CUCM BoQ for 250 users
Hi,
I have one site consisting of 250 users and 2 sites. Regardless of geographical location, what is the best design practice?
I mean to say, shall we go for a server-based solution or a router-based solution,
and what other parameters do we need to consider? Can anyone share a BoQ or give me suggestions? Thanks
Hi,
CME would be a good solution if the number of users is not going to increase much beyond 250. Please check the following guide for benefits and design considerations for single-site as well as distributed CME deployments:
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucme/srnd/design/guide/cmesrnd/models.html
However, you may require a server-based solution like a BE6K depending upon your application and feature requirements. Please check the following datasheet for BE6K:
http://www.cisco.com/c/en/us/products/collateral/unified-communications/business-edition-6000/data_sheet_c78-717454.html
HTH
Manish
Similar Messages
-
How to Automate to Add a Role for 250+ Users in One Shot ?
Hi all,
How can I add a Role 'X' for 250+ Users in one shot? I could go to SU01 for each User and add Role 'X' manually, but it would take more than two hours. Is there any automation to accomplish this task, PLEASE?
Thanks.
Look at the How To paper on maintaining authorizations through flat file...
How to maintain authorizations through flat file: https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/1d8ea990-0201-0010-43b3-d13b83e2bf20
Hope this helps. -
7 AP for 250 users in the building without Backbone
Hello,
We need to connect 250 users wirelessly with more or less 7 APs to give coverage in the building, but we don't have backbone wiring and need the same SSID.
Which product would be the best? Or do you think a backbone among the APs is better?
Lots more details are needed, along with a site survey.
Is the building one floor, many floors? Construction materials? How many other wireless systems are "in the neighborhood"? Lots of radio noise, or an RF-quiet environment?
*GENERALLY* you can probably / maybe use a dual-radio AP, like a 1241, where the clients are served on 2.4 (802.11g), and the 802.11a radios are used as a backbone channel.
Because of backbone constraints, you'd probably limit your clients to some lower bandwidth (no more than 11 Mbps / 802.11b speeds).
250 clients with 7 APs ... that's probably going to be a stretch. How many logged on at the same time? What kind of traffic? Any voice?
Given the choice, a wired backbone will give you better performance ... do it if you can.
You also have a choice of having all the APs be "stand-alone" (autonomous) or using "lightweight" APs to a single central controller.
You need on-site help; someone to do a solid site survey and make recommendations ... anything you get here is, at best, "a good guess," and will probably end up costing you more money and reputation.
We're OK for ideas and clarification, but someone that knows what they're doing needs to put eyeballs to the location to make a realistic recommendation.
Good Luck
Scott -
Dear All
Is Scenario #1 valid to design a 3K-user CUCM cluster, or do I have to stick with Scenario #2? Which one of those is recommended?
Scenario #1
use 2 Primary CPEs (Call processing engine), each with 2500 users (in addition to 2:1 redundancy for the Secondary (Backup) CPE) ==> total will be 3 subscriber CPEs, plus 1X2500 user OVA for the publisher (any issue running a 2500 OVA as publisher for 3K users, or does this only affect the number of devices?).
So in total I should have 2 UCS servers, each running 2X2500 OVAs, for HW sizing.
===============
Scenario #2
use 1 Primary CPE (Call processing engine) with 7500 users (in addition to 1:1 redundancy for the Secondary (Backup) CPE) ==> total will be 2 subscriber CPEs,
plus 1X7500 user OVA for the publisher.
So in total I should have 2 UCS servers, one running 2X7500 OVAs and one running 1X7500 OVA, for HW sizing.
Last note: according to the SRND the Publisher is recommended to be the same size as the other subscribers, but my question is: can we deviate a little from the OVA size limit, like running 3K users using a 2500 OVA publisher? Any special consideration for TFTP?
Thanks Marwan, but in this case
1- I need 2 OVAs for CPE subs (1:1 redundancy), 1 Pub, 1 as TFTP/MOH ==> so a total of four VMs
2- Just to understand, is there any issue from a design perspective using the 2500 OVA for two primary Subs (and one 2500 OVA for Pub, keeping in mind 3K users)? Since if I distribute the users over the two 2500 OVA primary CPEs and use a backup 2500 OVA CPE (2:1 redundancy), I have an issue only if both primary CPEs fail? Is that right? But this can work.
3- Last thing: the Pub OVA is related to user size; I mean, can a 2500 OVA for Pub handle the database for 3K users? Any deep info about Pub database capacity and related OVA size, since we deviate a little from the max number of users?
Thanks
Ahmad -
How many of licenses I should consider for 200-250 users?
You should contact Adobe sales for your region. See Government and business software | Adobe Creative Cloud for enterprise and click the Enterprise link.
-
Voice mail for one user with two extensions
Environment:
Cisco Unified CM Administration System version: 7.1.3.30000-1
Cisco Unity Connection Administration Version 7.1.3.10000-68
We have a user this year that will be wearing two hats and will have offices in two different locations. I have both extensions as a line on each phone. Now I just need to point both extensions to the same voicemail box or give the user two mail boxes. It seems that CM Administration only supports one voicemail box per user. I think it would be easier for the user to only have to check one mail box by having both extensions point to the same VM. How can I accomplish this?
Hi Andy,
Let's say the user has numbers 7005 & 8450 but we want only one mailbox
@ 7005. There are a couple of ways to do this.
In CUCM go to> Feature> Voicemail> Voicemail Profile and create a new Profile called XXXX (whatever name you want) with a Description called "XXXX username Mailbox" the Voice Mail Box Mask will be 7005> Save
Then via CUCM go to the Users Phones> under Directory Number Config for 8450> Voicemail Profile and change to XXXX (created previously in above steps)>Update>Reset
Now when a call routes via forward to Unity Connection it will reach the Mailbox @ 7005.
Or in Unity Connection set up Alternate Extension so that 8450 is an Alternate Extension for 7005 etc.
Cheers!
Rob
"I don't know how, I don't know when
But you and I will meet again "
- Tom Petty -
How to block calls based ANI for individual user?
I want to know how to block calls based on ANI for individual user in CUCM? Lets say if the individual wants to block calls from certain number.
Malicious call id - softkey will not work for our purpose.
calls come to cucm via mgcp gateway. cucm 9.x
thanks,
How to block calls has been asked hundreds and hundreds of times at CSC; a simple search would have provided you with all the necessary information. Please search before you ask.
https://supportforums.cisco.com/docs/DOC-19628
HTH
java
if this helps, please rate
www.cisco.com/go/pdihelpdesk -
Can I install Phone designer for all user?
Hi
I have the Phone Designer application. I installed it on my PC, but when I install it for another user it gives me the error "Unable to connected to server".
Are there any parameters that need to be checked on CUCM?
How many times can I install it?
Thanks
Kaff
You can install it as many times as you want. Ensure that either the cluster-wide parameter or the device-specific parameter is set to allow phone personalization. After that, if it works for you it will work in general; don't forget to enter the CCMCIP server address in the client.
-
NPS: Event 6274 - Network Policy Server discarded the request for a user
Intermittently I will get desktop (wired) and laptop (wireless) computers experiencing issues with NPS (they drop off the network).
Some computers are affected more than others, although they are identical hardware and based on a standard image.
In the event log of the NPS servers I can see the following messages:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2/05/2014 8:47:58 a.m.
Event ID: 6274
Task Category: Network Policy Server
Level: Information
Keywords: Audit Failure
User: N/A
Computer: NT147.domain.local
Description:
Network Policy Server discarded the request for a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: NULL SID
Account Name: host/DPC0387.domain.local
Account Domain: DOMAIN
Fully Qualified Account Name: DOMAIN\DPC0387$
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 3c-xx-xx-xx-xx-xx
Calling Station Identifier: 00-xx-xx-xx-xx-xx
NAS:
NAS IPv4 Address: 10.nnn.nnn.nnn
NAS IPv6 Address: -
NAS Identifier: ND246
NAS Port-Type: Ethernet
NAS Port: 71
RADIUS Client:
Client Friendly Name: Network Device Management Subnet
Client IP Address: 10.nnn.nnn.nnn
Authentication Details:
Connection Request Policy Name: NAP 802.1X (Wired)
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: NT147.domain.local
Authentication Type: -
EAP Type: -
Account Session Identifier: 384F322E317838316564303034313030306230666632
Reason Code: 1
Reason: An internal error occurred. Check the system event log for additional information.
How do I debug when an internal error occurs but there is nothing in the system event log? Where else can I look?
Here's the packet trace that matches the event log entry above:
No. Time Source Destination Protocol Length Time from request Info
1 0.000000 JuniperN_xx:xx:xx Universa_xx:xx:xx EAP 60 Request, Identity
2 2.470423 Universa_xx:xx:xx Nearest EAPOL 60 Start
3 2.472870 JuniperN_xx:xx:xx Universa_xx:xx:xx EAP 60 Request, Identity
4 2.539416 Universa_xx:xx:xx Nearest EAP 60 Response, Identity
5 2.544206 Universa_xx:xx:xx Nearest EAPOL 60 Start
6 2.548804 JuniperN_xx:xx:xx Universa_xx:xx:xx EAP 60 Request, Identity
7 2.550050 Universa_xx:xx:xx Nearest EAP 60 Response, Identity
8 2.552597 10.switch 10.NPS_Server RADIUS 254 Access-Request(1) (id=249, l=208)
9 2.556043 10.NPS_Server 10.switch RADIUS 136 0.003446000 Access-Challenge(11) (id=249, l=90)
10 2.565876 JuniperN_xx:xx:xx Universa_xx:xx:xx EAP 60 Request, Protected EAP (EAP-PEAP)
11 2.569472 10.switch 10.NPS_Server RADIUS 254 Access-Request(1) (id=250, l=208)
12 2.572566 10.NPS_Server 10.switch RADIUS 136 0.003094000 Access-Challenge(11) (id=250, l=90)
13 2.580254 Universa_xx:xx:xx Nearest TLSv1 123 Client Hello
14 2.586544 10.switch 10.NPS_Server RADIUS 361 Access-Request(1) (id=251, l=315)
15 4.564841 Universa_xx:xx:xx Nearest EAPOL 60 Start
16 4.568530 JuniperN_xx:xx:xx Universa_xx:xx:xx EAP 60 Request, Identity
17 4.569876 Universa_xx:xx:xx Nearest EAP 60 Response, Identity
18 4.582263 10.switch 10.NPS_Server RADIUS 254 Access-Request(1) (id=252, l=208)
19 4.586006 10.NPS_Server 10.switch RADIUS 136 0.003743000 Access-Challenge(11) (id=252, l=90)
20 4.591896 JuniperN_xx:xx:xx Universa_xx:xx:xx EAP 60 Request, Protected EAP (EAP-PEAP)
21 4.592692 Universa_xx:xx:xx Nearest TLSv1 123 Client Hello
22 4.599634 10.switch 10.NPS_Server RADIUS 361 Access-Request(1) (id=253, l=315)
23 4.600887 10.NPS_Server 10.switch IPv4 1518 Fragmented IP protocol (proto=UDP 17, off=0, ID=07db)
24 4.609920 JuniperN_xx:xx:xx Universa_xx:xx:xx TLSv1 1514 Server Hello, Certificate, Certificate Request, Server Hello Done
25 4.610516 Universa_xx:xx:xx Nearest EAP 60 Response, Protected EAP (EAP-PEAP)
26 4.617407 10.switch 10.NPS_Server RADIUS 262 Access-Request(1) (id=254, l=216)
27 4.618352 10.NPS_Server 10.switch RADIUS 288 0.000945000 Access-Challenge(11) (id=254, l=242)
28 4.623650 JuniperN_xx:xx:xx Universa_xx:xx:xx TLSv1 176 Server Hello, Certificate, Certificate Request, Server Hello Done
29 4.643316 Universa_xx:xx:xx Nearest TLSv1 361 Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
30 4.649607 10.switch 10.NPS_Server RADIUS 601 Access-Request(1) (id=255, l=555)
31 4.656950 10.NPS_Server 10.switch RADIUS 199 0.007343000 Access-Challenge(11) (id=255, l=153)
32 4.662734 JuniperN_xx:xx:xx Universa_xx:xx:xx TLSv1 87 Change Cipher Spec, Encrypted Handshake Message
33 4.681106 Universa_xx:xx:xx Nearest EAP 60 Response, Protected EAP (EAP-PEAP)
34 4.788536 10.switch 10.NPS_Server RADIUS 262 Access-Request(1) (id=2, l=216)
35 4.789735 10.NPS_Server 10.switch RADIUS 173 0.001199000 Access-Challenge(11) (id=2, l=127)
36 4.795723 JuniperN_xx:xx:xx Universa_xx:xx:xx TLSv1 61 Application Data
37 4.796372 Universa_xx:xx:xx Nearest TLSv1 93 Application Data
38 4.802368 10.switch 10.NPS_Server RADIUS 331 Access-Request(1) (id=3, l=285)
39 4.803363 10.NPS_Server 10.switch RADIUS 189 0.000995000 Access-Challenge(11) (id=3, l=143)
40 4.808905 JuniperN_xx:xx:xx Universa_xx:xx:xx TLSv1 77 Application Data
41 4.809501 Universa_xx:xx:xx Nearest TLSv1 77 Application Data
42 4.817342 10.switch 10.NPS_Server RADIUS 315 Access-Request(1) (id=4, l=269)
43 4.822986 10.NPS_Server 10.switch RADIUS 189 0.005644000 Access-Challenge(11) (id=4, l=143)
44 4.828973 JuniperN_xx:xx:xx Universa_xx:xx:xx TLSv1 77 Application Data
45 4.833318 Universa_xx:xx:xx Nearest TLSv1 829 Application Data
46 4.840610 10.switch 10.NPS_Server RADIUS 1073 Access-Request(1) (id=5, l=1027)
47 4.845946 10.NPS_Server 10.switch RADIUS 189 0.005336000 Access-Challenge(11) (id=5, l=143)
48 4.850938 JuniperN_xx:xx:xx Universa_xx:xx:xx TLSv1 77 Application Data
49 4.907924 Universa_xx:xx:xx Nearest TLSv1 141 Application Data
50 4.913390 10.switch 10.NPS_Server RADIUS 379 Access-Request(1) (id=6, l=333)
51 4.917535 10.NPS_Server 10.switch RADIUS 221 0.004145000 Access-Challenge(11) (id=6, l=175)
52 4.922877 JuniperN_xx:xx:xx Universa_xx:xx:xx TLSv1 109 Application Data
53 4.923472 Universa_xx:xx:xx Nearest TLSv1 61 Application Data
54 4.930319 10.switch 10.NPS_Server RADIUS 299 Access-Request(1) (id=7, l=253)
55 4.937348 10.NPS_Server 10.switch RADIUS 381 0.007029000 Access-Challenge(11) (id=7, l=335)
56 4.942543 JuniperN_xx:xx:xx Universa_xx:xx:xx TLSv1 269 Application Data
57 4.944791 Universa_xx:xx:xx Nearest TLSv1 125 Application Data
58 4.951408 10.switch 10.NPS_Server RADIUS 363 Access-Request(1) (id=8, l=317)
59 4.954022 10.NPS_Server 10.switch RADIUS 355 0.002614000 Access-Accept(2) (id=8, l=309)
60 4.981482 JuniperN_xx:xx:xx Universa_xx:xx:xx EAP 60 Success
61 32.590347 10.switch 10.NPS_Server RADIUS 361 Access-Request(1) (id=251, l=315)
62 62.592420 10.switch 10.NPS_Server RADIUS 361 Access-Request(1) (id=251, l=315)
63 92.595043 10.switch 10.NPS_Backup_Server RADIUS 361 Access-Request(1) (id=9, l=315)
64 122.597856 10.switch 10.NPS_Backup_Server RADIUS 361 Access-Request(1) (id=9, l=315)
65 152.600618 10.switch 10.NPS_Backup_Server RADIUS 361 Access-Request(1) (id=9, l=315)
A belated thanks for your reply.
Our environment doesn't have NPS accounting configured so that was easy to rule out.
The mid-day drop outs have stopped after I added "set protocols dot1x authenticator no-mac-table-binding" to our Juniper switches (which prevents mac address aging from clearing the active dot1x client session).
I believe the above error message occurs because the RADIUS session ID is rejected / ignored because of some quirks in the RADIUS standard. At the start of a dot1x authentication request a RADIUS session ID is created. For whatever reason the RADIUS/NAP server stops responding and the Juniper switch fails over to the backup RADIUS/NAP server configured. The session ID is kept (per RADIUS standard) but the backup RADIUS/NAP server doesn't know about the session, so this event: "Network Policy Server discarded the request for a user." occurs.
It would be nice to see a clearer error message "Invalid RADIUS session" or similar.
There is a Microsoft guide on how to set up RADIUS/NAP servers in a highly available configuration - something to do with RADIUS proxy servers.
It would be even nicer to see some kind of RADIUS session synchronisation between NAP servers... if it doesn't already exist?
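An added example, not part of the thread, that applies the failover reasoning above to a subset of the frames from the capture: it pairs every Access-Request with the server reply carrying the same RADIUS identifier, reports requests that were retransmitted without an answer, and shows where the NAS then sent the same request to a different server. The frames are copied from the trace; 10.switch, 10.NPS_Server and 10.NPS_Backup_Server are the anonymised names used in the capture.

```python
import re
from collections import OrderedDict

# Subset of the frames from the capture above (columns: frame, time, source,
# destination, protocol, length, [time from request], info). The EAP, TLS and
# IP-fragment lines are kept to show that the parser ignores them.
TRACE = """\
8 2.552597 10.switch 10.NPS_Server RADIUS 254 Access-Request(1) (id=249, l=208)
9 2.556043 10.NPS_Server 10.switch RADIUS 136 0.003446000 Access-Challenge(11) (id=249, l=90)
13 2.580254 Universa_xx:xx:xx Nearest TLSv1 123 Client Hello
14 2.586544 10.switch 10.NPS_Server RADIUS 361 Access-Request(1) (id=251, l=315)
18 4.582263 10.switch 10.NPS_Server RADIUS 254 Access-Request(1) (id=252, l=208)
19 4.586006 10.NPS_Server 10.switch RADIUS 136 0.003743000 Access-Challenge(11) (id=252, l=90)
22 4.599634 10.switch 10.NPS_Server RADIUS 361 Access-Request(1) (id=253, l=315)
23 4.600887 10.NPS_Server 10.switch IPv4 1518 Fragmented IP protocol (proto=UDP 17, off=0, ID=07db)
26 4.617407 10.switch 10.NPS_Server RADIUS 262 Access-Request(1) (id=254, l=216)
27 4.618352 10.NPS_Server 10.switch RADIUS 288 0.000945000 Access-Challenge(11) (id=254, l=242)
58 4.951408 10.switch 10.NPS_Server RADIUS 363 Access-Request(1) (id=8, l=317)
59 4.954022 10.NPS_Server 10.switch RADIUS 355 0.002614000 Access-Accept(2) (id=8, l=309)
60 4.981482 JuniperN_xx:xx:xx Universa_xx:xx:xx EAP 60 Success
61 32.590347 10.switch 10.NPS_Server RADIUS 361 Access-Request(1) (id=251, l=315)
62 62.592420 10.switch 10.NPS_Server RADIUS 361 Access-Request(1) (id=251, l=315)
63 92.595043 10.switch 10.NPS_Backup_Server RADIUS 361 Access-Request(1) (id=9, l=315)
64 122.597856 10.switch 10.NPS_Backup_Server RADIUS 361 Access-Request(1) (id=9, l=315)
65 152.600618 10.switch 10.NPS_Backup_Server RADIUS 361 Access-Request(1) (id=9, l=315)
"""

# Replies carry an extra "time from request" column, hence the optional group.
RADIUS_LINE = re.compile(
    r"^(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+RADIUS\s+\d+\s+"
    r"(?:[\d.]+\s+)?(?P<code>Access-\w+)\(\d+\)\s+\(id=(?P<id>\d+),\s*l=(?P<len>\d+)\)"
)


def parse_radius(trace):
    """One dict per RADIUS frame; EAP, TLS and IP-fragment frames are skipped."""
    frames = []
    for line in trace.splitlines():
        m = RADIUS_LINE.match(line.strip())
        if m:
            frames.append({"frame": int(m["frame"]), "time": float(m["time"]),
                           "src": m["src"], "dst": m["dst"], "code": m["code"],
                           "id": int(m["id"]), "len": int(m["len"])})
    return frames


def outstanding_requests(frames):
    """Pair every Access-Request with the server reply that carries the same
    RADIUS identifier. Requests still unanswered at the end of the capture are
    returned, with the timestamp of each (re)transmission."""
    pending = OrderedDict()  # (nas, server, id) -> record
    for f in frames:
        if f["code"] == "Access-Request":
            key = (f["src"], f["dst"], f["id"])
            if key in pending:
                # Same id to the same server while unanswered: a retransmit.
                # (After the 8-bit id space wraps, a reused id would land here
                # too; in a long capture compare the request length as well.)
                pending[key]["sent_at"].append(f["time"])
            else:
                pending[key] = {"nas": f["src"], "server": f["dst"], "id": f["id"],
                                "len": f["len"], "sent_at": [f["time"]]}
        else:
            # Access-Challenge / Accept / Reject from the server answers the request.
            pending.pop((f["dst"], f["src"], f["id"]), None)
    return list(pending.values())


def find_failovers(frames, min_attempts=2):
    """Report requests the NAS retransmitted min_attempts or more times without
    a reply, and whether it then sent a request of the same length to another
    server (the switch giving up on the primary and trying the backup).
    A request seen once with no parsed reply (frames 22/23 above, where the
    reply was IP-fragmented) is not treated as a timeout."""
    requests = [f for f in frames if f["code"] == "Access-Request"]
    findings = []
    for rec in outstanding_requests(frames):
        if len(rec["sent_at"]) < min_attempts:
            continue
        last = rec["sent_at"][-1]
        moved_to = next((r["dst"] for r in requests
                         if r["src"] == rec["nas"] and r["dst"] != rec["server"]
                         and r["len"] == rec["len"] and r["time"] > last), None)
        gaps = [round(b - a, 3) for a, b in zip(rec["sent_at"], rec["sent_at"][1:])]
        findings.append({"server": rec["server"], "id": rec["id"],
                         "attempts": len(rec["sent_at"]),
                         "retry_gaps_s": gaps, "failover_to": moved_to})
    return findings


if __name__ == "__main__":
    for finding in find_failovers(parse_radius(TRACE)):
        print(finding)
```

On this capture the output shows id=251 sent three times to the primary 30 s apart with no reply, then the same 315-byte request moving to the backup as id=9, which also goes unanswered.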
I am having the same exact issue you posted on here, except I have Extreme Networks switches. Some of my computers, various hardware, will randomly not authenticate during re-authentication. The switch says that it failed to contact the NPS server, so then it switches to my backup server. The client has a random time on how long it waits to authenticate, so sometimes I end up having to disable/re-enable the port they are connected to so that the session is started again. I see that you basically removed the option to force clients to re-authenticate. Any downfall to disabling that? Any idea why the NPS server is no longer responding? Are you using Windows Server 2012? -
SNR License Issue. How Can I Disable SNR for all Users?
Hi,
I have an issue with SNR on CUCM 10.5 and with the assignment of license type.
I have a cluster with 400 users.
200 users use IP Phone 3905 and should use an Essential License.
When the system checks for assignment of license type, it assigns a Basic License instead of an Essential License, because it sees that users have SNR enabled.
All users in my system have SNR enabled, and I cannot disable it. All my users have Enable Mobility unchecked, and all my phones have Device Mobility Off, but the system still sees SNR enabled.
How can I disable SNR for all users? This is a feature that the client doesn't need.
I don't have a sufficient number of licenses to support all 3905s with a Basic License.
Thanks for the help.
Andrea
Well actually, Mobile Identity wouldn't apply to a 3905 unless those phones had another line on a Dual-Mode device like an iPhone or Android phone. So unless you have either of those in your system you can scratch that idea. Someone else may chime in here and try to help a bit more, as RD/RDP are the main SNR culprits.
-
Changing the default keyboard language for all users via command line
I have about 250 computers that I set the wrong default language on.
I am hoping someone here can help me. I have 3 keyboard languages installed in my labs:
En-English (United States)
Fr-French (Canada)
En-English (Canada)
I'd like to make Fr-French (Canada) the default keyboard language for all users that log in. I have tried the following XML, but it's not working. I do not see the problem; any help would be appreciated.
I tried to run it by doing this:
control intl.cpl,, /f:"FR-DefaultKeyboard.xml"
The code below is the FR-DefaultKeyboard.xml file.
<gs:GlobalizationServices xmlns:gs="urn:longhornGlobalizationUnattend">
<!--User List-->
<gs:UserList>
<gs:User UserID="Current"/>
</gs:UserList>
<!--User Locale-->
<gs:UserLocale>
<gs:Locale Name="FR-CA" SetAsCurrent="true"/>
</gs:UserLocale>
</gs:GlobalizationServices>
<gs:GlobalizationServices xmlns:gs="urn:longhornGlobalizationUnattend">
<gs:UserList>
<gs:User UserID="Current" CopySettingsToDefaultUserAcct="true" CopySettingsToSystemAcct="true"/>
</gs:UserList>
<gs:InputPreferences>
<!--English US EN-->
<gs:InputLanguageID Action="add" ID="0409:00000409" Default="false"/>
<!--French CA CA FR-->
<gs:InputLanguageID Action="add" ID="0c0c:00000c0c" Default="true"/>
<!--English CA EN-->
<gs:InputLanguageID Action="add" ID="1009:00001009" Default="false"/>
</gs:InputPreferences>
</gs:GlobalizationServices>
This worked, thank you -
Dedicated analog POTS line for the user
Hi Experts
Yesterday I posted a discussion about how I can reserve one analog telephone line for one of my users, so that whenever he makes an outgoing call his calls go through one particular analog line and never get a busy tone. In reply to my query one guy told me to use partitions and CSS. My question is: let's say I create a new partition named "test" and assign my user to this partition so he can only use it whenever he makes a PSTN call, so his call goes through this partition and reaches my GW. But my GW has five different analog lines; how does the GW know that the first line is reserved for all of the calls coming from this user who is assigned to this partition?
I have CUCM 8.5 and the GW is a Cisco 2800 series. I don't want my user to dial any extra digit or PIN.
Regards
Salman
Hi,
I assume that this is MGCP gateway
Please try the following to achieve your requirement:
Create a partition named "TEST" and associate this partition with your all-access CSS, say XYZCSS.
Create a Route Group (TEST-RG) and add the one of the five analog lines which you want to isolate for this user (analog line i.e. AALN/Sx/SUx/y@abc).
Create a Route List (TEST-RL) and select the TEST-RG group.
Create a Route Pattern (Pattern .!), select Route Partition "TEST", choose the Gateway/Route List "TEST-RL" and save.
In the gateway configuration for the End-Point, select the Calling Search Space "XYZCSS", and the attendant DN will be the user's DN.
Assign the user's DN to the TEST Route Partition and configure the CSS as XYZCSS (this CSS will have all the other partitions to reach internal users, including the TEST partition).
Try configuring as per the above suggestion; if you have any issue please quote me. This user will be able to dial the digits directly without adding any prefix or extra digit.
I hope this will help you or will drive you to right direction.
Thanks
Selvarathnam -
Can't exec /bin/sh for single user
Hi,
When I boot up my iMac G5 it sits on the gray screen with the apple and spinning "doing something" icon, and then goes to a terminal window telling me:
"can't exec /bin/sh for single user: Input/output error"
It started doing this last night after multiple beachball of death situations. Anyone have any ideas? Or is it time for this old machine to be put out to pasture?
Thanks
Mungo
Hi Mungo,
Invalid key length is a serious issue that can sometimes be fixed by "heavy duty" utilities like DiskWarrior and Drive Genius.
If you don't have enough room to re-install the OS, though, you have seriously overfilled it and they may not be able to deal with the problem either.
You should always aim to keep at least 15% free space on the drive, preferably more. On my 250 Gig internal drive, for example, I see the beginning of stability and speed problems when I get down to below around 30 gigs of free space. It varies a bit depending on what you use your Mac for, but my own preference is to always aim for 50 Gigs free on this 250 Gig drive.
You have to fix the "keys out of order" problem before you even think of re-installing the OS.
The best solution is to reformat the drive. It is unlikely that it actually needs replacing. However I still think you should buy another drive, but an external one, if you don't have one already.
My approach to your problem would be:
1) Go and buy a nice big external firewire drive if you don't have one already (ideally at least twice the size of your internal).
2) Install OSX on the external drive (You may want to partition it into two volumes first, keeping one partition to store a "cloned backup" of your internal and one for general usage, overflow storage, etc)
3) Boot from the external HD and copy across your precious stuff from the internal drive to the external. (If you have created two partitions on the external you could use the excellent utility "SuperDuper" to "clone" the internal to the second partition - the one without the OS installed on it)
4) Reformat the internal drive, preferably using the single "zeroing" option.
5) Re-install the OS and software on your internal drive
6) Copy back your data (documents, music, movies etc.) to your internal, but make sure you leave plenty of free space on it. (If you have a large music library, or lots of movies, for example, you might want to keep them on the external rather than putting them back.)
7) From now on use one partition of your external drive for regular "cloned" backups of the internal and the other for general storage overflow etc.
Cheers
Rod -
Preference Panes - Install for all users, after the fact?
Is there any way to get an already installed Pref Pane to install for all other users once it has been installed for the main account? I am hoping for a way that doesn't require uninstalling the current Pref Pane and reinstalling; some have settings I don't want to lose for the main account.
PowerMac G4 Dual 1.25, MacBook 1.83 Mac OS X (10.4.7) 2 Gb RAM : 250 Maxtor, 80 & 250 WD int. drives : Mighty Mouse : dual mon.
Thanks for the reply.
The app (Bamboo Dock) has installed in the root Applications folder. When I'm logged in as the administrator I can see the proper icon in the Apps folder and run it. However, when I log on as my son I can see the app but the icon is the default icon with the A and the pencil on it, and the app won't run.
I didn't have a choice where to install and the app did not ask me if I wanted to install for all users.
I was wondering if I could run the installer app from the terminal with sudo, then I would be giving the installer app the authority to write the receipt? I don't know if this would work or how to do it if it would.
Stuart -
Getting mail authentication errors for outlook user sending mail
When an Outlook 2010 user attempts to use port 587 to send mail (to himself at this point), we see the following in the server logs:
(The user in question can attach to file shares on the same server just fine from his Windows laptop.)
Outlook config for the outbound server is "port: 587, encryption TLS".
When we connect, we get "connection interrupted by server".
Tried other encryption methods; Outlook 2010 states that the server does not support the other methods (None, SSL).
SMTPD Logs
Jul 29 22:22:58 <servername>.l-n-l.com postfix/smtpd[2306]: connect from <Outlook Client Name>[<Outlook ClientAddr>]
Jul 29 22:22:58 <servername>.l-n-l.com postfix/smtpd[2306]: error: validate response: error: Authentication server failed to complete the requested operation.
Jul 29 22:22:58 <servername>.l-n-l.com postfix/smtpd[2306]: error: validate response: authentication failed for user=colin (method=DIGEST-MD5)
Jul 29 22:22:58 <servername>.l-n-l.com postfix/master[1407]: warning: process /usr/libexec/postfix/smtpd pid 2306 killed by signal 6
Jul 29 22:22:58 <servername>.l-n-l.com postfix/master[1407]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
Jul 29 22:24:12 <servername>.l-n-l.com postfix/smtpd[2270]: timeout after END-OF-MESSAGE from localhost[127.0.0.1]
Jul 29 22:24:12 <servername>.l-n-l.com postfix/smtpd[2270]: disconnect from localhost[127.0.0.1]
Meanwhile: Mac clients are able to connect to the smtpd submission port to send mail with no problems. Based on what the logs say, it appears that Mac Mail is using a different authentication mechanism.
Client config for outbound server is "use custom port: 587, Use SSL:Checked, Authentication: MD5 Challenge-Response"
Jul 29 22:19:12 <servername>.l-n-l.com postfix/smtpd[2261]: connect from <Mac Client Name>[<MacClientAddr>]
Jul 29 22:19:12 <servername>.l-n-l.com postfix/smtpd[2261]: 721FCEC991: client=<Mac Client Name>[<MacClientAddr>], sasl_method=CRAM-MD5, sasl_username=<username>@l-n-l.com
Jul 29 22:19:12 <servername>.l-n-l.com postfix/cleanup[2267]: 721FCEC991: message-id=<[email protected]>
Jul 29 22:19:12 <servername>.l-n-l.com postfix/qmgr[1800]: 721FCEC991: from=<[email protected]>, size=573, nrcpt=1 (queue active)
Jul 29 22:19:12 <servername>.l-n-l.com postfix/smtpd[2270]: connect from localhost[127.0.0.1]
Jul 29 22:19:12 <servername>.l-n-l.com postfix/smtpd[2270]: E722AEC9A0: client=localhost[127.0.0.1]
Jul 29 22:19:12 <servername>.l-n-l.com postfix/cleanup[2267]: E722AEC9A0: message-id=<[email protected]>
Jul 29 22:19:12 <servername>.l-n-l.com postfix/qmgr[1800]: E722AEC9A0: from=<[email protected]>, size=994, nrcpt=1 (queue active)
Jul 29 22:19:12 <servername>.l-n-l.com postfix/smtp[2268]: 721FCEC991: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.55, delays=0.06/0.01/0.01/0.48, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as E722AEC9A0)
Jul 29 22:19:12 <servername>.l-n-l.com postfix/qmgr[1800]: 721FCEC991: removed
Jul 29 22:19:13 <servername>.l-n-l.com postfix/pipe[2273]: E722AEC9A0: to=<[email protected]>, relay=dovecot, delay=0.13, delays=0/0.01/0/0.12, dsn=2.0.0, status=sent (delivered via dovecot service)
Jul 29 22:19:13 <servername>.l-n-l.com postfix/qmgr[1800]: E722AEC9A0: removed
Jul 29 22:20:12 <servername>.l-n-l.com postfix/smtpd[2261]: disconnect from <Mac Client Name>[<MacClientAddr>]
Running OS X 10.8.4 with Server 2.2.1.
Any thoughts on what I need to do to make OSX Server mail play nice with Outlook over the submission port?
Thanks in advance!!
Ok - so I think I have it almost all sussed. So for all 3 of you who might be reading this, here is what is going on.
1) As I expected, this has nothing to do with the FQDN/Outlook problem. I actually rejoiced when I finally got far enough to have that problem with my Outlook 2007 and 2010 clients. And I don't like the recommended fix for that either. There is another way - more on that in a minute.
2) This problem was all about authentication methods. At present, I have OS X Mail Server set for plain text and APOP only. I will be working to fix this soon - but at present I am unable to find any other combination that permits both Mac Mail and Outlook clients to authenticate properly. Mac Mail wants to use CRAM-MD5 by default. Outlook is so incompatible with CRAM-MD5 that even when there are other authentication methods available on the mail server, if CRAM-MD5 is selected on the Server then Outlook fails miserably no matter how you configure the Outlook client. Caveat: this is my own observation and I still have some experimenting to do. If you know otherwise (or can confirm more definitively), then please speak up!
So here is the working configuration at present:
A) Mail Server authentication set to Custom with PlainText and APOP selected, all others blank.
B) Firewall permits inbound from ports 25 (for mail from "outside"), 587 (submission for authenticated users, TLS) 993 (SSL IMAP), and 995 (SSL POP).
C) Mac POP Clients:
i) For retrieval (POP) In advanced settings, use Port 995, Check "Use SSL", Select APOP for authentication.
ii) For submission (SMTP) : Set port 587 (only), Set Authentication to "Password"
D) Outlook 2007,2010,2013 clients
i) For retrieval (POP), Set "Require secure logon using SPA"
ii) In "More Settings/Outgoing Server" set it to require authentication with same credentials as inbound
iii) In "More Settings/Advanced"
a) Turn on Encryption for the POP3, this should change the port to 995 automatically. If it does not, fix that too.
b) Set outgoing server to 587
c) Set TLS for the encryption type (nothing else will work here)
Once you do 2.A, 2.B, 2.D, you will THEN, finally encounter the FQDN problem.
3) So Apple and a lot of folks here in the forums resolve the FQDN problem by removing one of the restrictions:
Remove "reject_non_fqdn_helo_hostname" from "smtpd_helo_restrictions" in your postfix main.cf file.
I have at least 2 problems with this:
A) It removes yet another little bit of security from the setup
B) It involves non-GUI changes to the config...which is dangerous if you use the GUI, as changes within the GUI will often result in overwrites to your changes outside the GUI. So you can easily lose this fix without being aware of it until one of your Outlook users starts screaming.
The problem is really with Outlook and Windows not sending the FQDN in the first place. So how about we force them to do that instead? It turns out not to be too hard. I found a thread somewhere that goes into this and it works. Further, the solution remains on through reboots AND also can be made part of an automated deployment of a standard config. The only gotcha is you have to edit the registry...so you have to be careful. You only need to do this ONCE though, and the two entries are easy to find.
C) Under HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/Tcpip/Parameters
i) Set Hostname to the FQDN of your host (replace HOST with HOST.domain.com - or .net, or whatever)
ii) Set NV Hostname to the FQDN of your host
iii) Close Regedit and Reboot to have the changes take effect
Once you do this, the FQDN problem for Outlook users goes away.
So I am looking for suggestions to make the SMTP submission more secure. Aside from that, things are working - and I have had to make ZERO changes to config files outside of the Server GUI - a plus as far as I am concerned.
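An added triage script, not from the thread, that runs over the smtpd and master lines quoted in the question: it groups events by smtpd process, records each SASL attempt with its mechanism and outcome, and correlates master's "killed by signal" warning with the mechanism that was being validated, so the per-mechanism summary shows which client mechanisms actually work before any are switched off on the server. The log lines are the poster's, including their <servername> and client-name placeholders.

```python
import re
from collections import defaultdict

# The smtpd / master lines quoted in the question (placeholders as the poster wrote them).
LOG = """\
Jul 29 22:22:58 <servername>.l-n-l.com postfix/smtpd[2306]: connect from <Outlook Client Name>[<Outlook ClientAddr>]
Jul 29 22:22:58 <servername>.l-n-l.com postfix/smtpd[2306]: error: validate response: error: Authentication server failed to complete the requested operation.
Jul 29 22:22:58 <servername>.l-n-l.com postfix/smtpd[2306]: error: validate response: authentication failed for user=colin (method=DIGEST-MD5)
Jul 29 22:22:58 <servername>.l-n-l.com postfix/master[1407]: warning: process /usr/libexec/postfix/smtpd pid 2306 killed by signal 6
Jul 29 22:22:58 <servername>.l-n-l.com postfix/master[1407]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
Jul 29 22:19:12 <servername>.l-n-l.com postfix/smtpd[2261]: connect from <Mac Client Name>[<MacClientAddr>]
Jul 29 22:19:12 <servername>.l-n-l.com postfix/smtpd[2261]: 721FCEC991: client=<Mac Client Name>[<MacClientAddr>], sasl_method=CRAM-MD5, sasl_username=<username>@l-n-l.com
Jul 29 22:20:12 <servername>.l-n-l.com postfix/smtpd[2261]: disconnect from <Mac Client Name>[<MacClientAddr>]
"""

SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+"
                    r"postfix/(?P<prog>\w+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
CONNECT = re.compile(r"^connect from (?P<client>.+)$")
AUTH_FAIL = re.compile(r"authentication failed for user=(?P<user>\S+) \(method=(?P<method>[\w-]+)\)")
AUTH_OK = re.compile(r"sasl_method=(?P<method>[\w-]+), sasl_username=(?P<user>\S+)")
KILLED = re.compile(r"process \S+ pid (?P<pid>\d+) killed by signal (?P<sig>\d+)")


def new_session():
    return {"client": None, "auth": [], "killed_by_signal": None}


def parse_smtpd_log(text):
    """Group events by smtpd process id: the connecting client, each SASL attempt
    as (mechanism, succeeded, user), and the signal master reported if the
    process died. Returns ({pid: session}, throttled) where throttled is True
    when master started throttling smtpd after a bad startup."""
    sessions = defaultdict(new_session)
    throttled = False
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        prog, pid, msg = m["prog"], m["pid"], m["msg"]
        if prog == "smtpd":
            s = sessions[pid]
            conn, fail, ok = CONNECT.match(msg), AUTH_FAIL.search(msg), AUTH_OK.search(msg)
            if conn:
                s["client"] = conn["client"]
            elif fail:
                s["auth"].append((fail["method"], False, fail["user"]))
            elif ok:
                s["auth"].append((ok["method"], True, ok["user"]))
        elif prog == "master":
            killed = KILLED.search(msg)
            if killed:
                # master names the smtpd pid, which is the key used above.
                sessions[killed["pid"]]["killed_by_signal"] = int(killed["sig"])
            elif "throttling" in msg:
                throttled = True
    return dict(sessions), throttled


def mechanism_summary(sessions):
    """Per SASL mechanism: successful and failed attempts, and how many smtpd
    processes died in a session that used it."""
    summary = defaultdict(lambda: {"ok": 0, "failed": 0, "smtpd_crashes": 0})
    for s in sessions.values():
        for method, ok, _user in s["auth"]:
            summary[method]["ok" if ok else "failed"] += 1
            if s["killed_by_signal"] is not None:
                summary[method]["smtpd_crashes"] += 1
    return dict(summary)


if __name__ == "__main__":
    found, throttled = parse_smtpd_log(LOG)
    for pid, sess in found.items():
        print(pid, sess)
    print("master throttling smtpd:", throttled)
    print(mechanism_summary(found))
```

On these lines the summary pairs the DIGEST-MD5 attempt with an smtpd abort (signal 6) and master throttling, while the CRAM-MD5 session from the Mac client completed normally.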