Creating Trusted Application Pools for Microsoft Lync
So, we've got a product called Alert Manager. And while it's pretty neat, it does have some issues
with Microsoft Lync trusted application pools. Specifically, it needs to be a
trusted app, and that can be kind of rough to set up automatically.
As a result, now and then our customers have to add the Alert Manager
app to their trusted app pool manually.
There's a certain amount of data you
need before you can do that, though, so I'll start there.
First, we're going to log into our target server, where we're installing Alert Manager. From that server, start PowerShell 3.0 in Administrator mode (most of these commands require administrative rights, for obvious reasons: you're altering the structure of the network's trust systems).
All the commands below are issued to the PowerShell shell, and the results are displayed inline.
We need the domain name for obvious reasons: it's awfully hard to provision a server on a trusted application pool if we don't have the FQDN for that server. Here's how I get it:
$objIPProperties = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
# from $objIPProperties, build the FQDN as host name + "." + domain name
$fqdn = $objIPProperties.HostName + "." + $objIPProperties.DomainName
I'm going to be taking each element and sticking it in a variable so that the code doesn't turn into a garbled mess. So now $fqdn should contain the fully-qualified domain name of the server on which we're installing Alert Manager.
Next, we'll grab the identity of the registrar with this command:
# now, get your registrar...
Get-CsService -Registrar | Format-List
We want the first line of the results, which should look like this:
Identity: Registrar:your.pool.domain.name
...other data we don't care about...
So we take that information (the part after "Registrar:") and set it as a variable for neatness:
$registrar = "pool01.instant-tech.local"
(Tip: don't try to set a variable without the quotes around it; PowerShell will try to interpret that string as a command, and spit it back at you when your registrar FQDN isn't a recognized cmdlet.)
Now we need to get the data for your Lync Server site. You should know which site you're targeting, particularly if you're using any sort of exotic hybrid 2010/2013 front-end/back-end setup. The command that will get you that list of sites is this:
Get-CsSite | Format-List
Select the first line, which should look like:
Identity: Site:yoursitename
...more data we don't care about...
And set that (the part after "Site:") as a variable:
$site = "yoursitename"
The last pieces of data we need come from the Lync Certificate Authority for your system, since trusted app pools use certificates to assure...well...trust.
# This will get a list of the certificate authorities this computer is aware of...
CertUtil -CA | Format-List
At least one of these will be your Lync certificate authority. You should already know which one is appropriate for your situation; finding that is beyond the scope of this post.
From the appropriate CA entry, find the CAPropDNSName and the CAPropCommonName, and put those into variables, too. It should look something like this:
CAPropCommonName = INSTANT-TECH-2013FES-CA
CAPropDNSName = 2013FES.INSTANT-TECH.local
...this doesn't matter to us...
And then we'll slap those into variables for neatness...
$DNSName = "2013FES.INSTANT-TECH.local"
$CommonName = "INSTANT-TECH-2013FES-CA"
And then combine them, because when we request the certificate we need both, in the form DNSName\CommonName:
$CA = $DNSName + "\" + $CommonName
Again, do be sure to put those into quotes so that PowerShell doesn't try to interpret them. We'll be using them as arguments in a second.
Okay!
Now we should have all the data we need to build a new trusted app pool. First things first, though: if you've gotten here, you've tried to build an app pool through our Install Wizard. If that failed, the trusted app server retains the (misconfigured) attempt you made earlier, so let's get rid of that:
# get rid of the old app pool you tried to create, using the variable you made earlier.
Remove-CsTrustedApplicationPool -Identity $fqdn -Force
# Now, create a new trusted application pool:
New-CsTrustedApplicationPool -Identity $fqdn -Registrar $registrar -Site $site -ComputerFqdn $fqdn
# push the trusted application pool to the Lync topology
Enable-CsTopology
# get Lync certs so that everyone plays nice with each other.
Request-CsCertificate -New -Type Default -ComputerFqdn $fqdn -CA $CA
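The whole procedure above, gathered into one script so it can be reviewed and re-run. This is an added example, not code from the original post or from the Alert Manager installer; it assumes the Lync Server Management Shell cmdlets are loaded in an elevated PowerShell 3.0 session, and the CA string (DNSName\CommonName) is a placeholder you supply from the CertUtil -CA output. Unlike the step-by-step commands, it only removes a pool that actually exists, supports -WhatIf, and verifies the result afterwards.

```powershell
# Added example (not from the original post): recreate the trusted application pool.
# Usage: .\New-AlertManagerPool.ps1 -CA "2013FES.INSTANT-TECH.local\INSTANT-TECH-2013FES-CA" [-SiteId yoursitename] [-WhatIf]
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string]$CA,   # CAPropDNSName\CAPropCommonName from CertUtil -CA (placeholder)
    [string]$SiteId                       # leave empty to take the first site Get-CsSite returns
)
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# 1. FQDN of this server, built exactly as in the post
$ip   = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$fqdn = "$($ip.HostName).$($ip.DomainName)"

# 2. Registrar pool FQDN: the text after "Registrar:" in the first Identity
$registrar = "$((Get-CsService -Registrar | Select-Object -First 1).Identity)" -replace '^Registrar:', ''

# 3. Site: the text after "Site:" in the first Identity, unless one was supplied
if (-not $SiteId) {
    $SiteId = "$((Get-CsSite | Select-Object -First 1).Identity)" -replace '^Site:', ''
}
Write-Host "FQDN=$fqdn  Registrar=$registrar  Site=$SiteId  CA=$CA"

if ($PSCmdlet.ShouldProcess($fqdn, "Recreate trusted application pool")) {
    # 4. Remove only a pool that really exists (a failed wizard run leaves one behind)
    $existing = Get-CsTrustedApplicationPool -Identity $fqdn -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Removing earlier pool $fqdn"
        Remove-CsTrustedApplicationPool -Identity $fqdn -Force
    }

    # 5. Create the pool, publish the topology, request the Default certificate
    New-CsTrustedApplicationPool -Identity $fqdn -Registrar $registrar -Site $SiteId -ComputerFqdn $fqdn
    Enable-CsTopology
    Request-CsCertificate -New -Type Default -ComputerFqdn $fqdn -CA $CA

    # 6. Verify: the pool is in the topology and a Default certificate is present
    Get-CsTrustedApplicationPool -Identity $fqdn | Format-List Identity, Registrar, Site
    Get-CsCertificate -Type Default | Format-List Thumbprint, Subject, NotAfter
}
```

Run it with -WhatIf first to see the gathered FQDN, registrar, site and CA values before anything in the topology is changed.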
That should get your app pool and
certificate all set up. From there, the Trusted Application tool in
Instant Technologies’ Setup Wizard should see you clear. Once it
loads, choose an existing app pool (the one you just created), then
swap to the other tab to create your trusted application.
A great deal of the information for the creation of Alert Manager's PowerShell comes from Joe Calev's excellent blog.
Specifically, these articles about Lync Server Topologies and PowerShell with UCMA, while very outdated, provided a great deal of insight into the topic.
Thanks for reading, and if you have any questions, please comment or email me at mmcpherson@instant-tech.com