locked
Cannot connect to OCS IM from outside network using edge RRS feed

  • Question

  • I have deployed OCS for IM purposes only. Internally, my test users can connect and send IMs just fine. So I deployed an Edge for external users. I am not using ISA, and currently, for testing, I have the public facing network card of my edge on the Internet with one of our public IPs. I have the edge configured to listen for connections on port 443 (no federation is allowed). I have added the following DNS entries to my public DNS:

    SVR record:  _sip._tls.domain.com    sip.domain.com    port:443
    A record:    sip.domain.com          209.12.xxx.28.

    However, when a Communicator users tried to connect from outside the firewall, I get this in event viewer:

    Source: Communicator
    Event ID: 7
    Description: Communicator failed to connect to server sip.domain.com (address) on port 443 due to error 10060. The server is not listening on the port in question, the service is not running on this machine, the service in not responsive, or network connectitivity doesn't exist.

    I have double-checked everything listed in the Resolution section. Can someone tell me what I am missing??
    Thanks!!
    CB
    Thursday, October 30, 2008 4:19 PM

All replies

  • Can you telnet directly to TCP443 on the external IP address from an external host?  Are there any errors in the event log that show if the service is working or not?

    Thursday, October 30, 2008 4:46 PM
    Moderator
  • Well, no I cannot telnet to the edge server. Should I be able to?? From an external host, when I type telnet
    208.12.xxx.28 443, it fails.

    On the edge server, under the OCS section of the event viewer, there are about 50 successes....no errors and no warnings.
    Thanks!
    CB
    Thursday, October 30, 2008 4:59 PM
  • If you can't establish a telnet connection, then Communicator won't be able to communicate with the Edge. You have an issue with your firewall or the service isn't listening on that port.

     

    Jamie Schwinn

    www.systmsny.net

     

    Thursday, October 30, 2008 5:38 PM
  • OK - Thanks for the help with that!!! I can now telent to the edge server.

    Now I get an instant failure when trying to connect. The event viewer shows "Communicator was unable to resolve the DNS hostname of the login server sipinternal.domain.com." Then another similar message about sipexternal.domain.com. That's because I don't have an A records for those.....? My A record is for sip.domain.com and my certificate is for that name. Why is it looking for sipinternal.domain.com? Can I tell it to just look for sip.domain.com?

    I am using automatic configuration.
    Thanks again!!


    EDIT: my public DNS entries are posted above in first post.
    Thanks!
    Thursday, October 30, 2008 6:50 PM
  • Do I need to change my certificate and add a name for sipexternal.domain.com?
    Thanks in advance.
    Chris
    Monday, November 3, 2008 6:06 PM
  • Chris,

     

    Ideally your Access Edge certificate subject name should be sip.domain.com.  Take a look at this article to see if it helps clear-up how the Automatic Configuration process works for OC client connection:

    http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=14

     

    IMO, the only place that the sipinternal and sipexternal hostnames really should be used is when SRV records are not supported by the external DNS host and split-DNS isn't available as recommended.  Stick with using the sip. hostname as it offers the best flexibility.

    Monday, November 3, 2008 6:26 PM
    Moderator
  • Thanks for your help Jeff. I read your blog post on the issue. So to clarify, I think I need to add:
    _sipinternal._tls.domain.com
    and point it back to sip.domain.com. Right?

    Thursday, November 6, 2008 4:59 PM
  • Are you taking about adding an internal or external SRV record?  Externally the only record you need is the _sip._tls.domain.com records.  The _sipinternal should only be used (if at all) on internal DNS servers.

    Thursday, November 6, 2008 8:17 PM
    Moderator
  • I am sorry....I think I am confusing the issue.

    These are the records I have on my external DNS:

    SVR: _sip._tls.domain.com which points to sip.domain.com on port 443.
    A record for sip.domain.com that points to the IP Address of the edge.

    However, I get errors when trying to connect from outside the firewall that say this:

    Communicator unable to resolve the DNS hostname of sipinternal.domain.com;
    Communicator unable to resolve the DNS hostname of sipexternal.domain.com;
    Communicator could not securely connect to the server sipexternal.domain.com because the certificate presented by the server does not match the expected hostname.


