2010 RTM and SP1 Client Access Servers for SSLOffload"

# Set SSLOffload registry key for OWA 
Write-Host -f DarkGray "Setting SSLOffload registry key for OWA..."

New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA' -Name SSLOffloaded -Value 1 -PropertyType DWORD 

Write-Host -f DarkGray "Done!"
Write-Host -f DarkGray ""


# Assign Static Ports
Write-Host -f DarkGray "Assigning static ports..."

# Assign Static Port for MSExchangeAB 
New-Item -Path HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeAB -Name Parameters -Type Directory
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeAB\Parameters -Name RpcTcpPort -Value 60000 -PropertyType String 

# Assign Static Port for MSExchangeRPC 
New-Item -Path HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeRPC -Name ParametersSystem -Type Directory
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\services\MSExchangeRPC\ParametersSystem -Name "TCP/IP Port" -PropertyType DWORD -Value 59532

Write-Host -f DarkGray "Done!"
Write-Host -f DarkGray ""


# Disable RequireSSL on websites
Write-Host -f DarkGray "Disabling RequireSSL on websites..."

."$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site" -commitPath:APPHOST -section:access -sslFlags:None -section:basicAuthentication -enabled:true
."$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site/Autodiscover" -commitPath:APPHOST -section:access -sslFlags:None 
."$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site/ecp" -commitPath:APPHOST -section:access -sslFlags:None -section:basicAuthentication -enabled:true
."$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site/EWS" -commitPath:APPHOST -section:access -sslFlags:None -section:basicAuthentication -enabled:true
."$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site/Microsoft-Server-ActiveSync" -commitPath:APPHOST -section:access -sslFlags:None 
."$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site/owa" -commitPath:APPHOST -section:access -sslFlags:None -section:basicAuthentication -enabled:true
."$($env:windir)\system32\inetsrv\appcmd" set config "Default Web Site/rpc" -commitPath:APPHOST -section:access -sslFlags:None 

Write-Host -f DarkGray "Done!"
Write-Host -f DarkGray ""


# Configure Outlook Anywhere
Write-Host -f DarkGray "Configure Outlook Anywhere"

$enabled = Get-OutlookAnywhere -Identity "$($env:COMPUTERNAME)\RPC*" 
	
If ($enabled) 
{
	Set-OutlookAnywhere -Identity "$($env:COMPUTERNAME)\RPC*" -SSLOffloading $true
} 
Else 
{
	Write-Host -f DarkGray "Configure Outlook Anywhere and remember to check the box to enable SSL Offloading"
} 

Write-Host -f DarkGray "Done!"
Write-Host -f DarkGray ""
	

# This part of the script only applies to Exchange Server 2010 RTM, a version check will be made.
# $VersionCheck is $true on SP1 (version 14.1) and $false on RTM.
$VersionCheck = ((get-exchangeserver -identity ($env:COMPUTERNAME)).AdminDisplayVersion | Out-String ).StartsWith("Version 14.1")

If ($VersionCheck -eq $False)
{
	# Configure web.config files
	Write-Host -f DarkGray "Configuring web.config files for RTM..."

	$path = (Get-AutodiscoverVirtualDirectory -Server ($env:COMPUTERNAME)).Path
	(Get-Content $path\web.config) | Foreach-Object {$_ -replace "httpsTransport", "httpTransport"}  | Set-Content $path\web.config
	
	$path = (Get-WebServicesVirtualDirectory -Server ($env:COMPUTERNAME)).Path 
	(Get-Content $path\web.config) | Foreach-Object {$_ -replace "httpsTransport", "httpTransport"} | Set-Content $path\web.config  

	Write-Host -f DarkGray "Done!"
	Write-Host -f DarkGray ""
}


# Run IISReset
Write-Host -f DarkGray "Running `"iisreset`" to complete the process..."

iisreset

Write-Host -f DarkGray ""

Feel free to use and edit as you need and don’t hesitate to drop a comment if you find any errors or have any questions!

Configure Lync 2010 voice using a SIP gateway and an uncertified SIP trunk, step-by-step – Part 1

I got an idea the other day, I want to set up a Lync Server 2010 server and implement voice capabilities using an ordinary uncertified SIP trunk. This will hopefully give some of you out there an idea of what needs to be done for this to work without the need of an expensive certified trunk.

For the test I will use an ordinary consumer grade SIP trunk from the Swedish provider Cellip. Since the point is not to use a Lync certified enterprise SIP trunk I need something to handle the incoming trunk and then transfer it to Lync Server 2010.

I got a tip from Cellip that an Intertex IX78 is what I need. This product was actually something that I had never heard of, but I contacted Intertex and they were kind enough to provide me with a unit that I could use for my test.

Action plan

I already have a Lync Server 2010 deployed in my environment without phone configuration so I will exclude the Lync Server 2010 installation from this guide, more information on this in a step-by-step format can be found here.

  1. SIP enable users
  2. Configure the Intertex IX78 to handle the incoming SIP trunk and forward it to Lync Server 2010
  3. Configure Lync Server 2010 to receive incoming and outgoing calls

The Intertex IX78

First, I will start by giving you some information about the Intertex IX78 which I have found is a very useful piece of equipment. I have never had the privilege to work with it before but while performing this test I have got the opportunity to test it. The IX78 can actually do a lot of things and much more than what I have used it for, for example, it has a built-in advanced ADSL modem, supports wireless 802.11b/g, and provides back-up PSTN connectivity for emergency call handling. It is also the only firewall in its market segment that I have heard of that fully addresses real-time, SIP-based Multimedia applications on the LAN.

But I will focus a bit more on the SIP functions of the IX78. One of the best functions that I have tested is the LAN SIParator module. This module enables one to add the IX78 while keeping an existing firewall that is thereby made SIP capable. This is great in production environment since it requires minimal changes in the existing firewall configuration. Let me explain this a bit more by showing you the setup I am using for this lab.

To start with, I am using an ADSL internet connection provided by Telia Sonera AB, one of Sweden’s largest ISPs. To connect to this I use a standard Zyxel ADSL modem, and it is quite old to be honest. Then, I have the Intertex IX78 running as a LAN SIParator with one leg on the internal network for connection to the Lync 2010 server and one leg connected to a Microsoft Threat Management Gateway (TMG) 2010 that I use as the primary firewall.

IX78

When using the LAN SIParator module I do not have to make any changes to my TMG which is very good. You might think that running this setup could cause disruption to the traffic passing through the IX78, but so far I have had no trouble at all and have seen no loss in bandwidth or quality. It is absolutely doing its job and doing it great.

I am not going to make this a review of the IX78 but I would absolutely recommend it to anyone who thinks about implementing a solution similar to this. More information regarding the Intertex IX78 can be found on the Intertex homepage here.

 

Cellip

To be able to perform this test I needed someone to provide me with a trunk. Because they were recommended to me by at least two friends the choice fell on Cellip. Cellip is one of Sweden’s largest providers of communications solutions based on both mobile and PSTN to both companies and private persons.

I contacted Cellip as well and they set me up with an account with plenty of credit, a big thank you to Cellip for making the effort of helping me with this project. I am not going to walk you through the process of setting up a Cellip account since that is very easily done. If you need any assistance the excellent support will guide you through it. I have contacted them a couple of times during this project and they have been most helpful. You can find more information regarding Cellip on their homepage here.

 

SIP Enable a User

First I will start with SIP enabling a user that we will use for this test. I have created the user Test User1 for this test with the following configuration:

First name: Test
Last name: User1
User name: test.user1
SIP address: test.user1@sundis.local
Telephone number: 335

To SIP enable a user you need to open the Lync Server 2010 Control Panel and then navigate to the Voice tab.

ix7801

Click on Enable User to open the New Lync Server User window.

ix7802

Click on Add to find the user you want to enable.

ix7803

Enter the name of the user and click Find, or simply click Find to list all available users. Select the user you want to add and then click OK.

ix7804

You will see that the user we selected now is listed in the Users box. Choose to assign your user to a pool, in my case I have only got one. You also need to make sure that the correct SIP URI is selected, I use an internal address for my SIP URI and specify it accordingly. Under Telephony, choose Enterprise Voice in the dropdown menu and enter the internal extension number that you want to use, make sure that you prefix the number with TEL:. We will keep the rest of the settings as default, click Enable to finish.

ix7823

The user we just enabled now shows up in the list.

ix7824

That is all we have to do to enable our user for voice, now we will take a look at the Intertex IX78.

Configuring the Intertex IX78

We want to configure the IX78 to run in WAN SIParator 1 mode to match the previously described scenario, and we also need to configure SIP Trunk settings and network settings. To help us configure the IX78, Intertex has implemented a very good wizard in the IX78.

Note: Before proceeding, please contact Intertex and make sure that you have a firmware that fully supports the use of WAN SIParator 1 mode.

After you log on you are met by the home page of the IX78, it gives us the top menu which includes quick links to all topics and you also have a number of different links on the home page.

To get started with the Configuration wizard, navigate back to the home page and click on the Configuration Wizard link.

ix7805

The first page of the Configuration Wizard tells us we need to log in. The user name and password you need are provided by Intertex and are a way of controlling the licenses that you need to be able to use the different functions that the IX78 includes. If you don’t have a username and password please contact Intertex and they will get you settled.

To continue, click on Log In  next to The PBX Wizard.

ix7806

Enter the username and password provided to you by Intertex and click on Log In to continue.

ix7807

In this step you need to choose the PBX you are using, in our case it is Lync 2010. Choose Microsoft OCS 2007/Lync 2010 and click Next to continue.

ix7808

Under Select your Internet access, select the following settings to configure the Cellip trunk. Change these settings to match the information needed for your provider.

Trunk Service: Service 1 – No accounts need to be registered
SIP Server: 62.80.200.53

Under Select your firewall configuration, select Use the E-SBC as WAN SIParator® 1, connecting the existing firewall to the ET4 port of the E-SBC and sharing a single WAN IP-address and click Next to continue.

ix7809

Now you have the option to configure your network settings. If you did not do it before starting the guide, change the settings to match your environment. If you, like me, have already configured networking for your device, check Keep current settings. and then click next to continue.

ix7810

More network settings, change the IP-address if you need to, click next to continue when ready.

ix7811

In the next step it is time to enter the IP-address for your PBX, in other words, your Microsoft Lync 2010 Server. In my case it is 192.168.10.35, enter the IP-address for your server and then click next to continue.

ix7812

In my case I only have one number from Cellip so I do not have to worry about Called-ID. Check the option matching your requirements and then click next to continue.

ix7813

Since we use internal extensions in Lync we will configure the IX78 to forward calls using internal extensions. Choose The PBX uses internal extension numbers on its SIP trunk. then enter the external number assigned to you by your trunk provider and the internal extension matching that number. When finished, click next to continue.

ix7814

We will not configure any optional phones, click next to continue.

ix7815

You can skip the next page too, click next to continue.

ix7816

The last page before completing this wizard is a summary showing you the settings you have made. Take a moment to go through the settings and click Download when finished. This configures the device. If you press Exit you will quit the Wizard, discarding all changes.

ix7817

When the Wizard closes, navigate to the start page of your IX78 and open the SIP Trunk page.

ix7818

Now we need to go through the SIP Trunk settings. Go through all of these blocks and make sure that your settings match the ones I have in this example, except for phone numbers and IP-addresses.

ix7819

ix7820

ix7821

Now your IX78 should be all set and this concludes part one in this series. In post two we look at the Lync configuration.

Part 1 in this series can be found here!

Part 2 in this series can be found here!

Exchange Server Version Numbers

A list of all versions of Exchange server released so far including version numbers.

Friendly name                            Version number

Microsoft Exchange Server 4.0            4.0.837
Microsoft Exchange Server 4.0 (a)        4.0.993
Microsoft Exchange Server 4.0 SP1        4.0.838
Microsoft Exchange Server 4.0 SP2        4.0.993
Microsoft Exchange Server 4.0 SP3        4.0.994
Microsoft Exchange Server 4.0 SP4        4.0.995
Microsoft Exchange Server 4.0 SP5        4.0.996

Microsoft Exchange Server 5.0            5.0.1457
Microsoft Exchange Server 5.0 SP1        5.0.1458
Microsoft Exchange Server 5.0 SP2        5.0.1460

Microsoft Exchange Server 5.5            5.5.1960
Microsoft Exchange Server 5.5 SP1        5.5.2232
Microsoft Exchange Server 5.5 SP2        5.5.2448
Microsoft Exchange Server 5.5 SP3        5.5.2650
Microsoft Exchange Server 5.5 SP4        5.5.2653

Microsoft Exchange 2000 Server           6.0.4417
Microsoft Exchange 2000 Server (a)       6.0.4417
Microsoft Exchange 2000 Server SP1       6.0.4712
Microsoft Exchange 2000 Server SP2       6.0.5762
Microsoft Exchange 2000 Server SP3       6.0.6249
Microsoft Exchange 2000 Server post-SP3  6.0.6487
Microsoft Exchange 2000 Server post-SP3  6.0.6556
Microsoft Exchange 2000 Server post-SP3  6.0.6603
Microsoft Exchange 2000 Server post-SP3  6.0.6620.5
Microsoft Exchange 2000 Server post-SP3  6.0.6620.7

Microsoft Exchange Server 2003           6.5.6944
Microsoft Exchange Server 2003 SP1       6.5.7226
Microsoft Exchange Server 2003 SP2       6.5.7638
Microsoft Exchange Server 2003 post-SP2  6.5.7653.33
Microsoft Exchange Server 2003 post-SP2  6.5.7654.4

Microsoft Exchange Server 2007           8.0.685.24 or 8.0.685.25
Microsoft Exchange Server 2007 SP1       8.1.0240.006
Microsoft Exchange Server 2007 SP2       8.2.0176.002
Microsoft Exchange Server 2007 SP3       8.3.0083.006

Microsoft Exchange Server 2010           14.00.0639.021
Microsoft Exchange Server 2010 SP1       14.01.0218.015

Manage full access permissions on mailboxes in Exchange 2010

This is the updated version with a few additions and corrections based on both comments and new features added by Microsoft since my first post.

Grant permissions on a single mailbox

Use the following command to grant access to just one mailbox:

Add-MailboxPermission -Identity "<MailboxIdentity>" -User <UserorGroupIdentity> -AccessRights Fullaccess -InheritanceType all

Note: the User parameter can in fact be either users or groups, the parameter name “User” is a bit misleading!

Example:

Add-MailboxPermission -Identity "Test" -User Administrator -AccessRights Fullaccess -InheritanceType all

FullAccess1

Or if I want to add the security group Group2:

Add-MailboxPermission -Identity "Test" -User Group2 -AccessRights Fullaccess -InheritanceType all

fullaccess01

Grant permissions on all mailboxes

Use the following command to grant access to all mailboxes:

Get-Mailbox | Add-MailboxPermission -User <UserorGroupIdentity> -AccessRights Fullaccess -InheritanceType all

Example:

Get-Mailbox | Add-MailboxPermission -User Administrator -AccessRights Fullaccess -InheritanceType all

Note: In the screenshot below I received a message saying that Administrator already has access to the mailbox Test (yellow text message).

FullAccess2

Grant permissions on mailboxes using Where

We might as well add a where to the command while we are at it. With this command we grant access to all mailboxes in a specific OU:

Get-Mailbox | Where { $_.OrganizationalUnit -eq "<OrganizationalUnit>" } | Add-MailboxPermission -User <UserorGroupIdentity> -AccessRights Fullaccess -InheritanceType all

Example:

Get-Mailbox | Where { $_.OrganizationalUnit -eq "sundis.local/Test/Users" } | Add-MailboxPermission -User Administrator -AccessRights Fullaccess -InheritanceType all

FullAccess3


Remove permissions on a single mailbox

Quite simple, just change Add to Remove:

Remove-MailboxPermission -Identity "<MailboxIdentity>" -User <UserorGroupIdentity> -AccessRights Fullaccess -InheritanceType all

Example:

Remove-MailboxPermission -Identity "Test" -User Administrator -AccessRights Fullaccess -InheritanceType all

FullAccess4

Remove permissions on all mailboxes

Well you have probably figured this one out already, but I will show it to you anyway:

Get-Mailbox | Remove-MailboxPermission -User <UserorGroupIdentity> -AccessRights Fullaccess -InheritanceType all

Example:

Get-Mailbox | Remove-MailboxPermission -User Administrator -AccessRights Fullaccess -InheritanceType all

Note: As you can see below, using this command will remove the user's full access to its own mailbox. That is not good, this command should be used with care…

FullAccess5
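A narrower way to do the bulk removal, as an added example that is not from the original post: it collects only the FullAccess entries set directly on mailboxes for one trustee, skips that trustee's own mailbox, and previews each removal with -WhatIf. The $Trustee variable and the other variable names are assumptions; "Administrator" is the account used in the examples above.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# $Trustee is a hypothetical variable; "Administrator" is the account used in the examples above.
$Trustee = "Administrator"

# The trustee's own mailbox (if it has one) is excluded from the removal.
$own   = Get-Mailbox -Identity $Trustee -ErrorAction SilentlyContinue
$ownId = if ($own) { "$($own.Identity)" } else { $null }

# Entries granted directly on a mailbox: not inherited, not a Deny, and including FullAccess.
$explicit = Get-Mailbox -ResultSize Unlimited |
    Get-MailboxPermission -User $Trustee |
    Where-Object {
        -not $_.IsInherited -and
        -not $_.Deny -and
        ($_.AccessRights -like "*FullAccess*") -and
        "$($_.Identity)" -ne $ownId
    }

# Review what would be touched before changing anything.
$explicit | Format-Table Identity, User, AccessRights -AutoSize

# Preview each removal. Drop -WhatIf once the list above is what you expect.
$explicit | ForEach-Object {
    Remove-MailboxPermission -Identity "$($_.Identity)" -User $Trustee `
        -AccessRights FullAccess -InheritanceType All -WhatIf
}
```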

How to configure the rights assignment to apply on new mailboxes automatically

This can be done using one of three methods: two that add the permissions using EMS and one that uses ADSIEdit.

Using EMS method 1 (recommended)

With this method we grant permissions on the databases container in the configuration Naming context using the following PowerShell command:

Add-AdPermission -Identity "CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<DomainName>,DC=<TopDomain>" -User <UserorGroupIdentity> -InheritedObjectType msExchPrivateMDB -AccessRights ExtendedRight -ExtendedRights Receive-As,Send-As -inheritanceType Descendents

If we break this up a bit we can see that the Identity is in fact the Distinguished Name of the Databases container:

"CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<DomainName>,DC=<TopDomain>"

The InheritedObjectType parameter specifies what kind of object inherits this access control entry, in this case it is only Exchange Mailbox Databases:

-InheritedObjectType msExchPrivateMDB

Then we grant the Receive-As and Send-As extended rights. With Receive As and Send As permission on a mailbox database, the user can log on to all mailboxes within that database and send mail from those mailboxes:

-AccessRights ExtendedRight -ExtendedRights Receive-As,Send-As

And finally we set the inheritance type to Descendents:

-inheritanceType Descendents

Example:

Add-AdPermission -Identity "CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=sundis,DC=local" -User test8 -InheritedObjectType msExchPrivateMDB -AccessRights ExtendedRight -ExtendedRights Receive-As,Send-As -inheritanceType Descendents

fullaccess10

Reference: http://theessentialexchange.com/blogs/michael/archive/2009/09/29/exchange-server-2010-administrative-access-to-all-mailboxes.aspx

Using EMS method 2

With method two we use a pipe to set the permission on each mailbox database with the following command:

Get-Mailboxdatabase | Add-ADPermission -User <UserorGroupIdentity> -AccessRights ExtendedRight -ExtendedRights Receive-As,Send-As

Example:

Get-Mailboxdatabase | Add-ADPermission -User test3 -AccessRights ExtendedRight -ExtendedRights Receive-As,Send-As

fullaccess03

With Receive As and Send As permission on a mailbox database, the user can log on to all mailboxes within that database and send mail from those mailboxes.
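To review what methods 1 and 2 leave behind, the following added example (not from the original post) lists every trustee with a Receive-As or Send-As entry on each mailbox database, including entries inherited from the Databases container. It uses only Get-MailboxDatabase and Get-ADPermission; the variable names and report columns are assumptions.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Extended rights that give access to every mailbox in a database.
$rights = "Receive-As", "Send-As"

$report = Get-MailboxDatabase | ForEach-Object {
    $db = $_
    # Read the access control entries on the database object in Active Directory.
    Get-ADPermission -Identity $db.DistinguishedName |
        Where-Object { $_.ExtendedRights } |
        ForEach-Object {
            $ace = $_
            foreach ($r in $ace.ExtendedRights) {
                if ($rights -contains "$r") {
                    # One row per database, trustee and right.
                    New-Object PSObject -Property @{
                        Database  = $db.Name
                        Trustee   = "$($ace.User)"
                        Right     = "$r"
                        Deny      = $ace.Deny         # a Deny entry blocks the right
                        Inherited = $ace.IsInherited  # True when set on a parent container
                    }
                }
            }
        }
}

# Allow entries for accounts you do not recognise are the ones to follow up on.
$report | Sort-Object Database, Trustee, Right |
    Format-Table Database, Trustee, Right, Deny, Inherited -AutoSize
```

Grants made with method 1 show up with Inherited set to True on every database, while grants made with method 2 show up as non-inherited entries on the databases that existed when the command was run.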

Using ADSIEdit

There is also the ADSIEdit way of addressing the problem. I will give you a description of what you need to do, but I STRONGLY recommend you have a look at Michael's post instead. That said, here you go…

Open ADSIEdit, Right click ADSIEdit and choose Connect to.

fullaccess02

Select the Configuration Naming Context and click Ok.

fullaccess04

Navigate to Configuration/Services/Microsoft Exchange/<OrganisationName>/Administrative Groups/Exchange Administrative Group (FYDIBOHF23SPDLT).

fullaccess05

Right Click the Databases folder and choose Properties.

fullaccess06

Click on the Security tab and click Add.

fullaccess07

Enter the users or groups that you want to add and then click Ok.

fullaccess08

Make sure that the added users or groups are selected, check the Allow box for Full control for each user or group, then click Ok to close the window. Now we are finished with ADSIEdit.

fullaccess09

This adds permissions to all databases. If you want to edit the permissions for a specific database you can open the Databases folder and open Properties for the database you want to configure.

A final note: Full Access or Receive As permissions are granted next time the Microsoft Exchange Information Store service caches the permissions and updates the cache. To grant the permissions immediately, stop and then restart the Microsoft Exchange Information Store service.

Thanks for reading, I hope that you found it useful and please let me know if you have any questions!
