VVX 5.5.1 Log Setting Changes

This kept me and beta support spinning for a few days when I was trying to reproduce an issue in regards to logging, and suddenly I couldn’t set all of the logging levels I wanted through my provisioning server.

With 5.5.1 having tighter integration with Skype for Business, the devices now pull additional information from the server for items like QoE and also Log Level settings.   The following command impacts the 5.5.1 firmware according to the table below.  IF left at OFF, your provisioning server log settings will be overridden and not be applied.  Check the table, or the release notes guide for the settings you want, then add the additional ones either manually or through a Provisioning server process.

Set-CsUCPhoneConfiguration -LoggingLevel Off/Low/Medium/High

[Image: serverlogginglevel table]

Not all of the various log settings are set via the Skype PS command, so you may still need to manually set them via the web interface or use a provisioning server to set the other log items.

To see what things look like, or how it was eventually discovered, create a Phone Backup from the web interface and open up the .pbu file (I recommend Notepad++).  Waaaaaaay down, is a section labelled CALL_SERVER, these are items pulled from the Skype server.  Provisioning Server log level settings are shown in the CONFIG_FILE section.  Call server overrides Config File, search here if something you expect to be set isn’t working.

P.S. – Cautionary word of advice, prior to any updating of VVX firmware, set logging levels back to their defaults or remove the entries from the Provisioning server common.cfg file.  There is potentially an issue that I encountered which we’ve not been able to reproduce where we no longer can return the SIP logging level back to 4 (default) without breaking the BToE functionality.  Seems to apply to 310’s, possibly 410’s, but not 600’s.  Factory reset of the devices resolves, but not doing that for 150 devices, but leaving SIP logging level set to 2 fixed the BToE issue.  Yup, weird, reproduced with clients phones, reported to Polycom but haven’t been able to reproduce there.  Best guess is that something happened from going from 5.4.3 to 5.4.4, to 5.4.5 with elevated logging.  IF your BToE is suddenly weird and not connecting or working right, try changing SIP Log Level to 2.  IF that works, please also report it, I think the Polycom engineers think I’m crazy or something… :s

New Features of VVX 5.5.1

Polycom VVX 5.5.1 firmware was released today, along with BToE 3.4.0.0 (Polycom VVX Firmware Download Site).  I’ve been beta testing and beating up these VVX builds (lost count, probably 15+) since March, so I’ve been anticipating this day for a while.  Soooo many features being added that I’m just giddy.

The biggest item in my opinion is the QoE reports generated by the phones and fed to the Skype Monitoring servers.  Yah, we can now see how the phones are performing and the quality of the calls.  Of course there is the Skype branded UI interface.

Additionally there is an IP Pairing feature, however I’m not seeing it in the release notes and it may still be in beta.  It works for me but I am waiting to see if I need permission to share how to set that up.

Other new features, bells and whistles:  Polycom Release Notes

New Call Transfer User Interface Option – In this software version, users who transfer calls can more easily choose between Blind and Consultative transfers. On the Call Transfer screen for the user’s default transfer type, the user can press More to access a new soft key to change to the alternate transfer type. For example, if the user’s default transfer type is consultative, a Blind soft key is displayed.

Distribution List – Polycom phones registered with a Microsoft server enable you to perform multiple functions with a contact distribution list:
● Search for, add, and delete a distribution list
● View a distribution list, and expand a distribution list to view all members
● View the contact card of a distribution list and of an individual member
● Conference with a distribution list
● Call an individual member of a distribution list
Distribution lists are available on the following VVX business media phones: VVX 201, VVX 300/310, VVX 301/311, VVX 400/410, VVX 401/411, VVX 500/501, VVX 600/601, and Polycom VVX Expansion Modules.

Microsoft Quality of Experience (QoE) Monitoring Server Protocol – (MS-QoE) enables you to monitor the user’s audio quality and troubleshoot audio problems. QoE reports contain only audio metrics and do not contain video or content sharing metrics. This feature also enables you to query the QoE status of a phone from the Web Configuration Utility.

Device Lock – You can configure phones to be protected with a lock code that enables users to access personal settings from different phones. You can configure Device Lock on the Skype for Business server or using Polycom parameters on a centralized provisioning server. If you enable Device Lock using both methods, centralized provisioning parameters take precedence. You cannot enable or disable Device Lock using the Web Configuration Utility or from the phone menu.

Polycom BToE PC Pairing – Administrators can use this feature to allow users to automatically or manually pair their VVX business media phone with their computer using the Polycom Better Together over Ethernet Connector application. Users can select the pairing mode in the Web Configuration Utility or in the Features menu on the phone. By default, BToE PC Pairing is enabled for phones registered with Skype for Business. When administrators disable BToE pairing, users cannot pair their VVX phone with their computer using BToE. In order to use this new functionality, you must install both BToE Connector App 3.4.0 and UC Software 5.5.1. For best results, Polycom recommends that you deploy BToE Connector App 3.4.0 before you deploy UC Software 5.5.1.

User Log Upload – To help troubleshoot user issues, administrators can enable or disable for users the ability to upload diagnostic logs from the phone or Web Configuration Utility and set log levels from the phone menu. This feature is available on all VVX business media phones registered with Skype for Business Server on-premises or online and with Microsoft Lync 2013 or 2010 Server.

Phone User Interface – The user interface for VVX 500 and 600 series business media phones was updated to match the theme used in the Skype for Business client. This feature is enabled by default on VVX 500/501 and 600/601 phones with the Lync/Skype Base Profile or SKU.

Unified Contact Store – Administrators can migrate users’ contacts to Microsoft Exchange Server to enable synchronization when users manage contacts or contact information from an application or device, for example, the VVX business media phone, Skype for Business client, Outlook, or Outlook Web Application from a mobile device.

Web Sign-In for Online Deployments – Web Sign-in enables users to securely log in to Skype for Business from the phone using a computer web browser or mobile device. Users can sign in concurrently to a maximum of eight devices by default. When users are signed in to multiple devices and sign out from one device, users remain signed in to all other devices. This sign in option is available only for Skype for Business Online deployments.

Expanded Support for USB Headsets – Support for the following Plantronics USB Headsets with VVX 500, VVX 600, VVX 501, VVX 601, and VVX 401 phones has been added to this release:
● Blackwire C310
● Blackwire C325
● Blackwire C725
● Blackwire C325.1
● Plantronics -CS520
● EncorePro HW540
● DA80 Headset Adapter

443 in Skype for Business Land

A cautionary reminder when firewall rules are being set up for Skype for Business, that 443 or 443/TCP or 443/TCP/SIP does NOT mean HTTPS.  Honestly, I don’t think I’ve met a firewall yet that supports Microsoft’s 443/SIP for a so my rule request is very specifically 443/TCP, unless the required rule, like for the Reverse Proxy, actually states HTTPS, require 443/TCP the rule ye be.

MS Firewall Rule Requirements

The above link goes to Microsoft’s firewall port requirements, and for the Edge now they are specifying 443/SIP or 443/TCP for the Edge Access role (updated July 11, 2016).  This is interesting because I think there has been a change in behavior in the Edge services, specifically around 443.  Scenario below:

Client running CU-235 (yes, I use the last 3 digits of the CU, as some “CU’s” are security updates so I find this to be the most logical way of determining the CU being referenced), anyway, CU-235 was applied to both the Frontend and Edge servers properly.  Internally, few if any issues were noticed, externally, there were problems with taking a 2-way PC-to-PC call, and adding a 3rd person to the call.  Naturally the call is elevated into a Conference call and bridges through the Edge.  Setup of this conference takes 4-10+ seconds longer than usual, BUT only the person who brought in the 3rd party into the call, and the 3rd party person, are in the call.  The 2nd person who was in the call is Paused, and is eventually booted, but can click Rejoin and finally enter the Conference Call.  Very annoying.

CU-259 comes along, and there’s hope that this may be resolved… Noop.  In fact things go horribly horribly worse, as well as the same for CU-272.  Meetings fail, all 2-way to 3-way calls externally fail, much more functionality is broken with Webconf and AV.  Both times, the system was rolled back to a tolerable level.

Please bear in mind, I was requesting review of the firewall rules the whole time; power outage borked the firewall, couldn’t access, needed reboot, needed change window… etc.  First glance at the rules, thar she sat, HTTPS.  IF you are reviewing firewall rules with a client/FWadmin, and see HTTPS, you can pretty much assume this is an APPLICATION LAYER rule, and will restrict verbs and actions of the protocol being used.  Some firewalls, if you enter 443/TCP the rule will actually switch to HTTPS (Juniper I’ve seen do this), and it requires the FWAdmin to make changes to create a new specific rule for 443/TCP.  Different firewalls will also exhibit various different failures for the Edge.  Simply put, IF in testing or in production, you have any kind of weirdness with External Conferencing or Web Conferencing functionality, Step 1) Make sure the firewall isn’t using an HTTPS rule.  443/TCP, gitterdone.

Oh look a bird:  It also doesn’t hurt to make sure that SIP ALG, SIP Inspect, or any other APPLICATION LAYER filtering for SIP is disabled.  Microsoft SIP is encrypted, but sometimes weirdness still happens.

Summary:  You may have been getting away with HTTPS  rules on your Edge external rules, but with CU-235 and higher, especially higher, there is a good chance you’re going to encounter issues.  Oh yes, MS Support was contacted before I came on board, and they were baffled by the behavior and failures, traces that they ran couldn’t explain the problem.  So, SIP trace and wireshark wise, it’s not easy to identify this problem.
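An added example, not part of the original post: a small audit of a firewall rule export that flags the two conditions described above for Edge traffic on 443, an application-layer HTTPS rule and SIP ALG/inspection. The CSV layout, rule names and addresses are constructed for illustration and do not match any vendor's export format.

```python
import csv
import io

# Constructed rule export (hypothetical CSV layout, documentation addresses).
RULES_CSV = """name,dst,protocol,port,app_service,sip_alg
edge-access,203.0.113.10,tcp,443,none,off
edge-webconf,203.0.113.11,tcp,443,https,off
edge-av,203.0.113.12,tcp,443,none,on
reverse-proxy,203.0.113.20,tcp,443,https,off
"""

# External Edge addresses that must be reachable on plain 443/TCP (constructed).
EDGE_IPS = {"203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"}


def audit_edge_rules(rules_csv, edge_ips):
    """Return (subject, finding) pairs for Edge 443 rules that need attention."""
    findings = []
    covered = set()
    for rule in csv.DictReader(io.StringIO(rules_csv)):
        if rule["dst"] not in edge_ips:
            continue  # e.g. the Reverse Proxy, where HTTPS is the stated rule
        if rule["protocol"].lower() != "tcp" or rule["port"] != "443":
            continue
        covered.add(rule["dst"])
        service = rule["app_service"].lower()
        if service != "none":
            # Application-layer rule: the firewall restricts what passes on 443.
            findings.append((rule["name"],
                             f"application-layer {service.upper()} rule; "
                             "request plain 443/TCP"))
        if rule["sip_alg"].lower() == "on":
            findings.append((rule["name"],
                             "SIP ALG/inspection enabled; disable it"))
    # Edge addresses with no 443/TCP rule at all.
    for ip in sorted(edge_ips - covered):
        findings.append((ip, "no 443/TCP rule found"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit_edge_rules(RULES_CSV, EDGE_IPS):
        print(f"{subject}: {finding}")
```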

Thou shall not let Internal Users connect to External Edge Interface…

Been involved with UC for a while, long before it was called UC, and over time we’ve all developed cardinal rules when it comes to deployments.  One that I, and I know several others, have adhered to: “Thou shall not let Internal Users connect to External Edge Interface”.  Right!?!

Times are a changing, and rules are often made to be broken, add the one above to the list, or bending of it anyway.  Extended Skype Online/Hybrid coexistence.  While in a Hybrid configuration users Online and Users Onprem are one big happy environment, right?  Wrong!!  Reality is, they are two separate environments with a Shared SIP Namespace, with some bits of Replication from Onprem to Online thrown in.  (Online doesn’t replicate to OnPrem, see other postings).

Usually this is all good, UNTIL an Online user who normally works from home decides to come into the Office one day.  They sign in no problem, they hit up SIP and the Internal sees they’re an Online user, redirects them up, and right as rain.  Time to join the Onprem meeting hosted by their in office Manager.  Audio/Video works, but nooo presentation, and an error message comes up when trying to share content to Present:  “Your DNS configuration is preventing you from presenting content” or possibly other variants.

Skype Online users, when signed in, are for connectivity purposes External Federated Users, and actually need to connect to the Web Conferencing Interface on the External Edge.   If you’ve been following the aforementioned cardinal rule, there is not likely a name resolution for WebConf, and/or possibly firewall rules blocking internal connection to the External interface.

Don’t believe me, it’s in TechNet as a requirement for Hybrid: https://technet.microsoft.com/en-us/library/jj205403.aspx

[Image: webconf]

Another odd scenario, and I hope this is rare; One large International Corporation, Separate forests, separate Domains, but replicating their split-brain internal DNS zones which house the internal SIP/Skype DNS entries.  Corporate Site A can’t resolve webconf.corporateB.com, because they have B’s internal Split-Brain Public zone replicated/resolved, instead of the Public DNS Zone.

Seems like the new rule now is, Add the External Web Services and Webconf FQDN’s to your Internal split brain DNS zones now.

Good times.

Additional note:  The Skype Online AV traffic also appeared to be going through the Edge AV NIC in the Wireshark captures.  Same machine signed into an Onprem account, connected directly with the Frontend.
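An added example, not part of the original post: a model of the split-brain DNS problem described above, showing why an internal zone that is authoritative for a domain hides the public webconf and External Web Services records, and which records have to be added internally. All zone names, host names (including `webext`) and addresses are constructed placeholders.

```python
# Constructed zone data; every name and address here is a placeholder.
INTERNAL_ZONES = {
    "corporatea.example": {"sip.corporatea.example": "10.1.0.5"},
    # Site B's internal split-brain zone, replicated to Site A's resolvers.
    "corporateb.example": {"sip.corporateb.example": "10.2.0.5"},
}
PUBLIC_DNS = {
    "webconf.corporatea.example": "198.51.100.11",
    "webext.corporatea.example": "198.51.100.20",
    "webconf.corporateb.example": "203.0.113.11",
    "webconf.partner.example": "192.0.2.50",
}
REQUIRED = list(PUBLIC_DNS)  # names internal clients must be able to resolve


def owning_zone(fqdn, zones):
    """Return the longest internal zone that is a suffix of fqdn, or None."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def resolve_internal(fqdn, zones, public):
    """Model an internal resolver: an internal zone shadows the public one."""
    name = fqdn.lower().rstrip(".")
    zone = owning_zone(name, zones)
    if zone is not None:
        # Authoritative answer only; None models NXDOMAIN with no public fallback.
        return zones[zone].get(name)
    return public.get(name)


def missing_internal_records(required, zones, public):
    """Map each unresolvable FQDN to (shadowing zone, public address to add)."""
    gaps = {}
    for fqdn in required:
        if resolve_internal(fqdn, zones, public) is None:
            name = fqdn.lower().rstrip(".")
            gaps[name] = (owning_zone(name, zones), public.get(name))
    return gaps


if __name__ == "__main__":
    for name, (zone, addr) in missing_internal_records(
            REQUIRED, INTERNAL_ZONES, PUBLIC_DNS).items():
        print(f"add {name} -> {addr} to internal zone {zone}")
```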