  • Shoretel Server and AD

    Our Shoretel server is not in our AD. Any reason not to have it in our AD? Positives/Negatives?

    New to the forum. Thanks to the group beforehand.

  • #2
    About a year ago now Microsoft rolled out some updates that broke some DCOM functionality. Even if you didn't install the update on the actual Shoretel server, the settings propagated in a domain environment causing problems for any Shoretel server (HQ or DVM) joined.



    • #3
      Group policy application

      It all depends on whether you want group policy settings to apply to the server. Shoretel advises against it because several GP settings could cause the server to not authenticate or otherwise become unresponsive.

      When I had problems upgrading from 6.0 to 7.5, they would not even support me until I removed the server from the domain and uninstalled Symantec Endpoint Protection. Prior to upgrading my server ran very smoothly on the domain for several years. Sorry for the rant but I find it very strange and inconvenient for a company to recommend against using group policy and antivirus software.



      • #4
        Originally posted by jdean:
        It all depends on whether you want group policy settings to apply to the server. Shoretel advises against it because several GP settings could cause the server to not authenticate or otherwise become unresponsive.

        When I had problems upgrading from 6.0 to 7.5, they would not even support me until I removed the server from the domain and uninstalled Symantec Endpoint Protection. Prior to upgrading my server ran very smoothly on the domain for several years. Sorry for the rant but I find it very strange and inconvenient for a company to recommend against using group policy and antivirus software.
        Hi James
        How ya been?

        I can understand and I certainly feel your pain. Officially ShoreTel has no policy on Domains, but
        NEVER INSTALL ShoreTel on to a server that is already part of a domain.
        NEVER PUSH ANY POLICY on to the ShoreTel server that disrupts the naming and passwords of the default ShoreTel users on install.

        You can add the server to the domain after the server has been installed, configured and validated to be working properly as a stand alone work group server. Many times a server is pushed to the domain and the policy is so rigid it shuts down ftp, dcom, telnet and many passwords needed to ShoreTel. Even though it is not recommended or endorsed the first thing ShoreTel will ask is to have the server removed from the domain.

        Yes maybe it is an issue, but from what I see, Security Nazi Admins are more the issue than moving it to the domain. They fail to understand the basic needs of the ShoreTel system as a DEDICATED VOIP SYSTEM. It is not just an average File Server, it is a VOIP SYSTEM :shuriken:



        • #5
          I disagree slightly with the last statement here. I'm the Manager of IT for a company that falls under HIPAA compliance. I had our ShoreTel server that was just installed last week placed in our Domain and installed AV software. These are requirements for me, not options. I need to have complete control over every device on my network. That control and visibility includes being in AD....albeit, a special OU with specific policies directly applied.

          Although I haven't run into an issue yet, I plan on asking for documentation on the specific requirements (all of them) for the software to run. I have been doing this long enough to know they exist. For example, I can't tell you how many times I have run into a piece of software that a vendor says "requires administrative rights to run." That is always a misnomer and in 2008, a requirement that does not work with "Network Security 101." I simply talk and talk until I actually speak to a developer. They then specify directories and registry settings where full rights are needed and I make the necessary changes and document.

          This same mentality applies to all software. No users on our network have administrative rights. It is an impossibility for me and should never be a requirement in this day and age.

          Of course, that's just my two cents......

          Brian



          • #6
            No worries

            Go ahead and push the server to the domain and change all the policies, then call TAC and wait 4 weeks to have it fixed :sailor:

            I always like it when I hear, I have been doing this for such and such years :thumbup1:



            • #7
              In this era of centralised management I would expect that ShoreTel should be able to tell us what policies need to be set to what. The docs do mention AV software in relation to MySQL so obviously ShoreTel expect AV software to be running on the server.

              Gone are the days where TAC techs can take the attitude of "not supported, <click>", IT Managers also need to have a co-operative approach with vendors. Most IT managers seem to have a pretty good head about this sort of stuff these days, too easy to get fired if users can't work due to restrictive IT policies...

              I think it is a reasonable expectation that a vendor define the "least privilege" requirements for their product. I don't think it's reasonable to expect admins "to understand the basic needs of the shoretel system as a DEDICATED VOIP SYSTEM" if ShoreTel can't tell us what they are.

              Admins aren't the enemy, they are the customer. And ShoreTel lives on CSAT results...



              • #8
                shoretel on AD

                You will break the Kadota DCOM service. The Kadota service is the heart of Shoretel functionality. I've already tried it. I had to reinstall Windows and Shoreware to fix it.



                • #9
                  Originally posted by jlear:
                  In this era of centralised management I would expect that ShoreTel should be able to tell us what policies need to be set to what. The docs do mention AV software in relation to MySQL so obviously ShoreTel expect AV software to be running on the server.

                  Gone are the days where TAC techs can take the attitude of "not supported, <click>", IT Managers also need to have a co-operative approach with vendors. Most IT managers seem to have a pretty good head about this sort of stuff these days, too easy to get fired if users can't work due to restrictive IT policies...

                  I think it is a reasonable expectation that a vendor define the "least privilege" requirements for their product. I don't think it's reasonable to expect admins "to understand the basic needs of the shoretel system as a DEDICATED VOIP SYSTEM" if ShoreTel can't tell us what they are.

                  Admins aren't the enemy, they are the customer. And ShoreTel lives on CSAT results...
                  Ya got that part dead on. It is very simple to understand, two worlds collided, the data and the voice. Now on one side you have all the data gurus/nerds/hyper and hypo admins and general individuals who make believe they are admins.

                  On the other side you have old hack frames guys, telco/pbx techs and general cable pullers and wannaB data guys

                  The two worlds collide and you get :taz: on one side blaming everything on anyone and ya get :tank: on the other that just blasts away and marches to Berlin.

                  The truth is, ShoreTel Server is an Enterprise Voice over IP system, it is not a PBX, it is not a File Server, Domain Server, Email Server. It is a simple Stand Alone Application that runs on Winders 200x server.

                  The requirements are very simple, don't push any policy to the server that is going to kill the ShoreTel processes. An enterprising admin with a ShoreTel manual and a little time can figure that much out :w00t:



                  • #10
                    Originally posted by Jlorenz:
                    The truth is, ShoreTel Server is an Enterprise Voice over IP system, it is not a PBX...
                    On Rant...
                    Let's not pretend that this thing is any more than it is... a private branch exchange that uses the network backbone for transport (vs. a voice backbone) and has some added bells and whistles. By definition a PBX is: a telephone exchange that serves a particular business or office, as opposed to one that a common carrier or telephone company operates for many businesses or for the general public. That's what ShoreTel and any other IP phone system does. (Yeah, I'm one of those old PBX installers that has been around since the age of the dinosaurs.)

                    Let's not forget, people expect their phones to just work. They don't care about the complexity of the setup or that you administer a fancy IP system. What they do care about is that they hear dial tone when they lift the handset. :yes:
                    Off Rant...



                    • #11
                      ShoreTel, like all other enterprise application providers, must have appropriate documentation and understanding of their applications to be supportable in controlled environments. This is the 3rd millennium, after all.

                      I, too, am frequently frustrated by applications which do not behave well with OS-vendor-documented best practices.

                      Jlorenz, unless you can provide specific, detailed, reasoned explanations as to what technical reasons require the configuration as specified, then you have no call to ridicule people who do have significant industry experience with forcing the issue with vendors.

                      One of my clients currently in the process of deploying ShoreTel also requires HIPAA compliance on all systems. ShoreTel is signing off on the fact they can make it work.



                      • #12
                        In my experience, it is best NOT to put the ShoreTel server into your domain.
                        Let's say (not for the sake of argument but just to make a point) that your ShoreTel server was made out of Linux or consisted of a black box (or orange obviously) with a couple of network connections and an electrical cable. You wouldn't add your network switches to your domain (although you might want to leverage AD for authenticating administrator access). I am not a security expert, but I understand you wouldn't add a firewall to your domain.
                        At the end of the day, the job of the ShoreTel server is to control the ShoreTel system and to host voicemail.

                        (let the flaming begin)



                        • #13
                          Originally posted by WalkaboutTigger:
                          ShoreTel, like all other enterprise application providers, must have appropriate documentation and understanding of their applications to be supportable in controlled environments. This is the 3rd millennium, after all.

                          I, too, am frequently frustrated by applications which do not behave well with OS-vendor-documented best practices.

                          Jlorenz, unless you can provide specific, detailed, reasoned explanations as to what technical reasons require the configuration as specified, then you have no call to ridicule people who do have significant industry experience with forcing the issue with vendors.

                          One of my clients currently in the process of deploying ShoreTel also requires HIPAA compliance on all systems. ShoreTel is signing off on the fact they can make it work.
                          Let's see now, I worked inside ST for some years, I have been in telecom for 20 years. I think my expertise in ST trumps :unk:

                          I make no apologies for my answer, it is what it is. The ST requires specifically not to touch the users IPBX_ Shoretel_ and so on that are default users to ShoreTel stand alone install. Bottom line, do not let the GPO Policy muck with these and you will be fine. I do not understand what is so difficult to understand about that.

                          In my experience, the over zealous, fresh out of school, got to account for every bit and byte, cannot think out of the box admin hoses more ST installs up than I can count. So take it for what it is, my advice is sound, my advice is the same as ST's advice and that is

                          Install the server as a stand alone Work group server (as per the Requirements provided by ST throughout PIG as well as Release notes)
                          Install ShoreTel - Nothing more
                          Confirm the system is running as designed
                          Leaving the default installed ShoreTel users and PWs alone, add to domain without pushing policy to server.

                          Very simple

                          The confusion comes when the Data only Admin doesn't understand the fundamentals of telephony; simply, this is a Phone system that runs on a Windows Server. It is Not a File Server, Domain Server, Email server, it is a phone system and has its own requirements
                          Last edited by Jlorenz; 11-29-2008, 02:03 PM.



                          • #14
                            Here is the problem with the "it is just a phone system" statement.....it runs on a Windows Server. As soon as it is a Windows server, it is a "Windows server that runs PBX software". Let us remember that a PBX as described by the "just a phone system" statement is generally proprietary hardware and software most likely on a separate network (voice). Windows is well known and therefore "open to attack".

                            Security is the top priority for HIPAA compliance. If you are not well documented and following standard security protocols, you are significantly increasing the liability for your company.

                            Here is what I did. The server was delivered preconfigured from our vendor in a workgroup. Once it was up and running, I "imaged" the box with Acronis and then added it to our domain and installed AV software. The server sits in a unique OU with only the default domain policy (at the moment). It is running fine and we have had no issues. My only issue now is I need to be able to apply patches to it. Obviously, as with ALL software, this is a careful process of research and testing. We have dozens of apps that run on our servers, many of which are mission critical. The ShoreTel software is no different from the other apps.

                            Listen, the point I'm making is that companies that fall under some sort of compliance DO need to account for every device, bit of data, and log file out there. It is not an option for us to say "no, this is fine and we'll live with it." (If you think I'm bad, you obviously have never dealt with a hospital IT department! ) So, companies need to realize this and provide adequate, reasonable options for their customers. I have requested information from ShoreTel regarding this (through our vendor).

                            I'm not a jacka$$ when I call any of these companies looking for answers. I describe my needs, help them understand the importance of those needs, and they generally are happy to help. The carrot always works better than the stick in my experience.

                            Brian
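The staging order given in #13 (validate as a workgroup server, then join without pushing policy) and the dedicated-OU arrangement described in #5 and #14, as an added PowerShell example that is not from the thread or from ShoreTel. It assumes the RSAT ActiveDirectory and GroupPolicy modules on an admin workstation, the LocalAccounts module on the server (Windows Server 2016 or later; the thread's Server 200x would use `net user` instead), the constructed names corp.example, VoIP-Servers and SHORETEL-HQ, and the local account prefixes IPBX_ / ShoreTel_ as named in #13 (exact names vary by release).

```powershell
# Added example, not the thread's or ShoreTel's own procedure.
# Goal: join an already-working ShoreTel server to AD inside an OU that blocks
# inherited GPOs, and prove afterwards that the default local accounts the
# software depends on were not renamed, disabled or password-reset by policy.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain   = 'corp.example'            # assumption: constructed domain name
$DomainDN = 'DC=corp,DC=example'
$OuName   = 'VoIP-Servers'            # assumption: dedicated OU for the phone system
$Server   = 'SHORETEL-HQ'             # assumption: HQ server name

# Snapshot of the default ShoreTel local accounts (run ON the server, before the
# join and again after it). Any difference in Name, Enabled or PasswordLastSet
# means a policy touched exactly what post #13 says must be left alone.
function Get-ShoreTelLocalAccountState {
    Get-LocalUser |
        Where-Object { $_.Name -like 'IPBX_*' -or $_.Name -like 'ShoreTel_*' } |
        Select-Object Name, Enabled, PasswordLastSet |
        Sort-Object Name
}
$before = Get-ShoreTelLocalAccountState
$before | Export-Csv -Path "$env:TEMP\shoretel-accounts-before.csv" -NoTypeInformation

# On the admin workstation: create the OU, block inheritance so only GPOs linked
# directly to this OU apply, and pre-create the computer object there so the
# join lands in the right place rather than in the default Computers container.
# Note: blocking inheritance also blocks the Default Domain Policy unless it is
# enforced; link it (or a trimmed copy) to the OU explicitly if you want it, as in #14.
New-ADOrganizationalUnit -Name $OuName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
$OuDN = "OU=$OuName,$DomainDN"
Set-GPInheritance -Target $OuDN -IsBlocked Yes
New-ADComputer -Name $Server -Path $OuDN -Enabled $true

# On the server, after it has been validated as a workgroup install: join and reboot.
Add-Computer -DomainName $Domain -OUPath $OuDN -Restart

# After the reboot (on the server): list the GPOs that actually applied to the
# computer, then diff the account snapshot against the pre-join one.
gpresult /scope computer /r
$after = Get-ShoreTelLocalAccountState
$diff  = Compare-Object -ReferenceObject $before -DifferenceObject $after `
                        -Property Name, Enabled, PasswordLastSet
if ($diff) {
    Write-Warning 'Default ShoreTel account state changed after the domain join:'
    $diff | Format-Table -AutoSize
} else {
    Write-Host 'Default ShoreTel accounts unchanged after the domain join.'
}
```

The `gpresult` output is the evidence to keep with the change record: it shows which GPOs reached the server, which is the first thing to compare against the pre-join snapshot when ShoreTel services stop authenticating.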



                            • #15
                              Well the issue with "it is just a server" is it's just a Software based PBX.

                              ShoreTel is very clear on its requirements, (See PIG) they fit well within HIPAA compliance. All they need to do is supply the requirements to run (See PIG), it's up to the admin to install the rest. As you stated,
                              Obviously, as with ALL software, this is a careful process of research and testing. We have dozens of apps that run on our servers, many of which are mission critical. The ShoreTel software is no different from the other apps.
                              ShoreTel also has a "Team" of "professionals" who will work directly with you on a contractual basis if it's needed for special or criteria based applications.

                              The issue is, and I will stick with this because of experience witnessing first hand the UNPREPARED over Zealous Admin, who does not study, does not educate, does not understand the requirements of the application. Installs the ShoreTel onto a Domain Controller, or pushes the ShoreTel as a Domain Controller, installed as a File Server, Webserver and yes even on firewalls and email servers. Only to have it FUBAR and then it is ShoreTel's Fault.

                              And when the proverbial words from Support come
                              "Move it off the Domain, Uninstall IIS, Reinstall IIS"
                              come :scared: :1eye:

                              well I have seen it more than a dozen times in more than a dozen companies by many unprepared admins. :nuke:

                              Believe me, I am no fan of ShoreTel's design and testing methodologies, let alone the internal management. I think they suck at it and many have no clue on basic functional design. But given that the architecture is simply an application that runs on a Windows Server should be clue enough to the admin what needs to be done to not kill the box. I refer to the PIG, it is great bathroom reading, also if you do the research and gain access to a Maintenance manual, this will give you a clear picture as to WHAT NOT TO TOUCH on the ShoreTel Installation. I am no admin and I do not pretend to be, what I know is what I know and I am not hindered by being locked into a data mindset only, which is what the underlying issue really is. I just shoot from the hip because I know I am good at what I do. I don't blow smoke up my customers' Woo Hoo to make a sale, I tell them the truth, period, even at the cost of losing the contract.
                              Last edited by Jlorenz; 12-08-2008, 03:12 PM.
