Trusted Application Pool setup
Creating DNS Entry in AD for the trusted application pool
The DNS entries must be created for each machine that will belong to the trusted application pool. This is done in the DNS section (forward lookup zones) of the server manager application.
Follow the steps:
- Go to the machine where Active Directory is configured.
- On Windows Server 2008, go to Start > Run. On Windows Server 2012, press Windows key + R.
- Type dnsmgmt.msc, and then choose OK.
- In DNS Manager, expand <DNS server name> > Forward Lookup Zones.
- From the expanded list, click to select and then right-click the domain name. From the displayed context menu, click the New Host (A or AAAA) option.
- In the opened "New Host" dialog, in the "Name (uses parent domain name if blank)" field, type the host name of the computer or the application pool FQDN for which you want to create a new record in the DNS server.
- Type the IP address of the target computer in the "IP address" field.
- Repeat the two previous steps (name and IP address) for each host in the trusted application pool.
Example 1: Single Server
Type | FQDN | IP Address | Comment |
---|---|---|---|
A | TrustappPool.local-domain.com | x.x.x.101 | DNS record for the Lync/SfB TrustedApplicationPool. One entry for every host inside the pool. |
A | TrustAppServer1.local-domain.com | x.x.x.101 | DNS record for a host within the Lync/SfB TrustedApplicationPool. |
The TrustAppServerX.local-domain.com record is the server's own A record; it is normally created automatically when the server is joined to Active Directory.
Example 2: High Availability / Two Servers
Type | FQDN | IP Address | Comment |
---|---|---|---|
A | TrustappPool.local-domain.com | x.x.x.101 | DNS record for the Lync/SfB TrustedApplicationPool. One entry for every host inside the pool. |
A | TrustappPool.local-domain.com | x.x.x.102 | DNS record for the Lync/SfB TrustedApplicationPool (second A record with the same name, for the second host). |
A | TrustAppServer1.local-domain.com | x.x.x.101 | DNS record for a host within the Lync/SfB TrustedApplicationPool. |
A | TrustAppServer2.local-domain.com | x.x.x.102 | DNS record for a host within the Lync/SfB TrustedApplicationPool. |
The TrustAppServerX.local-domain.com records are the servers' own A records; they are normally created automatically when the server is joined to Active Directory.
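The same records as in Example 2, created from PowerShell instead of the DNS Manager GUI. This is an added example, not part of the original page: it uses the DnsServer module (Windows Server 2012 or later) and assumes the zone name, a DNS server called dc01.local-domain.com and the 192.0.2.x addresses, all of which are constructed placeholders.

```powershell
# Added example (not from the original page): create the Example 2 A records
# with the DnsServer module. Zone, server name and 192.0.2.x addresses are
# constructed placeholders (TEST-NET-1); replace them with real values.
Import-Module DnsServer

$ZoneName  = "local-domain.com"
$DnsServer = "dc01.local-domain.com"          # DNS server hosting the zone (assumed)
$PoolName  = "TrustappPool"                   # unqualified; the zone is appended
$PoolHosts = @{                               # host name -> IP address
    "TrustAppServer1" = "192.0.2.101"
    "TrustAppServer2" = "192.0.2.102"
}

foreach ($HostName in $PoolHosts.Keys) {
    $Ip = $PoolHosts[$HostName]

    # Host record: normally created by the domain join, so add it only if missing.
    $Existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $HostName `
        -RRType A -ComputerName $DnsServer -ErrorAction SilentlyContinue
    if (-not $Existing) {
        Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $HostName `
            -IPv4Address $Ip -ComputerName $DnsServer
    }

    # Pool record: one A record per pool member, all with the same name.
    Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $PoolName `
        -IPv4Address $Ip -ComputerName $DnsServer
}

# Verify: the pool FQDN must resolve to every member address.
$PoolFqdn = "$PoolName.$ZoneName"
$Resolved = (Resolve-DnsName -Name $PoolFqdn -Type A -Server $DnsServer).IPAddress
$Missing  = $PoolHosts.Values | Where-Object { $_ -notin $Resolved }
if ($Missing) {
    Write-Warning "Pool record $PoolFqdn is missing: $($Missing -join ', ')"
} else {
    Write-Host "Pool record $PoolFqdn resolves to: $($Resolved -join ', ')"
}
```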
Registering Trusted Application Pool on SfB Server Machine
One of the steps to set up the machines for LUCS installation is to run PowerShell scripts to manage SfB Server applications and trusted third-party applications.
On the machine where SfB Server is installed run the SfB Server Management Shell and follow the steps:
Create trusted application pool:
- Run "Get-CsSite" and note down the SiteId you get as response.
- Run "Get-CsService -Registrar" and note down the Registrar you get as response.
- Run New-CsTrustedApplicationPool -Identity [PoolName] -Registrar [Registrar] -Site [SiteId] -ComputerFqdn [First Computer's FQDN]
- Run Enable-CsTopology
Example
New-CsTrustedApplicationPool -Identity lucs.dev.local -Registrar lyncserver.dev.local -Site: MainSite -ComputerFqdn lucs01.dev.local
If you have only one machine, the Identity and the ComputerFqdn are the same. In this case -ComputerFqdn can be omitted.
Add computers to the pool:
If there are multiple computers that will host trusted applications, add them to an existing pool:
- Run Get-CsTrustedApplicationPool and note down the "TrustedApplicationPool" you get as response.
- Run "New-CsTrustedApplicationComputer -Identity [Computer's FQDN] -Pool [TrustedApplicationPool]"
- Run "Enable-CsTopology"
Example
New-CsTrustedApplicationComputer -Identity lucs02.dev.local -Pool lucs.dev.local
If you want to add more computers later, you only need to run this command again for each new computer.
More information about the PowerShell cmdlets is available in the 'Application management cmdlets in SfB Server' section of the TechNet Library.
Register Trusted Applications Script
Register Trusted Application Endpoints Script
##############################################
# Script Name: Registering_LUCS_TM_TrustedApps.ps1
# Description: Create TrustedAppPool / Apps / Endpoints
#
#V1.0.0.0: Initial - Davide Iadarola
#V1.0.0.1: Update: Feature - Create default endpoint - Davide Iadarola
#V1.0.0.2: Update: Feature - Add ApplicationPrefix - Davide Iadarola
#V1.0.0.3: Update: Feature - Create LUCS/TM Conference Policy if not exists / Bugfix - Outputfile folder not created /
# Feature - Assign Conference Policy to Endpoints - Davide Iadarola
##############################################
#Config section:
$Application = "lucs"; #Options: lucs / tm
$ApplicationPrefix = ""; #Placeholder for TrustedappPoolName in TrustedApps and SipAddresses - Option is not required
$TrustedAppPool = ""; #LUCS or TM TrustedAppPool - FQDN
$SfBRegistrar = ""; #Skype for Business Registrar - FQDN
$SfBSite = ""; #Skype for Business Site
$TrustedAppComputers = @(
""
,""
,""
); #Hostname.domain.local
$SipDomain = ""; #Customer SIP Domain - sipdomain.local
$InstallMMSwitch = $false; #Options: $true / $false - Install LUCS MM?
$AdditionalEndpointsSwitch = $false; #Options: $true / $false - Add more Endpoints to the System
$AdditionalEndpointsStart = 10; #First Additional Endpoint
$AdditionalEndpointsEnd = 20; #Last Additional Endpoint
$ConfigOutputPath = "C:\Temp\LuwareTrustedAppConfig.txt"; #Path to Config Export
$DefaultEndpointSwitch = $false; #Options: $true / $false - Create default endpoint for failover scenarios
$DefaultEndpointPrefix = "defaultendpoint"; #Default endpoint name - "sip:", the application name and "@sipdomain" will be added automatically
#------------------------------------------------------------------------------------------------------
#Do not Change below
#Add "-" to $Applicationprefix if used
if($ApplicationPrefix -ne ""){
$ApplicationPrefix = ($ApplicationPrefix + "-")
}
#Check if ConferencePolicy Tag:LucsService exists -> if not -> create ConferencePolicy
if((Get-CsConferencingPolicy -Identity "Tag:LucsService" -ErrorAction SilentlyContinue) -eq $null){
New-CsConferencingPolicy -Identity "Tag:LucsService" -AllowIPAudio $true -AllowIPVideo $true -AllowMultiView $false `
-Description "Lucs Contact Center Conferencing Policy" -AllowParticipantControl $true -AllowAnonymousParticipantsInMeetings $true `
-AllowExternalUserControl $true -EnableDialInConferencing $true -AllowConferenceRecording $false -EnableDataCollaboration $true `
-MaxVideoConferenceResolution "VGA"
}
#Save AdditionalEndpointsStart Var for Output
if($AdditionalEndpointsSwitch -eq $true){
$AdditionalEndpointsStartOutput = $AdditionalEndpointsStart;
}
else{
$AdditionalEndpointsStartOutput = "";
}
#Create TrustedAppPool
New-CsTrustedApplicationPool -Identity $TrustedAppPool -Registrar $SfBRegistrar -Site Site:$SfBSite -ComputerFqdn $TrustedAppComputers[0];
#Add Computers to Pool
Foreach($TrustedAppComputer in $TrustedAppComputers){
if($TrustedAppComputer -ne "" -and $TrustedAppComputer -ne $TrustedAppComputers[0]){
New-CsTrustedApplicationComputer -Identity $TrustedAppComputer -Pool $TrustedAppPool;
}
}
#Set Port Numbers
if ($Application -eq "lucs"){
$PortPrefix = 6;
$StartDefaultPort = 7000;
$StartAddPort = 7500;
}
elseif ($Application -eq "tm"){
$PortPrefix = 8;
$StartDefaultPort = 9000;
$StartAddPort = 9500;
}
# ICH Registration - Create TrustedApp ICH
New-CsTrustedApplication -ApplicationId ($ApplicationPrefix + $Application + "-ich") -TrustedApplicationPoolFqdn $TrustedAppPool `
-Port ("$PortPrefix" + "000");
#Create Default TrustedApps + Endpoints
$Count = 0;
Do{
New-CsTrustedApplication -ApplicationId ($ApplicationPrefix + $Application + "-connector-" + $Count) `
-TrustedApplicationPoolFqdn $TrustedAppPool -Port $StartDefaultPort;
New-CsTrustedApplicationEndpoint -ApplicationId ("urn:application:" + $ApplicationPrefix + $Application + "-connector-" + $Count) `
-TrustedApplicationPoolFqdn $TrustedAppPool `
-SipAddress ("sip:" + $ApplicationPrefix + $Application + "-connector-" + $Count + "@" + $SipDomain);
Get-CsTrustedApplicationEndpoint ("sip:" + $ApplicationPrefix + $Application + "-connector-" + $Count + "@" + $SipDomain) `
| Grant-CsConferencingPolicy -PolicyName "Tag:LucsService";
$StartDefaultPort = $StartDefaultPort + 100;
$Count++;
}
While($Count -le 4)
#Additional Endpoints
if($AdditionalEndpointsSwitch -ne $false){
Do{
New-CsTrustedApplication -ApplicationId ($ApplicationPrefix + $Application + "-connector-" + $AdditionalEndpointsStart) `
-TrustedApplicationPoolFqdn $TrustedAppPool -Port $StartAddPort;
New-CsTrustedApplicationEndpoint -ApplicationId ("urn:application:" + $ApplicationPrefix + $Application + "-connector-" `
+ $AdditionalEndpointsStart) -TrustedApplicationPoolFqdn $TrustedAppPool -SipAddress ("sip:" + $ApplicationPrefix + $Application `
+ "-connector-" + $AdditionalEndpointsStart + "@" + $SipDomain);
Get-CsTrustedApplicationEndpoint ("sip:" + $ApplicationPrefix + $Application + "-connector-" + $AdditionalEndpointsStart + "@" + $SipDomain) `
| Grant-CsConferencingPolicy -PolicyName "Tag:LucsService";
$StartAddPort = $StartAddPort + 1;
$AdditionalEndpointsStart++;
}
While($AdditionalEndpointsStart -le $AdditionalEndpointsEnd)
}
#CR Registration
$Count = 1;
New-CsTrustedApplication -ApplicationId ($ApplicationPrefix + $Application + "-cr") -TrustedApplicationPoolFqdn $TrustedAppPool `
-Port ("$PortPrefix" + "200");
Do{
New-CsTrustedApplicationEndpoint -ApplicationId ($ApplicationPrefix + $Application + "-cr") -TrustedApplicationPoolFqdn $TrustedAppPool `
-SipAddress ("sip:" + $ApplicationPrefix + $Application + "-conversationrecording-" + $count + "@" + $SipDomain);
$Count++;
}
While($Count -le 2)
#MM Registration
if($InstallMMSwitch -eq $true -and $Application -eq "lucs"){
New-CsTrustedApplication -ApplicationId ($ApplicationPrefix + $Application + "-mm") -TrustedApplicationPoolFqdn $TrustedAppPool -Port 6300;
New-CsTrustedApplicationEndpoint -ApplicationId ("urn:application:" + $ApplicationPrefix + $Application + "-mm") `
-TrustedApplicationPoolFqdn $TrustedAppPool -SipAddress ("sip:" + $ApplicationPrefix + $Application + "-mailmanager@" + $SipDomain);
}
#AC Registration
New-CsTrustedApplication -ApplicationId ($ApplicationPrefix + $Application + "-ac") `
-TrustedApplicationPoolFqdn $TrustedAppPool -Port ("$PortPrefix" + "100");
New-CsTrustedApplicationEndpoint -ApplicationId ("urn:application:" + $ApplicationPrefix + $Application + "-ac") `
-TrustedApplicationPoolFqdn $TrustedAppPool -SipAddress ("sip:" + $ApplicationPrefix + $Application + "-agentcontrol@" + $SipDomain);
#SMD Registration
$ServerAppPrio = Get-CsServerApplication | ?{$_.Identity -like "*$SfBRegistrar/TranslationService"} | Select-Object Priority;
$ServerAppPrio.Priority = $ServerAppPrio.Priority + 1;
New-CsServerApplication -Identity ("Registrar:$SfBRegistrar/" + $Application + "-SMD") -Uri ("http://www.luware.net/" + $Application `
+ "-SMD") -Priority $ServerAppPrio.Priority -Critical $False -Enabled $True;
#Default endpoint
if($DefaultEndpointSwitch -eq $true){
#Create default endpoint
New-CsTrustedApplicationEndpoint -ApplicationId ($ApplicationPrefix + $Application + "-ich") -TrustedApplicationPoolFqdn $TrustedAppPool `
-SipAddress ("sip:" + $ApplicationPrefix + $Application + "-" + $DefaultEndpointPrefix + "@" + $SipDomain) `
| Grant-CsConferencingPolicy -PolicyName "Tag:LucsService";
}
#------------------------------------------------------------------------------------------------------
# Output
$ichport = ("$PortPrefix" + "000");
$acport = ("$PortPrefix" + "100");
$crport = ("$PortPrefix" + "200");
$connectorprefix = ("$ApplicationPrefix" + "$Application" + "-connector-");
$connector0 = ("$ApplicationPrefix" + "$Application" + "-connector-0");
$connector1 = ("$ApplicationPrefix" + "$Application" + "-connector-1");
$connector2 = ("$ApplicationPrefix" + "$Application" + "-connector-2");
$connector3 = ("$ApplicationPrefix" + "$Application" + "-connector-3");
$connector4 = ("$ApplicationPrefix" + "$Application" + "-connector-4");
#Change Var if
if($AdditionalEndpointsSwitch -eq $false){
$AdditionalEndpointsStart = "";
$AdditionalEndpointsEnd = "";
$connectorprefix = "";
}
#MM is only registered for lucs (see MM Registration above), so only report it in that case
if($InstallMMSwitch -eq $true -and $Application -eq "lucs"){
$mmurn = ("urn:application:" + $ApplicationPrefix + $Application + "-mm");
$mmport = ("$PortPrefix" + "300");
$mmuseragent = ($ApplicationPrefix + $Application + "-mm");
$mmtrustedapppool = "$TrustedAppPool";
$mmservertype = "MM";
}
else{
$mmurn = "";
$mmport = "";
$mmuseragent = "";
$mmtrustedapppool = "";
$mmservertype = "";
}
if($DefaultEndpointSwitch -eq $true){
#Must match the SIP address created in the "Default endpoint" section above
$DefaultEndpointSipAddress = ("sip:" + $ApplicationPrefix + $Application + "-" + $DefaultEndpointPrefix + "@" + $SipDomain);
}
else{
$DefaultEndpointSipAddress = "";
}
$ApplicationPrefixAndApplication = ($ApplicationPrefix + $Application);
$OutputConfig = @("
Please enter those settings in the Webconfigurator under the following chapters:
Settings -> Topology -> Frontendpools:
Name: $SfBRegistrar
-------------------------------------------------------------------------------------------------------
Settings -> Topology -> Trusted Application Pools
FQDN: $TrustedAppPool
Select: $SfBRegistrar
-------------------------------------------------------------------------------------------------------
Settings -> Topology -> Trusted Applications
********* ICH *********
URN: urn:application:$ApplicationPrefixAndApplication-ich
Port: $ichport
User Agent: $ApplicationPrefixAndApplication-ich
Application Pool: $TrustedAppPool
Server Type: ICH
********* AC *********
URN: urn:application:$ApplicationPrefixAndApplication-ac
Port: $acport
User Agent: $ApplicationPrefixAndApplication-ac
Application Pool: $TrustedAppPool
Server Type: AC
********* CR *********
URN: urn:application:$ApplicationPrefixAndApplication-cr
Port: $crport
User Agent: $ApplicationPrefixAndApplication-cr
Application Pool: $TrustedAppPool
Server Type: CR
********* MM *********
URN: $mmurn
Port: $mmport
User Agent: $mmuseragent
Application Pool: $mmtrustedapppool
Server Type: $mmservertype
-------------------------------------------------------------------------------------------------------
Settings -> Topology -> Components
********* CR *********
SipUris: sip:$ApplicationPrefixAndApplication-conversationrecording-1@$SipDomain;
sip:$ApplicationPrefixAndApplication-conversationrecording-2@$SipDomain
********* ICH *********
ConnectorApplicationURN: urn:application:$connector0
ConnectorApplicationURN1: urn:application:$connector1
ConnectorApplicationURN2: urn:application:$connector2
ConnectorApplicationURN3: urn:application:$connector3
ConnectorApplicationURN4: urn:application:$connector4
ConnectorEnd: $AdditionalEndpointsEnd
ConnectorPrefix: urn:application:$connectorprefix
ConnectorStart: $AdditionalEndpointsStartOutput
DefaultEndpointSipAddress: $DefaultEndpointSipAddress
********* SMD *********
ManifestURI: http://www.luware.net/$ApplicationPrefixAndApplication-AgentMonitor
-------------------------------------------------------------------------------------------------------
PLEASE BE AWARE THAT YOU NEED TO FINALIZE THE CONFIGURATION OF EACH COMPONENT
")
#Create Output
if(Test-Path ($ConfigOutputPath.Substring(0, $ConfigOutputPath.lastIndexOf('\')))){
$OutputConfig > $ConfigOutputPath;
}
else{
New-Item -Path ($ConfigOutputPath.Substring(0, $ConfigOutputPath.lastIndexOf('\'))) -ItemType Directory;
$OutputConfig > $ConfigOutputPath;
}
#------------------------------------------------------------------------------------------------------
Write-Host "Script finished - Please Run Enable-CsTopology command and check the output file - Path: $ConfigOutputPath" `
-ForegroundColor Yellow;
Registering Trusted Applications and Endpoints on SfB Server Machine
The following services require SfB trusted applications:
- ICH (Interactive Conversation Handler)
- AC (Agent Controller or Agent Configurator)
- CR (Conversation Recording)
- MM (Mail Manager)
For the registration of each trusted application the following command is used:
Register Trusted Applications
New-CsTrustedApplicationComputer -Identity lucs02.dev.local -Pool lucs.dev.local
New-CsTrustedApplication -ApplicationId […] -TrustedApplicationPoolFqdn […] -Port […]
After that for each trusted application a trusted application endpoint should be created:
Register Trusted Application Endpoints
New-CsTrustedApplicationEndpoint -ApplicationId […] -TrustedApplicationPoolFqdn […] -SipAddress […]
The information about the registered applications, endpoints and ports can be retrieved with the following cmdlets:
Get Trusted Applications and Endpoints
Get-CsTrustedApplication -Filter *trust*
Get-CsTrustedApplicationEndpoint
When several machines are used as application servers, the services have to be configured and installed on each of them.
Note: Some configuration properties (e.g. activity order) depend on the machine where the service is installed. When the activity order is the same for an active-passive service, the first started instance becomes active.
Some of the information that has to be entered into the LUCS Configurator during service configuration (for the ICH, AC, CR and MM services) can be obtained from the SfB Server Management Shell:
Get-CsTrustedApplication
If for the registration of the SfB Applications the default settings are used, the following components use the listed ports:
ICH | Connector 0-4 (belongs to ICH) | AC | CR | MM | SMD |
---|---|---|---|---|---|
6000 | 7000-7400 (one port per connector, in steps of 100) | 6100 | 6200 | 6300 | no port |
This is a recommendation; the final port choice depends on the availability of these ports. Trusted applications must be registered on free ports that are not used by other applications. If a trusted application is registered on a port already used by another application, the conflict is written to the log file and the trusted application will not work.
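An added example (not from the page or the Luware script) that checks each planned port against the trusted applications already registered on the pool and against processes already listening on the application server, before New-CsTrustedApplication is run. The pool FQDN lucs.dev.local and the lucs default ports are the page's own values; the function name Test-TrustedAppPort is assumed, and Get-NetTCPConnection requires Windows Server 2012 or later.

```powershell
# Added example (not from the page or the Luware script): find port conflicts
# before registering trusted applications. Run in the SfB Server Management
# Shell on the application server. Test-TrustedAppPort is an assumed name.
function Test-TrustedAppPort {
    param(
        [Parameter(Mandatory)] [string] $PoolFqdn,
        [Parameter(Mandatory)] [int]    $Port,
        [string] $ApplicationId = ""          # application that should own the port
    )
    $Problems = @()

    # 1. Another trusted application already registered on this pool and port?
    $Owner = Get-CsTrustedApplication | Where-Object {
        $_.TrustedApplicationPoolFqdn -eq $PoolFqdn -and $_.Port -eq $Port
    }
    if ($ApplicationId) {
        # A registration for the intended application itself is not a conflict.
        $Owner = $Owner | Where-Object { $_.ApplicationId -ne "urn:application:$ApplicationId" }
    }
    foreach ($App in $Owner) {
        $Problems += "port $Port already registered to $($App.ApplicationId)"
    }

    # 2. A process on this machine already listening on the port?
    $Listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    foreach ($Conn in $Listeners) {
        $Proc = Get-Process -Id $Conn.OwningProcess -ErrorAction SilentlyContinue
        $Problems += "port $Port is in use locally by PID $($Conn.OwningProcess) ($($Proc.ProcessName))"
    }

    [pscustomobject]@{ Port = $Port; Free = ($Problems.Count -eq 0); Problems = $Problems }
}

# Default port plan from the page: ICH 6000, AC 6100, CR 6200, MM 6300, connectors 7000-7400.
$Plan = @{ "lucs-ich" = 6000; "lucs-ac" = 6100; "lucs-cr" = 6200; "lucs-mm" = 6300 }
0..4 | ForEach-Object { $Plan["lucs-connector-$_"] = 7000 + 100 * $_ }

$Results = foreach ($AppId in $Plan.Keys) {
    Test-TrustedAppPort -PoolFqdn "lucs.dev.local" -Port $Plan[$AppId] -ApplicationId $AppId
}
$Results | Sort-Object Port | Format-Table Port, Free, Problems -AutoSize
```

Any row with Free = False names the registered application or local process that holds the port, so the port plan can be adjusted before the registration script is run.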