OCS Edge access for external - have to add SIP domain to Edge internal SIP domains list?

Question
Hi,
I am deploying OCS 2007 R2 on top of HMC 4.5. Once I finished all steps according to the HMC 4.5 help file, I found I can't sign in with my SIP account through the external Access Edge server. The error message is: 'Cannot sign in because the server is temporarily unavailable. If the problem persists, contact your system administrator'. So I tried to find any useful log message in Windows Event Viewer, but no luck.
My environment:
OCS Edge Server: Windows Server 2008 Standard with SP2 64-bit
OCS 2007 R2 Enterprise
1 Private Interface: internal communications
Cert issued by an internal trusted CA.
1 Public Interface binding 3 IPs: for public use.
Certs issued by DigiCert
OCS Front End Server (with all roles installed): Windows Server 2008 Standard with SP2 64-bit
OCS 2007 R2 Enterprise
1 Private Interface: internal communications
Cert issued by an internal trusted CA.
IIS Certs issued by DigiCert
OCS POOL name: OCSPOOL01
My internal domain name: domainabc.local
My SIP domain: domainabc.com
SRV records and DNS settings are ready and tested.
OCS SIP Server: sip.domainabc.com
Pool/Front End Authentication: NTLM only
All OCS enabled users can sign in OCS internally.
According to the HMC 4.5 help file, only domainabc.local should be listed in the Edge server's SIP domains list.
Below is my research:
1. When I use @domainabc.com to sign in to OCS through the external Access Edge server, it fails. So I changed the user's SIP URI to @domainabc.local, and it works.
2. I changed this user's SIP URI back to @domainabc.com, then added my SIP domain domainabc.com to the Edge SIP domain list and tried signing in with Communicator: it works!
3. Changed the Front End authentication method to 'Both Kerberos and NTLM', keeping domainabc.com listed in the Edge internal list; both @domainabc.com and @domainabc.local can sign in.
After that, I restored NTLM and changed the user's URI to domainabc.com, then I performed the validation check on the Edge server; I got an error message at the 'check user logon' step:
Attempting to login user using NTLM
Maximum hops: 2
Successfully established security association with the server: User user1 Domain domainabc.local Protocol NTLM Target Z3OCSPOOL01.domainabc.local
User registration succeeded: User sip:user1domainabc.local @ Server Z3OCSPool01.domainabc.local
Success
Attempting to login user using NTLM
Maximum hops: 2
Failed to establish security association with the server: User user2 Domain domainabc.com Protocol NTLM Server Z3OCSPOOL01.domainabc.local Target Invalidated
Suggested Resolution: Check whether the typed password and sign-in name are correct. Check whether the user is present in the AD and enabled for SIP. Check whether the target server is part of the Windows AD domain in which this user account is present. If this is a Kerberos failure check whether the client machine has access to the KDC. In some cases, Kerberos SA negotiation failures may be expected and hence can this error can be ignored.
Front End/Web Components validation checks are successful.
Can anyone help fix this issue?
Thanks,
Randy
Monday, October 12, 2009 7:38 AM
Answers
Hi Gavin,
Thanks for your post. Let's say we have 2 SIP domains, one named domaina.com and another domainb.com, and the Access Edge server has 1 public cert with common name (FQDN) sip.domainc.com. If my understanding is right, auto logon needs 2 basic settings: 1. Add all SIP domains' FQDNs to the public cert's subject alternative names; 2. Create an SRV record for each domain.
I am using manual logon: I just specify the external server name as sip.domainc.com and make sure the SRV record for it and the Access Edge's public cert match its FQDN; there is no need to add the other SIP domains' FQDNs to the subject alternative names.
I have implemented OCS R1 and even R2 successfully before, with exactly the same certs and DNS/server settings, and all SIP domain users could log on!! The only difference is that after installing some OCS hotfixes, things went weird. Even after I uninstalled all OCS servers, removed the pool, undid domain/forest prep and reinstalled everything, no luck.
Now I have added all SIP domains to the internal list on the Edge server, and all OCS functions and LiveMeeting are working well. I just don't understand why I have to do this.
Regards,
Randy
- Marked as answer by Gavin-Zhang (Moderator), Friday, October 23, 2009 8:19 AM
Monday, October 19, 2009 1:14 PM
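The marked answer lists two auto-logon prerequisites per SIP domain (a `_sip._tls` SRV record and the domain's FQDN in the Edge certificate's subject alternative names). The following PowerShell is an added example, not code from the thread or from Microsoft: it checks both prerequisites for a list of SIP domains against an Access Edge server from any Windows host. It assumes `Resolve-DnsName` (DnsClient module, Windows 8 / Server 2012 or later) and TCP reachability to the Edge external interface on port 443; the domain names in the usage line are the thread's placeholder examples and are constructed.

```powershell
# Added example (not from the thread): check the two auto-logon prerequisites
# described in the answer for each SIP domain against an Access Edge server.
# Assumes Resolve-DnsName (DnsClient module) and that the Edge answers on TCP 443.

function Get-EdgeCertificateNames {
    param([Parameter(Mandatory)][string]$EdgeFqdn, [int]$Port = 443)
    # Open a TLS session and read the certificate the Edge presents. Chain
    # validation is deliberately bypassed here: we only want the names it carries,
    # even if the chain would fail on this host.
    $client = New-Object System.Net.Sockets.TcpClient($EdgeFqdn, $Port)
    try {
        $stream   = $client.GetStream()
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $callback
        $ssl.AuthenticateAsClient($EdgeFqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $names = @()
        # Subject common name
        $names += ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' }) -replace '^CN=', ''
        # Subject alternative names (OID 2.5.29.17); Format() yields "DNS Name=..." lines on Windows
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            $names += ($san.Format($true) -split "`r?`n" |
                Where-Object { $_ -like 'DNS Name=*' }) -replace '^DNS Name=', ''
        }
        return $names | ForEach-Object { $_.Trim().ToLowerInvariant() } | Sort-Object -Unique
    } finally {
        $client.Close()
    }
}

function Test-OcsSipDomain {
    param(
        [Parameter(Mandatory)][string[]]$SipDomain,
        [Parameter(Mandatory)][string]$EdgeFqdn
    )
    $certNames = Get-EdgeCertificateNames -EdgeFqdn $EdgeFqdn
    foreach ($d in $SipDomain) {
        # Auto logon: the client queries _sip._tls.<sipdomain> and connects to the SRV target,
        # so the target must resolve and must be a name the Edge certificate covers.
        $srv = Resolve-DnsName -Name "_sip._tls.$d" -Type SRV -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'SRV' }
        $targets = @($srv | ForEach-Object { $_.NameTarget.TrimEnd('.').ToLowerInvariant() })
        $targetOnCert = ($targets.Count -gt 0) -and
            (@($targets | Where-Object { $certNames -contains $_ }).Count -eq $targets.Count)
        [pscustomobject]@{
            SipDomain       = $d
            SrvRecordFound  = ($targets.Count -gt 0)
            SrvTarget       = ($targets -join ',')
            SrvTargetOnCert = $targetOnCert
            SipNameOnCert   = ($certNames -contains "sip.$d")   # the per-domain FQDN the answer refers to
        }
    }
}

# Usage with the thread's constructed example names:
Test-OcsSipDomain -SipDomain 'domaina.com', 'domainb.com' -EdgeFqdn 'sip.domainc.com' | Format-Table -AutoSize
```

A row with `SrvRecordFound` false is the manual-logon case the poster describes (the client is told the server name directly), and a row with `SipNameOnCert` false shows a domain whose FQDN is missing from the certificate's subject alternative names, which is what Jeff and Gavin asked about. The script cannot see the Edge server's internal SIP domains list, which is the setting that actually resolved the poster's sign-in failure; that still has to be checked in the Edge server's own configuration.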
All replies
Do you have the additional SIP domain added to the external certificates? Take a look at this article for some more details:
http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=79
Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
Monday, October 12, 2009 10:57 AM (Moderator)
Hi Jeff,
Thanks for your reply. I am using manual logon, so I think we don't need to add the SIP domain to the external cert.
I forgot to say, previously I implemented OCS 2007 RTM with the same cert settings, and all worked! Later I uninstalled OCS 2007 RTM, prepared a new 64-bit environment and installed OCS R2; at the very beginning, all worked except address book downloading. I reinstalled Front End/Web Components several times and applied some hotfixes; finally I got the ABS issues fixed, but I found external users can't sign in. After reinstalling the OS and the OCS servers, the problem still exists. So I post my issue here and hope to get your help.
It seems the client doesn't use NTLM authentication and always tries to use Kerberos?
BTW, I went to https://www.testocsconnectivity.com/default.aspx and checked the result:
Testing OCS remote sign in through Access Edge Server: Port Number (sip.domainabc.com:443), for SignInAddress (user2#domainabc.com).
The specified user failed to register successfully with the OCS Server.
Additional Details
User failed to signin
Fatal error: Register exception: Response Code 504, Deregister Reason None, Response Text Server time-out
Regards,
Randy
Tuesday, October 13, 2009 1:48 AM
Hi,
Per your description, the issue seems to be caused by the cert.
And what do you mean by "I am using manual logon, so I think we don't need to add the SIP domain to the external cert."?
I think it is needed. If you do not use the auto logon feature, you just don't have the SRV record for it.
Jeff gave a good suggestion; you can try that, or you can refer to the links below:
http://technet.microsoft.com/en-us/library/dd441368(office.13).aspx
http://technet.microsoft.com/en-us/library/cc498719.aspx
If I have misunderstood your issue, please tell me.
Regards!
Monday, October 19, 2009 5:39 AM (Moderator)