New RTC blog by the RTC product team

We've heard loud and clear that many people want a better connection with the RTC product team. We're excited to do something about it. The primary goal of this blog is to establish two way communication between the product team and our customers and partners. We will also use this blog as an educational channel to provide additional product information.

Find the blog here or the RSS feed here

Microsoft ActiveSync 4.1 has been released - updated for clarity

Most notably it will support devices running the upcoming Messaging and Security Feature Pack (MSFP a.k.a. AKU2) with the following feature enhancements (From MSFP) supported in Microsoft ActiveSync -

• DirectPush Mail
• Local device wipe
• Certificate-based authentication

Now we have SP2 with the new mobility features and a new version of ActiveSync but we still need the most important part, namely the Windows Mobile 5 AKU2 update from our mobile device vendor (In my case HTC / Qtek) before the circle is full.

Btw. besides the integration to MSFP there also are a few new features to ActiveSync 4.1 -

• New partnership wizard to help customers more easily setup a sync partnership
• Faster transfer of data files including media
• Ability to sync photos assigned to contacts from Outlook on the desktop

Download it from here

LCS 2005 - why NLB is not recommended

As I wrote a couple of days ago in LCS and Network Load Balancing software based Load Balancing isn't recommended for anything else than test environments.
Well it turns out that the LCS Kid has a post on the subject named LCS 2005 - Reasons why NLB is not recommended but instead a Hardware Load Balancer that contains even more reasons to avoid NLB.

Live Communications Server resources - updated

So you are looking for Live Communications Server resources but finding that a bit hard? That might be because there aren't that many around. I have collected some of the resources I'm currently using or have been using in the past here -

Microsoft

• General – Homepage for Microsoft LCS
• Deployment - resources on LCS and Office Communicator - loads of info but a bit unstructured
• Community - Links to blogs but not all are LCS related.
• Product support - How-to articles, downloads and top KB articles
• RTC Webcasts - On-demand and Live webcasts

Community pages

• LCS Kid – Tom is a MS employee. Great info on LCS and its clients
• Intense Collabage - Will Robinsons real world experiences with LCS/PIC
• Joe Schurman – LCS MVP has a good FAQ that’s excellent for newcomers to LCS
• Eileen Brown – Microsoft evangelist focusing on LCS, MOM and Exchange (A must read!)
• The Goldfish Bowl – Graham Tylers blog on LCS, Sharepoint (Developer oriented)
• The Collaboration Blog – General collaboration info including a few LCS articles
• Realtime Blog – Mostly VoIP but also a little LCS
• Bob’s Blog – LCS MVP mostly Exchange news

If you have other good resources (including your own blog) please feel free to write a comment!

Citrix Presentation Server now integrated with MOM 2005

According to a press release from Citrix, they have just released a new MP integrating Presentation Server 4 and MetaFrame (Presentation Server 3) with MOM 2005.

This is great news for customers having both products.

Exchange 12 will be 64 bit only

Microsoft announced yesterday that it will be 64 bit only as they have seen significant performance gains on this platform -

They tested Exchange on 64 bit and found almost a 75% reduction in IOs per second compared with Exchange 2003. This could result in almost a 4X increase in the number of users on the same disks or require 1/4 the disks to support the same users from a throughput perspective.

Read more at Eileen's post and in the official press release.

Enabling Exchange 2003 SP2 IMF v2

So you've uninstalled IMF v1, installed SP2, set the SCL thresholds and actions correctly and everything should be fine but UCE keeps arriving at your inbox?

Well it might be because you forgot the last bit - namely setting the Default SMTP Virtual Server properties for each SMTP server correctly. Under the General tab, IP Address, Advanced, Edit there’s a checkbox called "Apply Intelligent Message Filter".

If you can't find it then visit Vladimir’s blog, which contains detailed instructions (with pictures ;-) for enabling IMF v2.

