Edge Deployed, but external not working - What is missing?

  • Question

  • FIRST OF ALL - Thanks for looking at this. I have provided as much info as possible about my config so you might help me to resolve these remote access issues.  I am at a loss and really appreciate any help in resolution.

    I am unable to log in remotely with Office Communicator after configuring the Edge Server.  A complete snapshot of my setup is listed below for review, so I am hoping some of you may be able to take a quick look at this info and let me know what may be the issue.  First, here are my issues:

    Successes -
    Users automatically log in and authenticate on the internal network.

    Failures/Issues -
    External Users are unable to authenticate when remote.
    External IM with Yahoo, MSN and AOL do not work

    I have run all of the verification tests, but do not want to inundate you with that information unless you have specific questions about those.  Please review the setup below and let me know if anything obvious about the setup appears wrong.


    SETUP INFORMATION -
    - Forest has empty root (domain.com) with several child domains, but we are only enabling OCS for child domain 'corp.domain.com' and the root 'domain.com'
    - We are not using a Proxy
    - We are not using a Director


    Internal DNS Entries
                  *  _sipinternaltls._tcp.domain.com over port 5061 and pointing to server1.corp.domain.com
                  *  sip.domain.com pointing to 172.16.8.8
                  *  _sipinternaltls._tcp.corp.domain.com over port 5061 and pointing to server1.corp.domain.com
                  *  sip.corp.domain.com pointing to 172.16.8.8
                  *  OCS Standard pool name defaults to the server name, so this A record already exists (server1.corp.domain.com)

    - OCS R2 Standard running on Windows server 2008.  Member of internal Child domain (server1.corp.domain.com) with IP of 172.16.8.8
                 * UCC certificate issued by GoDaddy with subject name: Server1.corp.domain.com and SANs of sip.domain.com and sip.corp.domain.com

    - Edge Server installed on Windows server 2008 named 'Server2'. Member of workgroup in DMZ (created internal A record for server name as server2.corp.domain.com)
                 * Edge has 2 internal NIC's
                          - Internal NIC with IP of 172.16.8.3
                          - 'DMZ' NIC with IPs of 172.16.1.26 (Access Edge), 172.16.1.27 (WebConference Edge) and 172.16.1.28 (AV Edge)
                                    - unique External IP's are associated with each role
                 * Edge has 3rd party Certificates installed for each role (no internal CA) as follows:
                           - Internal Network Certificate - Standard SSL cert from GoDaddy with subject name of server2.corp.domain.com
                           - Access Role Certificate - UCC Certificate from GoDaddy with subject name of sip.corp.domain.com and SAN of sip.domain.com
                           - Web Conferencing Role Certificate - Standard SSL cert from GoDaddy with subject name of webconference.domain.com
                           - A/V Role Certificate - Standard SSL cert from GoDaddy with subject name of av.domain.com

    Internal DNS entries for Edge:
        - DNS A record for server2.corp.domain.com to internal IP of 172.16.8.3
        - DNS A record for AV.domain.com (resolving to external IP Address 206.195.xxx.72) SHOULD THIS BE POINTING TO INTERNAL DMZ IP INSTEAD?
        - DNS A record for Webconference.domain.com (resolving to external IP Address 206.195.xxx.71) SHOULD THIS BE POINTING TO INTERNAL DMZ IP INSTEAD?

    External DNS entries for Edge:
         - Access Edge - DNS A for sip.corp.domain.com resolving to 206.195.xxx.70
                              - DNS A for sip.domain.com resolving to 206.195.xxx.70
                 - DNS SRV for _sipfederationtls._tcp.corp.domain.com over port 5061
                 - DNS SRV for _sipfederationtls._tcp.domain.com over port 5061
                 - DNS SRV for _sip._tls.corp.domain.com over port 443
                 - DNS SRV for _sip._tls.domain.com over port 443
         - Web Conferencing Edge - DNS A record for WebConference.domain.com resolving to 206.195.xxx.71
         - A/V Edge - DNS A record for AV.domain.com resolving to 206.195.xxx.72
       

    SUMMARY OF EDGE CONFIG

    Access Edge Server: Activated

    Web Conferencing Edge Server: Activated

    A/V Edge Server: Activated

    Internal interface IP address: 172.16.8.3

    Internal interface FQDN: server2.corp.globalknowledge.com

    Internal interface port for Access Edge Server: 5061

    Internal interface port for Web Conferencing Edge Server: 8057

    Internal interface port for A/V Conferencing Server: 443

    External interface IP address for Access Edge Server: 172.16.1.26

    External interface FQDN for Access Edge Server: sip.corp.domain.com

    External interface federation port for Access Edge Server: 5061

    External interface remote access port for Access Edge Server: 443

    External interface IP address for Web Conferencing Edge Server: 172.16.1.27

    External interface FQDN for Web Conferencing Edge Server: webconference.domain.com

    External interface port for Web Conferencing Edge Server: 443

    External interface IP address for A/V Edge Server: 172.16.1.28

    External interface FQDN for A/V Edge Server: av.domain.com

    External interface port for A/V Edge Server: 443

    Access Edge Server remote employee access: Enabled

    Access Edge Server allows anonymous users: True

    Access Edge Server allows remote users: False

    Access Edge Server federation: Enabled

    Access Edge Server automatic federation: Disabled

    Access Edge Server federation with public IM provider: Enabled

    Access Edge Server federation with MSN: Enabled

    Access Edge Server federation with Yahoo!: Enabled

    Access Edge Server federation with AOL: Enabled

    Access Edge Server internal next hop: server1.corp.domain.com

    Access Edge Server internal SIP domains:

            sip.corp.domain.com

            sip.domain.com

    Internal Enterprise pools or Standard Edition Servers:

            server1.corp.domain.com

     

    Wednesday, October 14, 2009 7:27 PM

Answers

  • I found the resolution to this issue. 
    I stepped back and looked at 3 or 4 random issues that I was having and saw that many people had similar posts with my issues, but there was never a solution.

    I finally went on to the Edge Server and looked at the properties/configuration and made the following change:
     - On the 'Internal' tab (when viewing properties of 'Office Communications Server' in Computer Management) I noticed that the entry for 'Internal SIP domains supported by Office Communications Servers in your organization:' had the SIP names entered. 
    - I removed the sip.domain.com and sip.corp.domain.com entries and replaced them with only the domain names 'domain.com' and 'corp.domain.com'

    After restarting services, everything worked perfectly!

    I think the issue was that when the wizard asked for the SIP Domain entries, I simply was confused with the fact it was only asking for the names of the domains that I wish to support and not the SIP.Domain.Com entries that were created in DNS.
    • Marked as answer by Wall09 Monday, October 26, 2009 2:43 PM
    Monday, October 26, 2009 2:43 PM

All replies

  • Your settings sound to be wrong

    External interface IP address for Access Edge Server: 172.16.1.26

    External interface FQDN for Access Edge Server: sip.corp.domain.com

    External interface federation port for Access Edge Server: 5061

    External interface remote access port for Access Edge Server: 443

    External interface IP address for Web Conferencing Edge Server: 172.16.1.27

    External interface FQDN for Web Conferencing Edge Server: webconference.domain.com

    External interface port for Web Conferencing Edge Server: 443

    External interface IP address for A/V Edge Server: 172.16.1.28

    External interface FQDN for A/V Edge Server: av.domain.com

    External interface port for A/V Edge Server: 443

    All your external IP addresses should be 206.195.xxx.xxx IP Addresses, until they are NAT'ed


    Wednesday, October 14, 2009 7:52 PM
  • Thanks, but those are the internal IPs that are assigned to the second NIC for Access, Web Conferencing and A/V.  When running the Configure Edge Server Wizard, the internal IPs are the only selections available from the drop down.  Obviously I can't assign the true external IPs to the NIC.

    Any other ideas?
    Wednesday, October 14, 2009 8:50 PM
  • Hi
    Per your description.
    In my opinion, you should reinstall the edge server, and configure the external interface's ip address correctly.

    Regards!

    Tuesday, October 20, 2009 11:06 AM
    Moderator
  • What are your firewall rules/NAT rules for this?  Let's first concentrate on web conf and Access Edge, then we will work on the AV edge as there are a set of configuration tasks that we will need to do for that. 

    You should have:

    NAT:
    206.195.xxx.70 --> 172.16.1.26
    206.195.xxx.71 --> 172.16.1.27
    206.195.xxx.72 --> 172.16.1.28

    ACL:
    -Access Edge Server:
    Allow inbound 443 and 5061 to Access Edge IP
    Allow outbound 80 and 5061 from Access Edge IP
    -Web Conf Edge Server
    Allow inbound 443 to Web Conf Edge IP
    -AV Edge Server
    allow inbound and outbound 3478/UDP to AV Edge IP
    allow inbound 443 to AV Edge IP
    allow outbound 50,000 - 59,999 TCP and UDP from AV Edge IP


    Are you also using ISA or direct NAT to the Front End Server?


    Mark King | C/D/H | MCTS:OCS | MCSE: Messaging | MCITP:Enterprise Administrator | CCNA
    Tuesday, October 20, 2009 8:20 PM
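The two checks the thread ends up performing by hand, the NAT/ACL mapping from Mark King's reply and the marked answer's discovery that the Edge's "Internal SIP domains" list must hold the domain part of users' SIP URIs (domain.com, corp.domain.com) rather than the sip.<domain> DNS host names, can be run offline against a description of the topology. The following is an added example, not code from the thread or from Microsoft. The data is constructed from the original post: the public IPs are kept masked as the poster wrote them (206.195.xxx.N), the user SIP URIs and the SRV targets are assumptions (the post gives SRV names and ports but not targets), and the "before" topology reproduces the wrong SIP domain list the poster started with.

```python
"""Offline consistency check for an OCS 2007 R2 Edge topology (added example).

Rules encoded: (1) each configured SIP domain must be the domain part of a
user's SIP URI; (2) every SIP domain needs external _sip._tls (443) and
_sipfederationtls._tcp (5061) SRV records whose target is covered by the
Access Edge certificate and has an external A record; (3) every external A
record must NAT to a DMZ address owned by an Edge role.
"""
from dataclasses import dataclass, replace


@dataclass
class EdgeTopology:
    sip_domains: list          # "Internal SIP domains" as typed into the wizard
    user_uris: list            # SIP URIs of users (constructed sample)
    access_cert_names: set     # subject + SANs of the Access Edge certificate
    srv: dict                  # SRV record name -> (target FQDN, port)
    a_records: dict            # external A record name -> public IP
    nat: dict                  # public IP -> DMZ IP on the Edge's external NIC
    role_dmz_ips: dict         # Edge role -> DMZ IP


def sip_domain_of(uri: str) -> str:
    """Domain part of a SIP URI, i.e. what OCS wants in the SIP domain list."""
    addr = uri[4:] if uri.lower().startswith("sip:") else uri
    if "@" not in addr:
        raise ValueError(f"not a SIP URI: {uri!r}")
    return addr.rsplit("@", 1)[1].lower()


def check_sip_domains(t: EdgeTopology) -> list:
    """Flag configured domains that match no user and users with no domain."""
    issues = []
    wanted = {sip_domain_of(u) for u in t.user_uris}
    configured = {d.lower() for d in t.sip_domains}
    for d in configured - wanted:
        # The mistake from the thread: sip.<domain> typed where <domain> belongs.
        hint = "".join(f" (looks like the DNS host name for SIP domain {w})"
                       for w in wanted if d == f"sip.{w}")
        issues.append(f"SIP domain {d} matches no user URI{hint}")
    for w in wanted - configured:
        issues.append(f"users sign in as @{w} but {w} is not a configured SIP domain")
    return issues


def check_external_dns(t: EdgeTopology) -> list:
    """Each SIP domain needs both external SRVs, pointing at a certified name."""
    issues = []
    cert = {n.lower() for n in t.access_cert_names}
    for d in (x.lower() for x in t.sip_domains):
        for name, port in ((f"_sip._tls.{d}", 443), (f"_sipfederationtls._tcp.{d}", 5061)):
            rec = t.srv.get(name)
            if rec is None:
                issues.append(f"missing SRV {name}")
                continue
            target, rport = rec
            if rport != port:
                issues.append(f"{name} uses port {rport}, expected {port}")
            if target.lower() not in cert:
                issues.append(f"{name} -> {target} is not covered by the Access Edge certificate")
            if target not in t.a_records:
                issues.append(f"{name} -> {target} has no external A record")
    return issues


def check_nat(t: EdgeTopology) -> list:
    """Every public A record must NAT to one of the Edge role addresses."""
    issues = []
    dmz = set(t.role_dmz_ips.values())
    for name, pub in t.a_records.items():
        inside = t.nat.get(pub)
        if inside is None:
            issues.append(f"{name} -> {pub} has no NAT mapping")
        elif inside not in dmz:
            issues.append(f"{name} -> {pub} NATs to {inside}, not an Edge role address")
    return issues


def check_topology(t: EdgeTopology) -> list:
    return check_sip_domains(t) + check_external_dns(t) + check_nat(t)


# Constructed from the original post; public IPs kept masked, SRV targets and
# user URIs are assumptions.
BEFORE = EdgeTopology(
    sip_domains=["sip.corp.domain.com", "sip.domain.com"],       # what the wizard was given
    user_uris=["sip:alice@corp.domain.com", "sip:bob@domain.com"],
    access_cert_names={"sip.corp.domain.com", "sip.domain.com"},
    srv={"_sip._tls.corp.domain.com": ("sip.corp.domain.com", 443),
         "_sip._tls.domain.com": ("sip.corp.domain.com", 443),
         "_sipfederationtls._tcp.corp.domain.com": ("sip.corp.domain.com", 5061),
         "_sipfederationtls._tcp.domain.com": ("sip.corp.domain.com", 5061)},
    a_records={"sip.corp.domain.com": "206.195.xxx.70", "sip.domain.com": "206.195.xxx.70",
               "webconference.domain.com": "206.195.xxx.71", "av.domain.com": "206.195.xxx.72"},
    nat={"206.195.xxx.70": "172.16.1.26", "206.195.xxx.71": "172.16.1.27",
         "206.195.xxx.72": "172.16.1.28"},
    role_dmz_ips={"access": "172.16.1.26", "webconf": "172.16.1.27", "av": "172.16.1.28"},
)
# The fix from the marked answer: bare domains in the SIP domain list.
AFTER = replace(BEFORE, sip_domains=["corp.domain.com", "domain.com"])

if __name__ == "__main__":
    for label, topo in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {len(check_topology(topo))} issue(s)")
        for issue in check_topology(topo):
            print("  -", issue)
```

Running it prints eight issues for the "before" topology (the two sip.<domain> entries are flagged as DNS host names, the two real domains are reported as unconfigured, and no SRV records exist for the bogus domains) and none for the corrected one; the NAT and certificate checks pass in both states, which matches the thread, where only the SIP domain list was wrong.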