Remote users unable to join Live Meeting

  • Question

  • Hi All,

    I have a fully functioning internal deployment of Communicator and Live Meeting.  Communicator client is fully functional for remote users (as long as the certificate chain for my internal CA is installed) but Live Meeting will not connect.  Additionally I get the "MTLS Connect Succeeded but received a SIP failure response" each time I run the validation wizard on the FE server. That also triggers this event log entry on the edge server, "In the past 0 minutes, the protocol stack rejected 1 requests that were looping and exhausted the Max-Forwards limit. The last such request had the From uri (sip:FE FQDN) and the To uri (sip:internal edge FQDN).
    Cause: This usually indicates an incorrect server configuration or a bad routing rule."  The best practices analyzer ran ok with no problems other than a recommended update that I installed on the edge server.


     The details of my installation are below.  I would greatly appreciate any suggestions! 


    Thank you for your time,


    Don


    Configuration:
    Pool with 1 FE, consolidated
    one edge server in DMZ, consolidated
    ISA 2006 reverse proxy in DMZ

    Certificates:
    Edge: Internal interface FQDN matches certificate Subject Name
    No SAN on certificate
    FE: Subject Name matches FQDN of pool, SAN sip.FQDN
    Internal enterprise CA is Trusted Root Certification Authority on FE and Edge server

    edge authorized internal server = FQDN pool name (should this be server name?  All references on edge server are for pool FQDN)

    DNS:
    not using any CNAME DNS records
    Internal:
    A record for FQDN of pool
    A record for FQDN of FE server interface
    A record for FQDN of edge server internal interface

    What works:
    Internal:
    All Communicator and Live Meeting functions.
    External: Communicator client fully functional, Live Meeting error message: "Live Meeting cannot connect to the meeting..."  Test Connection from Live Meeting account properties works.

    Validation Errors:
    Edge server - none
    FE server - Routing trust check and MTLS connectivity: Received a failure SIP response
    Routing trust check and MTLS connectivity: MTLS connection establishment succeeded but received a SIP
    failure response. This usually indicates lack of routing trust between the remote
    server and the current machine. Check the local and remote server certificates for any
    misconfiguration. In addition, check whether the local server is recognized
    as a trusted server by the remote server.

    Event log entry on Edge Server that appears each time Validation wizard is run on FE server:
    Some requests were rejected as they exhausted the Max-Forwards limit.

    In the past 0 minutes, the protocol stack rejected 1 requests that were looping and exhausted the Max-Forwards limit. The last such request had the From uri (sip:FE FQDN) and the To uri (sip:internal edge FQDN).
    Cause: This usually indicates an incorrect server configuration or a bad routing rule.
    Resolution:
    None needed unless the number of reported errors is large (> 100). Check whether all server routing rules are properly configured.


    Friday, August 29, 2008 6:03 PM

Answers

  • Yes, I changed it.  My edge server is colocated and the services would not start unless they all had unique port numbers.  This seems contrary to the documentation since I am using a separate NIC for each service.  Anyway, my conf port was being blocked by our firewall and my installation is working!  Thanks Delimon.  I really appreciate your assistance and time.  You rock!


    Don


    Monday, September 8, 2008 1:53 PM

All replies

  • Are your internal Certificates configured with the internal FQDN names of the servers?


    Did you configure your EDGE server fully?

    Did you connect your FE to the EDGE server by running the Configure Pool Wizard and configure External Access


    Please read the EDGE server deployment guide to the end

    http://www.microsoft.com/downloads/details.aspx?FamilyId=ED45B74E-00C4-40D2-ABEE-216CE50F5AD2&displaylang=en


    Friday, August 29, 2008 9:48 PM
  • Thank you for your reply.  I did configure the edge server fully and used the Configure Pool wizard to connect my internal server with the edge server.  I have stepped through both the internal and edge server deployment guides entirely several times!


    I am going to try using the logging tool from the FE and see what I can find out...


    Can someone explain this KB paragraph? http://support.microsoft.com/kb/948260  I am not sure how to check this part out:


    "The Communications Server 2007 Access Edge Server will check the Mutual Transport Layer Security (MTLS) Web server certificates that are assigned to the Communications Server 2007 Access Edge Server or to the Communications Server 2007 Access Edge Servers for the Subject Name value. Additionally, the Communications Server 2007 Access Edge Server will try to match this Subject Name value with the host name of the Communications Server 2007 Access Edge Server in Windows Management Instrumentation (WMI). If the Subject Name value and the host name do not match, the Communications Server 2007 Access Edge Server Validation Wizard generates the validation error message."


    On the FE server, WMI shows a host name for MSFT_SIPESTrustedServerSetting that matches IT's name.  The edge server is not listed.  It is listed in the FE properties as a trusted server.  Am I checking the correct setting?


    Tuesday, September 2, 2008 1:01 PM
  • Could you list all certificates that you have assigned to your EDGE Server and FE Server

    And specify for which interface it is configured with the FQDN of the server and external FQDN records


    Your server's FQDN must match a name in the internal certificate

    External records for EDGE Server must also be present in public external certificate


    Tuesday, September 2, 2008 9:32 PM
  • Thanks for your response!  Here is the certificate and DNS setup:


    FE Server
    Server FQDN - FEServer.internaldomain.xxx.xx.xx.us
    Certificate Subject
    POOL.internaldomain.xxx.xxx.xx.us
    SAN
    DNS Name=POOL.externaldomain.xxx.xx.us
    DNS Name=sip.internaldomain.xxx.xxx.xx.us
    DNS Name=FEserver.internaldomain.xxx.xxx.xx.us
    DNS Name=POOL.internaldomain.xxx.xxx.xx.us


    Edge Server Internal
    Server FQDN - Edgeserver.internaldomain.xxx.xxx.xx.us
    Certificate Subject
    Edgeserver.internaldomain.xxx.xxx.xx.us
    SAN
    none

    Edge Server External Access from digicert
    Certificate Subject
    sip.externaldomain.xxx.xx.us

    Edge Server External Conference from digicert
    Certificate subject
    conf.externaldomain.xxx.xx.us

    Edge Server External AV domain from AD CA
    Certificate Subject
    av.externaldomain.xxx.xx.us

    ISA Reverse proxy from AD CA
    Certificate Subject
    webfarm.externaldomain.xxx.xxx.xx.us

    DNS - A Records
    Internal
    FEServer.internaldomain.xxx.xxx.xx.us 10.2.1.5
    POOL.internaldomain.xxx.xxx.xx.us 10.2.1.5
    Edgeserver.internaldomain.xxx.xxx.xx.us 10.2.1.6

    External
    sip.externaldomain.xxx.xx.us 205.x.x.1
    conf.externaldomain.xxx.xx.us 205.x.x.2
    av.externaldomain.xxx.xx.us 205.x.x.3
    ISA Reverse Proxy.externaldomain.xxx.xxx.xx.us 205.x.x.4


    Wednesday, September 3, 2008 3:38 PM
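The rule Delimon states (each server's FQDN must appear in its internal certificate, and every published external name must appear in the public certificate) can be checked mechanically against the listing above. The following is an added example, not code from the thread or from Microsoft. It models the posted certificate and DNS layout as constructed sample data, with the placeholder domains `internaldomain.example` and `externaldomain.example` standing in for the redacted names, and reports any FQDN an interface is reached by that its certificate does not cover. It also models the follow-up question about the SIP domain: following the suggestion made later in the thread, the internal Edge certificate is additionally required to cover `edgeserver.<SIP domain>`, so the same audit run with an external SIP domain flags the SAN-less internal Edge certificate. Wildcard matching is included as a generalization; the listed certificates use none.

```python
"""Certificate name-coverage audit for an OCS 2007 Front End / Edge deployment.

Added example, not from the thread. The sample data is constructed from the
certificate and DNS listing in the post; internaldomain.example and
externaldomain.example are placeholders for the redacted domain names.
"""


def name_matches(required: str, cert_name: str) -> bool:
    """Match one required FQDN against one Subject CN / SAN DNS entry.

    DNS names compare case-insensitively (the post mixes FEServer/FEserver).
    A wildcard is honoured only in the leftmost label and must leave at least
    two labels, which is how TLS clients evaluate it.
    """
    required = required.lower().rstrip(".")
    cert_name = cert_name.lower().rstrip(".")
    if required == cert_name:
        return True
    if cert_name.startswith("*."):
        labels = required.split(".")
        return len(labels) > 2 and ".".join(labels[1:]) == cert_name[2:]
    return False


def uncovered(required_fqdns, subject_cn, sans=()):
    """Return the required names that neither the Subject CN nor any SAN covers."""
    cert_names = [subject_cn, *sans]
    return [r for r in required_fqdns
            if not any(name_matches(r, n) for n in cert_names)]


# (interface, FQDNs it is reached by, certificate Subject CN, SAN DNS names)
# Constructed from the thread's listing.
INTERFACES = [
    ("FE server / pool",
     ["POOL.internaldomain.example", "FEServer.internaldomain.example",
      "sip.internaldomain.example"],
     "POOL.internaldomain.example",
     ["POOL.externaldomain.example", "sip.internaldomain.example",
      "FEserver.internaldomain.example", "POOL.internaldomain.example"]),
    ("Edge internal",
     ["Edgeserver.internaldomain.example"],
     "Edgeserver.internaldomain.example", []),
    ("Edge external: Access",
     ["sip.externaldomain.example"], "sip.externaldomain.example", []),
    ("Edge external: Web Conferencing",
     ["conf.externaldomain.example"], "conf.externaldomain.example", []),
    ("Edge external: A/V",
     ["av.externaldomain.example"], "av.externaldomain.example", []),
    ("ISA reverse proxy",
     ["webfarm.externaldomain.example"], "webfarm.externaldomain.example", []),
]


def audit(interfaces=INTERFACES, sip_domain="internaldomain.example"):
    """Map each interface to the names its certificate fails to cover.

    Following the suggestion in the thread, the internal Edge certificate must
    also cover edgeserver.<SIP domain>. With the SIP domain in the internal
    namespace that name is already the Subject CN; with an external SIP domain
    the SAN-less internal Edge certificate is flagged.
    """
    report = {}
    for name, required, cn, sans in interfaces:
        required = list(required)
        if name == "Edge internal":
            required.append(f"Edgeserver.{sip_domain}")
        missing = uncovered(required, cn, sans)
        if missing:
            report[name] = missing
    return report


if __name__ == "__main__":
    for label, sip in (("SIP domain internal", "internaldomain.example"),
                       ("SIP domain external", "externaldomain.example")):
        gaps = audit(sip_domain=sip)
        print(f"{label}: {'all names covered' if not gaps else gaps}")
```

Run as-is it reports every interface covered for the internal SIP domain and one gap (`Edgeserver.externaldomain.example` on the internal Edge certificate) for the external one. To audit a real deployment, replace the constructed tuples with the Subject and SAN values read from each certificate's Details tab.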
  • What is your SIP Domain?

    Is it externaldomain.xxx.xxx.xx.us ?


    Then you also need to add that to the Internal EDGE Server Cert in the SAN list

    edgeserver.externaldomain.xxx.xxx.xx.us


    Wednesday, September 3, 2008 4:21 PM
  • You might also try out this tool that helps you with everything related to EDGE Server configuration


    Edge Planning Tool for Office Communications Server 2007

    http://www.microsoft.com/downloads/details.aspx?familyid=149e5dd5-eaae-46b6-afba-01c31e88a275&displaylang=en&tm


    Wednesday, September 3, 2008 4:53 PM
  • My SIP domain is internaldomain.xxx.xxx.xx.us.  


    Checking out the link you posted now... 


    Wednesday, September 3, 2008 8:14 PM
  • The edge server planning tool showed everything to be ok.


    My pwconsole log lists this:

    "[MC] 19:11:31:465 GMT [PID 3896] [THREAD 3736]  [W ] [X-PSOM] Unable to connect to server. Error code: 10060
    [MC] 19:11:31:465 GMT [PID 3896] [THREAD 3736]  [I ] [X-PSOM] Socket: Trying to connect through HTTP Proxy. conf.externaldomain: port
    [MC] 19:11:31:465 GMT [PID 3896] [THREAD 3736]  [E ] [X-PSOM] HttpProxy: Cannot find proxy. Autodetect not set and manual not specified.
    [MC] 19:11:31:465 GMT [PID 3896] [THREAD 3736]  [F ] [X-PSOM] HttpProxy: Unable to find a proxy !!!.


    The port number is correct. How should I troubleshoot this?"


    netstat shows the conf edge server listening on the correct port

    I can ping the conf.externaldomain from the outside


    Thursday, September 4, 2008 7:52 PM
  • Are you sure that firewalls are not blocking client or server connections?

    Can you do a telnet to host with correct port?


    Winsock Errors

    http://msdn.microsoft.com/en-us/library/ms740668.aspx

    WSAETIMEDOUT
    10060

    Connection timed out.

    A connection attempt failed because the connected party did not properly respond after a period of time, or the established connection failed because the connected host has failed to respond.


    Thursday, September 4, 2008 10:28 PM
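The telnet test Delimon asks for can be scripted so that it also says why a connect failed, which is the distinction that matters here: a firewall that silently drops packets produces a timeout (Winsock 10060, WSAETIMEDOUT, the code in the pwconsole log), whereas a reachable host with nothing published on the port answers with a reset (connection refused). The following is an added example, not code from the thread; the hostnames are constructed placeholders for the redacted names in the post, and the port list assumes the default public ports for a consolidated Edge, which must be edited if, as in this thread, a public port was changed.

```python
"""TCP reachability probe for an Edge server's published listeners.

Added example, not from the thread. It performs the same test as "telnet host
port" but classifies the failure. Hostnames are constructed placeholders.
"""
import socket

# Published external names and the default public ports of a consolidated
# Edge. The thread notes the Web Conferencing port had been changed from 443,
# so adjust this list to the ports actually configured on the Edge.
EDGE_LISTENERS = [
    ("sip.externaldomain.example", 5061),   # Access Edge, SIP over TLS
    ("conf.externaldomain.example", 443),   # Web Conferencing Edge (PSOM over TLS)
    ("av.externaldomain.example", 443),     # A/V Edge authentication
]


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt a TCP connect and classify the outcome.

    Returns one of "open", "timeout", "refused", "unresolved", or
    "error:<errno>" for anything else (for example, no route to host).
    """
    try:
        infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    except socket.gaierror:
        return "unresolved"           # external DNS record missing
    family, socktype, proto, _, sockaddr = infos[0]
    with socket.socket(family, socktype, proto) as s:
        s.settimeout(timeout)
        try:
            s.connect(sockaddr)
        except socket.timeout:          # silent drop: the WSAETIMEDOUT 10060 case
            return "timeout"
        except ConnectionRefusedError:  # host reachable, nothing listening there
            return "refused"
        except OSError as exc:
            return f"error:{exc.errno}"
    return "open"


def probe_all(listeners=EDGE_LISTENERS, timeout: float = 3.0) -> dict:
    """Probe every listener and return {"host:port": status}."""
    return {f"{host}:{port}": probe(host, port, timeout)
            for host, port in listeners}


if __name__ == "__main__":
    for target, status in probe_all().items():
        print(f"{target:40} {status}")
```

Run it from a host outside the perimeter: "open" on the Access Edge port together with "timeout" on the conferencing port is the pattern this thread ends with, and it points at a firewall rule rather than at certificates or SIP routing. "refused" instead means the packet arrived but the service is not listening on that public port, so the Edge's port configuration should be compared with netstat on the server.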
  • I can telnet to sip.externaldomain:5061 from the outside but not to conf.externaldomain:8057.


    I can telnet to conf.externaldomain:8057 from the internal network but not from the outside.  I'll check with our WAN admin on this one.  With a combined edge server configuration is it possible that the routing table on the edge server is causing the problem? 


    Friday, September 5, 2008 1:37 PM
  • If you connect from external (internet) you have by default port 443 configured unless you changed the public port


    Saturday, September 6, 2008 8:39 PM