Cisco Unity

Field Notice: FN - 62484 - Microsoft Exchange 2000/2003 Security Update MS06-19 May Impact Unity Message Delivery for Some Users


Revised March 9, 2007

August 8, 2006

NOTICE:

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.


Products Affected

| Product | Comments |
|---|---|
| Unity Tool Permissions Wizard - Unity | Versions 4.0 through 4.1 |

Problem Description

After installing Microsoft security update MS06-019 - Vulnerability in Microsoft Exchange Could Allow Remote Code Execution, Cisco Unity cannot deliver voice messages to subscribers when all of these statements are true for the applicable version of Cisco Unity:

Cisco Unity version 4.0(3) through 4.1(1):

  • The Exchange mailboxes for the affected subscribers are homed either in Exchange 2003 or Exchange 2000.

  • The Active Directory accounts associated with the affected subscribers belong to one or more administrative groups such as Enterprise Admins, Schema Admins, Domain Admins, or Administrators.

  • The Permissions Wizard that was last run to grant permissions to the installation and services accounts is older than version 2.1.0.25, dated September 8, 2004.

Cisco Unity version 4.0(2) and earlier:

  • The Exchange mailboxes for the affected subscribers are homed either in Exchange 2003 or Exchange 2000.

  • The Permissions Wizard that was last run to grant permissions to the installation and services accounts is older than version 2.1.0.25, dated September 8, 2004.

Note: The version of Permissions Wizard currently installed on the Cisco Unity server is not necessarily the version that was used to set permissions. When Cisco Unity is upgraded, a new version of Permissions Wizard is automatically installed.

If you are unsure which version of Unity Permissions Wizard was used when your Unity application was installed, it is recommended that you follow the steps outlined in the Workaround/Solution section below before applying the Microsoft patch.

Background

From time to time, Microsoft publishes patches for Windows which Cisco tests. Based on the impact to the Cisco application, Cisco either supports and recommends the patch or does not support or recommend the patch.

Cisco recommends that customers apply MS06-019 to Unity servers as appropriate to the release of Windows Server software. However, Cisco also requires that the latest version of Permissions Wizard appropriate to the release of Unity be run immediately after the patch is applied.

Problem Symptoms

After Microsoft Patch MS06-019 is applied to the Unity server, Unity cannot deliver voice messages to some users.

The users affected depend on the version of Cisco Unity being used. For Cisco Unity version 4.0(3) through 4.1(1), affected subscribers are those who are part of certain administrative groups such as:

  • Enterprise Admins

  • Schema Admins

  • Domain Admins

  • Administrators

  • Domain Controllers

  • Cert Publishers

  • Backup Operators

  • Replicator

  • Server Operators

  • Account Operators

  • Print Operators

For Cisco Unity version 4.0(2) and earlier, all subscribers will be unable to send voice messages.

Cisco Unity 4.2(1) is not affected by this issue.
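
The conditions in the Problem Description can be applied to a subscriber inventory before patching. The following Python is an added example, not part of the Cisco notice or any Cisco tool; the record fields, function names and sample accounts are assumptions constructed for illustration, and each subscriber's group list is assumed to be the already-resolved effective membership.

```python
import re

# Groups the notice lists as examples ("such as"), so not necessarily exhaustive.
ADMIN_GROUPS = {
    "Enterprise Admins", "Schema Admins", "Domain Admins", "Administrators",
    "Domain Controllers", "Cert Publishers", "Backup Operators", "Replicator",
    "Server Operators", "Account Operators", "Print Operators",
}
FIXED_WIZARD = (2, 1, 0, 25)          # runs older than this leave users exposed
AFFECTED_EXCHANGE = {"2000", "2003"}  # mailbox home versions named in the notice

def unity_version(text):
    """Parse a Unity release such as '4.0(3)' into (4, 0, 3)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\((\d+)\)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Unity version: {text!r}")
    return tuple(int(g) for g in m.groups())

def wizard_version(text):
    """Parse 'v2.1.0.25' into integers; comparing the strings would misorder .9 and .25."""
    return tuple(int(p) for p in text.strip().lstrip("vV").split("."))

def affected_subscribers(unity, last_run_wizard, subscribers):
    """Aliases expected to lose voice-message delivery once MS06-019 is applied.

    last_run_wizard: version that last SET permissions, which may differ from
    the version currently installed; None means unknown and counts as too old.
    subscribers: dicts with 'alias', 'exchange' and 'groups' keys (assumed layout).
    """
    release = unity_version(unity)
    if release == (4, 2, 1):
        return []                     # stated in the notice as not affected
    if release > (4, 1, 1):
        raise ValueError(f"Unity {unity} is not covered by the notice")
    if last_run_wizard and wizard_version(last_run_wizard) >= FIXED_WIZARD:
        return []
    homed = [s for s in subscribers if s["exchange"] in AFFECTED_EXCHANGE]
    if release <= (4, 0, 2):
        return [s["alias"] for s in homed]   # admin-group condition not listed
    return [s["alias"] for s in homed if ADMIN_GROUPS & set(s["groups"])]

# Constructed sample inventory (not real accounts).
SAMPLE = [
    {"alias": "jdoe", "exchange": "2003", "groups": ["Domain Users"]},
    {"alias": "adm-kim", "exchange": "2003", "groups": ["Domain Users", "Domain Admins"]},
    {"alias": "ops-lee", "exchange": "2000", "groups": ["Backup Operators"]},
    {"alias": "old-mbx", "exchange": "5.5", "groups": ["Administrators"]},
]
```

Passing `None` for the last-run wizard version reflects the notice's advice to treat an unknown run history as needing a fresh Permissions Wizard run.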

Workaround/Solution

Preventive Steps

The following steps will allow you to apply MS06-019 without affecting any users for the version of Cisco Unity specified:

For Cisco Unity version 4.0(3) through 4.1(1):

  1. Run the latest version of Permissions Wizard appropriate to the Unity software you have loaded. The Permissions Wizard must be run for each Unity domain.

  2. Wait 2 hours while the permissions are replicated.

  3. Apply the Microsoft patch MS06-019.

For Cisco Unity version 4.0(2) and earlier:

  1. Run the latest version of Permissions Wizard available for Unity 4.0(3) through 4.1(1). The Permissions Wizard must be run for each Unity domain.

  2. Wait 2 hours while the permissions are replicated.

  3. Apply the Microsoft patch MS06-019.

For Cisco Unity version 4.0(2) and earlier, the Permissions Wizard for Cisco Unity 4.0(3) must be used. After installation of MS06-019, certain "send as" rights are now enforced. The Permissions Wizard for Unity 4.0(2) and earlier did not set these rights.

The latest versions of Permissions Wizard may be obtained from the Cisco Unity Tools Alphabetical Listing of All Downloads page. Select the version appropriate for your deployment.

Workaround and Solution:

If MS06-019 has already been applied, perform Steps 1 and 2 above for the version of Cisco Unity being used. It will take approximately 2 hours to update permissions and recover the affected users. The Permissions Wizard will have to be run for each domain.

To verify the version of Permissions Wizard on your Unity server, follow these steps:

Right-click Permissions Wizard in Tools Depot and select Properties. That will show the version. The version must be v2.1.0.32 or later.

Note that your version of Permissions Wizard may be v2.1.0.32 or later, but if this version was not run to set permissions, your Unity may still be affected by this anomaly.

If you are unsure about which version of Permissions Wizard was run, Cisco recommends that you run the latest version of Permissions Wizard for your deployment prior to applying MS06-019.

DDTS

To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.

| DDTS | Description |
|---|---|
| CSCse80855 (registered customers only) | Unity can't connect to exchange server |

Tech Notes

A Cisco Tech Note has also been published for this issue:

Unity for Exchange Cannot Deliver Messages to Some Subscribers After MS06-019 is Installed

Revision History

| Revision | Date | Comment |
|---|---|---|
| 1.1 | 09-MAR-2007 | Completely replaced Problem Description, Problem Symptoms and Workaround/Solution sections. |
| 1.0 | 08-AUG-2006 | Initial Public Release |

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.