Remote Users cannot login - Cannot Sign in because the Server is temporarily unavailable

    Question

  • Hi Guyz,

    I am stuck on a problem. I have set up an OCS environment in the office and it's working fine internally. I made it work externally as well, but using an internal CA. I had to import the internal root CA to remote users to make it work. But recently I bought a certificate from GoDaddy and successfully assigned it to our access edge interface. But after that remote users are unable to sign in.

    I am using a consolidated topology. My edge server is installed inside the domain and not as a workgroup. My domain is pro.co.uk and my access edge server FQDN is sip.pro.co.uk. The certificate subject name is sip.pro.co.uk. I have added 2 records in my external DNS, which are _federationtls pointed to sip.pro.co.uk and _sip_tls pointed to 443, as stated in the Microsoft documentation.


    When logging in from a remote client I get the following error message:

    Log Name:      Application
    Source:        Communicator
    Date:          21/11/2009 21:00:10
    Event ID:      3
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      laptop
    Description:
    Communicator was unable to resolve the DNS hostname of the login server sipexternal.pro.co.uk.
     
     Resolution:
     If you are using manual configuration for Communicator, please check that the server name is typed correctly and in full.  If you are using automatic configuration, the network administrator will need to double-check the DNS A record configuration for sipexternal.pro.co.uk because it could not be resolved.

    Log Name:      Application
    Source:        Communicator
    Date:          21/11/2009 21:00:09
    Event ID:      3
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      laptop
    Description:
    Communicator was unable to resolve the DNS hostname of the login server sipinternal.pro.co.uk.
     
     Resolution:
     If you are using manual configuration for Communicator, please check that the server name is typed correctly and in full.  If you are using automatic configuration, the network administrator will need to double-check the DNS A record configuration for sipinternal.pro.co.uk because it could not be resolved.
    21 November 2009 21:21

Answer

  • Hi,

    Sorry, I have left this question in the wrong forum place. The above request is coming in on my working edge server. I have set up 2 test servers, one using internal root certs and one using an external root cert for the Access Edge server. The above response comes on the server which is fully functional. All clients can log in after importing the internal certs. But this error message keeps on coming up in the event viewer. pbx.provu.com is my test PBX.
    • Marked as Answer by MuhammadBajwa 15 December 2009 12:20
    04 December 2009 9:38

All Replies

  • I don't think you've created your DNS entries correctly:

    > set q=srv
    > _sip._tls.pro.co.uk

    *** can't find _sip._tls.pro.co.uk: Non-existent domain


    It should look like this:

    > set q=srv
    > _sip._tls.microsoft.com

    Non-authoritative answer:
    _sip._tls.microsoft.com SRV service location:
              priority       = 0
              weight         = 0
              port           = 443
              svr hostname   = sip.microsoft.com

    sip.microsoft.com       internet address = 131.107.106.16

    In fact, I don't even see the A record for your Access Edge:

    > set q=a
    > sip.pro.co.uk

    *** can't find sip.pro.co.uk: Non-existent domain

    It looks to me like your DNS entries are not set up properly.


    Mike Stacy | Evangelyze Communications | http://www.evangelyze.net/cs/blogs/mike
    23 November 2009 4:07
    Moderator
  • Hi Mike,

    Sorry, I didn't put the actual domain name. The actual domain name is provu-ocs.co.uk and it works just fine. You can try pinging it. I have 2 public IPs working on my Edge server. One is for the Access Edge server and web conf and the other is for AV. Both are pingable. Can you please try provu-ocs.co.uk instead of pro.co.uk and let me know if you find something interesting?
    23 November 2009 9:23
  • Ok, that works.  I tried a quick federation test and got a TLS error, which indicates a problem with your access edge certificate.  This would affect your end users as well.  Which certificate vendor did you use to create the certificate?

    TL_ERROR(TF_CONNECTION) [0]0764.0AFC::11/23/2009-15:28:08.748.02e3c6e5 (SIPStack,SIPAdminLog::TraceConnectionRecord:SIPAdminLog.cpp(157))$$begin_record
    LogType: connection
    Severity: error
    Text: Outbound TLS negotiation failed
    Local-IP: <removed>
    Peer-IP: <removed>
    Peer-FQDN: sip.provu-ocs.co.uk
    Connection-ID: 0x6ABAC00
    Transport: TLS
    Result-Code: 0x80090325
    $$end_record

    Mike Stacy | Evangelyze Communications | http://www.evangelyze.net/cs/blogs/mike
    23 November 2009 15:31
    Moderator
  • Mike,

    I think I know the answer to that. The reason it's giving you this error is that I have put my internal CA back and removed the GoDaddy certificate. The above message is received when I put in the GoDaddy certificate.

    GoDaddy certificate subject name is: sip.provu-ocs.co.uk
    My external domain name is: provu-ocs.co.uk (this is the domain where I put all my external DNS configs)
    and my SIP domain is provu-ocs.co.uk

    I can try reassigning the GoDaddy certificate to the external edge server again if you want to test something. I am currently federated with a remote branch but, as I said, I had to import my internal root CA for that.
    23 November 2009 16:22
  • Be aware that XP systems do not have the GoDaddy root installed by default.  You'll need to update the root certs using the links found at the following link:  http://support.microsoft.com/default.aspx/kb/931125.
    Mike Stacy | Evangelyze Communications | http://www.evangelyze.net/cs/blogs/mike
    23 November 2009 17:22
    Moderator
  • Hi Mike,


    I have tried updating the root certificate on my Vista machine with the GoDaddy certificate installed on my Edge server but it's not working. I am not sure what the reason would be; I guess I have to troubleshoot it in detail.

    Is there a possibility that some internal cert might be causing this problem? When I install this GoDaddy cert the internal cert is already installed and assigned to the external edge server. Please note that the edge server is installed inside the domain.

    25 November 2009 15:31
  • Hi
    Per your description, your operation seems correct; you made a successful test when you used a cert issued by the internal CA, right?
    So, I think it is impossible that it is caused by the internal cert. About setting up certificates for the external interface, you can refer to the link below:
    http://technet.microsoft.com/en-us/library/dd441368(office.13).aspx

    I have run into an issue that looks the same; it was caused by the cert's public CA. Microsoft works with CAs in order to make sure that Microsoft Office Communications Server customers can obtain the certificates that they require for Communications Server servers. There are some public CAs that MS suggests; you can refer to the link below:
    http://support.microsoft.com/kb/929395

    Note, it is not a good deployment to set the edge server inside the domain, for security; you can refer to the links below for some more information.
    http://technet.microsoft.com/en-us/library/dd441152(office.13).aspx
    http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=70
    http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=79
    http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=c930febb-3a44-4bf3-969d-1c52675a7063

    Regards!
    Gavin

    27 November 2009 2:32
    Moderator
  • Hi Gavin,

    Thanks for your help. I am still unable to resolve this issue. I have bought a GoDaddy UCC certificate with SN: sip.provu-ocs.co.uk and successfully assigned it to the access edge server interface. After successfully assigning the certificate I am once again stuck. There are two records for SAN, one added by me, which is web.provu-ocs.co.uk, and the other one is www.sip.provu-ocs.co.uk. I don't know why it keeps on showing the www bit in the SAN name. But the end result is that if I use Communicator it gives me the error *There is a problem verifying certificate from the server ...* and if I use Pidgin (open source and has a Communicator plugin) it gives me an SSL read error. Does anyone know how to resolve this?

    I have gone through the procedure as stated in Jeff's blog but no success yet. I am this close to completing and yet not done. :(
    30 November 2009 13:10
  • Hi,
    It seems the problem is related to the cert.
    So, please make sure you have issued the cert to the edge server correctly, and make sure you have imported the root cert on the client machines correctly.
    You can refer to the link below:
    http://technet.microsoft.com/en-us/library/dd441368(office.13).aspx
    Do you manually set the external server name as sip.provu-ocs.co.uk?
    So, you should make sure your external client connects to the correct server name, which matches the cert SN.
    You can also check the uccp log on the client.
    There are usually odd issues with GoDaddy certs, as far as I know.
     
    Regards!
    Gavin
    01 December 2009 11:18
    Moderator
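
Added example, not part of any post in this thread: it checks the names quoted above the way an RFC 6125-style client would, where DNS entries in the SAN list are used instead of the subject CN. That matching rule is an assumption about the client, and the SRV target is assumed to be the Access Edge FQDN sip.provu-ocs.co.uk.

```python
# Added example. Names and certificate fields are the ones quoted in the thread;
# the RFC 6125-style matching rule is an assumption about the client.

def expected_srv_names(sip_domain):
    """SRV owner names seen in this thread, built for a given SIP domain."""
    return {
        "remote_user": f"_sip._tls.{sip_domain}",
        "federation": f"_sipfederationtls._tcp.{sip_domain}",
    }

def name_matches(pattern, host):
    """Compare label by label; '*' is honoured only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def names_checked(subject_cn, san_dns):
    """When DNS SAN entries exist they replace the subject CN, they do not add to it."""
    return list(san_dns) if san_dns else [subject_cn]

def cert_covers(host, subject_cn, san_dns):
    return any(name_matches(n, host) for n in names_checked(subject_cn, san_dns))

def preflight(srv_target, subject_cn, san_dns):
    """Return findings for the host a client connects to; empty means covered."""
    if cert_covers(srv_target, subject_cn, san_dns):
        return []
    if san_dns and name_matches(subject_cn, srv_target):
        return [f"{srv_target} is the subject CN but is absent from SAN {sorted(san_dns)}"]
    return [f"{srv_target} is not named anywhere in the certificate"]

# Constructed test case from values quoted in the thread; srv_target is assumed
# to be the Access Edge FQDN.
THREAD_CASE = dict(
    srv_target="sip.provu-ocs.co.uk",
    subject_cn="sip.provu-ocs.co.uk",
    san_dns=["web.provu-ocs.co.uk", "www.sip.provu-ocs.co.uk"],
)

if __name__ == "__main__":
    print(expected_srv_names("provu-ocs.co.uk"))
    for finding in preflight(**THREAD_CASE) or ["certificate covers the SRV target"]:
        print(finding)
```
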
  • The certificate has been issued as described in the Edge server documentation. In Communicator I have tried automatic configuration as well as manual configs but no success. I am still very confused why it's not working. I have checked the edge server event viewer and the message below is the error message I am getting repeatedly.



    Event Type:    Error
    Event Source:    OCS Protocol Stack
    Event Category:    (1001)
    Event ID:    14504
    Date:        02/12/2009
    Time:        10:33:26
    User:        N/A
    Computer:    EDGE
    Description:
    A significant number of DNS queries have been requested for _sipfederationtls._tcp.pbx.provu.co.uk, but this query does not resolve. This has occurred 283 times in the last  180 minutes. There have been 4191 errors in total.
    Resolution:
     For SRV queries, this indicates that a significant number of users are interested in communicating with users in the identified domain. The owner of the domain must enable it for federation and your infrastructure must be configured for federation. For DNS A queries, this indicates that a specific server's IP address cannot be found in the DNS. If this is a server in one of your administered domains then please correct this issue.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    02 December 2009 12:52
  • Hi
    Did you discover the "_sipfederationtls._tcp.pbx.provu.co.uk"?
    It seems to request a wrong DNS lookup; please ensure your remote client connects to the correct server name and has the correct cert installed.
    In my opinion, you'd better check your scenario according to the above replies.

    Regards!
    gavin
    04 December 2009 8:46
    Moderator