OCS Edge server - Office Communicator not able to log on from outside
-
22 October 2009 13:52
Dear all
In the test lab I am trying to set up OCS for the real environment.
With the help of this forum I have completed the installation. The setup is:
Outside PC Communicator -- Router/External DNS -- Edge Server -- switch -- Front End Server, DC/Internal DNS, Exchange, Inside PC Communicator.
Outside PC Communicator IP address: 192.168.156.2, gateway & DNS = 192.168.156.4 -- goes to 192.168.156.4 / 192.168.155.4 (the router's two NIC addresses) -- 3 links towards the Edge external interfaces: 192.168.155.1 (Access Edge), 192.168.155.2 (Web Conferencing), 192.168.155.1 (A/V Edge Server)
I have configured a gateway only on the Access Edge interface: 192.168.155.1, 255.255.255.0, 192.168.155.4.
On the A/V and Web Conferencing interfaces I have not configured a gateway, and all ports are open on the outside network.
On the Edge server I have one more LAN card (inside) which goes to the OCS network.
Internally I can do voice calls, chat and voicemail; everything is working. After installing the Edge server I ran "Validate Edge server" with 2 users and it works perfectly.
On the outside external DNS I have created A records for SIP.KIN.COM, AV.KIN.COM, WEBCONF.KIN.COM and an SRV record _sip._tls.kin.com: 443 = sip.kin.com, and there is no issue with the certificate.
Now the problem is:
From the outside PC Communicator, when I open Communicator - Options - External server = sip.kin.com:443, TLS selected,
I try to log on with user1@kin.com; it takes some time but I get the message
"Cannot sign in because the server is temporarily unavailable. If the problem persists, contact your system administrator."
I can "telnet sip.kin.com 443" and it opens a blank window, which proves it is working. I just want to log on from the outside PC Communicator and make voice calls. For this:
1. Do I need the A/V server and Web Conferencing server? I think it is not necessary?
2. Please help me with why the users cannot log on when all ports are open.
-
22 October 2009 19:18
Did you enable remote user access?
-
23 October 2009 8:13
To access via the outside PC Office Communicator, do you need the A/V and Web Conferencing server?
When I set up the Edge server, I got 3 options in user settings:
Allow remote user access to your network = selected
Allow anonymous users to join meetings = selected
Allow users to communicate with federated contacts = I cannot select it because it is greyed out.
Federation settings
Enable federation = selected | Allow discovery of federation partners = selected | Federation with selected public IM providers - MSN - Yahoo - AOL = all are selected.
But after that I see the results:
Access Edge Server: Activated
Web Conferencing Edge Server: Activated
A/V Edge Server: Activated
Internal interface IP address: 192.168.152.26
Internal interface FQDN: edgesvr.ocsr2.kin.com
Internal interface port for Access Edge Server: 5061
Internal interface port for Web Conferencing Edge Server: 8057
Internal interface port for A/V Conferencing Server: 443
External interface IP address for Access Edge Server: 192.168.155.1
External interface FQDN for Access Edge Server: sip.ocsr2.kin.com
External interface federation port for Access Edge Server: 5061
External interface remote access port for Access Edge Server: 443
External interface IP address for Web Conferencing Edge Server: 192.168.155.2
External interface FQDN for Web Conferencing Edge Server: webconf.ocsr2.kin.com
External interface port for Web Conferencing Edge Server: 443
External interface IP address for A/V Edge Server: 192.168.155.3
External interface FQDN for A/V Edge Server: av.ocsr2.kin.com
External interface port for A/V Edge Server: 443
Access Edge Server remote employee access: Enabled
Access Edge Server allows anonymous users: True
Access Edge Server allows remote users: False (it is showing False; I do not understand why, as during installation I selected all the options)
Access Edge Server federation: Enabled
Access Edge Server automatic federation: Enabled
Access Edge Server federation with public IM provider: Enabled
Access Edge Server federation with MSN: Enabled
Access Edge Server federation with Yahoo!: Enabled
Access Edge Server federation with AOL: Enabled
Access Edge Server internal next hop: fesrv.ocsr2.kin.com
Access Edge Server internal SIP domains:
ocsr2.kin.com
Internal Enterprise pools or Standard Edition Servers:
fesrv.ocsr2.kin.com
Is there any other option to select to allow remote users? Please let me know. -
23 October 2009 10:58
Dear all
In the user properties - Communications tab - other settings - I have selected all users; still it is not working. -
23 October 2009 11:39
Can you please provide a Communicator log and an Edge SIPStack and S4 log for the external login.
BTW: regarding your A/V configuration, you have to use a routable address, not a translated address.
It also seems that the SRV entry _sipfederationtls._tcp.domain is missing; see: http://technet.microsoft.com/en-us/library/bb870404.aspx
Hope that helps
ThorstenWujek -
23 October 2009 12:24 (Moderator)
If this is an R1 deployment, that error can indicate that the user account itself is not enabled for remote access; make sure you check the Communications tab in ADUC and check the External Access setting on the user account itself.
If you have an R2 deployment then the resulting error would be more descriptive, stating that the user was not enabled for remote access instead of the generic error you reported. Also, if this is an R2 Edge server you can use a NAT'd private address on the A/V Edge role.
Either way, the _sipfederationtls SRV record is not a requirement unless you want to enable Open Federation, which is in no way related to getting external user access.
Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS -
23 October 2009 14:13
Dear Jeff,
I do not have any federation users; that is the reason I have not enabled the _sipfederationtls SRV record. In the user properties I have enabled remote access, and I am getting the generic error.
I have added the Edge server into the domain because while installing the OCS R2 Front End server I gave the Edge server details as edgeserv.ocsr2.kin.com. If I put the Edge server into a workgroup then the Edge server FQDN will be = edgserver,
but once I add it into the domain then it will be = edgeserv.ocsr2.kin.com.
Still I am getting the generic error? First I would like to test in the lab; if it works then I will implement it in the real network with NAT etc.
Can you please help with what is causing the problem? I am using an internal CA, so I have copied the root CA onto the client computer; so there is no certificate issue.
Please reply. -
23 October 2009 15:41
I have just enabled event logging on Communicator.
Can you please let me know how to take SIPStack logs for the Edge server and S4 logs for the external login? What are S4 logs? How do I take SIPStack logs on the Edge server? -
23 October 2009 16:21
On the edge server:
open Computer Management -> Services and Applications -> right-click (OCS 2007) -> Logging Tool -> New Debug Session
Choose components S4 and SIPStack, level <All> for both, and all flags. Then start logging.
It would be good if you can debug a validation, too.
Bye
ThorstenWujek -
26 October 2009 12:35
Dear all
I took S4 and SIP logs on the Edge server; before that I would like to draw the physical setup again.
Outside PC Communicator -- Router/External DNS -- Edge Server -- switch -- Front End Server, DC/Internal DNS, Exchange, Inside PC Communicator.
192.168.156.1---- ----------192.168.156.4/192.168.155.6-----192.168.152.26----------192.168.152.23, 192.168.152.21
The log file:
LogType: connection
Severity: information
Text: TLS negotiation started
Local-IP: 192.168.155.1:443
Peer-IP: 192.168.156.1:1692
Connection-ID: 0xE00
Transport: TLS
$$end_record
Instance-Id: 00000006
Direction: incoming;source="external edge";destination="internal edge"
Peer: 192.168.156.1:1690
Message-Type: request
Start-Line: REGISTER sip:ocsr2.kin.com SIP/2.0
From: <sip:augustin@ocsr2.kin.com>;tag=75fc9989e0;epid=8ff7501aeb
To: <sip:augustin@ocsr2.kin.com>
CSeq: 1 REGISTER
Call-ID: 86c4f5bf8fb6471ba0e111bcacee33af
Via: SIP/2.0/TLS 192.168.156.1:1690
Max-Forwards: 70
Contact: <sip:192.168.156.1:1690;transport=tls;ms-opaque=693829d612>;methods="INVITE, MESSAGE, INFO, OPTIONS, BYE, CANCEL, NOTIFY, ACK, REFER, BENOTIFY";proxy=replace;+sip.instance="<urn:uuid:20126B27-4513-50FA-8E58-40FC48F892D1>"
User-Agent: UCCAPI/3.5.6907.37 OC/3.5.6907.37 (Microsoft Office Communicator 2007 R2)
Supported: gruu-10, adhoclist, msrtc-event-categories
Supported: ms-forking
ms-keep-alive: UAC;hop-hop=yes
Event: registration
Content-Length: 0
Message-Body: –
$$end_record
LogType: diagnostic
Severity: information
Text: The message has an internally supported domain
SIP-Start-Line: REGISTER sip:ocsr2.kin.com SIP/2.0
SIP-Call-ID: 86c4f5bf8fb6471ba0e111bcacee33af
SIP-CSeq: 1 REGISTER
Peer: 192.168.156.1:1690
Data: domain="ocsr2.kin.com"
$$end_record
LogType: connection
Severity: information
Text: TLS negotiation started
Local-IP: 192.168.152.26:1065
Peer-IP: 192.168.152.23:5061
Peer-FQDN: fesrv.ocsr2.kin.com
Connection-ID: 0xF01
Transport: TLS
$$end_record
LogType: connection
Severity: information
Text: Connection established
Local-IP: 192.168.152.26:1065
Peer-IP: 192.168.152.23:5061
Peer-FQDN: fesrv.ocsr2.kin.com
Peer-Name: fesrv.ocsr2.kin.com
Connection-ID: 0xF01
Transport: M-TLS
$$end_record
LogType: diagnostic
Severity: information
Text: Routed a request to the next hop internal server ( edge server trying to establish a connection with Front end server)
SIP-Start-Line: REGISTER sip:ocsr2.kin.com SIP/2.0
SIP-Call-ID: 86c4f5bf8fb6471ba0e111bcacee33af
SIP-CSeq: 1 REGISTER
Peer: fesrv.ocsr2.kin.com:5061
Data: destination="fesrv.ocsr2.kin.com"
$$end_record
Instance-Id: 00000006
Direction: outgoing;source="external edge";destination="internal edge"
Peer: fesrv.ocsr2.kin.com:5061
Message-Type: request
Start-Line: REGISTER sip:ocsr2.kin.com SIP/2.0
From: <sip:augustin@ocsr2.kin.com>;tag=75fc9989e0;epid=8ff7501aeb
To: <sip:augustin@ocsr2.kin.com>
CSeq: 1 REGISTER
Call-ID: 86c4f5bf8fb6471ba0e111bcacee33af
Path: <sip:edgesvr.ocsr2.kin.com:1065;transport=tls;maddr=192.168.152.26;opaque=state:Ee.aaqZAmfWERln49ZoVv9VRBIgAA;lr>;tag=E18774264C7485D9663459C250C01112
Record-Route: <sip:edgesvr.ocsr2.kin.com:1065;transport=tls;maddr=192.168.152.26;opaque=state:Ee.aaqZAmfWERln49ZoVv9VRBIgAA;lr>;tag=E18774264C7485D9663459C250C01112
Via: SIP/2.0/TLS 192.168.152.26:1065;branch=z9hG4bK73782EF5.9461DD95EDACF106;branched=FALSE
Max-Forwards: 69
ms-edge-proxy-message-trust: ms-source-type=InternetUser;ms-ep-fqdn=edgesvr.ocsr2.kin.com;ms-source-verified-user=verified
Contact: <sip:192.168.156.1:1690;transport=tls;ms-opaque=693829d612;ms-received-cid=D00>;methods="INVITE, MESSAGE, INFO, OPTIONS, BYE, CANCEL, NOTIFY, ACK, REFER, BENOTIFY";+sip.instance="<urn:uuid:20126B27-4513-50FA-8E58-40FC48F892D1>"
Via: SIP/2.0/TLS 192.168.156.1:1690;ms-received-port=1690;ms-received-cid=D00
User-Agent: UCCAPI/3.5.6907.37 OC/3.5.6907.37 (Microsoft Office Communicator 2007 R2)
Supported: gruu-10, adhoclist, msrtc-event-categories
Supported: ms-forking
ms-keep-alive: UAC;hop-hop=yes
Event: registration
Content-Length: 0
Message-Body: –
$$end_record
LogType: connection
Severity: error
Text: Receive operation on the connection failed ( it seems that there is some problem between front end server to Edge server)
Local-IP: 192.168.152.26:1065
Peer-IP: 192.168.152.23:5061
Peer-FQDN: fesrv.ocsr2.kin.com
Peer-Name: fesrv.ocsr2.kin.com
Connection-ID: 0xF01
Transport: M-TLS
Result-Code: 0x80072746 WSAECONNRESET
$$end_record
LogType: connection
Severity: information
Text: Connection closed
Local-IP: 192.168.152.26:1065
Peer-IP: 192.168.152.23:5061
Peer-FQDN: fesrv.ocsr2.kin.com
Peer-Name: fesrv.ocsr2.kin.com
Connection-ID: 0xF01
Transport: M-TLS
$$end_record
LogType: connection
Severity: information
Text: TLS connection closed
Local-IP: 192.168.152.26:1065
Peer-IP: 192.168.152.23:5061
Peer-FQDN: fesrv.ocsr2.kin.com
Peer-Name: fesrv.ocsr2.kin.com
Connection-ID: 0xF01
Transport: M-TLS
$$end_record
I have tried a lot but still I cannot log on. Please help me.
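The log above already answers the question of which hop is broken, and a telnet to port 443 cannot: the REGISTER arrived on the Access Edge over TLS, the edge marked the user as verified and forwarded it over M-TLS to fesrv.ocsr2.kin.com:5061, and the Front End then reset that connection (WSAECONNRESET) without sending any SIP response. The following is an added example, not code from the thread or from Microsoft, that parses SIPStack/S4 records of the "Header: value ... $$end_record" shape shown above and follows one Call-ID through the edge to say which hop failed. SAMPLE_LOG is the poster's own paste, trimmed to the four records that matter; the function and field names are assumptions made for this example.

```python
"""Triage an OCS 2007 R2 Edge Server SIPStack/S4 debug log for a failed
external sign-in.  Added example; not code from the thread or from Microsoft.
Records are "Header: value" lines terminated by $$end_record, as in the
thread's paste; SAMPLE_LOG is that paste trimmed to the relevant records."""
from collections import defaultdict

SAMPLE_LOG = """\
Direction: incoming;source="external edge";destination="internal edge"
Peer: 192.168.156.1:1690
Message-Type: request
Start-Line: REGISTER sip:ocsr2.kin.com SIP/2.0
From: <sip:augustin@ocsr2.kin.com>;tag=75fc9989e0;epid=8ff7501aeb
Call-ID: 86c4f5bf8fb6471ba0e111bcacee33af
Via: SIP/2.0/TLS 192.168.156.1:1690
$$end_record
LogType: diagnostic
Severity: information
Text: Routed a request to the next hop internal server
SIP-Call-ID: 86c4f5bf8fb6471ba0e111bcacee33af
Peer: fesrv.ocsr2.kin.com:5061
$$end_record
Direction: outgoing;source="external edge";destination="internal edge"
Peer: fesrv.ocsr2.kin.com:5061
Message-Type: request
Start-Line: REGISTER sip:ocsr2.kin.com SIP/2.0
From: <sip:augustin@ocsr2.kin.com>;tag=75fc9989e0;epid=8ff7501aeb
Call-ID: 86c4f5bf8fb6471ba0e111bcacee33af
ms-edge-proxy-message-trust: ms-source-type=InternetUser;ms-ep-fqdn=edgesvr.ocsr2.kin.com;ms-source-verified-user=verified
Via: SIP/2.0/TLS 192.168.152.26:1065;branch=z9hG4bK73782EF5.9461DD95EDACF106;branched=FALSE
$$end_record
LogType: connection
Severity: error
Text: Receive operation on the connection failed
Local-IP: 192.168.152.26:1065
Peer-IP: 192.168.152.23:5061
Peer-FQDN: fesrv.ocsr2.kin.com
Connection-ID: 0xF01
Transport: M-TLS
Result-Code: 0x80072746 WSAECONNRESET
$$end_record
"""


def parse_records(text):
    """Split the log into records; each maps a header name to the list of
    values seen for it (Via and Supported repeat, hence a list).  Only the
    first colon separates name from value, so IP:port values survive."""
    records, current = [], defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if line == "$$end_record":
            if current:
                records.append(dict(current))
            current = defaultdict(list)
        elif line:
            key, sep, value = line.partition(":")
            if sep:
                current[key.strip()].append(value.strip())
    if current:
        records.append(dict(current))
    return records


def _first(rec, key):
    return rec.get(key, [None])[0]


def _call_id(rec):
    # SIP messages carry Call-ID; diagnostic records carry SIP-Call-ID.
    return _first(rec, "Call-ID") or _first(rec, "SIP-Call-ID")


def diagnose_register(records, call_id):
    """Follow one REGISTER through the edge and name the failing hop."""
    result = {"call_id": call_id, "user": None, "external_peer": None,
              "next_hop": None, "source_verified": False,
              "response_seen": False, "next_hop_reset": None,
              "verdict": "unknown"}
    for rec in records:
        if _call_id(rec) != call_id:
            continue
        if _first(rec, "Message-Type") == "request":
            direction = _first(rec, "Direction") or ""
            if direction.startswith("incoming"):
                result["external_peer"] = _first(rec, "Peer")
                frm = _first(rec, "From") or ""
                result["user"] = (frm.split("<sip:")[1].split(">")[0]
                                  if "<sip:" in frm else frm)
            elif direction.startswith("outgoing"):
                result["next_hop"] = _first(rec, "Peer")
                trust = _first(rec, "ms-edge-proxy-message-trust") or ""
                result["source_verified"] = "ms-source-verified-user=verified" in trust
        elif _first(rec, "Message-Type") == "response":
            result["response_seen"] = True
    # A connection-level error towards the next hop explains a missing response.
    if result["next_hop"]:
        host = result["next_hop"].split(":")[0]
        for rec in records:
            if (_first(rec, "LogType") == "connection"
                    and _first(rec, "Severity") == "error"
                    and _first(rec, "Peer-FQDN") == host):
                result["next_hop_reset"] = _first(rec, "Result-Code")
    if result["response_seen"]:
        result["verdict"] = "responded"
    elif result["next_hop_reset"]:
        result["verdict"] = "internal hop"
    elif result["external_peer"] and not result["next_hop"]:
        result["verdict"] = "external hop"
    return result


def explain(result):
    """Human-readable verdict, returned as lines rather than printed."""
    lines = [f"REGISTER {result['call_id']} for {result['user']} "
             f"from {result['external_peer']}"]
    if result["next_hop"]:
        lines.append(f"  accepted on the external edge (source verified: "
                     f"{result['source_verified']}), forwarded to {result['next_hop']}")
    if result["next_hop_reset"]:
        lines.append(f"  next hop dropped the M-TLS connection: {result['next_hop_reset']}")
    if not result["response_seen"]:
        lines.append("  no SIP response logged: the client only sees a timeout")
    lines.append(f"  fault domain: {result['verdict']}")
    return lines


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("\n".join(explain(diagnose_register(recs, "86c4f5bf8fb6471ba0e111bcacee33af"))))
```

A verdict of "internal hop" with a reset immediately after the forwarded REGISTER means the Front End refused the edge's M-TLS session rather than the user, so the next check belongs on the Front End (its validation wizard, and the name it is configured to trust for the edge), not on the client certificate or the external firewall.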
-
26 October 2009 14:39
Dear Jeff or Thorsten and sick ..... is there any update? I have enabled remote access in all users' properties. I am using an internal CA on the Edge server interfaces. On the outside PC Communicator I have copied the root CA, so there is no certificate issue. I can see in the logs that there is some M-TLS issue between the Edge server and the Front End server (see the above log). Please can you help me.
-
26 October 2009 15:18
How many interfaces and IPs does your edge server have? You have noted one. Is that how your config is?
ThorstenWujek -
26 October 2009 16:05
On the Edge server I have 4 interfaces; above I had not properly given the list of IP addresses. Now I have given it below.
LAN 1 = 192.168.152.26, no gateway, DNS = 192.168.152.1 (internal DNS server)
Access Edge = 192.168.155.1, gateway = 192.168.155.6, DNS = 192.168.155.6
Web Conferencing = 192.168.155.2, no gateway, DNS = 192.168.155.6
A/V = 192.168.155.3, no gateway, DNS = 192.168.155.6
But I just want to log on with the outside PC Communicator through the Access Edge server. -
26 October 2009 16:28
Hi, I found one new error on the Front End server: when I run the validation it shows one error:
Checking federation settings Federation: Disabled
Success
Checking static routes No WMI Instance Returned By Query : select * from MSFT_SIPRoutingTableData where Backend="(local)\\rtc"
Static route: None Found
Success
Checking all trusted servers Failure
[0xC3FC200D] One or more errors were detected
Local Federation Route edgesrv.ocsr2.kin.com DNS Resolution succeeded: 192.168.152.26
TLS connect failed due to incorrect remote subject name: 192.168.152.26:5061 Error Code: 0x80090322 outgoing TLS negotiation failed; HRESULT=-2146893022
Failure
[0xC3FC200D] One or more errors were detected
Internal Server fesrv.OCSR2.kin.com DNS Resolution succeeded: 192.168.152.23
TLS connect succeeded: 192.168.152.23:5061
Routing trust check and MTLS connectivity: Succeeded
Success
Is this similar to this error?
http://social.microsoft.com/Forums/en-US/communicationsserveredgeservers/thread/c3294ccc-fc11-40e3-a9f1-02ee3142f741
If it is, then I have created a new certificate for the internal interface of the Edge server and the 3 external interfaces of the Edge server from the same CA server.
-
26 October 2009 19:19
Hi,
this is a certificate issue. I am busy today so I can deal with that tomorrow.
Bye
ThorstenWujek -
27 October 2009 9:29
Dear Thorsten and Jeff and sick,
Good news: with the help of Almighty Allah and Prophet Muhammad (saw) I made it work. Actually the problem was that while installing the Front End server, in Step 2 Configure Server - Run - External User Configuration - Configure external user access now - in the FQDN of the internal pool Access Edge server, I had given edgesrv.ocsr2.kin.com (this is wrong); actually this caused the problem. I should give only Edgesrv, because this is not part of the domain and the certificate is also generated with the edgesrv name only.
I re-ran the setup and gave only edgesrv as the FQDN on the Front End server, and on the Edge server also I ran the CD again and gave the internal Edge server name as Edgesrv as the FQDN, and externally I gave sip.ocsr2.kin.com, webconf.ocsr2.kin.com, av.ocsr2.kin.com.
Now I can log on from the outside PC Communicator and do chat and presence, but I cannot do voice calls. I think I need to properly configure the A/V server. Thanks for your help, and this might be helpful for other users. - Marked as answer by Gavin-Zhang (Moderator) 29 October 2009 9:07
-
27 October 2009 9:53
Hi,
nice to hear that it is working.
FYI: it does not matter whether the computer is in the domain. All that counts for TLS is the CN and SAN in the certificate.
Good luck with your A/V problem :-)
Thorsten
ThorstenWujek
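The Front End validation output earlier in the thread ("TLS connect failed due to incorrect remote subject name" for edgesrv.ocsr2.kin.com) and the fix the poster applied both come down to the rule Thorsten states in this last reply: the M-TLS peer is identified by the names in its certificate, not by whether the box is domain-joined. The following is an added example, not code from the thread or from Microsoft, that applies that rule to both directions of the Front End/Edge trust: the name each side is configured to dial against the CN and SAN of the certificate the other side presents. The host names and certificate subjects are the thread's; the scenario dictionaries, function names and the "reissue the certificate with the FQDN" alternative are assumptions for illustration.

```python
"""Does the name one OCS server is configured to dial match the CN/SAN of the
certificate its peer presents?  Added example, not from the thread or from
Microsoft.  Host names and certificate subjects are the thread's; the scenario
dictionaries are assumptions for illustration."""


def hostname_matches(presented_names, hostname):
    """Match a configured hostname against the names in a certificate
    (CN plus DNS SANs).  Case-insensitive, trailing dots ignored; a wildcard
    is honoured only as the whole left-most label and for exactly one label,
    which is what RFC 6125 allows."""
    host = hostname.lower().rstrip(".")
    for name in presented_names:
        if not name:
            continue
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            suffix = name[1:]                       # e.g. ".ocsr2.kin.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
    return False


def check_mtls_pair(configured_name, peer_cert_cn, peer_cert_sans=()):
    """One direction of an M-TLS trust: the dialer's configured FQDN versus
    the listener's certificate.  Both CN and SAN are offered for matching,
    which is Thorsten's point above."""
    names = [peer_cert_cn, *peer_cert_sans]
    return {"configured": configured_name, "presented": names,
            "ok": hostname_matches(names, configured_name)}


def validate_topology(front_end, edge):
    """Both M-TLS directions between a Front End and the Edge internal
    interface.  'domain_joined' is deliberately never consulted: joining the
    domain changes the machine's own idea of its name, not what the
    certificate the peer sees says."""
    return [
        ("Front End -> Edge internal",
         check_mtls_pair(front_end["edge_internal_fqdn"],
                         edge["cert_cn"], edge["cert_sans"])),
        ("Edge -> Front End (next hop)",
         check_mtls_pair(edge["next_hop"],
                         front_end["cert_cn"], front_end["cert_sans"])),
    ]


def all_ok(report):
    return all(r["ok"] for _, r in report)


# Scenario as posted before the fix: the Front End was told the Edge is
# "edgesrv.ocsr2.kin.com" but the Edge's internal certificate says "edgesrv".
FRONT_END_BROKEN = {"cert_cn": "fesrv.ocsr2.kin.com", "cert_sans": [],
                    "edge_internal_fqdn": "edgesrv.ocsr2.kin.com"}
EDGE_SHORT_CERT = {"cert_cn": "edgesrv", "cert_sans": [],
                   "next_hop": "fesrv.ocsr2.kin.com", "domain_joined": True}
# The fix applied in the thread: configure the short name on both sides.
FRONT_END_FIXED = dict(FRONT_END_BROKEN, edge_internal_fqdn="edgesrv")
# Alternative (assumed, not what the thread did): keep the FQDN and reissue
# the Edge internal certificate with that FQDN as CN and in the SAN.
EDGE_FQDN_CERT = dict(EDGE_SHORT_CERT, cert_cn="edgesrv.ocsr2.kin.com",
                      cert_sans=["edgesrv.ocsr2.kin.com"])

if __name__ == "__main__":
    for label, fe, edge in [("as posted", FRONT_END_BROKEN, EDGE_SHORT_CERT),
                            ("thread's fix", FRONT_END_FIXED, EDGE_SHORT_CERT),
                            ("FQDN cert", FRONT_END_BROKEN, EDGE_FQDN_CERT)]:
        for hop, r in validate_topology(fe, edge):
            print(f"{label:13} {hop:30} {'OK  ' if r['ok'] else 'FAIL'} "
                  f"configured={r['configured']} presented={r['presented']}")
```

Run as posted, the "Front End -> Edge internal" direction fails and the "Edge -> Front End" direction passes, which is exactly the split the Front End validation reported (edge trusted-server check failed, internal server check succeeded). Two caveats on the thread's chosen fix: a bare "edgesrv" only works if the Front End can resolve that short name (DNS suffix search or a hosts entry), and a single-label name is a weaker identity than the full FQDN, so reissuing the Edge internal certificate with edgesrv.ocsr2.kin.com as CN/SAN and keeping the FQDN in the Front End configuration is the cleaner long-term option. On Windows, `certutil -dump <file.cer>` or the Certificates MMC snap-in shows the CN and SAN to feed into this check.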