25 February 2008 17:36
Can anyone help?
We have a working OCS + Ex2k7 UM solution. (OCS is RTM and fully patched, Ex2k7 is SP1 and fully patched.)
Everything works as expected; however, after a seemingly random period of inactivity the UM service stops working and calls from OCS do not work.
On the Ex2k7 UM server the following event is logged:
Event Type: Warning
Event Source: MSExchange Unified Messaging
Event Category: UMService
Event ID: 1113
The Unified Messaging server failed to exchange the required certificates with an IP gateway to enable Transport Layer Security (TLS) for an incoming call. Check that this is a configured TLS peer and that the correct certificates are being used. More information: A TLS failure occurred because the target name that was specified in the certificate is incorrect. The error code was "1" and the message was "Incorrect function".
If we then re-start the UM service everything works fine again.
I've checked the certificates on both servers which are simply autoenrolled computer certs from our internal CA.
There doesn't seem to be any other diagnostic information I can find.
The event above is less than useful since the 'target name' on both certificates is definitely correct. If they were incorrect then surely it wouldn't work at all!
I've just re-built the UM server using the /recoverserver switch and we get the same problems.
Has anyone seen this?
Thanks in advance for your help.
09 March 2008 23:22
You must verify that Exchange UM is configured with the correct certificate.
You can see an event in the Eventlog that says which certificate Exchange UM uses.
Set the correct certificate for UM.
13 May 2008 16:25 Moderator
Did you ever find a solution to this? I have an environment experiencing the same issue. I have a trusted internal cert with the FQDN of the server assigned to UM and SMTP and a second public cert assigned to all the other roles. After about a day I get a TLS failure from OCS. A restart of UM fixes the problem temporarily.
13 May 2008 18:41
Sorry but we're still getting the same issue.
The environment this is happening on does not have live users so it's not been a priority to fix this.
I haven't had much time recently to fix it either...
I need to try the latest update rollup and see if that resolves it?
My last thoughts on this were that it could be the certificate services template; we're not using a default one.
Have you made any alterations to the certificate template you're using for either server?
Post here if you get a resolution!
15 May 2008 14:39 Moderator
We put the rollup on over the weekend and it made no difference. We are using an unmodified template for our UM certificate.
26 May 2008 1:46
Hello, we had the same issue here. Restarting the UM service during the day was not an option, so we decided to connect ExUM directly to our IP-PBX. It was some time ago.
But I remember a strange error message on the ExUM server. It was a warning or error about the "IP-Address of the OCS2007 server is missing in the certificate..." (PlayOnPhone was also impossible to Communicators and quoted with the same error/warning in the UM log - WITH ACTIVATED EXPERT-LEVEL UM-LOGGING.)
Adding an IP address as a SAN to the certificate did not seem logical to me at the time. Maybe this will stop the TLS error. Sorry, but I can't test it anymore, because it is a productive system.
Please try to enable logging on UM-Server to EXPERT level on all UM-parts, like described here:
Maybe you will find the strange certificate / IP-Address Error / Warning too, when using PlayOnPhone to Communicators or by calling ExUM-Pilot or during a normal work-day with the TLS failure.
27 May 2008 22:39
Adding the IP address in the cert will not help you.
But make sure that the UM Gateway configured in the Exchange environment connects to the FQDN of the OCS Server and that the FQDN is in the cert.
28 May 2008 19:51 Moderator
Like Jan, I can also confirm that this does not impact the PBX <-> UM integration, only OCS <-> UM.
My suspicion is that this has to do with using multiple certificates. In my case there is an Entrust certificate for public facing services (SMTP, OWA, etc.) of mail.domain.com and an internal certificate for UM for the internal FQDN of the server. The behavior seems like Exchange starts to present the wrong certificate to OCS. However, when you check the UM folder the correct certificate is there.
It's just a theory - I can't find a way to determine which certificate is actually being presented to OCS at the time of the failure.
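The configuration checks suggested in the replies above (which certificate is enabled for UM, and whether the UM IP gateway points at an FQDN), as an added example that is not part of any post in this thread. It assumes it is run in the Exchange Management Shell on the UM server, and it reports configured state only: it does not capture the certificate actually presented during a failing handshake, and the OCS certificate has to be inspected separately on the OCS server.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell
# on the UM server. Output property names (AddressIsFqdn, CoversServerFqdn,
# Expired) are labels chosen for this example.

# FQDN of this UM server, as resolved by DNS.
$umFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. UM IP gateways: the thread's advice is that the gateway address be the
#    FQDN of the OCS server (and that this FQDN appear in its certificate),
#    so flag any gateway whose address is an IP literal or a short name.
Get-UMIPGateway | ForEach-Object {
    $addr = "$($_.Address)"
    $ip   = $null
    $isIp = [System.Net.IPAddress]::TryParse($addr, [ref]$ip)
    New-Object PSObject |
        Add-Member NoteProperty Gateway $_.Name -PassThru |
        Add-Member NoteProperty Address $addr -PassThru |
        Add-Member NoteProperty AddressIsFqdn ((-not $isIp) -and $addr.Contains('.')) -PassThru
} | Format-Table -AutoSize

# 2. Certificates: list every certificate Exchange knows about, which
#    services it is enabled for, and whether its names cover this server's
#    FQDN. With more than one certificate installed (internal plus public),
#    only the one whose Services value includes UM should be used for UM.
Get-ExchangeCertificate | ForEach-Object {
    $names = @($_.CertificateDomains | ForEach-Object { "$_" })
    New-Object PSObject |
        Add-Member NoteProperty Thumbprint $_.Thumbprint -PassThru |
        Add-Member NoteProperty Services "$($_.Services)" -PassThru |
        Add-Member NoteProperty EnabledForUM ("$($_.Services)" -match 'UM') -PassThru |
        Add-Member NoteProperty CoversServerFqdn ($names -contains $umFqdn) -PassThru |
        Add-Member NoteProperty Expired ($_.NotAfter -lt (Get-Date)) -PassThru |
        Add-Member NoteProperty Names ($names -join ', ') -PassThru
} | Format-List
```

Running it once while calls work and again right after event 1113 is logged shows whether the certificate-to-service assignment changed between the two states.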