
Configure Lync 4 Digit Extension Dialing without DIDs

Project Scope
Preparing for Deployment – Research and Education and Pricing
Deployment of Standard Server & Director Role
Deployment of Edge and Reverse Proxy
Deployment of Lync Voice Capabilities
Configuring Lync PSTN Calling thru Avaya IPOffice
Configure Lync 4 Digit Extension Dialing without DIDs
Configure Asterisk as a SIP Proxy for Avaya IPO and Lync
Deployment of Lync Client to users
Testing Configuration of Backup Registrar


This post isn’t in the planned sequence of documenting the Lync Deployment in this series, but I found the topic fairly frustrating and undocumented today so I decided to go ahead and post this now. Our primary location has DIDs for each extension, but our second campus only has a few POTS (Plain Old Telephone Service) lines, so there are no DIDs for each extension.

Lync Extensions without the use of DIDs (Direct Inward Dial)
When deploying Lync Enterprise Voice each user is configured with a SIP Address as well as a telephone Line URI.  In deployments where every extension has a DID the Tel URI can simply be the external DID number associated with that user.

When you make a 4 digit extension call internally, Lync uses your defined Dialing Rules and normalizes the number to the E.164 format. When dialing extension 5555, Lync would normalize it (because you have already configured this normalization rule) to +11235555555 for a US telephone number of (123) 555-5555 and route the call internally to the appropriate user. Since the call matches a Lync user, the call isn’t routed to the PSTN (Public Switched Telephone Network).


When a user doesn’t have a DID, you can also enter the user’s Tel URI with the extension added in the following format: +11235555555;ext=1234 where the main telephone number is (123) 555-5555 and the extension is 1234.


Even though you have created the user with the main number and extension you won’t be able to make 4 digit calls without adding additional dialing rules so the call can be completed.

To make calls to 4 digit extensions that do not have DIDs, go to Lync Server Control Panel > Voice Routing and select the appropriate Dial Plan. Once you are viewing the appropriate dial plan, choose New under “Associated Normalization Rules”. Give the new Rule a Name and Description. Then skip all the boxes for Starting Digits, Length, Digits to Remove and Digits to Add, go to “Pattern to match” and select Edit.



This example will allow dialing for 4 digit extensions starting with 12## associated with the main number (123) 555-5555
(extensions 1200-1299)
The Value for “Match this Pattern” is: ^(12\d{2})$
The Translation Rule is: +11235555555;ext=$1


After you save and Commit the Rules and they replicate to your Lync Clients you will now be able to dial 4 digit extensions that don’t have a DID.
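
The rule above can be previewed with the .NET regex engine and then created from the Lync Server Management Shell. This is an added example, not part of the original post: the rule name, description, sample Line URI and test numbers are constructed, and the rule is assumed to go into the Global dial plan.

```powershell
# Pattern and translation are the values given in this post.
$pattern     = '^(12\d{2})$'            # exactly four digits, 1200-1299
$translation = '+11235555555;ext=$1'    # main number plus the dialed extension

# Constructed sample: Line URI of a user on extension 1234 without a DID.
$lineUri     = 'tel:+11235555555;ext=1234'

function Convert-DialedNumber {
    param([string]$Dialed, [string]$Pattern, [string]$Translation)
    # Normalization rules are .NET regular expressions, so the same engine
    # can preview what a rule will produce before it is committed.
    if ($Dialed -match $Pattern) {
        return [regex]::Replace($Dialed, $Pattern, $Translation)
    }
    return $null   # this rule does not apply to the dialed string
}

# Constructed test input: in range, out of range, too long, too short.
foreach ($n in '1200', '1234', '1299', '1300', '12345', '123') {
    $e164 = Convert-DialedNumber -Dialed $n -Pattern $pattern -Translation $translation
    if ($null -eq $e164) {
        $note = '(no match)'
    } elseif ("tel:$e164" -eq $lineUri) {
        $note = "$e164  <- matches the sample Line URI"
    } else {
        $note = $e164
    }
    '{0,-6} -> {1}' -f $n, $note
}

# Only runs where the Lync cmdlets are available (Lync Server Management Shell).
if (Get-Command New-CsVoiceNormalizationRule -ErrorAction SilentlyContinue) {
    # Hypothetical rule name; 'Global' is assumed to be the dial plan in use.
    New-CsVoiceNormalizationRule -Parent 'Global' -Name 'Ext12xxNoDID' `
        -Description '4-digit extensions 1200-1299 behind the main number' `
        -Pattern $pattern -Translation $translation | Out-Null

    # Ask Lync itself what the committed rule does with a dialed extension.
    Get-CsVoiceNormalizationRule -Identity 'Global/Ext12xxNoDID' |
        Test-CsVoiceNormalizationRule -DialedNumber '1234'
}
```

The anchors `^` and `$` are what keep the rule from matching longer dial strings such as 12345, so the normalized result only ever lands on a Line URI in the 1200-1299 block.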


Communicator 13.1 adds Screen Sharing

I am a little behind the curve on this, but in the most recent update to Mac Office Communicator, Microsoft has added Desktop Sharing for the Mac clients. This is one of the last features that was in the Lync client that was still missing from Communicator for Mac.

For all the info on the update go here. To update the clients, kick off Microsoft Office Auto Update and it will download the new Lync client.

The one remaining feature missing… white boarding and PowerPoint sharing… but I can live without that for now.

Nearly Brilliant Insights

I came across an article this week that I have described to several as “Nearly Brilliant”. It is possibly one of the most well written and well articulated articles about “managing geeks” I have seen. While I don’t claim to have read every IT management article, this is one of the best I have read. I am always on the lookout to get better at what I do as well as lead the team I lead better. As a geek who manages geeks, I am always looking for insights to lead my team as well as improve how we serve our organization.

This article should be read by IT Pros as a look inward to make those natural hang-ups less of an issue and for those who manage IT Pros to understand a little more of why IT pros do what they do.

From “The Unspoken Truth About Managing Geeks”, found on ComputerWorld.com, written by Jeff Ello.


Understanding why IT pros appear to act the way they do makes working with, among and as one of them the easiest job in the world.

It’s all about respect
Few people notice this, but for IT groups respect is the currency of the realm. IT pros do not squander this currency. Those whom they do not believe are worthy of their respect might instead be treated to professional courtesy, a friendly demeanor or the acceptance of authority. Gaining respect is not a matter of being the boss and has nothing to do with being likeable or sociable; whether you talk, eat or smell right; or any measure that isn’t directly related to the work. The amount of respect an IT pro pays someone is a measure of how tolerable that person is when it comes to getting things done, including the elegance and practicality of his solutions and suggestions. IT pros always and without fail, quietly self-organize around those who make the work easier, while shunning those who make the work harder, independent of the organizational chart.

This self-ordering behavior occurs naturally in the IT world because it is populated by people skilled in creative analysis and ordered reasoning. Doctors are a close parallel. The stakes may be higher in medicine, but the work in both fields requires a technical expertise that can’t be faked and a proficiency that can only be measured by qualified peers. I think every good IT pro on the planet idolizes Dr. House (minus the addictions).

While everyone would like to work for a nice person who is always right, IT pros will prefer a jerk who is always right over a nice person who is always wrong. Wrong creates unnecessary work, impossible situations and major failures. Wrong is evil, and it must be defeated. Capacity for technical reasoning trumps all other professional factors, period.

Foundational (bottom-up) respect is not only the largest single determining factor in the success of an IT team, but the most ignored. I believe you can predict success or failure of an IT group simply by assessing the amount of mutual respect within it.

The elements of the stereotypes
Ego — Similar to what good doctors do, IT pros figure out that the proper projection of ego engenders trust and reduces apprehension. Because IT pros’ education does not emphasize how to deal with people, there are always rough edges. Ego, as it plays out in IT, is an essential confidence combined with a not-so-subtle cynicism. It’s not about being right for the sake of being right but being right for the sake of saving a lot of time, effort, money and credibility. IT is a team sport, so being right or wrong impacts other members of the group in non-trivial ways. Unlike in many industries, in IT, colleagues can significantly influence the careers of the entire team. Correctness yields respect, respect builds good teams, and good teams build trust and maintain credibility through a healthy projection of ego. Strong IT groups view correctness as a virtue, and certitude as a delivery method. Meek IT groups, beaten down by inconsistent policies and a lack of structural support, are simply ineffective at driving change and creating efficiencies, getting mowed over by the clients, the management or both at every turn.

The victim mentality — IT pros are sensitive to logic — that’s what you pay them for. When things don’t add up, they are prone to express their opinions on the matter, and the level of response will be proportional to the absurdity of the event. The more things that occur that make no sense, the more cynical IT pros will become. Standard organizational politics often run afoul of this, so IT pros can come to be seen as whiny or as having a victim mentality. Presuming this is a trait that must be disciplined out of them is a huge management mistake. IT pros complain primarily about logic, and primarily to people they respect. If you are dismissive of complaints, fail to recognize an illogical event or behave in deceptive ways, IT pros will likely stop complaining to you. You might mistake this as a behavioral improvement, when it’s actually a show of disrespect. It means you are no longer worth talking to, which leads to insubordination.

Insubordination — This is a tricky one. Good IT pros are not anti-bureaucracy, as many observers think. They are anti-stupidity. The difference is both subjective and subtle. Good IT pros, whether they are expected to or not, have to operate and make decisions with little supervision. So when the rules are loose and logical and supervision is results-oriented, supportive and helpful to the process, IT pros are loyal, open, engaged and downright sociable. Arbitrary or micro-management, illogical decisions, inconsistent policies, the creation of unnecessary work and exclusionary practices will elicit a quiet, subversive, almost vicious attitude from otherwise excellent IT staff. Interestingly, IT groups don’t fall apart in this mode. From the outside, nothing looks to be wrong and the work still gets done. But internally, the IT group, or portions of it, may cut themselves off almost entirely from the intended management structure. They may work on big projects or steer the group entirely from the shadows while diverting the attention of supervisors to lesser topics. They believe they are protecting the organization, as well as their own credibility — and they are often correct.

Credit whoring — IT pros would prefer to make a good decision than to get credit for it. What will make them seek credit is the danger that a member of the group or management who is dangerous to the process might receive the credit for the work instead. That is insulting. If you’ve got a lot of credit whores in your IT group, there are bigger problems causing it.

Antisocial behavior — It’s fair to say that there is a large contingent of IT pros who are socially unskilled. However, this doesn’t mean those IT pros are antisocial. On the whole, they have plenty to say. If you want to get your IT pros more involved, you should deal with the problems laid out above and then train your other staff how to deal with IT. Users need to be reminded a few things, including:

  • IT wants to help me.
  • I should keep an open mind.
  • IT is not my personal tech adviser, nor is my work computer my personal computer.
  • IT people have lives and other interests.

Like anyone else, IT people tend to socialize with people who respect them. They’ll stop going to the company picnic if it becomes an occasion for everyone to list all the computer problems they never bothered to mention before.

How we elicit the stereotypes
What executives often fail to recognize is that every decision made that impacts IT is a technical decision. Not just some of the decisions, and not just the details of the decision, but every decision, bar none.

With IT, you cannot separate the technical aspects from the business aspects. They are one and the same, each constrained by the other and both constrained by creativity. Creativity is the most valuable asset of an IT group, and failing to promote it can cost an organization literally millions of dollars.

Most IT pros support an organization that is not involved with IT. The primary task of any IT group is to teach people how to work. That may sound authoritarian, but it’s not. IT’s job at the most fundamental level is to build, maintain and improve frameworks within which to accomplish tasks. You may not view a Web server as a framework to accomplish tasks, but it does automate the processes of advertising, sales, informing and entertaining, all of which would otherwise be done in other ways. IT groups literally teach and reteach the world how to work. That’s the job.

When you understand the mission of IT, it isn’t hard to see why co-workers and supervisors are judged severely according to their abilities to contribute to that process. If someone has to constantly be taught Computers 101 every time a new problem presents itself, he can’t contribute in the most fundamental way. It is one thing to deal with that from a co-worker, but quite another if the people who represent IT to the organization at large aren’t cognizant of how the technology works, can’t communicate it in the manner the IT group needs it communicated, can’t maintain consistency, take credit for the work of the group members, etc. This creates a huge morale problem for the group. Executives expect expert advice from the top IT person, but they have no way of knowing when they aren’t getting it. Therein lies the problem.

IT pros know when this is happening, and they find that it is impossible to draw attention to it. Once their work is impeded by the problem, they will adopt strategies and behaviors that help circumvent the issue. That is not a sustainable state, but how long it takes to deteriorate can be days, months or even years.

How to Fix It
So, if you want to have a really happy, healthy and valuable IT group, I recommend one thing: Take an interest. IT pros work their butts off for people they respect, so you need to give them every reason to afford you some.

You can start with the hiring process. When hiring an IT pro, imagine you’re recruiting a doctor. And if you’re hiring a CIO, think of employing a chief of medicine. The chief of medicine should have many qualifications, but first and foremost, he should be a practicing doctor. Who decides if a doctor is a doctor? Other doctors! So, if your IT group isn’t at the table for the hiring process of their bosses and peers, this already does a disservice to the process.

Favor technical competence and leadership skills. Standard managerial processes are nearly useless in an IT group. As I mentioned, if you’ve managed to hire well in the lower ranks of your IT group, the staff already know how to manage things. Unlike in many industries, the fight in most IT groups is in how to get things done, not how to avoid work. IT pros will self-organize, disrupt and subvert in the name of accomplishing work. An over-structured, micro-managing, technically deficient runt, no matter how polished, who’s thrown into the mix for the sake of management will get a response from the professional IT group that’s similar to anyone’s response to a five-year-old tugging his pants leg.

What IT pros want in a manager is a technical sounding board and a source of general direction. Leadership and technical competence are qualities to look for in every member of the team. If you need someone to keep track of where projects are, file paperwork, produce reports and do customer relations, hire some assistants for a lot less money.

When it comes to performance checks, yearly reviews are worthless without a 360-degree assessment. Those things take more time than a simple top-down review, but it is time well spent. If you’ve been paying attention to what I’ve been telling you about how IT groups behave and organize, then you will see your IT group in a whole different light when you read the group’s 360s.

And make sure all your managers are practicing and learning. It is very easy to slip behind the curve in those positions, but just as with doctors, the only way to be relevant is to practice and maintain an expertise. In IT, six months to a year is all that stands between respect and irrelevance.

Finally, executives should have multiple in-points to the IT team. If the IT team is singing out of tune, it is worth investigating the reasons. But you’ll never even know if that’s the case if the only information you receive is from the CIO. Periodically, bring a few key IT brains to the boardroom to observe the problems of the organization at large, even about things outside of the IT world, if only to make use of their exquisitely refined BS detectors. A good IT pro is trained in how to accomplish work; their skills are not necessarily limited to computing. In fact, the best business decision-makers I know are IT people who aren’t even managers.

As I said at the very beginning, it’s all about respect. If you can identify and cultivate those individuals and processes that earn genuine respect from IT pros, you’ll have a great IT team. Taking an honest interest in helping your IT group help you is probably the smartest business move an organization can make. It also makes for happy, completely non-geek-like geeks.

Jeff Ello is a hybrid veteran of the IT and CG industries, currently managing IT for the Krannert School of Management at Purdue University. He can be contacted at jello@techoped.com.

MS Lync 2010–Deployment Prep

This is part two of the MS Lync Deployment Series:

Project Scope
Preparing for Deployment – Research and Education and Pricing
Deployment of Standard Server & Director Role
Deployment of Edge and Reverse Proxy
Deployment of Lync Voice Capabilities
Configuring Lync PSTN Calling thru Avaya IPOffice
Configure Lync 4 Digit Extension Dialing without DIDs
Configure Asterisk as a SIP Proxy for Avaya IPO and Lync
Deployment of Lync Client to users
Testing Configuration of Backup Registrar


Preparing for Deployment – Research and Education and Pricing
We started reviewing products that would fulfill the requirements of our project in late summer of 2010.  At that time most of the products we were reviewing were primarily video conferencing/voice providers.  The list included but wasn’t limited to: Skype, WebEx, Adobe Connect, ooVoo, TokBox, Windows Live Messenger, Microsoft Office Communications Server and some various locally hosted IM solutions.   While many would fit many of our requirements few would allow for centrally managed and deployed solutions.  Others wouldn’t fit the budget.

Many times we reviewed OCS but felt that it lacked many of the “WebEx” type web conferencing tools and was quite costly for IM and Presence.  Not to mention deployment appeared to be a fairly large undertaking.

Most “free” or low cost solutions had no integration points with our existing voice system, and/or deployment and management were extremely difficult on a scale past just a couple of computers. Example: Skype and ooVoo could both do video/voice, but deployment to the whole organization was nearly impossible even though the price was right (free or almost free).

In the early fall of 2010 MS Lync was on the horizon and better integrated many of the ‘lacking’ features of its predecessor OCS. Very quickly Lync was much more than IM and started to fit many of our criteria.

After attending the WinConnections conference in Las Vegas in November 2010 we had enough information to make a decision… Lync was the right tool for our organization.


Documentation/Tools/Resources for Learning about and Deploying Lync

Because Lync is a fairly young product I have documented the tools/resources that we have used as educational guides and deployment guides for Lync.  Because we started testing for our deployment in the fall of 2010 MS Lync was still in RC (Release Candidate) form.  Most of the documents can be applied to the RTM version and since then MS has released other resources… but here is a good list to start you off:


Previous: Project Scope
Next: Deployment of Standard Server & Director Role

MS Lync 2010 – Project Scope

This post is part one of our MS Lync Deployment.

Project Scope
Preparing for Deployment – Research and Education and Pricing
Deployment of Standard Server & Director Role
Deployment of Edge and Reverse Proxy
Deployment of Lync Voice Capabilities
Configuring Lync PSTN Calling thru Avaya IPOffice
Configure Lync 4 Digit Extension Dialing without DIDs
Configure Asterisk as a SIP Proxy for Avaya IPO and Lync
Deployment of Lync Client to users
Testing Configuration of Backup Registrar


Project Planning:

A significant project in the past several months has been researching and preparing to deploy an organization-wide instant messaging/presence and video conferencing solution. The need for such a solution has increased primarily because of our launch of a campus in Galesburg. While we are still only in the preparation stages of this campus opening, we have already seen the need for better connectivity between staff in two physical locations, which helped us define the list of requirements for this project.


  • Provide a toolset that allows intercampus communications via Instant Messaging, Video and Voice.
  • A product that is standardized and has enterprise level support.
  • A product that can be centrally managed and deployed across the organization
  • A product that fits in budget.
  • A product that can interact with various platforms, both OS and Communications Platform (primarily IM)
  • A product that can cohabitate with or eventually replace our Avaya IPOffice PBX
  • A product that can work with Analog POTS Lines, PRI Services and SIP Trunks
  • A tool that allows for staff connectivity (Voice/Video & IM) anywhere there is an Internet connection.


Next: Preparing for Deployment – Research and Education and Pricing

ACS CheckPoint Part 5: Configuring the M2sys Vein Scanning Client and ACS CheckPoint

This is the final post in a 5 part series of installing M2Sys Scanning and CheckPoint.

Part 1: Why Biometric?
Part 2: Why Vein Scanning?
Part 3: Installing M2sys Vein Scan Server & Configuring the Database
Part 4: Installing M2Sys BioPlugin Vein Scanning Client
Part 5: Configuring the M2sys Vein Scanning Client and ACS CheckPoint


The previous installation steps documented evaluating the type of scanning and installing the server and client. Now the final step remains: configuring the scanning client to connect to the database and work with ACS CheckPoint.

After you have confirmed that the server is operating correctly and you have connected the scanner and installed the driver you are ready to configure the client.

Workstation configuration MUST be done by a user who has local admin rights. A user with fewer rights can make the changes, but once the settings window is closed all changes are lost.

Since these workstations are public machines it is wise to make them as hardened as possible to prevent non-designed use of the workstation.

Configuring Client and Server Communications

The first step is accessing the settings portion of the application. 
This is done by clicking on the icon that looks like a finger print in the System Tray (near the clock). 



The Finger Scan application will display and you have two options: Fingerprint Admin or Settings. 
Selecting Settings allows us to configure the client.  FingerPrint Admin will be used later to capture scans.



Next you are prompted for the Admin Password, which by default is ‘Admin’.



If you are running the server application on a separate machine from the workstation you need to change the Server Address from localhost to the IP address or the DNS name of the server. 
Note: DO NOT use the Fully Qualified Domain Name. Enter only the Server Name, or the application will not connect.

While entering the server name choose how many scans the software will prompt you to capture.

Capturing two scans during registration allows the user to scan a finger on either hand.
Two fingers scanned is helpful for two reasons:

  • People forget which hand they registered; by capturing both hands this isn’t an issue.
  • When you capture two fingers, the user can try the second finger if the scan fails to look up the individual.



Next Select the Notifications Tab

Below are the Default Values



Changing how long the scan notification is displayed to a value lower than 5 has helped: when a person’s finger fails to scan for various reasons, the right side of the screen doesn’t fill up with failed scan alerts during the check-in process.



Next choose the Security Tab



The default is to require a password for Settings, exiting the application, and FingerPrint Admin.

We elected to turn off requiring the password for FingerPrint (Vein Scan) admin for several reasons:

  • You can only set one password, and we didn’t want to give the password to change settings to volunteers.
  • It becomes very cumbersome for the volunteers to have to enter a password for registration admin.
  • Volunteers who have access to the workstations that can capture scans don’t really need to be restricted from accessing the scan admin.



Testing Client and Server Communications

At this time the client application has been configured and can be tested to confirm the client and server are communicating.

Open the BioPlugin application from the SysTray



Select FingerPrint Administration



Enter the Member ID for a test. 
Later once CheckPoint is configured the Member ID is the individual barcode assigned to each person in the database.



Enter the Value of the Member ID.


Select the finger that you are scanning (the index fingers will be captured in the example below)
After selecting the finger “Click Here to Capture Finger Vein” and the application will go into capture mode.



Once the scanner is in Capture mode, the following screen will display until the scanner has captured a vein scan.  The individual being scanned should lay the finger completely across the scanner and rest the finger on both the front and back ‘finger rests’ in the scanner.  After the scan is captured you will be returned to the previous window.



After the scan has been captured close the FingerPrint Administration window.
Launch Notepad and scan one of the fingers captured for the test. If the system is working correctly, Notepad should display the value you used when registering the test user on the first line, and the cursor will move to the next line in the document.



Configure BioPlugin and CheckPoint

After completing the test scan, re-launch the settings window and select Destination Window Tab.



Right Click on “My Test Keystroke Destination” and choose Rename.



Enter Destination Name ‘CheckPoint’
This is not telling BioPlugin where to send the scan, simply naming the destination you are going to define.



Next Change the Window Title from ‘Notepad’ to ‘Checkpoint’
Note: Window Title value is case sensitive



Next choose the Startup Tab



It is helpful to the end user if you select several settings on this tab:

  • Load BioPlugin Snap-On when windows starts (for all users)
  • On Kiosks (self-service) choose Start Minimized
  • On Assisted Check-in/out locations it might be a helpful choice to not start minimized since these locations will be used to capture scans and it is helpful to have the application maximized for ease of use.
  • Select Launch another application after BioPlugin Loads and enter ‘c:\winacs\awcpkio.exe’



The BioPlugin client is now configured to work with Checkpoint. 

As the final step in configuring check-in via vein scanning, you must enable the setting ‘By scanning barcode’.

After the settings are complete restart the kiosk. After the reboot, you will be prompted to activate the software license.  You will need to login to the workstation as an Administrator to activate the software license.

  • If you purchased the licensing from ACS directly, contact support and provide support the Installation ID and they will activate the install and provide you with the Activation ID.  Enter this value and reboot the kiosk.

Once the client machine is configured, launch CheckPoint Express Check-In and start a session. Users can now scan their finger and CheckPoint will return the individual’s or family’s record for check-in.

Register CheckPoint users to Check-in With Biometrics

When registering users, Open both ACS Desktop (CheckPoint Tab>Check IN/Out) and BioPlugin FingerPrint Administration.

Look up the individual that you are registering.
Right click on the name of the person in the Individual List and select Copy BarCode



Go to FingerPrint Admin and Paste the barcode into the BioPlugin Screen and proceed with the registration process that was used in the testing scenario above.  Once the individual is registered they can immediately visit any other kiosk running Express Check-in and scan their finger and Check-in.



Optional Settings
If you would like for the Registration Admin to default to a finger other than the middle finger you can edit the client.ini file.  Since our first roll out of vein scanning was with Jr. High ministry we elected to change the default finger to the index finger.

Finger Print Scanning returns the best results when the middle finger is the print registered, and M2sys has indicated that the same holds for vein scanning.

Access the client.ini file by browsing to c:\program files\BioPlugin


Right Click on client.ini and choose Open.
Edit the line Default_LeftFinger=3 and change it to Default_LeftFinger=2
Edit the line Default_RightFinger=3 and change it to Default_RightFinger=2
Note: Thumb is = 1 and pinky is =  5



Previous Part 4: Installing M2Sys BioPlugin Vein Scanning Client

ACS CheckPoint Part 4 Installing M2sys BioPlugin Vein Scan Client

This post is post 4 in a series of 5 posts on ACS CheckPoint and M2Sys Biometric Scanning.

Part 1: Why Biometric?
Part 2: Why Vein Scanning?
Part 3: Installing M2sys Vein Scan Server & Configuring the Database
Part 4: Installing M2Sys BioPlugin Vein Scanning Client
Part 5: Configuring the M2sys Vein Scanning Client and ACS CheckPoint

Previously I documented our process of selecting hardware and software as well as installing the server, now I will document Installing & Configuring M2Sys Vein Scanning Client.

This part of the installation is to install the application that allows the scanner to work and talk to the database to recall a record and identify a person to the application (in our case CheckPoint).

As previously mentioned, the M2sys Vein Scanning and Fingerprint Scanning applications are two separate applications for the related technology. At the time of writing this documentation it is not possible to use vein and fingerprint scanners on the same computer concurrently, although I have been told by M2sys that a combined solution is in development to allow both scanners to be connected to the same workstation concurrently.

Note: Most steps are identical for Fingerprint Scanning Server and DB but Vein Scanning install requires a different installer than the BioPlugin for Finger Print Scanning.
Your mileage may vary depending upon your environment; do due diligence before following these procedures.

Installing M2Sys BioPlugin Client
After downloading the installer, running it on an XP, Vista, or Windows 7 workstation is fairly standard. This installer does not install the server application, and the software will not work without the proper install of the server application.

Do not connect the Scanner to the computer before starting the client install process.  Connecting the hardware prior to the client install can make the device driver install significantly more difficult.

Start the installer:



Agree to the Licensing Agreement



Enter your User and Organization Names



Choose your Installation Location
The Default is C:\Program Files\BioPlugin



Choose Install to confirm the installation configuration



Installation Continues without any additional user interaction



Click Finished when the Install is done.



After the installer finishes you are prompted to install the scanner



After you connect the scanner you may be prompted to locate the driver.



Hit Browse and navigate to C:\Program Files\BioPlugin\Drivers and locate the file HjmCap.sys
The file will be located in the Installation Destination that you chose earlier in the install process.







After you have located the driver the installation process is complete.

The next step is to configure the M2sys Vein Scanning Client and ACS CheckPoint.

Previous Part 3: Installing M2sys Vein Scan Server & Configuring the Database

Next Part 5: Configuring the M2sys Vein Scanning Client and ACS CheckPoint

Serving & Security Best Practices Web Event

Check out this web event Hosted by ACS Technologies.  Angus Davis has great insight on Volunteer and Children’s security and you should check out the web event. Register by clicking one of the options below. 



Note: NON-ACS Customers, when registering Enter “CITRT” as your ‘Site Number’.




ACS CheckPoint Part 3 – Installing Vein Server

Continuation of a series of posts on ACS CheckPoint and Biometric Scanning Part 3 of 5

Part 1: Why Biometric?
Part 2: Why Vein Scanning?
Part 3: Installing M2sys Vein Scan Server & Configuring the Database

Part 4: Installing M2Sys BioPlugin Vein Scanning Client
Part 5: Configuring the M2sys Vein Scanning Client and ACS CheckPoint

As previously mentioned in Part 1 & Part 2, we have deployed M2Sys’ products before and have some familiarity with the products.  Even with this familiarity there were a few areas that we had to work thru to get everything working.  Our specific install is unique since we will be deploying both Vein Scanning and Fingerprint Scanning on the same network.  At the time of writing this documentation, the two technologies are not compatible with one another and require separate installations for independent use.  Future updates are expected in the next few months that will allow for one Database install and one client install to support both types of scanning on the same workstation concurrently.  Until that is the case the Vein Scanning Database and Finger Print Scanning Databases must be accessed via two separate servers.

Installation of M2Sys BioPlugIn Vein Scanning Server and Database
Most steps are identical for Fingerprint Scanning Server and DB but Vein Scanning install requires a different installer than the BioPlugin for Finger Print Scanning.
Your mileage may vary depending upon your environment; do due diligence before following these procedures.

- Install OS on a new Server – Since almost all of our servers are virtual, isolation of applications is key.

- When using 2008 or 2008R2 as your server operating system disable UAC prior to starting the install of the M2Sys software.  If UAC is not disabled before install of M2sys the service will fail.
On Server 2008R2 disable UAC by going to Control Panel>User Accounts>Change User Account Control Settings and change the slider to “Never Notify”.

- Install M2sys BioPlugin Software
Note: When installing BioPlugin 6.6.1 on a 64bit server, the service will fail because the application is making a call to the Hitachi Driver, which is only 32bit at this time. Uninstalling and installing resolved this issue.

- After installation is completed you will notice a traffic light icon in the system tray

This icon only indicates if the service is running or not.  Administration of the BioPlugin is done in the control panel, not the Sys Tray icon or start menu.

Note: If you are using server 2008 or 2008r2 you will have to change the view of the Control Panel to Large or Small icons to view the BioPlugin control. BioPlugin does not display in any of the Category Groupings.

- After accessing the BioPlugin Server Preferences you will need to apply the license key.  Do this by navigating to the last tab, “License”.  If you purchased the scanners and software from ACS directly you will need to send your account manager the Installation ID and they will send back a License ID.  Enter the License ID and select Apply.

- After you have installed the software and applied the license key you can restart the server and BioPlugin should show green on the little traffic signal.  It is possible for the service to try to start and fail, in which case the green will go back to red.  This was the first indicator that we were having an issue with 6.6.1 not working on a 64bit server.

- Check that the service is actually running by going back into the Control Panel BioPlugin Server Preferences and clicking on View Core Server Log.  The log should display “Waiting for Client Request”. If the service is failing, the log file will either not display “Waiting for Client” or, when you click on View Core Server Log, nothing will happen because the log hasn’t yet been created.

Note: It is not stated anywhere in the documentation, but Cached Size: # is the number of registered users you have currently in the BioSnapOn Server.

- Once you know the service is working locally you have to decide to either keep the database on the server as an Access database, which M2sys says is ok for up to 10,000, or point the M2sys server to another database server like MySQL or MSSQL.  Because we already have a backup strategy in place for MSSQL databases and have a server running MSSQL 2008, it was best for our situation to use the MSSQL backend rather than the local Access database.
Note: In a testing environment the local database worked without any issue.

- If you are using a MSSQL database the next step is to create an empty database and user account for the BioPlugin server to use to connect to the database.  Because we already have our finger print scanning database in production we simply created a new database with the same name and added database–02 to the name.  In a dual database setup like ours it is important that the right BioPlugin server be pointing to the correct database or your biometric check-in will not be successful.  You define which database the BioSnapOn Server connects to in the DB string later in this process.

- After a blank database is created and the user account is set as the owner, you run a script to prepare the database for use by BioPlugin.  These scripts can be found in the location on the BioPlugin server where you installed BioPlugin (Default is C:\Program Files\BioPlugin).  Copy Tables-Script-SQL Server.sql for the MS SQL install locally to the SQL Server.  Select the database for the biometrics and execute the script.  Once this is done configure your backup of the database.  After the backup configuration is done the database is ready.

- Now that the database preparation is done, be sure the BioSnapon service is not running (make sure the traffic light is red).  Next, launch the BioSnapon Server Administration tool again and select the Microsoft SQL Server radio button on the Database Tab.  This will change the connection string to a template of a SQL connection string.

- Connecting the SQL database is a little annoying if you (like me) do not frequently work with MSSQL, but in the latest release the BioPlugin server help files give sample definitions for the connection string. You will next want to review the BioSnapOn Installation Help Guide found on the install CD in the Documentation folder.  Navigate to the Help file location: Installation>Database Configuration>SQL Server. This provides settings and options for using ODBC connection, SA and Windows Authentication.


- We had success with an MS SQL Server DSN-Less Connection with SQL Authentication and the following connection string. The values have been replaced with a description of the information that should be entered for each variable.
  User ID=SQL Account Created when you created the Database;
  Password=Password for the Account Created Above;
  Persist Security Info=False;Initial Catalog=Database Name for the Database you created above;
  Data Source=Name of the SQL Server to which you are connecting

- Apply the settings and restart the server.  After the restart your BioPlugin server should have a green light and the core server log should show “Waiting for Client Request”.
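
To check the connection string from the steps above independently of BioPlugin, the following added example (not part of the original post and not M2sys code) opens the database with the same keys and reports which database and login it landed in and whether the table script has been run. The server name and database name are hypothetical placeholders, and .NET's SqlClient is used here only for the test.

```powershell
# Added example, not M2sys code. Server and database names below are hypothetical.
$server   = 'SQLSERVER01'      # value you would enter for Data Source
$database = 'Biometrics-02'    # value you would enter for Initial Catalog

# Prompt for the SQL account so the password is not stored in the script.
$cred = Get-Credential
$net  = $cred.GetNetworkCredential()

# The builder quotes values correctly (e.g. a password containing ';' or '=').
$builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
$builder['Data Source']           = $server
$builder['Initial Catalog']       = $database
$builder['User ID']               = $net.UserName
$builder['Password']              = $net.Password
$builder['Persist Security Info'] = $false
$builder['Connect Timeout']       = 10

$conn = New-Object System.Data.SqlClient.SqlConnection($builder.ToString())
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    # Report the database and login in use, and count the tables visible to that login.
    $cmd.CommandText = @"
SELECT DB_NAME(), SUSER_SNAME(),
       (SELECT COUNT(*) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE = 'BASE TABLE')
"@
    $reader = $cmd.ExecuteReader()
    if ($reader.Read()) {
        $tables = [int]$reader[2]
        Write-Output ("Connected to database '{0}' as '{1}'; {2} table(s) present." -f $reader[0], $reader[1], $tables)
        if ($tables -eq 0) {
            Write-Warning 'No tables found: the table-creation script has not been run against this database.'
        }
    }
    $reader.Close()
}
catch {
    Write-Warning ("Connection test failed: " + $_.Exception.Message)
}
finally {
    $conn.Close()
}
```

In a dual database setup, run it once per BioPlugin server with that server's values; a zero table count or an unexpected database name means the string should be corrected before the service is restarted.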

Now you are ready to install and configure the BioSnapOn Client on the workstation, point it to the BioSnapOn Server and test scans.

Previous -  Part 2: Why Vein Scanning?

Next – Part 4: Configuring M2Sys Vein Scanning Client

ACS Checkpoint Part 2 Why Vein Scanning vs. Print Scanning

Part 2 of 5

Part 1: Why Biometric?
Part 2: Why Vein Scanning?
Part 3: Installing M2sys Vein Scan Server & Configuring the Database

Part 4: Installing M2Sys BioPlugin Vein Scanning Client

Part 5: Configuring the M2sys Vein Scanning Client and ACS CheckPoint

In the past year we have learned a lot about biometrics and our check-in system, and I have had people ask me multiple times a great question, “Would you do it again?”.  They are really asking whether we would use finger print scanners as a key component of our check-in system, and I would reply, Yes.  The finger print scanning has been successful in addressing the two areas of concern we saw in the other flavors (bar code, key fob, number/name lookup) of check-in: Security and Speed.  The finger scanning has allowed us to have check-in remain secure, limiting the use to families who had followed the registration process, and allows them to do it in a process that takes less than 15 seconds per family.  A major positive of the finger scanning over other scanning solutions is that the speed isn’t dependent upon the end user remembering to bring a key tag or key fob with them to church.

Even saying Yes to that question doesn’t mean we haven’t learned things over the past year or haven’t modified the configuration. We have learned that finger print scanning is dependent upon indoor and outdoor temperatures, humidity, dry skin, etc.  The quality of the scan is affected by more environmental variables than we expected.  A second learning point was paying attention to the scans captured at pre-registration.  This process is much more important than we originally thought.  If attention to detail was paid at the pre-registration process then the success rate increased exponentially.  And finally, we were affirmed in our thought that there would be some people not able to use the biometric system because they just didn’t have “good” fingerprints.  So with the environmental variables and the fact that some people couldn’t use the biometrics we had to identify a workaround, which was allowing people to check-in by pager number. This is not the security number printed on the child’s tag but rather the number that is used to alert families that the DLand staff need them to come get their child.  Allowing check-in via pager number did have a negative impact on speed, and people do forget their number.

So when it was time to start planning our rollout of Jr. High and Sr. High check-in we decided to put all options back on the table.  Our team came to the conclusion that if we could make finger scanning more reliable it was still the best option.  This planning was happening concurrently to the release of a new product by M2Sys called Vein Scanning.

Vein Scanning works under the principle that the vein alignment in your fingers is as unique as your finger prints, allowing you to be identified in a system without the environmental and “good” print concerns noted above.  The Scanner uses infrared to ‘see’ the vein alignment in your finger and allows the software to translate that alignment into a string of numbers that can be called back to identify you after you have pre-registered.

The solution sounded good but needed to be tested.  We contacted ACS and asked if we could put the scanner thru some testing and they provided a demo for us.  Our testing showed the Vein scanners to be much higher in accuracy no matter the variables.

So why not vein scanning in the first launch a year ago?  The products weren’t available a year ago in the capacity they are now.

Will you be migrating your finger print users to vein scan users?  Not at this time. Currently the two technologies are not able to be used concurrently on the same workstation, and migrating would require a mass re-registration process for over 1250 individuals.

Will you possibly migrate everyone to vein scanning?  Once the converged product allowing both types of scanning at one workstation is available (12 weeks) we might explore this option.

Previous Part 1: Why Biometric?
Next Part 3: Installing M2sys Vein Scan Server & Configuring the Database