    So my overall question is what am I missing here. I have the external DNS entries that I need, but outside users cannot connect using Communicator. I think Communicator is connecting to the wrong host names. Communicator is set for Automatic configuration.

    Thanks in advance.
    Thursday, November 6, 2008 8:32 PM
  • According to that a name resolution is happening for sipexternal.domain.com but you probably have a certificate Subject Name on the Access Edge of sip.domain.com, hence the cert error.  Verify that you don't have a sipexternal.domain.com A record in DNS or in a host file entry on the workstation.

     

    If your external SRV record is configured correctly then the OC client should not be even attempting to perform the fallback DNS A record lookups.

    Thursday, November 6, 2008 9:25 PM
    Moderator
  • OK...then my SVR record must not be configured correctly...and since I don't manage the DNS I can only tell you what they tell me. Can you tell me if this look right?

    _sip._tls.domain.com.    86400   IN      SRV     0 0 443 sip.domain.com.
    sip.domain.com.          86400   IN      A       209.12.xx.28

    Thursday, November 6, 2008 9:31 PM
  • That looks correct.

     

    Try configuring OC with Manual Configuration and use "sip.domain.com:443" as the External Server setting in the client.  This will eliminate your SRV/A lookup and connect directly to the Access Edge server.  You can then see if you have a certificate name-mismatch or some other configuration issue.

     

    Friday, November 7, 2008 1:12 PM
    Moderator
  • Jeff. Thanks for the tip. When I configure the client manually, I still get the "Cannot sign in because the server is temporarily unavailable" but I get nothing in the event viewer of the client or the front end server.....
    Not sure where to go from here. Any ideas?
    Thanks!
    CB
    Monday, November 17, 2008 9:21 PM
  • Are you still able to telnet to the server directly?  It sounds like it's either not listening or traffic isn't reaching the Edge server.

     

    Monday, November 17, 2008 9:46 PM
    Moderator
  • Yes, when I telnet, I get a connection, with a blank screen. In other words, I can't do anything there, but I get a connection. Pressing "enter" yeilds just a line with a carriage return.
    Thanks again for your help!
    Tuesday, November 18, 2008 3:14 PM
  • Ok, that test validates that you are getting to something that is listening on the correct ports.  Can you post a re-cap of where the issue is currently at?

     

    Tuesday, November 18, 2008 4:32 PM
    Moderator
  • Sure.

    - I stood up a OCS 07 server for IM purposes only.
    - Internally, IM works great with Automatic configuration on the Comm 07 client.
    - Stood up an OCS 07 Edge. It's got 2 NICs, one internal and one public.
    - Added these entries to my externally hosted DNS:
    _sip._tls.domain.com.   86400   IN      SRV    0 0 443 sip.domain.com
    sip.domain.com.         86400   IN    A       209.12.xxx.xxx

    I have no other sip-related DNS entries in my zone file.

    - In automatic configuration, from outside the network, I get these errors in the Application log of the machine trying to connect: "Communicator was unable to resolve the DNS hostname of the login server sipinternal.domain.com"; AND "Communicator could not connect securely to server sipexternal.icsfl.com because the certificate presented by the server did not match the expected hosname (sipexternal.domain.com)". I get those errors back to back.

    -In manual mode, with the external server configured to "sip.domain.com:443" and TLS checked, I don't get connected, but also don't get a single error is the Application log. I just get "Cannot sign in because the server is temporarily unavailable." This is true to whether I put TLS or TCP, or try on ports 443 or 5061.

    - I can telnet to sip.domain.com 443, however, I get a blank screen with horizontal lines when I press enter.

    I think that sums it up. Basically, I am completely unable to connect from outside through the Edge to my OCS2007 server using IM. Internally, it works fine.

    Thanks!!

    <!--[endif]-->

    Tuesday, November 18, 2008 7:18 PM
  • For one, you won't be able to connect to the Edge Server via TCP, it's TLS-only.  TCP

    connections are only used for internal client connectivity, if desired.  Certificates are required for all external client communications and any server-to-server (MTLS) communications.

    Tuesday, November 18, 2008 9:08 PM
    Moderator
  • In case anyone runs into this issue...I wanted to post the answer.

