Help with Deployment, cannot auto-connect internally / connect externally

  • Question



    I've done vast amounts of reading, but I've always found MS tech documents to go a little over my head. Maybe it's because they never include pictures, so I'm not always certain that what I think they mean and what I mean are on the same page.


    In any case, I'm attempting to deploy an Enterprise OCS server + Edge Server at this time. I will be adding a mediation gateway and so on down the road, but for now I'm just looking to get IM working properly.


    I have OCS deployed in a consolidated topology on a machine named MSCOMM under domain OEMGROUP.local

    with the Pool named COMMS01


    I have a GoDaddy SSL Certificate assigned to the MSCOMM machine as MSCOMM.OEMGROUP.local

    I have a GoDaddy SSL Certificate assigned to the MSCOMMEDGE server as MSCOMMEDGE.OEMGROUP.local for internal communication.

    I have a GoDaddy SSL Certificate assigned to the MSCOMMEDGE server as sip.mydomain.com for external access (using the same cert for all roles atm, will get added certs as needed).


    When running the validation test on the edge server or the pool with auto discovery I get the following error under Kerberos and NTLM authentication:

    Failed to register user: User sip:Jeff.Hunter@mydomain.com @ Server

    Failed to send SIP request: No connection could be made because the target machine actively refused it.



    On the DNS server I have the following entries defined.

    Host Record for: COMMS01.OEMGROUP.local pointing to

    SRV Records for:






    Host Record for mydomain.com pointing to

    Host Record for sip.mydomain.com pointing to

    SRV Records For:







    When trying to log in to the Communicator client on the LAN I get a certificate error; if I manually configure it to look at COMMS01.OEMGROUP.local it will sign in fine.


    Please help...

    Saturday, December 15, 2007 3:56 PM

All replies

  • When you configure an internal client for manual connection are you selecting TCP by any chance?


    I would triple-check all of your DNS SRV records internally.  Are you using split DNS or could the client possibly be resolving an external IP meant for your Edge server?  Take the Edge server out of the mix and concentrate solely on getting full internal connectivity before moving further.


    What is the IP address? Is it the only address on your Enterprise Front-End server?  When using a single-server pool w/o a hardware load balancer, add a second IP address to the Front-End server for the pool.  Meaning if MSCOMM.oemgroup.local resolves to, then add another IP address ( and configure a DNS A record for the COMMS01.oemgroup.local pool name.

    Sunday, December 16, 2007 4:14 PM
    I've checked the event logs of the Communicator client; it does resolve correctly to the front end server. When auto-connecting it says it couldn't connect because "There was a problem verifying the certificate from the server.  Please contact your system administrator".  For a sign-in address I am using first.lastname@mydomain.com, which is what shows up in the user profiles.


    Here is the list of errors that communicator logs:

    Communicator failed to connect to server mycomain.com ( on port 5060 due to error 10061. The server is not listening on the port in question, the service is not running on this machine, the service is not responsive, or network connectivity doesn't exist.


    Communicator was unable to resolve the DNS hostname of the login server sipinternal.mydomain.com.


    Communicator was unable to resolve the DNS hostname of the login server sipinternal.mydomain.com.


    Communicator could not connect securely to server sip.mydomain.com because the certificate presented by the server did not match the expected hostname (sip.mydomain.com).



    I haven't set up a distinct IP for COMMS01.oemgroup.local; it is the same as the server, and there is no hardware load balancer on my network.  When I configure the client to connect to COMMS01.oemgroup.local with TLS it logs in just fine, so I don't think I need to configure an additional IP?  I have a feeling my connection problems just have to do with the certificates I have in place -- I would rather not have to replace them though.  Is there a way that I can get sip.mydomain.com to point to COMMS01.oemgroup.local instead of the direct IP... so that the cert in place matches up?

    Sunday, December 16, 2007 4:33 PM
  • I would add the second IP and DNS A record and configure all SRV records to use the pool FQDN; this way client requests will use that FQDN and resolve to a dedicated IP address.


    Technically you are supposed to use a hardware load balancer in an Enterprise deployment even with a single pool server, so attempting to point clients directly to the Front-End IP (using a CNAME or conflicting A record) might be the reason you are having problems, and thus why the documentation requires the balancer.


    You want the clients referring to the pool name and NOT getting a reverse-resolution back to the server FQDN as that can cause certificate errors.

    Sunday, December 16, 2007 7:14 PM
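The diagnosis reached in this thread is that auto-discovery hands the client a host name (sip.mydomain.com, or the server FQDN reached by reverse resolution) that the front-end certificate was not issued to, while a manual TLS connection to the pool name COMMS01.OEMGROUP.local succeeds because that name is on the certificate. The following Python model, added here as an illustration and not code from the original thread or from Microsoft, replays that decision offline: it resolves the sign-in domain through a simplified, assumed lookup order (SRV records first, then sipinternal/sip host names; the real client's order is not stated on this page), then compares the name the client expected with the names carried by the certificate the chosen host presents, including single-label wildcard matching. All DNS records, certificate names and the IP address are constructed for the example.

```python
"""Offline model of SIP auto-discovery versus the certificate the client gets back.

Constructed example: it touches no network. The lookup order below is an
assumption made for illustration, not a statement of the real client's algorithm.
"""
from dataclasses import dataclass

# Assumed lookup order: SRV names tried under the sign-in domain, then plain
# host names. Each entry is (record prefix or label, transport).
SRV_ORDER = [
    ("_sipinternaltls._tcp", "TLS"),
    ("_sipinternal._tcp", "TCP"),
    ("_sip._tls", "TLS"),
]
HOST_ORDER = [("sipinternal", "TCP"), ("sip", "TLS")]


@dataclass(frozen=True)
class Target:
    host: str       # the name the client will expect to find in the certificate
    port: int
    transport: str  # "TLS" or "TCP"


def resolve_sip_target(sign_in_domain, srv_records, a_records):
    """Return the first Target the modelled client would pick, or None.

    srv_records: {"_sipinternaltls._tcp.example.com": ("host", port)}
    a_records:   {"host": "ip"}  (only the presence of a name matters here)
    """
    domain = sign_in_domain.lower()
    for prefix, transport in SRV_ORDER:
        hit = srv_records.get(f"{prefix}.{domain}")
        if hit:
            host, port = hit
            return Target(host.lower(), port, transport)
    for label, transport in HOST_ORDER:
        host = f"{label}.{domain}"
        if host in a_records:
            return Target(host, 5061 if transport == "TLS" else 5060, transport)
    return None


def cert_matches_host(cert_names, host):
    """Name match the way a TLS client does it: exact and case-insensitive, or a
    single leftmost wildcard label (*.oemgroup.local covers comms01.oemgroup.local
    but neither oemgroup.local nor a.b.oemgroup.local)."""
    host = host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            suffix = name[1:]                       # ".oemgroup.local"
            if host.endswith(suffix):
                left = host[: -len(suffix)]         # the label the wildcard covers
                if left and "." not in left:
                    return True
    return False


def diagnose(sign_in_domain, srv_records, a_records, certs_by_host):
    """Work out where the client will connect and whether the certificate that
    host presents carries the name the client expected."""
    target = resolve_sip_target(sign_in_domain, srv_records, a_records)
    if target is None:
        return {"target": None, "ok": False, "reason": "no SRV or A record found"}
    if target.transport != "TLS":
        return {"target": target.host, "ok": True, "reason": "TCP: no certificate check"}
    presented = certs_by_host.get(target.host, [])
    ok = cert_matches_host(presented, target.host)
    reason = ("certificate name matches" if ok else
              f"certificate presented by {target.host} carries {presented}, "
              f"client expected {target.host}")
    return {"target": target.host, "ok": ok, "reason": reason}


# Constructed data modelled on the thread: the front-end certificate is issued
# to the pool name only. The broken SRV record sends clients to sip.mydomain.com,
# which resolves to the same front-end box, so the name on the certificate does
# not match what the client asked for.
FRONT_END_CERT = ["comms01.oemgroup.local"]
CERTS_BY_HOST = {
    "comms01.oemgroup.local": FRONT_END_CERT,
    "sip.mydomain.com": FRONT_END_CERT,      # same server reached under another name
}
A_RECORDS = {"comms01.oemgroup.local": "10.0.0.20", "sip.mydomain.com": "10.0.0.20"}
BROKEN_SRV = {"_sipinternaltls._tcp.mydomain.com": ("sip.mydomain.com", 5061)}
FIXED_SRV = {"_sipinternaltls._tcp.mydomain.com": ("comms01.oemgroup.local", 5061)}

if __name__ == "__main__":
    for label, srv in (("broken", BROKEN_SRV), ("fixed", FIXED_SRV)):
        print(label, diagnose("mydomain.com", srv, A_RECORDS, CERTS_BY_HOST))
```

Running it prints one line per scenario: with the broken SRV record the TLS client is sent to sip.mydomain.com and fails the name check; with the record pointing at the pool FQDN it passes. The rule generalises to any TLS service: whatever name DNS (or a manual setting) leads the client to is the name the certificate must carry, which is why the advice above is to keep every SRV record on the pool FQDN and avoid a reverse resolution to a different server FQDN.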