This article contains general explanations about where UCMA should be installed and how "Trusted Application" works.
UCMA
UCMA is a software component by Microsoft that we install on certain servers (typically the Access Portal web server).
This component allows developers and 3rd party applications to access and take control over certain aspects of Skype for Business internal functionality:
- Microsoft's Enhanced Presence information
- Impersonating messages
- Telephone and video calls
- Audio/video conferencing
This component, combined with the "CsTrustedApplication" Trusted Application configurations, allows us to use the SfB/Lync environment in order to do the following:
- Ethical Wall policies based on Contact list - Use Contact list information pulled from the SfB environment to set certain Ethical Wall policies that apply according to contact list members.
- User/Admin notification - Send IMs to users and admins from the local SfB environment in order to notify them about Ethical wall/DLP/etc. actions that were performed.
- Escalate conference - when a conversation starts and we want to join it in a hidden way to make it a conference, we use UCMA.
- Organized conference for MDM registration - Create a conference after device registration when using 3rd generation MDM to ease the registration process.
Trusted Application
As part of the UCMA installation, certain configurations are set in the SfB/Lync topology. These configurations allow the environment to identify and authenticate the 3rd party applications that are trying to access it (Access Portal web app / SIP Filter).
To view what is already configured, the following commands can be used:
Get-CsTrustedApplicationPool
Get-CsTrustedApplication
Get-CsTrustedApplicationEndpoint
Each one of those commands presents a different part of the Trusted Application configuration. Generally there are 4 types of Trusted Application configurations: Trusted Application Pool, Trusted Application, Trusted Application Endpoint, and Trusted Application Computer.
SkypeShield does not use Trusted Application Computer; however, it does use the others. Each one of these configurations has a few settings.
When troubleshooting issues regarding UCMA, these specific settings are important to know:
For Trusted Application Endpoint:
https://technet.microsoft.com/en-us/library/gg398594.aspx
For Trusted Application:
https://technet.microsoft.com/en-us/library/gg398259.aspx
For Trusted Application pool:
https://technet.microsoft.com/en-us/library/gg425804.aspx
Trusted Application pool
Each Trusted Application belongs to a pool, and a pool can contain multiple Trusted Applications.
Each Trusted Application pool is set to a specific SfB server (this is the server on which we "authorize" the 3rd party application to work) and to the server on which the 3rd party app that requires authorization is installed.
Trusted Application
Within the Trusted Application pool we set a Trusted Application.
The Trusted Application specifies an identifier (in our case "SkypeShieldTrustedApp" or "SipFilterTrustedApp") and a port on which the remote SfB actions are sent (by default our scripts set it to 11111).
Trusted Application Endpoint
In the pool our scripts also create a Trusted Application Endpoint.
Skype for Business presents 4 entity types within the model of Trusted Applications:
Trusted Application pool
A trusted application pool is a Skype for Business entity that is configured under a Server pool and represents a collection of internal functionalities/components of the Server pool (named Trusted Applications).
You can list the existing Trusted Application pools by running the following command in PowerShell on the Front-End:
Get-CsTrustedApplicationPool
Trusted Application
A Trusted Application is an entity within the pool that specifies an identity and connectivity details for a component utilizing the Application pool.
SphereShield sets 3 Trusted Applications:
Trusted Application name | Port | Usage | Pool | Required |
---|---|---|---|---|
SkypeShieldTrustedApp | 1111 | Access Portal | Access Portal pool | Yes |
MaintenanceServiceTrustedApp | 1113 | Maintenance Service | Access Portal pool | Yes |
SipFilterTrustedApp | 1112 | SIP filter on the Front-End | Front-End pool | No |
You can list the existing Trusted Applications by running the following command in PowerShell on the Front-End:
Get-CsTrustedApplication
Trusted Application Endpoint
A trusted application endpoint is an Active Directory contact object that enables the routing of calls to a trusted application.
Within the Trusted Application Endpoint we define a SIP address (in our case it is the address used to send IM notifications).
SkypeShield's trusted application installation
When installing UCMA for SkypeShield (in order to allow SkypeShield to send IM notifications and/or use contact lists as the basis for Ethical Wall policies), the Trusted Application configuration is a crucial part.
In order to configure the Trusted Applications in the SfB/Lync environment, it is recommended to first define the values in the Access Portal; the Trusted Application configuration can be set under 'Settings' --> 'General'.
First, it is required to insert the correct values (into the fields marked in red):
- Lync pool name - as it appears in the topology
- Trusted application user SIP - a random SIP address that isn't already taken
- Access Portal server - the FQDN of the Access Portal server
- Lync site - the SfB/Lync site as it appears in the topology
After inserting the correct values, press 'Save' (#1) to save the configuration and then press "Export Trusted Application script" (#2); this downloads a .ps1 file, which is the script that needs to be run on the Front-End.
Exporting the script and then running it on the Front-End is faster than running the script manually and only then entering the values into the Access Portal, and it also assures that the Access Portal is using the correct values that were defined.
SphereShield requires the Trusted Application Endpoint for IM notification and to enable the ability to impersonate a SIP address.
You can list the existing Trusted Application Endpoints by running the following command in PowerShell on the Front-End:
Get-CsTrustedApplicationEndpoint
Trusted Application Computer
Not used by SphereShield.
Troubleshooting
Please paste here UCMA errors and I'll try to give out information on each error so we will have a thorough troubleshooting section.
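As an added troubleshooting check (not part of the original page or of SphereShield's own scripts), the following PowerShell, run in the Skype for Business Server Management Shell on a Front-End, compares the live Trusted Application configuration against the names and ports in the table above. The pool FQDN and endpoint SIP address are placeholders to replace with the values defined in the Access Portal.

```powershell
# Added verification check; not part of the original page or of SphereShield's scripts.
# Run in the Skype for Business Server Management Shell on a Front-End server.
# Names/ports come from the table on this page; the two values below are placeholders.
$expectedPoolFqdn    = 'accessportal.contoso.example'            # placeholder: Access Portal FQDN
$expectedEndpointSip = 'sip:skypeshield-notify@contoso.example'  # placeholder: endpoint SIP address

$expectedApps = @(
    @{ Name = 'SkypeShieldTrustedApp';        Port = 1111; Required = $true;  CheckPool = $true  }
    @{ Name = 'MaintenanceServiceTrustedApp'; Port = 1113; Required = $true;  CheckPool = $true  }
    @{ Name = 'SipFilterTrustedApp';          Port = 1112; Required = $false; CheckPool = $false }  # Front-End pool
)
$problems = @()

# 1. The Access Portal trusted application pool must exist.
$pool = Get-CsTrustedApplicationPool | Where-Object { $_.PoolFqdn -eq $expectedPoolFqdn }
if (-not $pool) { $problems += "Trusted application pool '$expectedPoolFqdn' not found" }

# 2. Each trusted application must exist, with the expected port and (for Access Portal apps) pool.
$apps = @(Get-CsTrustedApplication)
foreach ($e in $expectedApps) {
    # ApplicationId is stored as 'urn:application:<name>'; -like is case-insensitive
    $found = $apps | Where-Object { $_.ApplicationId -like "*:$($e.Name)" } | Select-Object -First 1
    if (-not $found) {
        if ($e.Required) { $problems += "Required trusted application '$($e.Name)' is missing" }
        else             { Write-Host "Optional trusted application '$($e.Name)' is not configured" }
        continue
    }
    if ($found.Port -ne $e.Port) {
        $problems += "'$($e.Name)' uses port $($found.Port), expected $($e.Port)"
    }
    if ($e.CheckPool -and $found.TrustedApplicationPoolFqdn -ne $expectedPoolFqdn) {
        $problems += "'$($e.Name)' is bound to pool '$($found.TrustedApplicationPoolFqdn)', expected '$expectedPoolFqdn'"
    }
}

# 3. The endpoint (AD contact object) used for IM notifications must exist and be enabled.
$ep = Get-CsTrustedApplicationEndpoint | Where-Object { $_.SipAddress -eq $expectedEndpointSip } | Select-Object -First 1
if (-not $ep)             { $problems += "Trusted application endpoint '$expectedEndpointSip' not found" }
elseif (-not $ep.Enabled) { $problems += "Endpoint '$expectedEndpointSip' exists but is disabled" }

if ($problems.Count -eq 0) { Write-Host 'Trusted Application configuration matches the expected values' }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

Each warning names the entity to compare against the Get-Cs* output described above; the script only reads configuration and changes nothing.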