    I was using the same 3rd party SAN certificate for both the internal and external connections on the edge server. Once I created a self signed cert for the internal side, with a different name, everything started working. I could not really find this posted anywhere in the documentation.

    Thanks,
    CB
    Monday, December 8, 2008 3:03 PM
  • Using a self-signed certificate on the Edge server's internal interface is not the recommended deployment. You should be issuing a certificate request for the FQDN of the Edge server's name against the internal Enterprise CA.  These steps are detailed in the Edge Server Deployment Guide starting on page 70.

    Configuring the Certificates on Your Internal Interface

    14.     Submit this file to your CA (by e-mail or other method supported by your organization for your Enterprise CA) and, when you receive the response file, copy the new certificate to this computer so it is available for import.

    Monday, December 8, 2008 3:59 PM
    Moderator
  • Thanks...I guess I over looked that.

    Monday, December 8, 2008 10:26 PM
  • recently deployed OCS 2007 R2 in our environment with Communicator Web Access. Successfully login on https://ocs.domain.com , but continuously receiving problems with signing in Microsoft Office Communicator 2007. I have given ocs.domain.com as internet and external server addresses, even checked with port 443 but keep saying in log that

    "Communicator failed to connect to server ocs.domain.com (XX.XX.XXX.XXX) on port 5061 due to error 10060.  The server is not listening on the port in question, the service is not running on this machine, the service is not responsive, or network connectivity doesn't exist.
     
    Resolution:
    Please make sure that your workstation has network connectivity.  If you are using manual configuration, please double-check the configuration.  The network administrator should make sure that the service is running on port 5061 on server ocs.domain.com (XX.XX.XXX.XXX) ."

    when i searched it online i came on this thread, also wondering whether Office Communicator 2007 functions with Communicator Web Access or I have to configure Edge Server for that??? but than Edge server can't coexist with Communicator Web Access........

    Help appreciated
    Thursday, September 24, 2009 11:10 AM
  • Hi Salman,

    is your Front-End Service running?
    is port 5061 reachable, try "telnet ocs-server 5061"
    is your ocs port 5061? default is 5061 but maybe you have changed that somehow, you can check this in admintools

    hope this helps
    Thursday, September 24, 2009 11:47 AM
  • You've posted this question in many threads related to Edge Server topics but it appears you are talking about connecting to an internal Front-End Server.    Do you have the Windows firewall disabled on the server?

    Also the Edge Server and CWA Server are completely separate components that must be installed on separate computers and offers different functionality.  Neither is required to allow for internal client sign-in.  either can be used for external support, with an Edge server allowing external access using the standard Communicator client while CWA offers access from a web browser.

    I suggest you read through the Supported Topologies section of the documentation to get a better understanding of which components offer what features: http://technet.microsoft.com/en-us/library/dd425322(office.13).aspx


    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Thursday, September 24, 2009 12:53 PM
    Moderator
  • @Jeff Schertz - thanks for answer, i delete questions from other threads.... as i had normally late-answer time at other forums and expected same here :)
    so you are saying that... we cannot connect office communicator 2007 with our OCS 2007 R2, if we have only CWA on that box???

    @g30cs - yes front-end service is running, firewall is off but unable to telnet on port 5061.
    Thursday, September 24, 2009 1:53 PM
  • I don't understand your question.  CWA on 'what' box?  Communcator Web Access has nothing to do with comnnecting the Communcator 2007 clients to the OCS 2007 R2 Front-End Server.  CWA simply offers the ability to sign-in to OCS WITHOUT the client by using a web browser instead.  It's the same as what Outlook Web Access does for Exchange Server.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Thursday, September 24, 2009 2:08 PM
    Moderator
  • CWA on OCS 2007 R2 machine (box).... however, I am understanding that Office Communicator 2007 doesn't works with Communicator Web Access role only. I have to configure Edge server on separate machine for Office communicator 2007 connectivity for live, external users.
    Thursday, September 24, 2009 2:45 PM
  • Correct, CWA is not supported if installed on the OCS Front-End server, it should be installed on a spearate server.  The Edge server also needs to be on a completely separate server as well.  You will need three servers.  The Edge server must also not be in the domain but in a stand-alone workgroup and should not be installed on the internal LAN but in a Perimeter network.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Thursday, September 24, 2009 3:07 PM
    Moderator