Monday, August 11, 2014

Creating Trusted Application Pools for Microsoft Lync

So, we've got a product called Alert Manager. And while it's pretty neat, it does have some issues with Microsoft Lync trusted application pools. Specifically, it needs to be a trusted app, and that can be kind of rough to set up automatically. As a result, now and then our customers have to add the Alert Manager app to their trusted app pool manually.

There's a certain amount of data you need before you can do that, though, so I'll start there.

First, we're going to log into our target server, where we're installing Alert Manager. From that server, start PowerShell 3.0 in Administrator mode (most of these commands require administrative rights, for obvious reasons: you're altering the structure of the network's trust systems).

All the commands below are issued to the PowerShell shell, and the results are displayed inline.

We need the domain name for obvious reasons: it's awfully hard to provision a server on a trusted application pool if we don't have the FQDN for that server. Here's how I get it:

$objIPProperties = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()

# from $objIPProperties, get the FQDN...
$fqdn = $objIPProperties.HostName + "." + $objIPProperties.DomainName

I'm going to be taking each element and sticking it in a variable so that the code doesn't turn into a garbled mess. So now $fqdn should contain the fully qualified domain name of the server on which we're installing Alert Manager.

Next, we'll grab the identity of the registrar with this command:

# now, get your registrar...
Get-CsService -Registrar | Format-List

We want the value on the first line of the output, which should look like this:

"...other data we don't care about..."

So we take that information and we set it as a variable for neatness:

$registrar = "pool01.instant-tech.local"
(tip: don't try to set a variable without the quotes around it; PowerShell will try to interpret that string as a command, and spit it back at you when your registrar FQDN isn't a recognized cmdlet.)

Now we need to get the data that we have available for your Lync server site. You should know which site you're targeting, particularly if you're using any sort of exotic hybrid 2010/2013 front-end/back-end setup. The command that will get you that list of sites is this:

Get-CsSite | Format-List

Select the first line, which should look like:

"Identity: Site: yoursitename"
"...more data we don't care about..."

And set that as a variable:

$site = "yoursitename"

The last pieces of data we need come from the Lync Certificate Authority for your system, since trusted app pools use certificates to

# This will get a list of the certificate authorities this computer is aware of...
CertUtil -CA | Format-List

At least one of these will be your Lync certificate authority. You should already know which one is appropriate for your situation; finding that is beyond the scope of this post.

From the appropriate CA entry, find the CAPropDNSName and the CAPropCommonName, and put those into variables, too. It should look something like this:

"CAPropCommonName = INSTANT-TECH-2013FES-CA"
"CAPropDNSName = 2013FES.INSTANT-TECH.local"
"...this doesn't matter to us..."

And then we'll slap those into variables for neatness...

$DNSName = "2013FES.INSTANT-TECH.local"
$CommonName = "INSTANT-TECH-2013FES-CA"

And then combine them because when we request the certificate we need both:

$CA = $DNSName + "\" + $CommonName

Again, do be sure to put those into quotes so that PowerShell doesn't try to interpret them. We'll be using them as arguments in a second.

Now we should have all the data we need to build a new trusted app pool. First things first, though: if you've gotten here, you've tried to build an app pool through our Install Wizard. If that fails, the trusted app server retains the (misconfigured) attempt you made earlier, so let's get rid of that:

# get rid of the old app pool you tried to create, using the variable you made earlier.
Remove-CsTrustedApplicationPool -Identity $fqdn -Force

# Now, create a new trusted application pool:
New-CsTrustedApplicationPool -Identity $fqdn -Registrar $registrar -Site $site -ComputerFqdn $fqdn

# push the trusted application pool to the Lync topology

# get Lync certs so that everyone plays nice with each other.
Request-CsCertificate -New -Type Default -ComputerFqdn $fqdn -CA $CA
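The steps above, gathered into one script that derives the registrar and site from the topology instead of retyping them, only removes a previous pool if one exists, and supports -WhatIf so you can preview the change before touching the topology. This is an added example, not the post's or Instant Technologies' own installer code; it assumes an elevated Lync Server Management Shell, a placeholder $CA value built as the post describes, and uses Enable-CsTopology for the "push to topology" step whose command the post does not show.

```powershell
# Added example (not part of the original post or the Alert Manager installer).
# Assumes: elevated Lync Server Management Shell (Lync cmdlets loaded), and that
# -CA is supplied as "CADnsName\CACommonName" exactly as the post builds $CA.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Registrar,                         # e.g. "pool01.instant-tech.local"; auto-detected if omitted
    [string]$Site,                              # e.g. "yoursitename"; auto-detected if omitted
    [Parameter(Mandatory = $true)][string]$CA   # placeholder: "2013FES.INSTANT-TECH.local\INSTANT-TECH-2013FES-CA"
)

# 1. FQDN of this server, built the same way the post does it.
$ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
if (-not $ipProps.DomainName) { throw "This host is not domain-joined; cannot derive an FQDN." }
$fqdn = $ipProps.HostName + "." + $ipProps.DomainName

# 2. Registrar: read PoolFqdn from the topology unless the caller pinned one.
if (-not $Registrar) {
    $registrars = @(Get-CsService -Registrar)
    if ($registrars.Count -ne 1) {
        throw "Found $($registrars.Count) registrars; pass -Registrar explicitly."
    }
    $Registrar = $registrars[0].PoolFqdn
}

# 3. Site: Get-CsSite reports Identity as "Site:<name>"; strip the prefix.
if (-not $Site) {
    $sites = @(Get-CsSite)
    if ($sites.Count -ne 1) { throw "Found $($sites.Count) sites; pass -Site explicitly." }
    $Site = $sites[0].Identity -replace '^Site:', ''
}

# 4. Remove a previous (misconfigured) pool only if one actually exists for this FQDN.
$existing = Get-CsTrustedApplicationPool -Identity $fqdn -ErrorAction SilentlyContinue
if ($existing -and $PSCmdlet.ShouldProcess($fqdn, "Remove existing trusted application pool")) {
    Remove-CsTrustedApplicationPool -Identity $fqdn -Force
}

# 5. Create the pool, publish the topology change, then request the certificate.
if ($PSCmdlet.ShouldProcess($fqdn, "Create trusted application pool (registrar $Registrar, site $Site)")) {
    New-CsTrustedApplicationPool -Identity $fqdn -Registrar $Registrar -Site $Site -ComputerFqdn $fqdn
    Enable-CsTopology   # publishes the new pool; standard cmdlet, assumed for the post's "push" step
    Request-CsCertificate -New -Type Default -ComputerFqdn $fqdn -CA $CA
}
```

Run it once with -WhatIf to see which pool, registrar and site it would act on before letting it modify the topology.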

That should get your app pool and certificate all set up. From there, the Trusted Application tool in Instant Technologies’ Setup Wizard should see you clear. Once it loads, choose an existing app pool (the one you just created), then swap to the other tab to create your trusted application.  

A great deal of the information for the creation of Alert Manager's PowerShell comes from Joe Calev's excellent blog.
Specifically, his articles about Lync Server topologies and PowerShell with UCMA, while very outdated, provided a great deal of insight into the topic.

Thanks for reading, and if you have any questions, please comment or email me at