Thursday, December 17, 2009 3:43 PM
Hi guys,
I am facing a strange problem in my setup. I have built a test environment using Windows Server 2008 as FE server and 2003 as Edge Server. Internally everything works fine. I am using 2 public IPs for the edge server:
1 Public IP x for access edge and web conf services
1 Public IP x for AV edge services
Edge server external interfaces are using GoDaddy UCC Certs. AV edge server is using an internal cert as explained in the deployment guide. The problem is external users cannot sign in using Communicator, but they can log in to their OCS-enabled IP phones (Snom) and they can call each other on the Snom phones, but there is no audio. I have disabled the firewall on all my test servers and tried that again, but no success.
When Communicator tries to sign in from a remote location it gives an error message, i.e. "There was a problem verifying certificate from the server":
Event Type: Error
Event Source: Communicator
Event Category: None
Event ID: 5
Communicator could not connect securely to server sip.provu-ocs.co.uk because the certificate presented by the server was not trusted due to validation error 0x80ee0065. The issuing certificate authority (CA) for the server's certificate may not be locally trusted by the client, the certificate may be revoked, or the certificate may have expired.
A tool like winerror.exe from the Windows Resource Kit or lcserror.exe from the Office Communications Server Resource Kit can be used in order to interpret the error code listed above. If you trust the server certificate, the issuing certificate authority (CA) certificate can be placed in the local trusted root certificate authorities certificate store. If you have logged into the server before without issues the network administrator should carefully examine the certificate if no known configuration changes have been made.
Can you please help me? Thanks.
Thursday, December 17, 2009 5:55 PM
Moderator
You may be using a certificate that is not supported in its current configuration; take a look at these related discussions to see if you have an error in your original certificate request process. I've also seen specific issues with some GoDaddy certificates based on key length and other variables when used with OCS.
You may also need to enable the root CA's certificate for "all purposes", as discussed in the last section of this blog article:
Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
Friday, December 18, 2009 9:44 AM
I have gone through Jeff's blog, which explains a lot, and I have enabled all purposes for the GoDaddy Root Certificate Authority, but still no joy. I can telnet to port 443 and 5061 etc. on my edge server without a problem. My AD / DNS server is 2003 x64, the FE server is 2008 x64 and the Edge server is 2003 x64.
One confusion from the above post is this bit:
"Your external edge interface needs to have the following SANs associated with it:
^These have to be as they are above
^These names have to be whatever you have assigned in the edge server configuration wizard.
I found that it was easiest to just tack on the role of each SAN to the end of ocsedge, so my entries were:
I thought the external interface should only have SANs such as the FQDN of the external interface, which in my case is sip.provu-ocs.co.uk, and I am trying to use the same cert for web conf as well, with web.provu-ocs.co.uk added to the SAN. But the above statement says that I have to put something like localserver.domain.com, which in my case is the same as the FQDN of the internal interface.
Also, in my GoDaddy SAN cert I have an additional SAN name, www.sip.provu-ocs.co.uk, which I didn't enter. Do you think it might create issues like this? I have tested this using the testocsconnectivity website and it passes the test for remote users. Confused ;(
Saturday, December 19, 2009 9:36 PM
Hi Muhammad & Jeff :)
When you open the link:
in Mozilla Firefox, you will get:
a pretty plain explanation of what's wrong with the cert. Even a self-signed one is better than a revoked one ;)
btw: feel free to contact me, in case you like to get a UC (SAN) certificate that you can really count on :)
Or simply check out our current one by opening https://sip.snom.com:443 in Mozilla Firefox and have a look at the SANs / FQDNs in the subject alternate name field.
Cheers and have a great Sunday,
Jan Boguslawski | Technical Product Manager - snom OCS Edition | MCITP: EA, MCTS OCS, MCTS EXCHANGE | snom technology AG, Berlin | www.snom.com | http://ocsphoneguy.blogspot.com
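As an added example (not code from anyone in this thread), the PowerShell script below does from a Windows client what Jan suggests doing in Firefox: it pulls the certificate the Access Edge presents, prints its SAN list, and builds the chain the way the Windows client does so that an untrusted root, an expired cert or a revoked one shows up as a named chain status. The host name and port are parameters; sip.provu-ocs.co.uk and 5061 are the values from the thread, and everything else is assumed.

```powershell
param(
    [string]$Hostname = 'sip.provu-ocs.co.uk',   # external Access Edge FQDN from the thread; replace with yours
    [int]$Port = 5061                            # Access Edge TLS port, the one tested with telnet above
)

# Accept whatever the server presents so it can be inspected; trust is evaluated separately below.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }

$tcp = New-Object System.Net.Sockets.TcpClient($Hostname, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($Hostname)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose()
    $tcp.Close()
}

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Valid   : $($cert.NotBefore) -> $($cert.NotAfter)"

# Subject Alternative Name extension (OID 2.5.29.17): the name Communicator signs in to must be listed here.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    "SANs    :"
    $san.Format($true)
    # Plain substring check; wildcard entries need to be reviewed by eye.
    if ($san.Format($false) -notmatch [regex]::Escape($Hostname)) { "WARNING : $Hostname is not in the SAN list" }
} else {
    "SANs    : (none - only the subject CN can match)"
}

# Build the chain as the Windows client does, including an online revocation check of the whole chain.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$trusted = $chain.Build($cert)
"Chain   : $(if ($trusted) { 'OK - trusted on this machine' } else { 'FAILED' })"
$chain.ChainElements | ForEach-Object { "          " + $_.Certificate.Subject }
# Each status names the reason, e.g. UntrustedRoot, Revoked, NotTimeValid or RevocationStatusUnknown.
$chain.ChainStatus | ForEach-Object { "  ! $($_.Status): $($_.StatusInformation.Trim())" }
```

Run it on the same machine where Communicator fails: a FAILED chain with UntrustedRoot means the issuing CA is missing from that machine's trusted root store, and Revoked means a new certificate is needed rather than any client-side change.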