In-Band Provisioning over SIP
Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
After the client is signed in, the client receives settings from the server pool through in-band provisioning. Specific settings that have been configured in the Office Communications Server properties are propagated to the client during this process. Unlike Group Policy, which is delivered by using a separate mechanism that is based on Windows and Active Directory, in-band provisioning carries settings within the Session Initiation Protocol (SIP) and does not require a separate communications channel.
For example, Office Communicator clients receive server locations, security information, and settings related to specific client features during in-band provisioning. Office Communicator Phone Edition devices receive the list of supported location profiles and pool-level defaults through in-band provisioning.
The following table outlines the settings that are sent to Office Communicator clients during in-band provisioning and the location where these settings are configured on the server.
Table 1. In-Band Provisioning Settings
Settings sent through in-band provisioning | Location in server properties |
---|---|
Internal and external URLs for the Address Book Server and Web Service for Distribution Group expansion | In the pool properties, Web Component Properties, Address Book tab, Internal URL and External URL |
Location of the Media Relay Access server (MRAS, part of A/V Edge Server) | In the forest properties, Global Properties, Edge Servers tab, under A/V Edge Servers |
SIP high security mode | In the pool properties, Front End Properties, Voice tab, in the Advanced Voice Options page (after Advanced Options, click Configure), under SIP security mode |
Telephony Mode, which determines whether enterprise and voice telephony features, remote call control, and computer-to-computer calling are enabled | Voice license: In the user’s Active Directory properties, Communications tab, Telephony options. Enterprise license: In the forest properties, Global Settings, Meetings, Global Policies. Enterprise with Voice license: Both of the above settings |
Audio/video conferencing and data conferencing | In the forest properties, Global Properties, Meetings, Global Policies |
Simultaneous ringing | In the forest properties, Voice Properties, Policy tab, edit the policy and select or clear the Allow simultaneous ringing of phones check box |
Whether encryption is supported or required when making and receiving audio and video calls | Pool Properties, Media tab, under Security Settings, Encryption Level |
Default location context for phone calls | In the forest properties, Voice Properties, Location tab |
Line information for the UC phone line | In the user’s Active Directory properties, Communications tab, Telephony options, Line URI |
Maximum video rate allowed | In the pool properties, Front End Properties, Video tab, select the appropriate setting for Maximum video quality |
Enforce pin lock | In the pool properties, Front End Properties, Voice tab, select or clear the Enforce phone lock check box |
Why Use In-Band Provisioning?
To ensure a consistent user experience across all endpoints, Office Communications Server uses in-band provisioning. This enables policies and settings (for example, the MRAS setting) to be sent to non-domain-joined clients as well as to devices such as Office Communicator Phone Edition and Office Communicator Mobile (2007 R2 release).
For endpoints like Office Communicator 2007 R2, an advantage of using in-band provisioning is that information critical to client functionality is stored on the server and not on the computer or the specific endpoint.
In-band provisioning simplifies the application of policies and server settings across the organization because the settings apply to all clients that sign in to the server pool. However, some organizations may need to apply distinct settings and policies to different groups within the organization. Administrators can achieve this greater level of granularity by using Group Policy to apply separate client settings to different Active Directory groups.
Note
Office Communicator Phone Edition clients receive all settings from the server through in-band provisioning and are not configurable through registry-based Group Policy.
Some application layer settings are common between Office Communicator 2007 R2 and Office Communicator Phone Edition. Because Office Communicator Phone Edition has no group policy mechanism, certain application layer settings that were previously controlled solely through Group Policy have moved in-band in the Office Communications Server 2007 R2 release. This change was made so that Office Communicator Phone Edition clients could receive these settings through in-band provisioning. However, before you remove any group policies because the settings have moved in-band, you should consider the effect on Office Communicator 2007 R2 clients. Following are the affected settings:
Portrange (Specify dynamic port ranges) and the Enabled, MaxMediaPort, and MinMediaPort subkeys
EnableTracing (Turn on tracing for Office Communicator)
EnableSIPHighSecurityMode (Configure SIP security mode)
Of these settings, the SIP Security Mode setting is used during the bootstrapping process to specify whether Transport Layer Security (TLS) is required. If your organization required a TLS connection between clients and servers in previous versions of Office Communications Server, you have probably already set the Group Policy for SIP Security Mode. Even though the setting has moved in-band for Office Communications Server 2007 R2, you should retain the SIP Security Mode group policy because it is still used during bootstrapping, before the client is able to receive settings through in-band provisioning. Maintaining the SIP Security Mode policy retains security during the bootstrapping process.
Office Communicator 2007 R2 Group Policy Precedence
Some Office Communicator 2007 R2 features and behaviors can be configured by the administrator by using Office Communications Server 2007 R2 in-band provisioning, or by the user through the Communicator 2007 R2 Options dialog box. However, Group Policies take precedence over both of these methods.
The following table summarizes the order in which settings take precedence when a conflict occurs.
Table 2. Group Policy Precedence
Precedence | Location or Method of Setting |
---|---|
1 | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Communicator |
2 | HKEY_CURRENT_USER\Software\Policies\Microsoft\Communicator |
3 | Office Communications Server 2007 R2 In-Band provisioning |
4 | Office Communications Server 2007 R2 In-Band provisioning |
Policy transport
In-band settings are requested when a client signs in. The client sends a sequence of messages and the server responds. The following shows the sequence of interactions between the client and the server.
The client first sends a SERVICE request for the location profile settings. The following is an example of the start-line.
SERVICE sip:amst@litwareinc.com;gruu;opaque=app:locationprofile:get;default SIP/2.0
The server responds with a 200 OK message that contains the location profile settings. The content type of the response is application/ms-location-profile-definition+xml. The message body contains the dialing rule patterns and corresponding translations. An example of a message body is as follows:
<LocationProfileDescription xmlns="https://schemas.microsoft.com/2007/03/locationProfileDescription">
<Name>Local.LitwareInc.com</Name>
<Rule>
<Pattern>^(112)$</Pattern>
<Translation>$1</Translation>
<InternalEnterpriseExtension>false</InternalEnterpriseExtension>
<ApplicableForDeviceDialing>true</ApplicableForDeviceDialing>
</Rule>
</LocationProfileDescription>
The client then sends a SUBSCRIBE request for the contact list. The Event header in the SUBSCRIBE message has a value of vnd-microsoft-roaming-contacts. The server responds with a 200 OK message that contains the contact list, the groups that the user has created, and the contacts who belong to each group. The Content type header of the response is application/vnd-microsoft-roaming-contacts+xml. The following snippet shows an example of the response that contains the contact list.
<contactList deltaNum="248" >
<group id="1" name="~" externalURI="" />
<group id="2" name="Sales Team" externalURI="" />
<group id="3" name="Accounts Team" externalURI="" />
<contact uri="amst@contoso.com" name="" groups="2 3" subscribed="true" externalURI="" />
<contact uri="hc@contoso.com" name="" groups="1" subscribed="true" externalURI="" />
<contact uri="gy@contoso.com" name="" groups="1" subscribed="true" externalURI="" />
<contact uri="va@contoso.com" name="" groups="1 2" subscribed="true" externalURI="" />
</contactList>
A client endpoint also sends a SUBSCRIBE message for various provisioning settings. This SUBSCRIBE message contains an Event header with a value of vnd-microsoft-provisioning-v2. The Content type of the message is application/vnd-microsoft-roaming-provisioning-v2+xml.
An example of the body of a SUBSCRIBE message for the roaming provisioning settings is as follows:
<provisioningGroupList xmlns="https://schemas.microsoft.com/2006/09/sip/provisioninggrouplist">
<provisioningGroup name="ServerConfiguration"/>
<provisioningGroup name="meetingPolicy"/>
<provisioningGroup name="ucPolicy"/>
<provisioningGroup name="publicationGrammar"/>
<provisioningGroup name="userSetting"/>
</provisioningGroupList>
The server responds with a 200 OK message that contains the settings for the requested provisioning groups. The Content type of the response is application/vnd-microsoft-roaming-provisioning-v2+xml. The response contains server configuration such as update server URLs, Address Book server URLs, and console download URLs. The following settings are new in Office Communications Server 2007 R2: Call Control Server Uri, Pool Uri, and Maximum video rate allowed. An example of the response containing the roaming provisioning settings is as follows:
<provisionGroupList xmlns="https://schemas.microsoft.com/2006/09/sip/provisiongrouplist-notification">
<provisionGroup name="ServerConfiguration" >
<ucMaxVideoRateAllowed>VGA-600K</ucMaxVideoRateAllowed>
<absInternalServerUrl>https://absint.contoso.com/Abs/Int/Handler</absInternalServerUrl>
<absExternalServerUrl>https://absext.contoso.com/Abs/Ext/Handler</absExternalServerUrl>
<absWebServiceEnabled>true</absWebServiceEnabled>
<ucPC2PCAVEncryption>RequireEncryption</ucPC2PCAVEncryption>
<organization>Contoso, Inc.</organization>
<consoleDownloadInternalUrl>http://r.office.microsoft.com/r/rlidOCSR2?clid=1033&amp;p1=livemeeting</consoleDownloadInternalUrl>
<consoleDownloadExternalUrl>http://r.office.microsoft.com/r/rlidOCSR2?clid=1033&amp;p1=livemeeting</consoleDownloadExternalUrl>
<dlxInternalUrl>https://ocs.contoso.com/GroupExpansion/Int/service.asmx</dlxInternalUrl>
<dlxExternalUrl>https://ocs.contoso.com/GroupExpansion/Ext/service.asmx</dlxExternalUrl>
<dlxEnabled>true</dlxEnabled>
<ucDiffServVoice>40</ucDiffServVoice>
<ucVoice802_1p>0</ucVoice802_1p>
<ucEnforcePinLock>true</ucEnforcePinLock>
<ucMinPinLength>6</ucMinPinLength>
<ucPhoneTimeOut>10</ucPhoneTimeOut>
<ucExchangeMWIPoll>3</ucExchangeMWIPoll>
<ucEnableSIPSecurityMode>High</ucEnableSIPSecurityMode>
<ucEnableUserLogging>false</ucEnableUserLogging>
...
</provisionGroup>
<provisionGroup name="meetingPolicy" instanceId="{6B151D61-D98B-4A16-9D6C-8BBB3111228A}" >
<instance>
<property name="Name"><![CDATA[Default Policy]]></property>
<property name="ColorDepth"><![CDATA[High colors]]></property>
<property name="AllowPresenterToDelegateRecording"><![CDATA[false]]></property>
<property name="EnableAppDesktopSharing"><![CDATA[true]]></property>
<property name="AllowAppSharingForExternalMeeting"><![CDATA[Desktop]]></property>
<property name="MeetingSize"><![CDATA[50]]></property>
...
</instance>
</provisionGroup>
<provisionGroup name="ucPolicy" instanceId="{6B41BE99-5C45-41E5-B34C-F6B8D0079E7B}" >
<instance>
<property name="Name"><![CDATA[Default Policy]]></property>
<property name="AllowUsersToChangeTeamSettings"><![CDATA[true]]></property>
<property name="AllowSimultaneousRinging"><![CDATA[true]]></property>
</instance>
</provisionGroup>
<provisionGroup name="userSetting" >
<ucUserLocationProfile >Main.Contoso.com</ucUserLocationProfile>
</provisionGroup>
</provisionGroupList>
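Because security-relevant settings such as ucEnableSIPSecurityMode, ucPC2PCAVEncryption, and ucEnforcePinLock arrive in this response, a captured body can be checked against a baseline. The following Python example is added here for illustration and is not part of the original documentation or Microsoft code; the baseline values, the minimum PIN length, the HTTPS check, and the function names are assumptions, and the sample body is constructed from the response shown above.

```python
import xml.etree.ElementTree as ET

NS = "{https://schemas.microsoft.com/2006/09/sip/provisiongrouplist-notification}"
# Constructed sample body, trimmed from the response shown above.
SAMPLE = """<provisionGroupList xmlns="https://schemas.microsoft.com/2006/09/sip/provisiongrouplist-notification">
  <provisionGroup name="ServerConfiguration">
    <absInternalServerUrl>https://absint.contoso.com/Abs/Int/Handler</absInternalServerUrl>
    <consoleDownloadInternalUrl>http://r.office.microsoft.com/r/rlidOCSR2?clid=1033&amp;p1=livemeeting</consoleDownloadInternalUrl>
    <ucPC2PCAVEncryption>RequireEncryption</ucPC2PCAVEncryption>
    <ucEnforcePinLock>true</ucEnforcePinLock>
    <ucMinPinLength>6</ucMinPinLength>
    <ucEnableSIPSecurityMode>High</ucEnableSIPSecurityMode>
  </provisionGroup>
  <provisionGroup name="ucPolicy" instanceId="{6B41BE99-5C45-41E5-B34C-F6B8D0079E7B}">
    <instance><property name="AllowSimultaneousRinging"><![CDATA[true]]></property></instance>
  </provisionGroup>
</provisionGroupList>"""

# Assumed organizational baseline (hypothetical); values are those in the sample response.
BASELINE = {"ucEnableSIPSecurityMode": "High", "ucEnforcePinLock": "true",
            "ucPC2PCAVEncryption": "RequireEncryption"}

def parse_groups(body):
    """Return {group: {setting: value}}; policy groups use <property name=...>, others element names."""
    groups = {}
    for group in ET.fromstring(body).iter(NS + "provisionGroup"):
        settings = {}
        for el in group.iter():
            if el is group or el.tag == NS + "instance":
                continue
            key = el.get("name") if el.tag == NS + "property" else el.tag.replace(NS, "")
            settings[key] = (el.text or "").strip()
        groups[group.get("name")] = settings
    return groups

def audit(body, baseline=BASELINE, min_pin=6):
    """List ServerConfiguration deviations from the baseline, short PINs, and non-HTTPS URLs."""
    cfg = parse_groups(body).get("ServerConfiguration", {})
    findings = [f"{k}: expected {v!r}, got {cfg.get(k)!r}"
                for k, v in baseline.items() if cfg.get(k) != v]
    pin = cfg.get("ucMinPinLength", "")
    if not pin.isdigit() or int(pin) < min_pin:
        findings.append(f"ucMinPinLength: {pin!r} is below the minimum of {min_pin}")
    findings += [f"{k}: not HTTPS ({v})" for k, v in cfg.items()
                 if k.endswith("Url") and not v.lower().startswith("https://")]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

A missing setting is reported the same way as a wrong one, so a response that omits ucEnableSIPSecurityMode does not pass silently.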
Provisioning Groups
There are several provisioning groups; each deals with a specific area or category of settings. The various provisioning groups and the settings they contain are as follows:
Server Configuration. Contains update server URLs, Address Book server URLs, console download URLs, distribution list URLs, media relay server URL, Quality of Service (QoS) server URL, Communicator Web Access URLs, call control server URLs.
Meeting Policy. Settings that control whether the presenter is allowed to record a meeting, whether application sharing is allowed, IP audio and IP video.
User setting. User specific location profile.
ucPolicy. Contains settings for simultaneous ringing, phone usages, and so on.
Publication Grammar. A fixed manifest sent out by the server. It allows the client endpoint to control the aggregation logic and the manifest is server agnostic.