Polycom HDX Registration with Lync Server
This previous blog article covered some of the HDX registration steps but is over a year old, and more recent firmware releases for the HDX have streamlined and simplified this process somewhat. So for any systems running release 3.0.3.x and newer the following directions are considered best practices when registering an HDX directly to an OCS or Lync Server environment.
Additionally, something missing from the older article is a deeper explanation of user name parameters. One of the most common issues seen in the field preventing endpoint registration to Lync is simply a misunderstanding of the different formats or settings a Lync user might have between their SIP address and AD usernames. This article should help explain both standard AD practices and usages as well as how the Polycom HDX interoperates within those potential differences.
The following scenario is from an HDX running the latest firmware version of 3.0.5. Some changes introduced back in the 3.0.3 release helped streamline the SIP registration process when used with OCS or Lync Server, and these hinge on the inclusion of the RTV Options Key. (When RTV is not enabled or is not available on the HDX it is still always possible to register to OCS or Lync, only the enriched media and conferencing capabilities provided by Real Time Video interoperability will not be available.)
When the RTV Options Key is installed the HDX assumes that the SIP server configuration will be used to register to a Microsoft SIP server, so some of the configuration fields are displayed differently or with alternate names. This is intended to more closely match the Microsoft client sign-in experience by using the same field names as the Lync client.
- The standard Register Server and Proxy Server fields are replaced with a single field entitled Server Name or IP Address. This is because while some standard SIP platforms may utilize different servers for registration and proxy services, in Lync the registrar and proxy services are on the same server.
- The standard User Name field is renamed to Sign-In Address and is used to provide the Lync user’s SIP Address.
- The standard Domain User Name field is changed to User Name and stores the Lync user’s AD account name and domain.
- Using a web browser access the management interface of the HDX (e.g. https://192.168.1.80) and then select the Admin Settings section. Browse to the Network > IP Network menu and scroll down to the SIP Settings section.
- Select the Enable SIP checkbox.
- Set the SIP Server Configuration to Auto, as this tells the HDX to perform the same DNS SRV and Host record lookup procedure that a Lync client would. The automatic lookup process which occurs is covered in more detail at the end of this article.
- The Server Name or IP Address field will be disabled when the configuration is set to Auto, but if Automatic Client Sign-In is not properly configured in the Lync environment for existing Lync clients then the HDX will need to be pointed directly to a Lync Registrar. In that case enter the Fully Qualified Domain Name (FQDN) of the desired Lync Front End Server, Pool, Hardware Load Balancer, Director Server, or Edge Server (e.g. lync.schertz.local).
- The Transport Protocol field is disabled when Auto is selected for the SIP Server Configuration, as the transport type is either defined by the resolved SRV record or, in the case of Host (A) record fallback, TLS is attempted by default. Registration to Lync Server only supports TLS by default, but TCP could be used with OCS if it is first configured on the server and allowed.
- For the Sign-In Address enter the SIP address of the desired Lync user account (e.g. firstname.lastname@example.org).
- For the User Name field enter the Active Directory user name for the associated Lync account (e.g. email@example.com) or the delegated user account name if using disabled accounts. Both Pre-Windows 2000 (DOMAIN\username) and User Principal Name (firstname.lastname@example.org) formats are supported. It is best practice to start with the User Principal Name, as the DNS domain name traditionally has a better chance of working successfully in most environments versus the legacy NetBIOS name. But in a properly deployed AD environment both formats should work. Be aware that this username value often does NOT match the user’s SIP address. For more details on how these user account settings can differ see this previous blog article.
- The Password field should be quite self-explanatory. Note that the checkbox is only used to unhide the password fields themselves and once the password is stored the fields will simply be hidden and blank. It is not necessary to reenter the password every time any of the other fields might be changed, unless of course the user account is changed and the cached password is no longer valid.
- The Microsoft Lync Server 2010 checkbox under Directory is used to enable Lync Address Book integration, but only a single directory can be integrated at one time on the HDX currently, so if an LDAP or Polycom GDS directory is currently enabled then this checkbox would most likely be left disabled. (Although the name specifically states Lync Server the same setting still applies to OCS Address Book support as well.)
- Leave the Domain Name field blank as this field is not required for Lync registration. This field can be used for directory integration authentication during the Lync Address Book download but the Active Directory domain name is already provided in the User Name field so for Lync registration this is redundant. It is best practice to always leave this field blank when registering to Lync Server.
- Click the Update button at the top of the screen to force the HDX to attempt a new registration request to the Lync server.
- To validate a successful registration move to the Diagnostics section and from the System Status > System Status menu verify that the Registrar Server status shows a green arrow pointing upwards.
- Click the Registrar Server link to see additional details about the registration status.
Direct registration into Exchange is supported starting with Exchange Server 2007. Older versions of Exchange are not supported as Exchange Web Services (EWS) is required for the HDX to connect.
- Using a web browser access the management interface of the HDX (e.g. https://192.168.1.80) and then select the Admin Settings section. Browse to the Global Services > Calendaring Service.
- Select the Enable Calendaring Service checkbox.
- For the Microsoft Exchange Server Address field enter the Fully Qualified Domain Name (FQDN) of an Exchange Client Access Server. If the HDX is located on an internal network then this FQDN would traditionally be either a single Exchange consolidated server, a dedicated Client Access Server (CAS), or the pool name of a CAS array which points to a Load Balancing solution. If the HDX is external then this FQDN is most often pointed to a reverse proxy listener which publishes Exchange Web Services to the Internet.
- For the Domain field enter either the NetBIOS Domain Name associated with the Active Directory user account (e.g. SCHERTZ) or the DNS Domain Name (e.g. schertz.local) or if applicable, the custom UPN Suffix assigned to the user account (e.g. mslync.net).
- For the User Name field enter the Active Directory user name for the associated Lync account (e.g. jeff) or the delegated user account name if using disabled accounts. Although both the legacy sAMAccountName and User Principal Name formats are supported it is important that the format used in this field is part of the same authentication format provided in the Domain name field above. Meaning that if the legacy NetBIOS Domain name is provided then the legacy sAMAccountName must be provided. For more details on how these user account settings can differ see this previous blog article.
- The Password field functions the same as in the SIP server configuration and only needs to be entered the first time registration is attempted.
- In the Mailbox (Primary SMTP) field enter the primary SMTP address of the user account (e.g. email@example.com). If the primary SMTP address is not known it can be verified by looking at either the proxyAddresses attribute in Active Directory or by viewing the E-mail Addresses tab in the Global Address Book in Outlook for the desired user. If multiple SMTP addresses are listed for the account then the proxy address with the prefix shown in all capital letters (SMTP: vs. smtp:) indicates the primary address.
- Click the Update button at the top of the screen to force the HDX to attempt a new connection request to the Exchange server. Be aware that the status icon will typically still show failed for a few seconds after updating the changes. Within roughly 5 seconds or less the page should refresh and then change the icon to a green check indicating successful authentication.
- To additionally validate the successful registration, switch to the Diagnostics section and from the System Status > System Status menu verify that the Calendaring Service status shows a green arrow pointing upwards.
- Click the Calendaring Service link to see additional details about the registration status.
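The Sign-In Address, User Name and Mailbox (Primary SMTP) steps above all draw on different attributes of the same account, which is where most failed registrations come from. The following pre-flight check is an added example, not code from Polycom or Microsoft: the AD record is constructed sample data, `netbios_domain` is a hypothetical key supplied by the administrator, and the function names are illustrative.

```python
# Added example. AD_USER is constructed sample data; "netbios_domain" is a
# hypothetical key, the other keys are Active Directory attribute names.
AD_USER = {
    "netbios_domain": "SCHERTZ",
    "sAMAccountName": "jeff",
    "userPrincipalName": "jeff@schertz.local",
    "msRTCSIP-PrimaryUserAddress": "sip:jeff.s@mslync.net",
    "proxyAddresses": ["smtp:jeff@schertz.local",
                       "SMTP:jeff.schertz@mslync.net",
                       "sip:jeff.s@mslync.net"],
}

def primary_smtp(proxy_addresses):
    """Primary SMTP address is the entry with the upper-case 'SMTP:' prefix."""
    found = [p[5:] for p in proxy_addresses if p.startswith("SMTP:")]
    if len(found) != 1:
        raise ValueError(f"expected one primary SMTP entry, found {len(found)}")
    return found[0]

def accepted_values(ad):
    """Values each HDX field accepts for this account, per the steps above."""
    sip = ad["msRTCSIP-PrimaryUserAddress"]
    sip = sip[4:] if sip.lower().startswith("sip:") else sip
    downlevel = f'{ad["netbios_domain"]}\\{ad["sAMAccountName"]}'
    return {
        "Sign-In Address": {sip},
        "User Name": {ad["userPrincipalName"], downlevel},
        "Mailbox (Primary SMTP)": {primary_smtp(ad["proxyAddresses"])},
    }

def mismatches(entered, ad):
    """Return the entered fields that match none of the accepted values."""
    accepted = accepted_values(ad)
    bad = []
    for field, value in entered.items():
        allowed = {v.lower() for v in accepted[field]}
        if value.strip().lower() not in allowed:
            bad.append(field)
    return bad
```

Here the UPN, the SIP address and the primary SMTP address are three different strings, so reusing the UPN in every field fails two of the three checks.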
Automatic Client Sign-In
When the SIP Server Configuration is set to Auto the HDX will perform a series of name record lookups across different record types to intelligently locate the proper Lync registrar for a given domain name.
To support both OCS and Lync Server environments the HDX looks for different DNS hostnames, mimicking a combination of what both the Office Communicator and Lync clients perform. The Lync client only performs lookups for the TLS-specific host records, but since OCS supported both TCP and TLS native client connections the HDX still looks for TCP records as well.
In this example the currently registered Lync user account is firstname.lastname@example.org so the HDX will perform record lookups against that SIP domain namespace (mslync.net). The exact lookup order is as follows:
- First the HDX will perform a Name Authority Pointer (NAPTR) lookup for the SIP domain. This is not applicable to OCS or Lync but is used for other non-Microsoft SIP registration processes.
- If the previous lookup returns a ‘Name Error’ response indicating that the requested record does not exist then the HDX moves on to looking for Service Locator Records (SRV).
| Type | Record | Usage |
|---|---|---|
| SRV | _sipinternaltls._tcp.mslync.net | Internal TLS to Front End or Director |
| SRV | _sip._tls.mslync.net | External TLS to Edge Server |
| SRV | _sipinternal._tcp.mslync.net | Internal TCP to Front End or Director (OCS Only) |
| SRV | _sip._tcp.mslync.net | External TCP to Edge Server (OCS Only) |
- If all SRV lookups fail to resolve then the device will fall-back to specific DNS Host (A) records supported by both OCS and Lync Server. The HDX will perform simultaneous IPv4 (A) and IPv6 (AAAA) lookups.
| Type | Record | Usage |
|---|---|---|
| AAAA | sipinternal.mslync.net | Internal TLS to Front End or Director |
| A | sipinternal.mslync.net | Internal TLS to Front End or Director |
| AAAA | sip.mslync.net | External TLS to Edge Server |
| A | sip.mslync.net | External TLS to Edge Server |
So as long as any of the supported SRV or A records listed above are configured for Lync clients to leverage for Automatic Configuration, the HDX will use the same.
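The lookup order above can be replayed against a zone to see which record the HDX would settle on and whether that choice means TLS or cleartext TCP signalling. This is an added example, not Polycom code: the `lookup` resolver hook, the function names and the sample zone are assumptions made for illustration.

```python
# Added example: replays the HDX automatic sign-in lookup order from this article.
# The NAPTR step is skipped because it does not apply to OCS or Lync.
SRV_ORDER = [  # (record prefix, transport, what it points to)
    ("_sipinternaltls._tcp", "TLS", "internal Front End or Director"),
    ("_sip._tls", "TLS", "external Edge Server"),
    ("_sipinternal._tcp", "TCP", "internal Front End or Director (OCS only)"),
    ("_sip._tcp", "TCP", "external Edge Server (OCS only)"),
]
HOST_ORDER = [("sipinternal", "internal Front End or Director"),
              ("sip", "external Edge Server")]

def locate_registrar(sip_domain, lookup):
    """Return the first record the HDX would use, or None if manual entry is needed.
    lookup(rtype, name) is an assumed resolver hook: it returns a list of
    answers ((target, port) tuples for SRV, address strings for A/AAAA) and an
    empty list for a Name Error.
    """
    tried = []
    for prefix, transport, role in SRV_ORDER:
        name = f"{prefix}.{sip_domain}"
        tried.append(f"SRV {name}")
        answers = lookup("SRV", name)
        if answers:
            target, port = answers[0]
            return {"record": tried[-1], "target": target, "port": port,
                    "transport": transport, "role": role, "tried": tried}
    for host, role in HOST_ORDER:
        name = f"{host}.{sip_domain}"
        tried.append(f"A/AAAA {name}")
        # The HDX queries AAAA and A together; either answer is usable.
        addresses = lookup("AAAA", name) + lookup("A", name)
        if addresses:
            # Host fallback attempts TLS; the article gives no port for this case.
            return {"record": tried[-1], "target": name, "port": None,
                    "transport": "TLS", "role": role, "tried": tried}
    return None

def signalling_is_cleartext(result):
    """True when the chosen record would register over TCP instead of TLS."""
    return result is not None and result["transport"] == "TCP"

# Constructed sample zone for mslync.net (not real DNS data).
SAMPLE_ZONE = {
    ("SRV", "_sip._tls.mslync.net"): [("edge.mslync.net", 443)],
    ("A", "sip.mslync.net"): ["203.0.113.10"],
}

def sample_lookup(rtype, name):
    return SAMPLE_ZONE.get((rtype, name), [])
```

To run it against live DNS, pass a `lookup` function backed by a real resolver; a result flagged by `signalling_is_cleartext` means only the OCS-era TCP records exist for that domain.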
In the event that none of these records are provided by the DNS server zones for the desired SIP domain name space then the registration server must be manually entered.
- Set the SIP Server Configuration to Specify and this will allow the following Server Name and Transport Protocol fields to be populated.
- The Server Name or IP Address field should be configured with the Fully Qualified Domain Name (FQDN) of the desired Lync Server. For internal registration enter only the server FQDN as connections to the default port of 5061 will be assumed (e.g. lync.schertz.local). For external registration enter the desired Access Edge FQDN along with the configured listening port, which is 443 by default on most Lync Edge Servers (e.g. edge.mslync.net:443).
- The Transport Protocol field should be set to Auto when TLS is desired, which is nearly always the case when using Lync Server as that is the only supported client connection type by default.