New whitepaper on HMC use of privileged users, security groups and permission

Conrad Agramont has written an interesting whitepaper that tries to accomplish the following -

The HMC solution includes documentation and deployment tools that will provide instructions for or will automate the creation of user accounts, security groups, and permissions. However, there isn’t a single view for all of the accounts and their "final” implementation. The purpose of this document is to provide such a view.

For anyone new to HMC it gives a good overview of the solutions use of accounts and security groups. It is based on HMC 3.0 - but so far that I can se it will also be applicable for the upcoming HMC 3.5 release (I'm in Redmond on HMC 3.5 training but we have been explicitly asked not to blog about the new features in HMC 3.5).

LCS and Network Load Balancing

I've have had a few questions on using hardware load balancers versus using Windows Server 2003 Network Load balancing. The important note is the following quote from the "Live Communications Server 2005 Enterprise Pools and Windows 2003 Network Load Balancing" deployment guide -

Using hardware load balancers is strongly recommended. Microsoft Windows® NLB may be used for evaluation, test, and pilot systems or for small, nonmission critical deployments.

Furthermore there are the following limitations with using NLB -

1. Remote administration using the Live Communications Server snap-in is not supported. The front-end Enterprise Servers will have to be managed by running the administrative snap-in locally and not from a remote computer.
2. Multiple pools within an organization are not supported.

So the short answer is - don't do it !

Sony XCP uninstaller opens a new security hole!

The first version of the uninstall software that Sony has delivered opens yet another security hole according to a Princeton researcher -

Due to a serious design flaw, the CodeSupport component allows any web site you visit to download and run software on your computer. A malicious web site author can write an evil program, package up that program appropriately, put the packaged code at some URL, and then write a web page that causes CodeSupport to download and run code from that URL.

Read more here Update: Sony Uninstaller Hole Stays Open

Mark won the "war" against Sony BMG - update #3

Last update #3 - read Marks post Victory! (No further explanation required ;-)

According to eWeek Mark Russinovich apparently won the "war" against Sony in the combat against the cloaking methods used in their DRM software (Source).

If you haven't followed the story then go to his blog and read the first post Sony, Rootkits and Digital Rights Management Gone Too Far - there are a lot of interesting insights and comments to his his first and the following posts on the subject (1, 2, 3)

UPDATE - Mark has written a follow-up story after Sony's retreat Sony: No More Rootkit - For Now also Microsoft is going to include detection and removal of the rootkit in Windows AntiSpyware and the upcoming Windows Defender (Source). Congratulations to Mark and all who will benefit from his fight !!!

UPDATE #2 - Someone actually sat down, read the EULA and summed up the result of it; check out these examples -

If your house gets burgled, you have to delete all your music from your laptop when you get home. That's because the EULA says that your rights to any copies terminate as soon as you no longer possess the original CD.

You must install any and all updates, or else lose the music on your computer. The EULA immediately terminates if you fail to install any update. No more holding out on those hobble-ware downgrades masquerading as updates.

Sony-BMG can install and use backdoors in the copy protection software or media player to "enforce their rights" against you, at any time, without notice. And Sony-BMG disclaims any liability if this "self help" crashes your computer, exposes you to security risks, or any other harm.

If you file for bankruptcy, you have to delete all the music on your computer. Seriously.

Solution for adding own root certificates to Windows Mobile 5 devices - Updated

Per and I just received our new Qtek 8310 mobile devices today and got into trouble when we tried to add our own root certificate.

On Pocket devices and in Windows Mobile 2003 SE you just copy the certificate to the device and doubleclick it from File Explorer. But on the Qtek 8310 we got the error "Security permission was insufficient to update your device". In desperation, we also tried to use the SPAddcert.exe utility for Windows Mobile 2002 and 2003 Smartphone edition and received the message "The phone may be locked".

The problem were due to changes in the security model in Windows Mobile 5. Although it is very interesting/innovative in terms of mobile device security (Protecting from malicious software) it isn’t something we like when we want our new gadgets to work with WPA and Exchange Server ActiveSync.

