OCS Edge access for external - have to add SIP domain to Edge internal SIP domains list?

  • Question

  • Hi,
    I am deploying OCS 2007 R2 on top of HMC 4.5. Once I finished all the steps according to the HMC 4.5 help file, I found I can't sign in with my SIP account using the external Access Edge server. The error message is: 'Cannot sign in because the server is temporarily unavailable. If the problem persists, contact your system administrator'. So I am trying to find any useful message log in Windows Event Viewer, but no luck.

    My environment:

    OCS Edge Server: Windows Server 2008 Standard with SP2 64-bit
      OCS 2007 R2 Enterprise
      1 Private Interface: internal communications
        Cert issued by an internal trusted CA.
      1 Public Interface binding 3 IPs: for public use.
        Certs issued by DigiCert

    OCS Front End Server (with all roles installed): Windows Server 2008 Standard with SP2 64-bit
      OCS 2007 R2 Enterprise
      1 Private Interface: internal communications
        Cert issued by an internal trusted CA.
        IIS certs issued by DigiCert

    OCS pool name: OCSPOOL01
    My internal domain name: domainabc.local
    My SIP domain: domainabc.com
    SRV records and DNS settings are ready and tested.
    OCS SIP server: sip.domainabc.com

    Pool/Front End authentication: NTLM only
    All OCS-enabled users can sign in to OCS internally.
    According to the HMC 4.5 help file, there should be only domainabc.local listed in the Edge server SIP domains list.

    Below is my research:
    1. When I use @domainabc.com to sign in to OCS from the external Access Edge server, it failed. So I changed the user's SIP URI to @domainabc.local, and it works.
    2. I changed this user's SIP URI back to @domainabc.com again, then added my SIP domain domainabc.com to the Edge SIP domain list, tried signing in with Communicator, and it works!
    3. Changed the Front End authentication method to 'Both Kerberos and NTLM', kept domainabc.com listed in Edge internal; both @domainabc.com and @domainabc.local can sign in.
    After that, I restored NTLM and changed the user's URI to domainabc.com, then I performed the validation check on the Edge server. I got an error message on the 'check user logon' step:

    Attempting to login user using NTLM   Maximum hops: 2
    Successfully established security association with the server: User user1 Domain domainabc.local Protocol NTLM Target Z3OCSPOOL01.domainabc.local
    User registration succeeded: User sip:user1domainabc.local @ Server Z3OCSPool01.domainabc.local
      Success
    Attempting to login user using NTLM   Maximum hops: 2
    Failed to establish security association with the server: User user2 Domain domainabc.com Protocol NTLM Server Z3OCSPOOL01.domainabc.local Target Invalidated
    Suggested Resolution: Check whether the typed password and sign-in name are correct. Check whether the user is present in the AD and enabled for SIP. Check whether the target server is part of the Windows AD domain in which this user account is present. If this is a Kerberos failure check whether the client machine has access to the KDC. In some cases, Kerberos SA negotiation failures may be expected and hence can this error can be ignored.

    Front End/Web Components validation checks are successful.
    Can anyone help fix this issue?

    Thanks,
    Randy
    Monday, October 12, 2009 7:38 AM

Answers

  • Hi Gavin,
    Thanks for your post. Let's say we have 2 SIP domains, one named domaina.com and another domainb.com, and the Access Edge server has 1 public cert with common name - FQDN: sip.domainc.com. If my understanding is right, auto logon needs 2 basic settings: 1. Add all SIP domains' FQDNs to the public cert's subject alternative name; 2. Create an SRV record for each domain.
    I am using manual logon: I just specify the external server name as sip.domainc.com, make sure the SRV record for it and the Access Edge's public cert match its FQDN, and there is no need to add other SIP domains' FQDNs to the subject alternative name.
    I have implemented OCS R1 and even R2 successfully before; the certs and DNS/server settings are exactly the same, and all SIP domain users can log on!! The only difference is that after installing some OCS hotfixes, things went weird. Even when I uninstalled all OCS servers, removed the pool, undid domain/forest prep, and then reinstalled everything, no luck.
    Now I have added all SIP domains to the internal list on the Edge server, and all OCS functions and LiveMeeting are working well. I just don't understand why I have to do this.

    Regards,
    Randy
    Monday, October 19, 2009 1:14 PM
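As an added illustration (not code from the thread or from Microsoft), the script below turns the two auto-logon prerequisites Randy lists (an SRV record per SIP domain, and that record's target present on the Access Edge public certificate) plus the Edge internal SIP domain list into a configuration check; the sample data is constructed to mirror the domaina.com / domainb.com / sip.domainc.com scenario, and the data structures and function names are assumptions.

```python
from dataclasses import dataclass

@dataclass
class EdgeConfig:
    cert_names: list      # CN plus SANs on the Access Edge public cert (constructed input)
    srv_targets: dict     # SIP domain -> target host of its _sip._tls SRV record (constructed)
    edge_sip_domains: list  # domains in the Edge server's internal SIP domains list

def name_matches(cert_name: str, host: str) -> bool:
    """Exact match, or a single-label wildcard in the leftmost label only."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if cert_name == host:
        return True
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                     # ".domainc.com"
        prefix = host[: -len(suffix)] if host.endswith(suffix) else None
        return bool(prefix) and "." not in prefix  # wildcard covers one label
    return False

def check_sip_domain(cfg: EdgeConfig, sip_domain: str) -> list:
    """Return findings for one SIP domain; an empty list means it passes."""
    findings = []
    target = cfg.srv_targets.get(sip_domain.lower())
    if target is None:
        findings.append(f"{sip_domain}: no _sip._tls SRV record")
    elif not any(name_matches(n, target) for n in cfg.cert_names):
        findings.append(f"{sip_domain}: SRV target {target} is not on the Edge certificate")
    if sip_domain.lower() not in (d.lower() for d in cfg.edge_sip_domains):
        findings.append(f"{sip_domain}: not in the Edge internal SIP domains list")
    return findings

def check_all(cfg: EdgeConfig, sip_domains: list) -> dict:
    return {d: check_sip_domain(cfg, d) for d in sip_domains}

# Constructed sample: one public cert for sip.domainc.com, an SRV record only for
# domaina.com, and an Edge list that still only carries the internal AD domain.
SAMPLE = EdgeConfig(
    cert_names=["sip.domainc.com"],
    srv_targets={"domaina.com": "sip.domainc.com"},
    edge_sip_domains=["domainabc.local"],
)

if __name__ == "__main__":
    for domain, findings in check_all(SAMPLE, ["domaina.com", "domainb.com"]).items():
        print(domain, "OK" if not findings else "; ".join(findings))
```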

All replies

  • Do you have the additional SIP domain added to the external certificates?  Take a look at this article for some more details:
    http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=79

    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Monday, October 12, 2009 10:57 AM
    Moderator
  • Hi Jeff,
    Thanks for your reply. I am using manual logon, so I think we don't need to add the SIP domain to the external cert.
    Forgot to say, previously I implemented OCS 2007 RTM with the same cert settings, and all worked! Later I uninstalled OCS 2007 RTM, then prepared a new 64-bit environment and installed OCS R2. At the very beginning, all worked except address book downloading. I reinstalled Front End/Web Components several times and applied some hotfixes; finally I got the ABS issues fixed, but I found external users can't sign in. After reinstalling the OS and OCS servers, the problem still exists. So I am posting my issue here and want to get your help.
    It seems the client doesn't use NTLM authentication and is always trying to use Kerberos?

    BTW, go to https://www.testocsconnectivity.com/default.aspx and check the result:

    Testing OCS remote sign in through Access Edge Server: Port Number (sip.domainabc.com:443), for SignInAddress (user2#domainabc.com).
      The specified user failed to register successfully with the OCS Server.

     Additional Details
      User failed to signin
      Fatal error: Register exception: Response Code 504, Deregister Reason None, Response Text Server time-out


    Regards,
    Randy
    Tuesday, October 13, 2009 1:48 AM
  • Hi
    Per your description, the issue seems to be caused by the cert.
    And what do you mean by "I am using manual logon, so I think we don't need to add the SIP domain to the external cert"?
    I think it is needed. If you do not use the auto logon feature, you just don't have the SRV record for it.
    Jeff gave a good suggestion; you can try that, or you can refer to the links below:
    http://technet.microsoft.com/en-us/library/dd441368(office.13).aspx
    http://technet.microsoft.com/en-us/library/cc498719.aspx

    If I misunderstand your issue, please tell me.
    Regards!
    Monday, October 19, 2009 5:39 AM
    Moderator