Publishing OCS 2007 behind ISA RRS feed

  • Question

  • We have set up OCS 2007 internally and have IM working with a beta group of users. We are now trying to get the ISA portion working so you can connect from the outside world. I did not set up the OCS environment but am the ISA admin and cannot get this woring. We are running ISA 2004 Standard with Rainwall for Load Balancing/Failover. We (myself and my windows admin) spent 4 hours on the phone today with Mircosoft ISA and OCS engineers with absolutely no progress. I have a web server publishing rule configured on my ISA server for port 443 with the appropriate certificate. The test clients are manually configured to connect to our OCS name using TLS. The connection first hits the ISA server as port 5061 and fails (as this is not open through ISA) then tries 443. The connection is initiated and then immediately closed. The ISA guy is stating that the edge server is resetting the connection but the OCS guy says there is nothing wrong with the server config. They essentially keep pointing the finger at each other and we get nowhere.

    Can someone help me with this setup? We can't be the only ones trying to set this up...


    Wednesday, October 24, 2007 7:54 PM

All replies


    Hi Tricia,


    I have a very similar setup to what you have from the sound of it...and I've been able to get things working just fine. I would suggest you check out http://jason-shave.blogspot.com to get everything you need.


    On my ISA Server (ver. 2006) I have three publishing rules as follows:

    • meeting.contoso.com, allow, HTTPS Server, from 'External', to 'ip of Edge server's Web Conferencing role'
    • sip.contoso.com, allow OCS (5061), from 'External', to 'ip of Edge server's Access role'
    • ocs.contoso.com, allow HTTPS, from OCS Listener, to 'fqdn of internal OCS server hosting users'

    If your internal domain name is different than the external name you will need to make sure the certificate for your OCS Standard Edition server has a Subject Alternate Name such as "serverA.externalname.com". Your "OCS Listener" should have a certificate bound to it that matches the FQDN of your "External URL for meeting content download".


    When the OCS admin installed the product he/she specified the internal and external name, this can be changed if necessary but you can view the current setting as follows:


    Launch the OCS Admin tool and expand the Forest, then expand the Standard Edition Servers, click on the server and in the main window expand the Meeting Settings section and note the value(s) you need.


    In the end you will need three certificates from a trusted root CA to make it all work. You only need one certificate bound to the ISA listener though...


    Hope this helps.





    Thursday, October 25, 2007 2:17 AM
  • We have ISA 2004 with Rain Connect too.  After lots of testing we've concluded ISA 2004 cannot support SIP/OCS.  We are in process of testing Rain Connect with ISA 2006 on virtual server & will let you know if it works.  Otherwise we will setup separate ISA 2006 server for use with OCS & use it for reverse proxy & just the rules necessary for OCS.  Regards, Fred

    Friday, October 26, 2007 12:28 PM
  • Hi Jason,

    Your blog is in russian and there is nothing there ;) Botnet maybe?

    Tuesday, March 3, 2009 12:47 PM