Assigning a Specific SNTP Server to ShoreTel Phones

It doesn’t come up often but occasionally you’ll find your phones aren’t getting the right information from your network’s time server. Some partners will set up the ShoreTel server as the SNTP server for your phones. I’ve been told this isn’t great practice anymore.

Your network may not be set up in a way that lets DHCP pass settings to your phones. This means you have to manually enter all your settings in each phone, right? Actually, no. Settings that are the same across all phones can be assigned with the text files on your ShoreTel FTP server.

One of those settings is which SNTP Server to use. You have to do this for each specific model of phone you use. I’ll show how to do this for a 230 phone and then share how to figure out which file goes to which kind of phone. I believe this can be done for a specific phone as well, but newer versions of ShoreTel may have changed this.

Fair warning. You can mess some settings up if you get this wrong. It’s not a bad idea to back up your C:\inetpub\ftproot directory.

Step 1 – Log into your ShoreTel server.

Step 2 – Open the folder C:\inetpub\ftproot – Back this folder up.

Step 3 – Look for a text file called “sevcustom.txt”

Step 4 – Add the line “SntpServer [IP Address of NTP Server]” without the quotes. The IP address of the NTP server can be the IP address of your primary domain controller, or theoretically an online NTP server, but this is not ideal.

Step 5 – Save the file.

Step 6 – Reset a 230 phone and see if it doesn’t pick up the correct time server now.

Step 7 – If it does, it’s a simple matter of resetting all the 230 phones on the network.

The first two or three numbers or letters of the custom.txt file name are the model number of a phone. Flip a ShoreTel phone over and look at the barcode on the back. Above the barcode it should read “IP TELEPHONE MODEL xxx”. The xxx part is the model of the phone. The 230s say SEV, the 560s say S6, and so on.

You could always just add the line to each custom file.

Another thing to look out for is in the shore_xxx.txt text files. There should be a line that says: Include "xxxcustom.txt". If it isn’t there, add it. You can also change this to another global custom text file with your edits.

Update 12/17/2014 – You can also name the files with the MAC address of a phone to put specific settings on individual phones. The text file needs to be named shore_xxxxxxxxxxxx.txt where the xx’s are the MAC address of the phone. The MAC address is the long “serial number” on the back of the phone under the bar code.
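The backup, the SntpServer edit and the Include check from the steps above, scripted in PowerShell so they can be repeated for every model's custom file. This is an added example, not part of the original post; the NTP address is a placeholder and ASCII encoding for the phone files is an assumption.

```powershell
# Added example, not from the original post. Run on the ShoreTel server.
$FtpRoot   = 'C:\inetpub\ftproot'   # folder named in the post
$NtpServer = '192.0.2.10'           # placeholder; use your internal time source

function Set-SntpServerLine {
    # Leave exactly one "SntpServer <ip>" line in a custom file (safe to re-run).
    param([string]$Path, [System.Net.IPAddress]$Server)   # rejects a mistyped IP

    $wanted = "SntpServer $Server"
    $lines  = @(Get-Content -LiteralPath $Path)
    # Drop every existing SntpServer line so a stale entry cannot linger.
    $kept   = @($lines | Where-Object { $_ -notmatch '^\s*SntpServer\b' })
    $old    = $lines.Count - $kept.Count

    if (($old -eq 1) -and ($lines -ccontains $wanted)) { return 'unchanged' }

    # Assumption: the phone configuration files are plain ASCII text.
    Set-Content -LiteralPath $Path -Value ($kept + $wanted) -Encoding ASCII
    if ($old -gt 0) { return 'replaced' } else { return 'added' }
}

function Test-CustomFileIncluded {
    # True when at least one shore_*.txt file has an Include line for the custom file.
    param([string]$Root, [string]$CustomName)

    $pattern = '^\s*Include\s+"' + [regex]::Escape($CustomName) + '"'
    $hits = @(Get-ChildItem -Path $Root -Filter 'shore_*.txt' |
              Select-String -Pattern $pattern)
    return ($hits.Count -gt 0)
}

# Step 2: back the folder up before touching anything.
$backup = "$FtpRoot.bak-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
Copy-Item -Path $FtpRoot -Destination $backup -Recurse

# Steps 3-5 for the 230 (sevcustom.txt); add other models' custom files to the list.
foreach ($name in @('sevcustom.txt')) {
    $path = Join-Path $FtpRoot $name
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "$name not found in $FtpRoot"
        continue
    }
    $result   = Set-SntpServerLine -Path $path -Server $NtpServer
    $included = Test-CustomFileIncluded -Root $FtpRoot -CustomName $name
    '{0}: SntpServer line {1}; Include line present: {2}' -f $name, $result, $included
}
```

A result of "Include line present: False" means the phones will never read the custom file, which is the case the paragraph about shore_xxx.txt describes.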

ShoreTel Active Directory Integration

Active Directory Integration is a really useful feature that the ShoreTel phone system makes available. I believe the feature was introduced in ShoreTel 9 or 10. This will let you tie a user to their Active Directory account. You want to do this if you can because it will allow you to make changes in Active Directory and the changes persist to the phones. It will also make adding new users a lot quicker.

Configuring Windows

Joining your ShoreTel server to your domain first is necessary. This goes against some conventional wisdom that ShoreTel used to put out. You might want to do this after hours as it will need at least one reboot.

Please note that the sub numbers are just notes on the step.

  1. Join your ShoreTel server to your domain.
    1. Make sure your server has a good descriptive computer name first. This helps a lot with DNS entries. Some partners don’t really set ShoreTel servers up with anything but a random name if they don’t join it to a domain. This will make setting up Communicator for new users so much easier, especially remotely as they only have to put in the server name.
  2. Open Active Directory Users and Computers. Find your ShoreTel server and right click on it and hit “Properties”.
    Click on the “Delegation” tab and select the radio button that says “Trust this computer for delegation to any service (Kerberos only)”. Click OK.
  3. Open Shoreware Director and log in as an administrator. If you named your ShoreTel server “SHORETEL” like I did you can go to http://shoretel/shorewaredirector.
  4. Go to System Parameters and click “Administrators” under Administrative Permissions. Make sure that you’ve got an administrator set up that isn’t tied to a Windows user. You’ll note in the picture we’ve got a public phone user and a fax server user on the list. You just need one and it has to be tied to an extension. The reason is if you have to log into ShoreTel from a non-administrative user’s computer you’ll need a non-AD login name to log in with.
  5. Now go into the “Other” section under System Parameters and scroll all the way to the bottom. Check the “Enable AD Integration” box. Fill in the AD Path box.
    1. It gives some suggestions on how to go about this. I tried them, and at least in our environment they didn’t work. I found that just putting in “LDAP://fqdn” worked perfectly. Yes, it will include everyone in your domain. I can’t come up with a scenario where this is a problem. You could include the entire forest this way.
  6. Click Save. If there are errors, it will tell you. The times I’ve done this it was usually a mistyped string in the AD Path field. Some of the errors will just mean you need to wait a few minutes for changes to propagate in AD.
  7. To enable auto-login to the Shoreware Director and to the Web Based Call Manager you need to make sure a few settings are enabled in IIS. My ShoreTel server runs on Server 2003, so I only have pictures for IIS 6, but I can post how to do this on 2008 if there’s interest.
    1. Open Internet Information Services Manager – This is under your Administrative Tools menu. You can get to this menu through Control Panel if it isn’t already on your Start Menu.
    2. Expand Web Sites -> Default Website
    3. Right click on ShorewareDirector and click Properties.
    4. Select the Directory Security Tab
    5. Click on the Edit button under “Authentication and Access Control”
    6. Make sure the “Integrated Windows Authentication” box is checked and hit OK. Hit OK on the Properties box too.
    7. Note that you may have to restart IIS. You can do this by clicking on the Server Name under the IIS Manager, select All Tasks and hit Restart IIS.
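The option selected in step 2 is unconstrained Kerberos delegation, so it is worth reading the setting back from Active Directory and seeing which other machines carry it. The following is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module is available and uses the server name “SHORETEL” from step 3.

```powershell
# Added example, not from the original post. Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-DelegationMode {
    # Report which option on the Delegation tab is in effect for a computer account.
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    $props = 'TrustedForDelegation', 'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo'
    $c = Get-ADComputer -Identity $ComputerName -Properties $props
    # Services the account may delegate to (empty unless constrained delegation is set).
    $targets = @($c.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

    if ($c.TrustedForDelegation) {
        $mode = 'Any service (Kerberos only): unconstrained'
    } elseif ($c.TrustedToAuthForDelegation) {
        $mode = 'Specified services only, any authentication protocol'
    } elseif ($targets.Count -gt 0) {
        $mode = 'Specified services only, Kerberos only'
    } else {
        $mode = 'Do not trust this computer for delegation'
    }

    [pscustomobject]@{
        Computer = $c.Name
        Mode     = $mode
        Services = $targets -join ', '
    }
}

# The phone server after step 2.
Get-DelegationMode -ComputerName 'SHORETEL'

# Every computer account with the "any service" flag (userAccountControl bit
# 0x80000 = 524288), leaving out domain controllers (primaryGroupID 516), which
# carry it by default. The phone server should be a known entry on a short list.
$filter = '(&(userAccountControl:1.2.840.113556.1.4.803:=524288)(!(primaryGroupID=516)))'
Get-ADComputer -LDAPFilter $filter | Sort-Object Name | Select-Object -ExpandProperty Name
```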

Adding Users With AD Integration

Adding a user is a lot simpler now. All you need to do is make a new user, click the “AD” user checkbox, add their domain user name (domain\username), and click the “Synch from AD” button. It will fill in most of their information. I typically only have to select the right extension, DID and what sort of license they use. I have noticed that sometimes you have to wait a bit for Active Directory to catch up. This only happened to me when entering an AD user from a different AD site than the one that the ShoreTel server was located in.

The coolest part of this now is that your users don’t have to remember a ShoreTel password for their Communicator when they set it up. All they have to do is put in the server name when they first run Communicator, and everything else is filled in for them. Doing this alone has reduced the time needed to set up a new user by about 20 minutes.


ShoreTel Dropped Calls – Some fixes

This is a quick post today. Recently we fixed a dropped call problem around here. I’d like to outline what actually caused the problem and how it was resolved.


I believe the initial cause was that I had upgraded to ShoreTel 12.1. If you take a look at you’ll see that they have a LOT of posts on how buggy this release was. The second problem we had only aggravated the first. We were having a lot of buggy faxes coming in and jittery phone calls.


ShoreTel support was pretty good at being able to figure out the problem, but had I noticed something I could have fixed it myself months ago.

First off, upgrade to 12.2. This will fix a lot of the dropped calls almost instantly.

As for the bad call quality, our problem was simply that if you manually set the ports on your network switch to 100/Full Duplex, the ShoreTel switch will guess that you really want “100/Half Duplex”, which will lead to massive packet loss on heavy traffic days.

So all you need to do is console into the ShoreTel switch and make sure that the port is set to “100/Full Duplex”.

If you need instructions on how to do this, the “Quick Install Guide” provided with most switches and online at If you go through the configuration menu for network settings you’ll be given the option to set the port to whatever you need.

I recommend against setting these to Auto unless you’re using Netgear switches on the network. Cisco switches and ShoreTel switches don’t particularly play nice together.

How to set up L2TP VPN in Cyberoam

If you need a super easy VPN that can be used without buying a software client like Cisco VPN Client, then L2TP is definitely the way to go. Windows 7, Vista and XP all have a built-in VPN client that can hook up to it. It’s a really good alternative to traditional IPSEC especially for your road warriors.

L2TP Connection Setup

  1. Log into your Cyberoam and click “VPN” on the left hand side.
  2. Select L2TP and fill in the blanks.
    1. The Local IP address should be the one corresponding to the LAN port on your Cyberoam.
    2. “Assign IP” should be a range of UNUSED IP addresses on your Local Network. I selected a range of 10. For example if through were not used for anything on your network and could be reserved for this, place those IP addresses in these fields.
    3. The DNS server blanks should be your internal network DNS servers so that your users can hit your internal servers without IP addresses. Please see the note below on client set up as I’ve run into a couple of issues with this.
    4. You can add a WINS server, but who uses WINS anymore?
  3. Once you’re done there click on save, then click the policy tab.
  4. You can use the Default L2TP policy, I know it works just fine.
    Capture of Cyberoam L2TP settings
  5. Select pre-shared key in the drop down and put in a good strong passkey for your connection. Cyberoam will typically recommend a simple number sequence for testing purposes and to ensure you confirmed it correctly on both ends. You can start out with something like “12345678” but please change this after you’ve tested it.
  6. The WAN port should be the internet facing IP address your users will be entering into Windows. Please note that if you don’t have a static IP address for your internet connection, you’ll need to use a dynamic DNS service or configure Cyberoam’s dynamic DNS service.
  7. I usually check the “Allow NAT Traversal” checkbox. This helps if your end users are behind a router somewhere.
  8. Set Remote LAN Network to “Any” as you might not know how the other end’s network is set up.
  9. Leave remote ID like it is.
  10. Leave the Quick Mode Selectors as default (it should look like the picture above), unless you know you need a different port.
  11. Click Save, and activate the connection.

L2TP users

I like using Active Directory Integration anywhere I can but for some reason the Cyberoam doesn’t like LDAP users authenticating to it over VPN. I might have a setting wrong, but I’ve never gotten this to work right anywhere I’ve installed one. If you have LDAP/AD integration set up, you’ll just need to add extra users in the Cyberoam for L2TP access. If you imported all your users manually then you can just go into the users you want to give access and select the L2TP enable box.

Setting Up Windows VPN

I assume Windows 7 for this. Vista directions are almost identical, XP should be easy to figure out. I would imagine Windows 8 uses the same basic wizard as Vista/7.

  1. Go into your network and sharing center and click “Set up a new connection or network”.
  2. Select “Connect to a Workplace” in the next window. Click Next.
  3. Select “Use my Internet Connection (VPN)”
  4. Type in the IP address you selected in step 6 when you set up the L2TP connection on the Cyberoam. You can also put a DNS name here if you want (Like if you use dynamic DNS or have a DNS record set up on the internet for this IP). Name the Destination. I also will typically select the “Allow other people to use this connection” if multiple usernames will be used on the target computer. Click Next.
  5. Put the username and password in on the next window. These are the Cyberoam user names. Again if you use LDAP you may or may not be able to use your normal Windows login credentials here. I typically don’t send the Domain if I set up Cyberoam specific usernames for this. Click Next.
  6. It will attempt to connect, but you want to skip that because you need to enter a pre-shared key into the Windows settings.
  7. Go back into Network and Sharing Center and click on “Change Adapter Settings”.
  8. You’ll see the VPN connection you just set up here. Right click on it and hit properties.
  9. Everything on the General Tab should be fine. Click on the Options tab. I typically uncheck “Send Windows Domain” since you are logging in with a Cyberoam account. Click on PPP Settings and make sure the bottom two boxes are unchecked.
  10. Click on the Security Tab. Change “Type of VPN” at the top to “L2TP”, this will save a LOT of login wait time. Click the Advanced button under the drop down and select “Use preshared key for authentication”. Enter the same key you put into the Cyberoam in step 5.
  11. Under Data encryption I will select “Optional Encryption” for testing purposes. Required encryption works fine though.
  12. Select “Unencrypted password (PAP)” under the allowed protocols. I usually just do this to test the connection, I take it off for production.
  13. Click the Networking tab. It’s a good idea to manually enter the DNS servers under the IPv4 properties. For some reason the DNS servers aren’t always transmitted to the client.
  14. Click OK.

You should be able to connect just fine. Remember you’ll need to test this outside your own LAN. The only problem I’ve had with this method is that the connection occasionally needs to be reset by de-activating and re-activating it under the L2TP connections tab in the Cyberoam. I wouldn’t use this for more than a few users.

The main reason you won’t be able to connect is if you typed the pre-shared key incorrectly. The second reason is usually an incorrect user/password combination. The third biggest reason is the connection needs to be reset as mentioned above. Also I’ve never been able to get more than one remote user per site to be able to connect successfully. So don’t do this and send teams of people to one place on a shared internet connection and expect them all to be able to connect.
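Steps 11 and 12 use optional encryption and PAP only for testing, so a check that those settings were taken off again is useful once the connection works. The following is an added example, not part of the original post; it assumes a client with the VpnClient PowerShell module (Windows 8 or later), and the sample connection object is constructed for illustration.

```powershell
# Added example, not from the original post. Get-VpnConnection comes with the
# VpnClient module (Windows 8 / Server 2012 and later); Windows 7 does not have it.

function Test-L2tpProfile {
    # Return findings for one object shaped like Get-VpnConnection output.
    param([Parameter(Mandatory = $true)]$Connection)

    $findings = @()
    if ($Connection.TunnelType -ne 'L2tp') {
        $findings += "Type of VPN is '$($Connection.TunnelType)', not L2TP (step 10)"
    }
    if ($Connection.L2tpIPsecAuth -ne 'Psk') {
        $findings += 'Pre-shared key authentication is not selected (step 10)'
    }
    if (@('Required', 'Maximum') -notcontains $Connection.EncryptionLevel) {
        $findings += "Data encryption is '$($Connection.EncryptionLevel)', a test setting (step 11)"
    }
    if (@($Connection.AuthenticationMethod) -contains 'Pap') {
        $findings += 'Unencrypted password (PAP) is still allowed, a test setting (step 12)'
    }

    [pscustomobject]@{
        Name     = $Connection.Name
        Ready    = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Constructed sample: a connection left exactly as steps 11 and 12 set it for testing.
$sample = [pscustomobject]@{
    Name                 = 'Office L2TP (constructed sample)'
    TunnelType           = 'L2tp'
    L2tpIPsecAuth        = 'Psk'
    EncryptionLevel      = 'Optional'
    AuthenticationMethod = @('Pap')
}

$connections = @($sample)
if (Get-Command Get-VpnConnection -ErrorAction SilentlyContinue) {
    # Per-user connections, plus those created with "Allow other people to use
    # this connection" (step 4), which are stored as all-user connections.
    $connections += @(Get-VpnConnection) + @(Get-VpnConnection -AllUserConnection)
}

foreach ($conn in $connections) {
    $r = Test-L2tpProfile -Connection $conn
    '{0}: production ready = {1}' -f $r.Name, $r.Ready
    $r.Findings | ForEach-Object { "  - $_" }
}
```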



ShoreTel Communicator Not Installing Properly – Fixes

If you’ve got a new ShoreTel system install, there are a few things that can go wrong with installing Communicator on people’s machines. Several problems I’ve run into are the following:

  • ShoreTel Communicator install isn’t writing the registry key. It seems to install fine otherwise.
  • Communicator fails midway through the installation.
  • Communicator demands to have .NET Framework 3.5 installed, but can’t download it.
  • Some other dependency won’t install.
  • Pushing Communicator out through Group Policy doesn’t work.
  • Pushing Communicator out through Desktop Authority (or similar software) doesn’t work.
  • Communicator asks for a password to install.

Most of these problems are not actually problems with ShoreTel Communicator, they’re security policy conflicts. Here’s how to remedy these 99% of the time.

  • Turn off UAC in Vista if you can. This is a big one, it screws up some older versions of the install package. Most of the stuff UAC controls, you can control with group policy. This assumes you have a domain.
  • Try to install Communicator from a local administrator account. Sometimes running it as Administrator won’t cut it, especially if you’ve got roaming profiles and such.
  • Do a Full Uninstall of Communicator. You must be logged in as an Administrator account. I use the local Administrator account when I do this for speed reasons. Here are the steps:

Step 1 – Uninstall Communicator the normal way. If this fails, just skip to the next step. If it succeeds, well you need to do the following steps anyway.

Step 2 – Delete the following folder: “C:\Program Files\Shoreline Communications”. Delete all of it. Use one of those disk wipe utilities if you have to. If ANYTHING is in here, this can cause the install to fail. If you see a Shoreline Teleworks folder here too, get rid of it.

Step 3 – Delete the following registry key: “HKEY_CURRENT_USER\Software\Shoreline Teleworks”. Usually you’ll find one under HKEY_LOCAL_MACHINE\SOFTWARE\Shoreline Teleworks. You may also see a “Shoreware Communications” or similar key. This is usually because of an older install on the computer. You shouldn’t see this with a brand new install.

Step 4 – Go into Control Panel and click on Phone and Modem. You may have to set this up; just enter an area code, the number 1, and the number 9 in the blanks.

Step 5 – Once you have the Phone and Modem thing set up, click on the Advanced tab and make sure to delete any entry here with “ShoreTel” in the name. Normally you will see one entry: “ShoreTel Remote TAPI Service Provider”. If you see two like this, that’s why ShoreTel isn’t installing right, or isn’t working right once installed.

Step 6 – Click OK and Reboot your computer.

Step 7 – Once you’ve done this, log back into the computer under the same local administrator account and re-install Communicator. It should install just fine.

Step 8 – Log into the user’s account, run ShoreTel again and let it finish setting up.

  • Sometimes it’s not Communicator or any security policies but a corrupt user profile. Remove the user profile and many times that will fix the problem as well.

I’ve found that if you get to step 8 of the “Full Uninstall” and it isn’t remembering settings, meaning it won’t write the registry values, you need to turn UAC off if at all possible. You may need to delete the ShoreTel registry keys from the current user as well. You might have to log back in as an administrator and load that user’s hive if your permissions don’t allow you to do this from their account.

A tool that can help is Privilege Authority from ScriptLogic. That’s cleared up a lot of problems for us. They have a free version that will help you solve this. There is a ShoreTel Communicator rule in the Community. If you have a 64 bit version of Windows you’ll need to alter the path of where it looks for the program (just add (x86) to the Program Files part of the path).

If you’re upgrading your ShoreTel installation you’ll get some similar problems to above. The Full Uninstall method will clear these up too. One odd problem I’ve found when pushing Communicator through Group Policy or Desktop Authority is that it doesn’t always uninstall the old version correctly. You’ll know this happens when you see two entries for ShoreTel Communicator, and one may or may not have the icon filled in. This requires you to do a Full Uninstall and then delete all the registry keys. After you’ve done this you’ll need a tool like CCleaner to remove any entries in Programs and Features.