Unable to sign in via internal edge interface


  •  

    In my lab environment:

     

    I installed OCS Standard Edition server in a virtual machine and the Access Edge server on a single computer.

    Except for these two servers, I didn't deploy any other servers such as a Director, etc.

     

    The following are some configurations in my lab environment:

     

    SIP domain: ocslab.fw.nu

    Virtual PC IP address: 192.9.200.45, and its FQDN is virtualpc.ocslab.fw.nu; the OCS server is deployed on this machine.

     

    Edge Server Configuration:

    internal interface of IP address: 192.9.200.43

    FQDN for the internal interface: internal.ocslab.fw.nu

    External access edge interface IP address: 192.9.200.42

    FQDN for external access edge interface: external.ocslab.fw.nu

     

     

    FQDN of internal Next Hop Server: virtualpc.ocslab.fw.nu

    internal sip domain: ocslab.fw.nu

    internal servers connected to the edge server:  virtualpc.ocslab.fw.nu

     

     

    I do manual configuration in Communicator, put "internal.ocslab.fw.nu" in the internal server name or IP address field, and check the TLS option.

    However, I cannot sign in; the message shows:

    "Cannot sign in because the server is temporarily unavailable. If the problem persists, contact your system administrator."

     

    I am sure the following things happen when Communicator signs in:

    1. The Communicator client sends data packets to TCP port 5061 of the edge machine (internal interface).

    2. The edge server machine transfers some data packets to the virtualpc machine via TCP port 5061.

     

    Friday, September 14, 2007 6:24 PM

All replies

  • Hi,

    You need to set your manual configuration of your client to: external.ocslab.fw.nu:443

     

    You can't have Communicator sign in to the internal interface of an edge server. And the edge will be listening on port 443 on the external side; that's why you need to specify 443 after the external FQDN.

     

    Regards,

    Matt

     

    Friday, September 14, 2007 8:26 PM
  •  

    Thanks for your reply. I tried specifying 443 after the external FQDN, but it still cannot sign in.

     

     

    The error log from the edge server:

    TL_ERROR(TF_CONNECTION) [0]00B8.0C10::09/14/2007-20:58:05.093.000005d4 (SIPStack,SIPAdminLog::TraceConnectionRecord:1224.idx(157))$$begin_record

    LogType: connection

    Severity: error

    Text: Connection was closed because the peer failed to provide valid credentials within establishing timeout

    Local-IP: 192.9.200.44:443

    Peer-IP: 192.9.200.21:4118

    Connection-ID: 0x2600

    Transport: TLS

    $$end_record

     

    TL_INFO(TF_PROTOCOL) [0]00B8.0C10::09/14/2007-20:58:05.578.00000795 (SIPStack,SIPAdminLog::TraceProtocolRecord:1224.idx(122))$$begin_record

    Instance-Id: 0000000A

    Direction: incoming;source="internal edge";destination="external edge"

    Peer: virtualpc.ocslab.fw.nu:5061

    Message-Type: response

    Start-Line: SIP/2.0 400 Missing correct Via header

    From: <sip:bo@ocslab.fw.nu>;tag=8aaf18373a;epid=01d52b9bb5

    To: <sip:bo@ocslab.fw.nu>;tag=BA6D71378C30E99B9550B249EBC6D3D2

    CSeq: 1 REGISTER

    Call-ID: f88085ac0aaa4d279b84472bacfa3c66

    Via: SIP/2.0/TLS 192.9.200.43:1782;branch=z9hG4bKE2B88090.0CD11E6F;branched=FALSE;ms-received-port=1782;ms-received-cid=600

    Via: SIP/2.0/TLS 192.9.200.21:4120;ms-received-port=4120;ms-received-cid=2700

    ms-diagnostics: 1018;reason="Parsing failure";source="virtualpc.ocslab.fw.nu"

    Content-Length: 0

    Message-Body:

    $$end_record

     

    The following log is from the front-end server:

    TL_ERROR(TF_CONNECTION) [0]096C.0860::09/14/2007-21:04:32.234.000004c6 (SIPStack,SIPAdminLog::TraceConnectionRecord:1224.idx(157))$$begin_record

    LogType: connection

    Severity: error

    Text: Connection was closed because the peer failed to provide valid credentials within establishing timeout

    Local-IP: 192.9.200.45:5061

    Peer-IP: 192.9.200.43:1782

    Peer-FQDN: internal.ocslab.fw.nu

    Connection-ID: 0x600

    Transport: TLS

    $$end_record

    Friday, September 14, 2007 9:15 PM
  • HI Matt,

    Thanks for your help. Finally I can get Communicator to sign in using the external FQDN.

    But I still get the following error message when validating the front-end server configuration:

     

    Routing trust check and MTLS connectivity: Received a failure SIP response
    Routing trust check and MTLS connectivity: MTLS connection establishment succeeded but received a SIP

    failure response. This usually indicates lack of routing trust between the remote
    server and the current machine. Check the local and remote server certificates for any
    misconfiguration. In addition, check whether the local server is recognized
    as a trusted server by the remote server.

    Suggested Resolution: Routing trust check and/or MTLS connection establishment failed.
    This is usually caused by the remote server not accepting the certificate presented by the
    current machine. Check the local and remote server certificates for any
    misconfiguration. In addition, check whether the local server is recognized
    as a trusted server by the remote server.

     

    In the meantime, the Access Edge server SIP stack has the following log message when validating the front-end server configuration:

     

    TL_WARN(TF_DIAG) [0]074C.0E68::09/15/2007-05:56:09.656.0000052a (SIPStack,SIPAdminLog::TraceDiagRecord:1224.idx(142))$$begin_record
    LogType: diagnostic
    Severity: warning
    Text: Request exceeded the Max-Forwards limit
    Result-Code: 0xc3e93c5d SIPPROXY_E_ROUTING_MSG_LOOP_DETECTED
    SIP-Start-Line: OPTIONS sip:internal.huangbo.fw.nu:5061;transport=tls SIP/2.0
    SIP-Call-ID: 9e47d5ac617543758203fc5877dfbb39
    SIP-CSeq: 1 OPTIONS
    Data: from-uri="sip:virtualpc.huangbo.fw.nu";to-uri="sip:internal.huangbo.fw.nu"
    $$end_record

     

    TL_INFO(TF_PROTOCOL) [0]074C.0E68::09/15/2007-05:56:09.656.0000071a (SIPStack,SIPAdminLog::TraceProtocolRecord:1224.idx(122))$$begin_record
    Instance-Id: 0000000A
    Direction: outgoing;source="local";destination="internal edge"
    Peer: virtualpc.ocslab.fw.nu:4702
    Message-Type: response
    Start-Line: SIP/2.0 483 Too many hops
    From: <sip:virtualpc.ocslab.fw.nu>;tag=577bfddc57
    To: <sip:internal.ocslab.fw.nu>;tag=FA689B8B7CA1F29434454C400C606A86
    CSeq: 1 OPTIONS
    Call-ID: 9e47d5ac617543758203fc5877dfbb39
    ms-edge-proxy-message-trust: ms-source-type=EdgeProxyGenerated;ms-ep-fqdn=internal.ocslab.fw.nu;ms-source-verified-user=verified;ms-source-network=federation
    Via: SIP/2.0/TLS 192.168.1.110:4702;branch=z9hG4bKddcf41f6;ms-received-port=4702;ms-received-cid=1300
    ms-diagnostics: 2;reason="See response code and reason phrase";source="external.ocslab.fw.nu";HRESULT="C3E93C5D(SIPPROXY_E_ROUTING_MSG_LOOP_DETECTED)"
    Content-Length: 0
    Message-Body: –
    $$end_record

     

     

    Regards,

    Bo

     

    Saturday, September 15, 2007 8:33 AM
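The two posts above quote SIPStack trace records from the edge and front-end servers (the "failed to provide valid credentials" MTLS closure, the "400 Missing correct Via header" response, and the Max-Forwards / SIPPROXY_E_ROUTING_MSG_LOOP_DETECTED diagnostic). Below is a small triage script for records in that layout, added here as an example; it is not code from Microsoft, from OCS, or from any poster in this thread. It assumes only the `$$begin_record` / `$$end_record` framing and the `Key: value` lines visible in the quoted logs; the embedded sample is a shortened copy of those logs, and the "action" strings are my own summary of the resolution hints given in the thread.

```python
"""Triage helper for OCS 2007 SIPStack trace records.

Added example for this thread, not code from Microsoft or from any poster.
It assumes only the $$begin_record / $$end_record layout and the
'Key: value' lines visible in the quoted logs.
"""
import re
from typing import Dict, List, Optional

Record = Dict[str, List[str]]

# Trace header that precedes $$begin_record, e.g. "TL_ERROR(TF_CONNECTION) [0]...$$begin_record"
HEADER_RE = re.compile(r"^(TL_\w+)\(TF_(\w+)\).*\$\$begin_record\s*$")

# Sample input: three records quoted in the posts above, shortened to the
# lines the triage needs (the omitted lines do not change the result).
SAMPLE_LOG = """\
TL_ERROR(TF_CONNECTION) [0]00B8.0C10::09/14/2007-20:58:05.093.000005d4 (SIPStack,SIPAdminLog::TraceConnectionRecord:1224.idx(157))$$begin_record
LogType: connection
Severity: error
Text: Connection was closed because the peer failed to provide valid credentials within establishing timeout
Local-IP: 192.9.200.44:443
Peer-IP: 192.9.200.21:4118
$$end_record
TL_INFO(TF_PROTOCOL) [0]00B8.0C10::09/14/2007-20:58:05.578.00000795 (SIPStack,SIPAdminLog::TraceProtocolRecord:1224.idx(122))$$begin_record
Direction: incoming;source="internal edge";destination="external edge"
Peer: virtualpc.ocslab.fw.nu:5061
Message-Type: response
Start-Line: SIP/2.0 400 Missing correct Via header
Via: SIP/2.0/TLS 192.9.200.43:1782;branch=z9hG4bKE2B88090.0CD11E6F;branched=FALSE;ms-received-port=1782;ms-received-cid=600
Via: SIP/2.0/TLS 192.9.200.21:4120;ms-received-port=4120;ms-received-cid=2700
ms-diagnostics: 1018;reason="Parsing failure";source="virtualpc.ocslab.fw.nu"
$$end_record
TL_WARN(TF_DIAG) [0]074C.0E68::09/15/2007-05:56:09.656.0000052a (SIPStack,SIPAdminLog::TraceDiagRecord:1224.idx(142))$$begin_record
LogType: diagnostic
Severity: warning
Text: Request exceeded the Max-Forwards limit
Result-Code: 0xc3e93c5d SIPPROXY_E_ROUTING_MSG_LOOP_DETECTED
SIP-Start-Line: OPTIONS sip:internal.huangbo.fw.nu:5061;transport=tls SIP/2.0
$$end_record
"""


def parse_records(log_text: str) -> List[Record]:
    """Split a trace into records; a key that repeats (Via) collects every value."""
    records: List[Record] = []
    current: Optional[Record] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = {"_level": [header.group(1)], "_flag": [header.group(2)]}
        elif line == "$$end_record":
            if current is not None:
                records.append(current)
            current = None
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)
            current.setdefault(key, []).append(value.strip())
    return records


def first(record: Record, key: str) -> str:
    values = record.get(key)
    return values[0] if values else ""


def diagnose(record: Record) -> Optional[Dict[str, str]]:
    """Map one record to a finding, or None when it needs no action."""
    text = first(record, "Text")
    start = first(record, "Start-Line") or first(record, "SIP-Start-Line")
    if "failed to provide valid credentials" in text:
        # MTLS: the peer offered no certificate, or one this server does not trust.
        return {"finding": "mtls-trust",
                "local": first(record, "Local-IP"),
                "peer": first(record, "Peer-FQDN") or first(record, "Peer-IP"),
                "action": "check the peer's certificate and whether the peer is in this server's trusted-server list"}
    if "LOOP_DETECTED" in first(record, "Result-Code") or start.startswith("SIP/2.0 483"):
        return {"finding": "routing-loop", "request": start,
                "action": "a request is being forwarded back to a host that already handled it; "
                          "compare the next-hop and internal-server FQDNs configured on edge and front end"}
    if start.startswith("SIP/2.0 400"):
        return {"finding": "malformed-request", "detail": first(record, "ms-diagnostics"),
                "action": "the next hop rejected the message on parse; check which edge interface the client reached"}
    return None


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return the actionable findings from a whole trace, in log order."""
    return [f for f in map(diagnose, parse_records(log_text)) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["finding"] + ": " + finding["action"])
```

Run it against a saved SIPStack trace (`triage(open("trace.txt").read())`) to get the connection closures and loop diagnostics without reading every record by hand; the MTLS finding reports the `Peer-FQDN` when the record carries one (as the front-end log above does) and falls back to `Peer-IP` otherwise.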
  • Hi Matt,

     

    You're an absolute life-saver... This got me much further than I had been before coming in through the Edge Server. At least now I know the public cert is a good one.

     

    Now I'm presented with 2 extra fields to provide my AD credentials, which is what I was hoping to see, but when I enter my credentials (tried both domain\user and user@domain) I'm getting the error:

     

    Cannot sign in to Communicator. You may have entered your sign-in address, user name, or password incorrectly, or the authentication service may be incompatible with this version of the program. If your sign-in information is correct and the problem persists, please contact your system administrator.

     

    I'm going to start looking into this one now. BTW, I've tried it a few times; I know the credentials are correct and the user is enabled for remote OCS access.

     

    Thanks again,

     

    Morris

     

     

    Monday, October 15, 2007 7:51 AM
  • Hi Morris,

    Don't forget to make sure that your edge server is set for "allow remote access".

     

    Also, you will normally get some good info in the event log for the machine that the OC client is installed on. To enable OC client logging, go to tools-->options-->general tab. Check "turn on logging for communicator" and "turn on Windows Event logging for communicator". Log out and log back on - events should start showing up in the windows application event log. They usually provide some good detail on why you aren't able to log in.

     

    Regards,

    Matt

     

    Tuesday, October 16, 2007 5:21 PM
  • I think this error mainly signifies the user cannot authenticate with AD. Could be user account locked out, expired, disabled etc, and unfortunately OCS doesn't know whether an account is expired in AD or not.

    Monday, November 5, 2007 11:58 PM
  • Bo,

     

    I'm stuck at the error message that says "Connection was closed because the peer failed to provide valid credentials within establishing timeout" - how'd you get past that part?  I never get prompted on client-side for credentials, and it certainly sounds like the front-end and the edge servers are failing to authenticate each other.  Did you do something with their certs?

     

    Thanks,

    Mark

     

    Friday, March 7, 2008 1:23 PM