Using Google intensively, I finally found the direction for solving the problem (the first version of this post) and using MSDN I found a better solution as follows -

First you need to get a copy of regeditSTG.exe (Apparently a HTC signed registry editor with an issuer CN that equals HTCCanary) zip it and move it to your device (You get an error if you copy the .exe directly). Now unzip it by double clicking it from File Explorer (on your device) and run the program. Then change the Grant Manager Policy registry key (Remember to note the old value) -

HKLM\Security\Policies\Policies\00001017 = 144

After setting the registry key above reboot your device, copy your root certificate to the File Explorer and click to install it (There’s no feedback that the operation was successful – check settings, security, certificates, root certificates for the existence of your certificate).

Before proceeding, we choose to set the registry setting back to the original values so the Phone was once again protected and finally Exchange ActiveSync and WPA worked like a charm ;-)

The solution apparently works on several different devices like i-Mate, C550, Qtek 8310 (Thats the only one we tested - don't ask about the others but do feel free to comment on those that works ;-) and probably most Windows Mobile 2005 Smartphone devices.

A utility called SDA_ApplicationUnlock.exe can also be found on the Internet but our testing shows us that it does the same as the Grant Manager Policy registry key. The problem with this application is that it only has a "Remove Lock" feature and no "Enable Lock" feature. Different posts/websites show the solution for other phones that include the use of SDA_ApplicationUnlock.exe utility; so if you run into problems you might want to try it.

Disclaimer - We don't know the copyrights on the mentioned utilities - so this posting is only meant for informational purposes and be sure to get correctly licensed versions of these!

EASI passport domains support in PIC / LCS 2005 SP1

As opposed to the information in KB897567 Rev. 3.0 with the short name "Known issues that occur with public instant messaging after you install Office Live Communications Server Service Pack 1" EASI domains are supported by now (Actually by October 11th). Earlier only domains like hotmail.com, messengeruser.com etc. were supported with MSN Messenger connectivity but now domains/addresses like dlt@inceptio.dk are also fully supported (I've just tested it together with a Microsoft contact of mine).

You will have to add EASI passports using a special syntax of user(easidomain.com)@msn.com e.g. the EASI passport msnuser@inceptio.dk would translate to msnuser(inceptio.dk)@msn.com.

If you are considering using PIC then there are many interesting quirks documented in the KB article. One of them is that the MPOP functionality doesn’t work together with MSN/Yahoo/AOL (MPOP is Multiple Points Of Presence where Office Communicator 2005 supports being logged on to several devices at the same time - including the upcoming Microsoft Office Communicator Mobile).

Furthermore, if you're using multiple domains in LCS then be sure to get a public certificate from a provider that supports Subject Alternative Names (Source).

Mobile Communicator Beta 1 released

I just received an e-mail that the Beta 1 for Mobile Communicator has been released. This product is a "mobile" version of Office Communicator 2005 designed for Windows Mobile 2003 SE and Windows Mobile 2005 and it appearently includes VoIP functionality and remote call control. I personally look forward to testing this product and I'm already downloading it - but I will have to wait for my new Qtek 8310 (a.k.a. HTC Tornado) that arrives Thursday this week :-)
This is the first version of Next Gen line of products that also will include new versions of Live Meeting with multipoint audio/video and VoIP as the significant enhancements.
I will get back to you with a small review of the product and also information on Live Communications Server 2005 in the near future.

Changes to Virtual Server and VMWare support

There’s a couple of new changes on support for virtualization software one of them is the change to support for Exchange Server under Virtual Server that we've earlier reported would happen as part of Exchange 2003 Sp2, this is still true but apparently Virtual Server R2 or later will also be required.

On another story Microsoft also changed the support policy for other non-Microsoft hardware virtualization software (a.k.a. VMWare). Now they will provide “commercially reasonable efforts” to test the software - but only for Premier Support customers and furthermore they may require a reproduction "independently from the non-Microsoft hardware virtualization software" ;-)