OCS Edge server problem...

  • Question

  • I have followed the Edge planning guide as far as I can tell exactly, except for the Reverse Proxy. I currently do not have a reverse proxy and I am just trying to get external access with Communicator.

    When validating the edge server I get this:

    Failed to send SIP request: No such host is known

    I checked to validate SIP with autologin and that is what I get.

    I am able to log in internally with Communicator and use it. What am I doing wrong? And is there a way to get more detailed information about this error? What host is it even talking about?
    Thursday, July 9, 2009 1:23 PM

Answers

  • So the first thing to check is that it will authenticate. So open Live Meeting; up at the top left corner there is a drop-down arrow. Select that and go to User Accounts (I think), open that and see that the user's SIP URI is in the correct field. Then do a test logon. If that works, then DNS and the SRV record are correct, and Live Meeting can find the correct Access Edge server.

    Then you should be able to do a trace to see if it is finding the correct Live Meeting DNS name.

    Try the stuff suggested above and let us know how it goes.

    Thanks.
    mitch
    • Marked as answer by Jacob Dixon Tuesday, July 14, 2009 11:25 PM
    Monday, July 13, 2009 2:07 AM
  • See my last reply in this thread for details on the reverse proxy 'features':
    http://social.technet.microsoft.com/Forums/en-US/ucccommunityocsdeployment/thread/0deda05b-5578-4264-a5ad-fa7bf404cd72

    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    • Marked as answer by Jacob Dixon Tuesday, July 14, 2009 11:25 PM
    Tuesday, July 14, 2009 11:08 AM
    Moderator

All replies

  • But here's the thing:

    DNS Resolution succeeded: 10.10.0.11
    TLS connect succeeded: 10.10.0.11:5061
      Success
      Internal FQDN: communications.adem.arkansas.gov


    So it is able to connect to communications server with DNS Resolution and TLS.
    Thursday, July 9, 2009 1:47 PM
  • Ok, on my internal network the Edge deployment tool told me to put:

    _sipinternaltls and point it to access.adem.arkansas.gov (Access Edge Service).

    When I changed it to my internal communications server (the Director), that error went away. I haven't checked it from the outside yet; I'm working on that.
    Thursday, July 9, 2009 2:00 PM
  • Nope. I am still unable to connect via Communicator from outside. Is there a better way to figure out why I am unable to connect?

    Ok, here are the errors I get when validating the FRONT END server:

    Error: One or more pool hosted users are enabled for telephony, but default location profile hasn't been specified for the pool.
    Error: One or more pool hosted users are enabled for federation, remote access or public IM connectivity, but global federation is disabled.

    Here is the ONLY warning I get when validating the Edge server:
    DNS Resolution failure: No DNS SRV records corresponding to _sipfederationtls._tcp.adem.arkansas.gov were found for this domain
    Suggested Resolution: Verify that the domain name is correct and that the DNS SRV record _sipfederationtls._tcp.adem.arkansas.gov exists for this domain.


    I'm not trying to do federation.

    I've right-clicked the users group and configured all users to DISABLED "Enterprise Voice". I disabled public IM and federation on ALL users... 139 successful and 0 failed.

    Now I will say that the certificates for all servers are sent to an INTERNAL CA (temporarily). I have the chain installed on the computer I'm trying to use... do you think this is the issue? Also, I didn't add the _sipfederationtls._tcp.adem.arkansas.gov DNS record to the external DNS because I didn't plan on doing anything with other businesses.

    ** I did an external SRV test and it was successful. It resolved to access.adem.arkansas.gov **

    If I put the INTERNAL SRV record back to access.adem.arkansas.gov it doesn't work.
    But I did notice that on our internal network we couldn't ping access.adem.arkansas.gov.
    So what I did is add an A host for access.adem.arkansas.gov to point to the EXTERNAL address.

    Now it does a little more but cannot get past logging the user in?

    Anyone? I think it's a login problem... but I can log in internally just fine. I don't know what I'm doing wrong.

    Here is my external DNS:

    Record Type   Name                                        IP Address / Name           Port

    A             Access.adem.arkansas.gov                    170.94.72.210
    A             Conference.adem.arkansas.gov                170.94.72.211
    A             Av.adem.arkansas.gov                        170.94.72.212
    SRV           _sip._tls.adem.arkansas.gov                 access.adem.arkansas.gov    443
    SRV           _sipfederationtls._tcp.adem.arkansas.gov    Access.adem.arkansas.gov    5061
    A             Ocsrp.adem.arkansas.gov                     170.94.72.213


    For Internal I have:

    Record Type   Name                                        IP Address / Name           Port

    A             Access.adem.arkansas.gov                    170.94.72.210
    A             communications.adem.arkansas.gov            10.10.0.11
    A             ocs-edge.adem.arkansas.gov                  10.10.0.102
    SRV           _sipinternaltls._tcp.adem.arkansas.gov      access.adem.arkansas.gov    5061


    Thursday, July 9, 2009 2:29 PM
  • Ok I am stuck. No clue...

    Maximum hops: 2
    Failed to register user: User sip:jacob.dixon@adem.arkansas.gov @ Server
    Failed to send SIP request: Send is called for Connection in Disconnected state
    Suggested Resolution: Make sure that the server is listening on the specified IP address/Port/Transport. If you have a firewall make sure that this port is open. Make sure that the server is running. If this is an Edge Server, ensure that remote user access has been enabled. This can be ignored if you have not enabled the transport on the target server.
    Friday, July 10, 2009 2:31 AM
  • Hi,

    Had a similar problem. In our case, the fact that we put an external domain on the list of internal domains in the pool gave us exactly this problem. The deployment was with both internal and external domains and we added all of them to the internal domain list in the pool. Once we removed the external domains from the list, everything was working.

    /T

    Friday, July 10, 2009 6:29 AM
  • Jacob

    You have a couple of DNS issues: internally you should not have ACCESS.Adem.arkansas.gov in your DNS; other than that it all looks good. What are you pointing your Edge server to for the internal address that is the next hop? Can it resolve the internal name of the server?
    mitch
    Friday, July 10, 2009 1:06 PM
  • I'm pointing it to our Standard edition server (communications.adem.arkansas.gov).

    It resolves to 10.10.0.11 like it should. Are you saying that internally I should not have the SRV or the host A record? The reason I put the host A record in is because internally we couldn't resolve access.adem.arkansas.gov. External people can.

    Our SOA is at our ISP, so any external changes we make have to be done by them. I did a test on the SRV records and they seemed fine. The reason I put the SRV record for access.adem.arkansas.gov in our INTERNAL DNS is because the Edge planning tool told me to.

    So remove the SRV and the A host?

    **** NOTE:

    I removed the A host record and changed the INTERNAL SRV record to: communications.adem.arkansas.gov.

    The edge server validation completed with no errors.

    On the communications side I only get this error now:

    Error: One or more pool hosted users are enabled for telephony, but default location profile hasn't been specified for the pool.
    Error: One or more pool hosted users are enabled for federation, remote access or public IM connectivity, but global federation is disabled.


    I'm not trying to do federation or public IM, though. I am trying to do remote access.

    *** After doing that, all the validations other than the above are good. But I am still unable to connect from the outside world with Live Meeting or Communicator.
    Friday, July 10, 2009 1:21 PM
  • I guess I'm a little confused by this... our internal AND external domain name is adem.arkansas.gov.
    Friday, July 10, 2009 1:22 PM
  • OK, internally you still need the SRV record, but it should point to an A record of the pool. I tend to like to put sip.domainname.com as the A record and add a Subject Alternative Name to the cert. This is just a precaution, because if the client does not find the SRV record it will default to sip.domain.com.

    However, this does not answer the reason you are having problems with the edge. So on the edge you are saying that externally the client can resolve the SRV and the A record and it is going to the correct IP? I.e. if you do an nslookup from an external client for the SRV it works, and if you do an nslookup for the A record it finds the correct record and IP?

    If that all works, can you telnet from the outside to port 5061 and port 443? 5061 is not a big deal because you are not going to federate; however, I like it to be open because federation is a good thing.

    If all the above work, then usually there is a problem with the edge server configuration. At that point we need to identify that the edge is dual homed, i.e. it has dual NIC cards. The external should have 3 IPs associated with the NIC and the internal should have a single IP. They should be on different subnets. This creates some challenges because you should not have dual gateways. So be sure the gateway is set on the external NIC and not the internal. You may have to create a route in the route table on the server to route traffic to your internal IPs.

    Then you need to check to see if the Edge server can resolve by DNS the next hop server, i.e. Director or pool depending on how you designed it. Then, if it does, you need to try to telnet to port 5061 on the pool and/or Director.

    Also, you may want to turn on logging on the client to see what is happening with the client during the initial login attempt. Using the Snooper tool out of the resource kit will tell you a lot.


    mitch
    Friday, July 10, 2009 3:00 PM
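    The DNS advice in the replies above (internal `_sipinternaltls._tcp` must target the pool/Director, not the Access Edge; the Access Edge name should not resolve internally; every public SRV target needs an A record; clients fall back to `sip.<domain>` when no SRV answer comes back) can be checked offline before touching a zone. The script below is an added example written for this page, not code from the thread or from Microsoft. It assumes a simple record model of its own (`Record`, `check_internal`, `check_external` are names chosen here) and transcribes the poster's two DNS tables into that model; the "fixed" internal set is the layout the poster reports ending up with later in the thread.

```python
"""Offline sanity checks for the split-DNS layout discussed in this thread.

Added example, not code from the thread or from Microsoft. The record sets
below are transcribed from the poster's internal/external DNS tables; the
checks encode the advice given in the replies.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Record:
    rtype: str             # "A" or "SRV"
    name: str              # owner name
    target: str            # IPv4 address for A, hostname for SRV
    port: Optional[int] = None


def _n(name: str) -> str:
    """Case-insensitive, trailing-dot-insensitive comparison key."""
    return name.lower().rstrip(".")


def _a_names(records: List[Record]) -> set:
    return {_n(r.name) for r in records if r.rtype == "A"}


def check_internal(records: List[Record], pool_fqdn: str, edge_fqdn: str) -> List[str]:
    """Return a list of problems with the internal zone (empty means clean)."""
    issues = []
    a_names = _a_names(records)
    srvs = [r for r in records
            if r.rtype == "SRV" and _n(r.name).startswith("_sipinternaltls._tcp.")]
    if not srvs:
        issues.append("no _sipinternaltls._tcp SRV record in the internal zone")
    for r in srvs:
        if _n(r.target) == _n(edge_fqdn):
            issues.append(f"{r.name} targets the Access Edge {r.target}; "
                          "internal clients must be sent to the pool/Director")
        elif _n(r.target) != _n(pool_fqdn):
            issues.append(f"{r.name} targets {r.target}, expected {pool_fqdn}")
        if r.port != 5061:
            issues.append(f"{r.name} uses port {r.port}, expected 5061 (TLS)")
        if _n(r.target) not in a_names:
            issues.append(f"SRV target {r.target} has no A record in the internal zone")
    if _n(edge_fqdn) in a_names:
        issues.append(f"internal zone resolves the Access Edge name {edge_fqdn}; "
                      "remove that A record so internal clients never hit the edge")
    return issues


def check_external(records: List[Record], sip_domain: str) -> List[str]:
    """Return a list of problems with the public zone used by remote clients."""
    issues = []
    a_names = _a_names(records)
    srvs = [r for r in records if r.rtype == "SRV"]
    for r in srvs:
        if _n(r.target) not in a_names:
            issues.append(f"SRV target {r.target} has no A record in the external zone")
    # Remote access: _sip._tls.<domain> on 443. Federation: _sipfederationtls._tcp
    # on 5061 (optional for this deployment, so only its port is checked).
    expected = {f"_sip._tls.{sip_domain}": 443,
                f"_sipfederationtls._tcp.{sip_domain}": 5061}
    for name, port in expected.items():
        for r in srvs:
            if _n(r.name) == _n(name) and r.port != port:
                issues.append(f"{r.name} uses port {r.port}, expected {port}")
    if not any(_n(r.name) == _n(f"_sip._tls.{sip_domain}") for r in srvs):
        issues.append(f"no _sip._tls.{sip_domain} SRV record for remote access")
    # Communicator's fallback when the SRV lookup fails is sip.<domain>.
    if _n(f"sip.{sip_domain}") not in a_names:
        issues.append(f"no A record for sip.{sip_domain} (client fallback name)")
    return issues


# Records as posted in the thread (constructed dataclass form of the tables).
INTERNAL_AS_POSTED = [
    Record("A", "Access.adem.arkansas.gov", "170.94.72.210"),
    Record("A", "communications.adem.arkansas.gov", "10.10.0.11"),
    Record("A", "ocs-edge.adem.arkansas.gov", "10.10.0.102"),
    Record("SRV", "_sipinternaltls._tcp.adem.arkansas.gov", "access.adem.arkansas.gov", 5061),
]
# The layout the poster reports later: edge A record removed, SRV retargeted.
INTERNAL_FIXED = [
    Record("A", "communications.adem.arkansas.gov", "10.10.0.11"),
    Record("A", "ocs-edge.adem.arkansas.gov", "10.10.0.102"),
    Record("SRV", "_sipinternaltls._tcp.adem.arkansas.gov", "communications.adem.arkansas.gov", 5061),
]
EXTERNAL_AS_POSTED = [
    Record("A", "Access.adem.arkansas.gov", "170.94.72.210"),
    Record("A", "Conference.adem.arkansas.gov", "170.94.72.211"),
    Record("A", "Av.adem.arkansas.gov", "170.94.72.212"),
    Record("SRV", "_sip._tls.adem.arkansas.gov", "access.adem.arkansas.gov", 443),
    Record("SRV", "_sipfederationtls._tcp.adem.arkansas.gov", "Access.adem.arkansas.gov", 5061),
    Record("A", "Ocsrp.adem.arkansas.gov", "170.94.72.213"),
]

if __name__ == "__main__":
    pool, edge = "communications.adem.arkansas.gov", "access.adem.arkansas.gov"
    print("internal (as posted):", check_internal(INTERNAL_AS_POSTED, pool, edge) or "OK")
    print("internal (fixed):    ", check_internal(INTERNAL_FIXED, pool, edge) or "OK")
    print("external (as posted):", check_external(EXTERNAL_AS_POSTED, "adem.arkansas.gov") or "OK")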
  • Ok.

    I set the internal SRV to communications.adem.arkansas.gov (Standard edition server that is the director).

    I tested telnet to port 443 and 5061 on 170.94.72.210 (access.adem.arkansas.gov) and it worked.

    On the edge server I have one external NIC and one internal (different switches). The external NIC is on my DMZ:
    Access.adem.arkansas.gov - 170.94.72.210
    Conference.adem.arkansas.gov - 170.94.72.211
    av.adem.arkansas.gov - 170.94.72.212

    Internal:
    ocs-edge.adem.arkansas.gov - 10.10.0.213

    They are on different subnets and connected to different switches. I did have the gateway set on the internal interface. Could this be a problem?

    The edge server can resolve communications.adem.arkansas.gov (internal server); I tested telnet to communications.adem.arkansas.gov:5061 and it worked.

    I turned on logging on the client (I didn't add an external A host for sip.adem.arkansas.gov):

    Communicator was unable to resolve the DNS hostname of the login server sip.adem.arkansas.gov.

    Communicator was unable to resolve the DNS hostname of the login server sipinternal.adem.arkansas.gov.

    LiveMeeting failed to connect to server access.adem.arkansas.gov (170.94.72.210) on port 5061 due to error 10060. The server is not listening on the port in question, the service is not running on this machine, the service is not responsive, or network connectivity doesn't exist.

    Friday, July 10, 2009 3:31 PM
  • OK, so I think you have a firewall issue going on. I did a little testing and the DNS records are correct. I would look very closely at your firewall settings. If the Edge does not have a firewall in front of it, then I would look at the firewall on the edge server.
    mitch
    Friday, July 10, 2009 3:41 PM
  • And you will need to take the gateway off the internal NIC. Be sure you set up routes in the route table to reach your internal networks (all of them that will have clients on them).
    mitch
    Friday, July 10, 2009 3:42 PM
  • We have one Cisco ASA 5540:

    Source                                  Destination                                   Service

    any                                       170.94.72.210                               5061
    any                                       170.94.72.210                               https
    any                                       170.94.72.211                               https
    any                                       170.94.72.212                               https
    any                                       170.94.72.212                               3478(UDP)
    any                                       170.94.72.212                               Communicatons
    any                                       170.94.72.212                               Communicatons(UDP)

    170.94.72.210                        any                                              IP
    170.94.72.211                        any                                              IP
    170.94.72.212                        any                                              IP

    ADEM_Internal                        any                                             ANY




    The Edge server and communications server have Windows Firewall OFF. I took the gateway off the NIC. I'm waiting for them to also add sip.adem.arkansas.gov to DNS.

    Communications Port: 50000 - 59999

    Friday, July 10, 2009 4:07 PM
  • Jacob, so DNS is correct, but I cannot telnet into that DNS name on 443 or to the IP on 443. I would highly recommend you review logs, router configs, and firewall setup.

    mitch
    Friday, July 10, 2009 5:20 PM
  • Mitch,

    Sorry, I have some HP guys that just came in to finish some server work and we had to take the DMZ offline. I'm assuming that's why you were not able to telnet when you tried.

    When I tried earlier from the outside I was able to telnet to the DNS name and IP on port 443. I have our ISP putting in the DNS A host records for sip.adem.arkansas.gov and sipexternal.adem.arkansas.gov and pointing them to 170.94.72.210.
    Friday, July 10, 2009 5:27 PM
  • Can you check the event log on the edge server? It usually will give you some good info as well.


    mitch
    Friday, July 10, 2009 5:37 PM
  • I'm so stupid!

    I was adding the firewall rules to the DMZ instead of the Outside interface. Once I did that it worked great.

    Now I gotta figure out why the add-in for Outlook isn't working for Live Meeting.

    • Edited by Jacob Dixon Saturday, July 11, 2009 12:32 AM
    Friday, July 10, 2009 11:19 PM
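    The fix above (the rules existed but were bound to the DMZ interface, not the Internet-facing one) is the kind of gap that is easy to miss by reading a rule table, because the table looks complete. The script below is an added example written for this page, not code from the thread, Cisco or Microsoft. It uses a simplified access-list model of its own (`Rule`, `Need`, `missing_rules` and `posted_rules` are names chosen here, and the `interface` field stands in for the interface an ASA access-group binds the list to); the required listeners are taken from the poster's own rule table (5061/tcp and 443/tcp to the Access Edge, 443/tcp to the conferencing and A/V addresses, 3478/udp and the 50000-59999 media range to the A/V address).

```python
"""Check that the inbound rules an Edge server needs are bound to the
interface that actually faces the Internet.

Added example, not from the thread or from Cisco/Microsoft. The rule model
is a simplified ASA-style access list with an explicit interface field.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    interface: str   # interface the list is applied to, e.g. "outside" or "dmz"
    src: str         # "any" or an address
    dst: str
    proto: str       # "tcp" or "udp"
    lo: int          # first destination port
    hi: int          # last destination port (== lo for a single port)


@dataclass(frozen=True)
class Need:
    dst: str
    proto: str
    lo: int
    hi: int
    purpose: str


# Edge listeners from the thread's table: Access Edge .210, Web Conf .211, A/V .212.
EDGE_NEEDS = [
    Need("170.94.72.210", "tcp", 5061, 5061, "Access Edge: SIP/TLS (federation)"),
    Need("170.94.72.210", "tcp", 443, 443, "Access Edge: SIP/TLS remote access"),
    Need("170.94.72.211", "tcp", 443, 443, "Web Conferencing Edge: 443/tcp"),
    Need("170.94.72.212", "tcp", 443, 443, "A/V Edge: 443/tcp"),
    Need("170.94.72.212", "udp", 3478, 3478, "A/V Edge: 3478/udp"),
    Need("170.94.72.212", "tcp", 50000, 59999, "A/V Edge: media range (tcp)"),
    Need("170.94.72.212", "udp", 50000, 59999, "A/V Edge: media range (udp)"),
]


def _covers(rule: Rule, need: Need) -> bool:
    """A rule covers a need when host, protocol and the whole port range match."""
    return (rule.dst in ("any", need.dst)
            and rule.proto == need.proto
            and rule.lo <= need.lo and rule.hi >= need.hi)


def missing_rules(rules: List[Rule], needs: List[Need], interface: str) -> List[Need]:
    """Needs with no permitting 'any'-source rule bound to `interface`."""
    bound = [r for r in rules if r.interface == interface and r.src == "any"]
    return [n for n in needs if not any(_covers(r, n) for r in bound)]


def posted_rules(interface: str) -> List[Rule]:
    """The poster's inbound rule set, bound to the given interface."""
    return [
        Rule(interface, "any", "170.94.72.210", "tcp", 5061, 5061),
        Rule(interface, "any", "170.94.72.210", "tcp", 443, 443),
        Rule(interface, "any", "170.94.72.211", "tcp", 443, 443),
        Rule(interface, "any", "170.94.72.212", "tcp", 443, 443),
        Rule(interface, "any", "170.94.72.212", "udp", 3478, 3478),
        Rule(interface, "any", "170.94.72.212", "tcp", 50000, 59999),   # "Communicatons"
        Rule(interface, "any", "170.94.72.212", "udp", 50000, 59999),   # "Communicatons(UDP)"
    ]


def report(rules: List[Rule], interface: str = "outside") -> List[str]:
    """Human-readable list of gaps on the Internet-facing interface."""
    out = []
    for n in missing_rules(rules, EDGE_NEEDS, interface):
        ports = f"{n.lo}" if n.lo == n.hi else f"{n.lo}-{n.hi}"
        out.append(f"{n.proto}/{ports} to {n.dst} not permitted on '{interface}': {n.purpose}")
    return out


if __name__ == "__main__":
    # Same rules, wrong interface: every listener shows up as unreachable.
    print("rules on dmz, checking outside:", report(posted_rules("dmz")) or "OK")
    # Same rules bound to the outside interface: nothing missing.
    print("rules on outside, checking outside:", report(posted_rules("outside")) or "OK")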
  • Ok, I seem to have everything working correctly now EXCEPT Live Meeting.

    The plugin for Outlook no longer works (Meet Now) and I can't seem to get anyone to join externally. Any idea what might cause this? This seems to be the last thing.
    Saturday, July 11, 2009 1:44 AM
  • Are you talking internal or external?

    It's weird, I just set up a user's Outlook and their 'Meet Now' button works in Outlook.

    When I try it and a couple other people we get: "A connection to the Internet could not be established. Please check your Internet Connection and try again."

    Monday, July 13, 2009 2:46 PM
  • Fixed the 'Meet Now' button.

    It was a LIVE MEETING add-in that was causing the problem. Once I uninstalled that, my Microsoft Conferencing add-in for Outlook works great. I am testing for external users now.
    Monday, July 13, 2009 2:59 PM
  • Ok, I started a LIVE meeting. Connecting externally does not work. It just says it was unable to join the meeting. I then try manually entering the Meeting ID, Entry Code, and Location and it still comes back with the same thing. I do not see anything in the event viewer (External).

    Externally:

    I go to User Accounts... my sign-in name is in there, Live Meeting Service URL is blank, but when I verify my information (Test Connection) it successfully verifies.
    But it still won't join??


    *****************************************************
    On the Edge SERVER:

    Failed to process data received from the client

    Over the past 1 minutes Office Communications Server has disconnected clients 1 time(s) as a result of invalid data being received on client connections. The last such client which was disconnected is "96.15.128.149:1213".
    Cause: Failed to process data received from client
    Resolution:
    Check and make sure that the connection came from a trustworthy client.
    Monday, July 13, 2009 3:12 PM
  • For external Live Meeting take a look at this article to see if anything helps:
    http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=67
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Monday, July 13, 2009 6:38 PM
    Moderator
  • I also noticed... Communicator works fine, but if I try to go to https://communications.adem.arkansas.gov/GroupExpansion/Int/service.asmx I get 'The certificate for the organization has been revoked'. But when you look at the certificate in IIS it's fine.

    It's just my computer? Other computers don't do it...

    ** Ok, I fixed the certificate problem. It was something to do with IE7.
    Monday, July 13, 2009 7:14 PM
  • OK so is live meeting fixed?
    mitch
    Tuesday, July 14, 2009 12:41 AM
  • I just tried it and no...

    I created a meeting and sent an email to my personal account on my other computer.
    When I clicked Join Now, it tried to connect, but then it popped up asking for login information to connect to: jacob.dixon@adem.arkansas.gov.

    I entered my username and password and no luck?

    *********************

    I did a little more reading and they said under the options you have to remove the username from the textbox. They said even if you have it unchecked to authenticate, it will still prompt. I unchecked it like it said and it didn't prompt. It brought me to the spot on the LIVE MEETING to enter a name since anonymous users are allowed. I entered a name and it still did NOT let me in. Told me to just try again later.
    Tuesday, July 14, 2009 1:11 AM
  • I also see: Failed to connect external users because the download URL is invalid.

    I am not using a reverse proxy as of yet anyway. I thought you didn't have to; you just wouldn't be able to exchange meeting content.
    Tuesday, July 14, 2009 1:56 AM
  • ********** Fixed


    I followed:

    http://support.microsoft.com/default.aspx/kb/938288


    Seems to be working! Was able to share desktop and such... what EXACTLY is it that I won't be able to do with a reverse proxy? Microsoft ISA is kind of pricey, but it looks like you can do great things with it.
    Tuesday, July 14, 2009 2:20 AM