CWA 2007 R2 Desktop Sharing

  • Question

  • Hi,

    We have a strange issue with Desktop sharing in the Client Web Access.  The sharing session starts and on the initiator side, the status of the sharing session is "sharing desktop".

    The viewer accepts the request and the desktop viewing pane is opened.
    However, the message "Internet Explorer cannot display the website" is displayed in the upper left corner. The loading icons in the middle of the screen keep on running.

    The website cwa.company.local is added to the local intranet zone on both clients.


    Desktop sharing from the Communicator clients to Communicator Client works perfectly.

    Desktop sharing from the Communicator clients to Web Access Client does NOT work.

    Desktop sharing from the Web Access clients to Web Access Client does NOT work.

    Desktop sharing from the Web Access clients to Communicator Client works perfectly.



    Anyone have an idea how to solve this?
    Tuesday, March 10, 2009 1:50 PM


All replies

  • Are all OC and CWA clients located internally, or externally, or both?  I'm trying to find out if an Edge server (and thus firewalls) are included in these scenarios or not as that can be a clue as to where to start troubleshooting.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Tuesday, March 10, 2009 5:03 PM
    Moderator
  • We haven't implemented an Edge Server yet. The Web Access Server is only available from the internal network.
    We have halted the project till we figure out what the cause is of this problem.
    Wednesday, March 11, 2009 7:10 AM
  • We have *exactly* the same set of symptoms as above! (OCS R2 setup in consolidated config with separate CWA server with two web virtual servers for internal and external users, no edge server as yet).

    Also desktop sharing attempts using CWA from outside our firewall (we do want to use ISA server, sorry) to a communicator client fail with 'cannot start desktop sharing session currently'.  Testing the same external web virtual server from inside the firewall works.

    Reading what I can on the architecture implies that an edge server is not required for desktop sharing but if you want audio you do need an edge server.
    Desktop sharing architecture: http://technet.microsoft.com/en-gb/library/dd425349(office.13).aspx

    And 'Desktop sharing requires both CWA and AV Edge. CWA needs to have reverse proxy and media traversal for desktop sharing happens via the AV Edge.' http://blogs.technet.com/ucedsg/archive/2009/02/06/we-have-the-edge.aspx



    Hopefully somebody can shed light on these errors and edge/ ?any reverse proxy requirements
    Thanks
    David
    Wednesday, March 11, 2009 3:36 PM
  • The problem occurs when using the CWA client from within the internal network.
    This means that no traffic will be routed to an edge server. That is why we can't explain the problem.

    Wednesday, March 11, 2009 3:42 PM
  • If your CWA server is cwa.company.local then you also need CNAME records for as.cwa.company.local and download.cwa.company.local which point to cwa.company.local.


    Mike Stacy | Evangelyze Communications | http://www.evangelyze.net/cs/blogs/mike
    • Marked as answer by msogelee Monday, March 16, 2009 10:19 AM
    Monday, March 16, 2009 4:35 AM
    Moderator
  • Thank you for your answer.
    We're gonna test it right away and get back with the results.
    Monday, March 16, 2009 7:57 AM
  • Mark,

    Adding the CNAME records solved the problem.


    But when using CNAME entries, you also have to renew the certificate which must include the following Subject Alternate Names:
    1. Subject name (example: cwa.company.local)
    2. CNAME record as (example: as.cwa.company.local)
    3. CNAME record download (example: download.cwa.company.local)


    Be sure that your CA accepts requests with SANs in them.
    If not, see MS KB 931351 to enable your CA for certificate requests with SANs.
    • Marked as answer by msogelee Monday, March 16, 2009 10:20 AM
    Monday, March 16, 2009 10:19 AM
  • I'm having very similar issues, if not the exact same problem. I have added the DNS entries for download and as. The CWA clients can successfully download the CWAPlugin file and install it. Whenever I try to use the web client to view another person's screen, it does not work. In my production environment, I get what appears to be a cert error - it opens the sharing window and acts like it wants to start the session, but in the top left corner there is a partial piece of a security warning. In my test environment, it seems to hang in the CWA client's chat window and says "Starting Viewing..." and does not proceed any further.

    I am pretty sure this is a certificate problem, but I have tried numerous combinations. Has anyone seen the partial or chopped off security warning from their browser, and what did you do to troubleshoot this?
    Friday, April 24, 2009 5:14 PM
  • You must also add the additional names (download and as) to your certificate on the CWA server!
    - Belgian Unified Communications Community : http://www.pro-exchange.be -
    Monday, April 27, 2009 1:27 PM
  • download and as are both in the SAN of the cert, as well as the FQDN of the CWA server.
    Monday, April 27, 2009 1:30 PM
  • Ok, we just installed a UCC cert from GoDaddy, and I no longer receive the cert error in Firefox (for some reason IE didn't throw a cert error, which was strange). Now I am still getting the small section in the top left corner of the sharing window, and if I select some text and then press Ctrl-A to select all of the text (some of it is not visible), I get the following text.

    The page cannot be displayed
    Explanation: There is a problem with the page you are trying to reach and it cannot be displayed.

    Try the following:

        * Refresh page: Search for the page again by clicking the Refresh button. The timeout may have occurred due to Internet congestion.
        * Check spelling: Check that you typed the Web page address correctly. The address may have been mistyped.
        * Access from a link: If there is a link to the page you are looking for, try accessing the page from that link.

    Technical Information (for support personnel)

        * Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)


    I'm not sure where this 403 error would originate from. Has anyone else seen this and have any suggestions?
    Monday, April 27, 2009 4:35 PM
  • You should look at the IIS logfiles to check what is happening at the webserver
    What URL are you using to connect to CWA?
    - Belgian Unified Communications Community : http://www.pro-exchange.be -
    Monday, April 27, 2009 8:09 PM
  • I've looked in the IIS logs on both the CWA server and the OCS Front-end and see no reference to any 403 Forbidden errors.

    We use ocsweb.companyname as our main URL to access CWA. The cert's subject name is that URL. The CWA server is a different hostname, on the local domain. We have that hostname, along with the download.ocsweb.companyname and as.ocsweb.companyname in the SAN field of the UCC cert.

    We are also running this through an ISA server, but I have altered my hosts file on my test machine to bypass ISA and I get the exact same result, so I don't think ISA is the problem here.

    I can share my desktop using CWA to anyone with the MOC client installed on their computer. The CWAPlugin file downloads and installs just fine. I can also hand over control to anyone with the MOC client. However, when I try going the other way, sharing my computer's desktop (using the MOC client) with anyone else using CWA, it gives the error I pasted above.
    Monday, April 27, 2009 8:35 PM
  • If you connect to the CWA directly which URLs are you using?
    - Belgian Unified Communications Community : http://www.pro-exchange.be -
    Monday, April 27, 2009 9:23 PM
  • Not sure what you are asking for exactly, but the URL to access our CWA is ocsweb.gtri.gatech.edu. This is in the subject name of the cert, and the SAN has the as and download url's, and the FQDN of the server. We do not use the FQDN of the CWA server to access CWA - we redirect traffic to ocsweb.gtri.gatech.edu when the fqdn is used. That being said, I have at one point in this adventure created a self-signed cert based on the FQDN of the CWA server and the sharing worked both ways (to and from CWA), but it only worked in internet explorer. This is not an acceptable solution, as we eventually want to be able to invite people into meetings/conferences from the web who are not necessarily on our VPN or domain.
    Tuesday, April 28, 2009 2:13 PM
  • I believe that sharing the desktop only works for Internet explorer because it requires the ActiveX plugin
    Viewing can be done from any browser
    - Belgian Unified Communications Community : http://www.pro-exchange.be -
    Tuesday, April 28, 2009 10:44 PM
  • It doesn't matter if I use Firefox or IE (or even Safari on a Mac), I still get the same result.
    Thursday, April 30, 2009 7:44 PM
  • For the benefit of other people who may see the same problem, we figured it out. It turns out that the as.ocsweb.gtri.gatech.edu was still trying to go through ISA, and the ISA rule was only configured for ocsweb.gtri.gatech.edu. Stupid mistake, but it works now.
    Tuesday, May 12, 2009 12:38 PM
  • Hello all,

    I am experiencing the same issue as the original post.  When a CWA 2007 R2 client attempts to display an incoming shared desktop, the right pane displays "The page cannot be displayed."

    My CWA 2007 R2 server is Windows 2003, and its computer name is mlb-baseball.sports.net

    DNS A Record = mlb-baseball.sports.net  CNAMEs for mlb-baseball.sports.net are as.sports.net, download.sports.net   In other words in Windows DNS, it looks like "as   Alias (CNAME)  mlb-baseball.sports.net"

    In terms of the Cert, SN = mlb-baseball.sports.net   SAN = mlb-baseball.sports.net, as.sports.net, download.sports.net

    CWAService SPN = http/mlb-baseball,http/mlb-baseball.sports.net,http/as.sports.net,http/download.sports.net

    Any suggestions?

    Thanks

    Ron

    Wednesday, May 13, 2009 10:27 PM
  • Hi Ron,

    If I read the above comments correctly your cname should be as.mlb-baseball.sports.net and download.mlb-baseball.sports.net.

    Regards,

    Frank
    Thursday, May 14, 2009 10:55 AM
  • Still not working for me.

    Ron
    Monday, May 18, 2009 11:03 PM
  • Are you running through an ISA firewall for anything? One thing to try might be to add mlb-baseball.sports.net, as.mlb-baseball.sports.net, and download.mlb-baseball.sports.net to the hosts file on your client computer so it is talking directly to your CWA server.
    Tuesday, May 19, 2009 3:42 PM
  • I'm not going through ISA.  It is just Internal at the moment.

    I'm still a little confused in how you guys are describing and maybe implementing CNAME (alias). 

    When I create a CNAME record in Windows 2003 for as, the target host is mlb-baseball.sports.net and the CNAME FQDN is as.sports.net and not as.mlb-baseball.sports.net.

    Is as.sports.net and as.mlb-baseball.sports.net the same?

    Thanks

    Ron

    Tuesday, May 19, 2009 9:18 PM
  • I don't think you are creating the CNAMEs quite right. The CNAME FQDN should be as.mlb-baseball.sports.net (and likewise for the download CNAME). That way if you go and ping as.mlb-baseball.sports.net, you should return the same IP as if you were pinging mlb-baseball.sports.net. You should not create a CNAME for as.sports.net. Does this make sense? Give this a try and see if that works.
    Tuesday, May 19, 2009 9:24 PM
  • OK.  When I tried this before, mlb-baseball became a subzone of sports.net.  The cnames were located in the mlb-baseball subzone.

    Is this how it works?

    Ron
    Wednesday, May 20, 2009 12:11 AM
  • That sounds right...  did you try that and test it out?

    Any input, Frank?
    Thursday, May 21, 2009 2:20 PM
  • When you create a CNAME like as.mlb-baseball.sports.net in the sports.net then you get a subzone mlb-baseball, and in the subzone there is the CNAME record.
    I have tried it myself, and it worked.
    Thursday, May 21, 2009 7:21 PM
  • I will give it a try this week.

    Thanks
    Wednesday, June 3, 2009 5:37 PM
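
Added example (not part of the original thread and not Microsoft's code): a small Python check for the two requirements discussed above, namely that the as. and download. aliases sit under the CWA site name and that the certificate's SAN list covers all three names. The function names and both sample certificates are constructed for illustration; the second sample follows the as.sports.net layout asked about later in the thread.

```python
import socket
import ssl

def required_names(cwa_fqdn):
    """Site name plus the as. and download. names placed under it."""
    base = cwa_fqdn.lower().rstrip(".")
    return [base, "as." + base, "download." + base]

def covers(pattern, host):
    """Exact match, or a wildcard standing for exactly one leftmost label."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def missing_from_cert(cwa_fqdn, cert):
    """Required names with no matching dNSName SAN; cert is a getpeercert()-style dict."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return [n for n in required_names(cwa_fqdn)
            if not any(covers(p, n) for p in sans)]

def fetch_cert(host, port=443, cafile=None, timeout=5):
    """Live check: validated peer certificate (pass cafile for an internal CA)."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def resolved_addresses(cwa_fqdn):
    """Live check: IPv4 addresses per required name; [] means no DNS record."""
    report = {}
    for name in required_names(cwa_fqdn):
        try:
            report[name] = sorted(set(socket.gethostbyname_ex(name)[2]))
        except OSError:
            report[name] = []
    return report

# Constructed samples: one SAN list following the layout in the answer, one
# with the aliases created next to the server name instead of under it.
GOOD_CERT = {"subjectAltName": (("DNS", "cwa.company.local"),
                                ("DNS", "as.cwa.company.local"),
                                ("DNS", "download.cwa.company.local"))}
SIBLING_CERT = {"subjectAltName": (("DNS", "mlb-baseball.sports.net"),
                                   ("DNS", "as.sports.net"),
                                   ("DNS", "download.sports.net"))}

if __name__ == "__main__":
    print(missing_from_cert("cwa.company.local", GOOD_CERT))
    print(missing_from_cert("mlb-baseball.sports.net", SIBLING_CERT))
```

Against a live server, pass the result of fetch_cert() to missing_from_cert(), and compare the address lists from resolved_addresses(): each alias should return the same addresses as the site name.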