need help with configuring certificates for edge

  • Question

  • Hi everybody,

    I have reached a dead end with my edge-configuration. When I run the Communication Server validation of my Front End Server, I always get the error message 0xC3FC200D: "Received a SIP failure response. This usually indicates lack of routing trust between the remote server and the current machine. Check the local and remote server certificates for any misconfiguration. In addition, check whether the local server is recognized as a trusted server by the remote server."

    When I log on to the internal IP address (port 5061) of the Edge server via Telnet, I do not get an error message but a blank black screen, which I take for success.

    My configuration is as follows:


    All certificates are issued by our company SubCA (yes, I am aware that external people will have to trust our CA in order to be able to use the benefits of an Edge server).


    Front End Server:

    - is named Myservername28.internaldomain.companyname.org

    - has the IP 10.x.x.114

    - has a certificate issued to Myservername28.internaldomain.companyname.org, alternative names are "Myservername28", "Myservername28.internaldomain.companyname.org", "sip.officialdomainname.de"

    DNS / AD

    - regular Domain name is "internaldomain.companyname.org"

    - it has a forward lookup zone for "officialdomainname.de", which is also the external domain name issued by our ISP

    - the DNS resolution seems to work so far (pings are resolved and so forth). If you need additional information, just let me know.

    Edge Server

    - is outside the AD (of course)

    - is named Servername29

    - has the IP address 192.168.3.115 for the internal interface

    - the internal interface is named sipinternal.officialdomain.de

    - The certificate is issued to "Servername29". Alternative names are "sipinternal.officialdomain.de" and "Servername29"

    - in the internal configuration it says "next hop" is "Servername28.internaldomain.companyname.org" (which can be pinged), port is 5061, domain is "externaldomain.de" and the trusted servers are "Servername28", "Servername28.internaldomain.companyname.org" and "Isaservername.internaldomain.companyname.org"


    ISA-Server

    - at the moment just routes all traffic from my internal network to the Edge DMZ network

    - is connected to both networks


    In the certification path of my certificates I do see "certificate is ok", our SubCA and our RootCA are listed correctly.


    Can you give me any clues where to look for more information, what to try next or even how to solve this riddle? Thank you very much for your help!

    Monday, January 18, 2010 2:03 PM

All replies

  • This forum is for Speech Server questions.

    The OCS forums are here - http://social.technet.microsoft.com/Forums/en-US/category/ocs
    Monday, January 18, 2010 3:16 PM
  • Your Edge configuration should be modified a bit as that is probably where the problems are coming from.  Ideally you should have something like this:

    Edge Server
    Hostname: servername29.internaldomain.companyname.org
    The Edge server is not actually a member of this domain, but you manually create an internal DNS Host (A) Record for that FQDN which points to the internal Edge interface IP address (192.168.3.115).

    Access Edge FQDN: sip.officialdomainname.de
    You should not be using sipinternal as a prefix on any of the Edge server names (internal or external FQDNs).  That name is really designed for use on the Front-End server, although it doesn't have to be used there either.  I rarely use either sipinternal or sipexternal in deployment.  I almost always use just sip.

    The Edge internal certificate should only contain the Hostname and no SAN entries.  The Access Edge certificate should only contain the Access Edge FQDN.  If you need to support additional SIP domains and/or the other Edge services read the first blog article posted below.

    For further details on Edge configuration best practices, see these articles:
    http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=79
    http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=33
    http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=19


    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Monday, January 18, 2010 3:44 PM
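The naming rules in the reply above can be turned into a quick pre-flight check before running the Front End validation again. The following is an added example, not code from the thread or from any Microsoft or PointBridge tool: it models each server's certificate as its subject CN plus SAN entries and applies the reply's recommendations (Edge internal certificate carries only the internal-domain hostname, Access Edge certificate carries only the Access Edge FQDN, no sipinternal/sipexternal prefixes on Edge names) together with the routing-trust requirement behind error 0xC3FC200D (the Edge's next-hop FQDN must appear literally in the Front End certificate and in the Edge's trusted-server list). The `EdgeConfig` structure, the function names, and both sample configurations are constructed for this example; the "as posted" sample copies the names exactly as the question lists them, and it does not read real certificates.

```python
"""Naming sanity checks for an OCS Edge / Front End certificate layout.

Added example, not part of the original thread. Works on name lists only;
it does not parse or validate real certificates or their chains.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Cert:
    """Names carried by a certificate: subject CN plus subjectAltName DNS entries."""
    subject_cn: str
    sans: List[str] = field(default_factory=list)

    def names(self) -> set:
        return {self.subject_cn.lower()} | {s.lower() for s in self.sans}


def name_matches(cert: Cert, fqdn: str) -> bool:
    """Exact, case-insensitive match of fqdn against the CN or any SAN entry.
    Deliberately no wildcard handling: the configured FQDN has to appear
    literally in the peer's certificate for the SIP trust check to pass."""
    return fqdn.lower().rstrip(".") in cert.names()


@dataclass
class EdgeConfig:
    edge_internal_fqdn: str      # name the Front End uses for the Edge internal interface
    edge_internal_cert: Cert
    access_edge_fqdn: str        # external Access Edge FQDN
    access_edge_cert: Cert
    next_hop_fqdn: str           # Front End FQDN configured as the Edge's next hop
    trusted_servers: List[str]   # internal servers the Edge accepts SIP from
    front_end_cert: Cert


def check_edge_config(cfg: EdgeConfig) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # 1. Edge internal cert: the internal FQDN as subject, no additional SANs.
    if not name_matches(cfg.edge_internal_cert, cfg.edge_internal_fqdn):
        findings.append(f"edge-internal cert does not contain {cfg.edge_internal_fqdn}")
    if cfg.edge_internal_cert.sans:
        findings.append("edge-internal cert carries SAN entries; only the hostname is needed")
    # 2. Access Edge cert: subject is the Access Edge FQDN.
    if cfg.access_edge_cert.subject_cn.lower() != cfg.access_edge_fqdn.lower():
        findings.append(f"access-edge cert subject is not {cfg.access_edge_fqdn}")
    # 3. No sipinternal/sipexternal prefix on Edge names.
    for fqdn in (cfg.edge_internal_fqdn, cfg.access_edge_fqdn):
        if fqdn.lower().split(".")[0] in ("sipinternal", "sipexternal"):
            findings.append(f"{fqdn}: sipinternal/sipexternal prefix is not recommended for Edge names")
    # 4. Routing trust towards the Front End: the next-hop name must be what the
    #    Front End presents in its certificate, and must be on the trusted list.
    if not name_matches(cfg.front_end_cert, cfg.next_hop_fqdn):
        findings.append(f"front-end cert does not contain next hop {cfg.next_hop_fqdn}")
    if cfg.next_hop_fqdn.lower() not in {t.lower() for t in cfg.trusted_servers}:
        findings.append(f"next hop {cfg.next_hop_fqdn} is not in the Edge trusted-server list")
    return findings


def sample_as_posted() -> List[str]:
    """Constructed sample using the names exactly as the question lists them."""
    cfg = EdgeConfig(
        edge_internal_fqdn="sipinternal.officialdomain.de",
        edge_internal_cert=Cert("Servername29", ["sipinternal.officialdomain.de", "Servername29"]),
        access_edge_fqdn="sip.officialdomainname.de",
        access_edge_cert=Cert("sip.officialdomainname.de"),
        next_hop_fqdn="Servername28.internaldomain.companyname.org",
        trusted_servers=["Servername28", "Servername28.internaldomain.companyname.org"],
        front_end_cert=Cert("Myservername28.internaldomain.companyname.org",
                            ["Myservername28", "Myservername28.internaldomain.companyname.org",
                             "sip.officialdomainname.de"]),
    )
    return check_edge_config(cfg)


def sample_recommended() -> List[str]:
    """Constructed sample following the reply: internal-domain hostname on the
    Edge with a matching internal A record, plain sip. prefix, no extra SANs."""
    cfg = EdgeConfig(
        edge_internal_fqdn="servername29.internaldomain.companyname.org",
        edge_internal_cert=Cert("servername29.internaldomain.companyname.org"),
        access_edge_fqdn="sip.officialdomainname.de",
        access_edge_cert=Cert("sip.officialdomainname.de"),
        next_hop_fqdn="myservername28.internaldomain.companyname.org",
        trusted_servers=["myservername28.internaldomain.companyname.org"],
        front_end_cert=Cert("Myservername28.internaldomain.companyname.org",
                            ["sip.officialdomainname.de"]),
    )
    return check_edge_config(cfg)


if __name__ == "__main__":
    for label, fn in (("as posted", sample_as_posted), ("recommended", sample_recommended)):
        print(f"{label}: {fn() or ['ok']}")
```

Run against the names as written in the question, the check reports the SAN entries on the Edge internal certificate, the sipinternal prefix, and a next hop ("Servername28...") that does not appear in the Front End certificate ("Myservername28..."); whether that last difference is real or only an artifact of how the names were anonymized in the post is something only the poster can confirm, but it is exactly the kind of mismatch that produces a routing-trust failure. The recommended layout produces no findings.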