Access Edge : Two Tier (Intermediate) Public Certificates

  • Question

  • Hey all...

    In the hope of getting a definitive answer on this.

    I have purchased an Entrust 3 year advantage certificate with the following properties:

    host.domain.co.uk

    and a SAN of

    sip.domain.co.uk

    I didn't require any other SANs, so the UComms cert looked like overkill, and from what I can figure shouldn't be required.

    The certificate was issued with the following chain:

    Entrust

    Entrust Certification Authority - L1B

    <my cert>

    The issue:

    Federation works in as much as when a third party sends a message I see the 'toaster' popup with the initial conversation - this seems to imply everything is ok, *but* upon trying to send/respond it fails, and also the conversation window is empty (not even the message that appeared in the toast appears).

    I cannot initiate a conversation outbound (I'm allowed to federate) - I get Error ID: 504, which apparently is server timeout.

    Presence status does not show.

    We've even tried adding them explicitly as a federation partner to see if that helps (for diagnosing purposes). We've even tried adding the trust chain to their edge, and still the same symptoms persist.

    I've been told that having anything other than a certificate issued directly from a trusted root (i.e. anything with an intermediary) has been known to cause issues. However I cannot see anything in MS Support Articles about this, and the cert supplier said that they can't reissue the cert from the root (ironically, if I'd bought a 1 or 2 year, then it would have been issued from the root, not the intermediary authority - though apparently in the next couple of years all their certs are going to be via intermediaries).

    So, to my questions - before I buy a 1 year cert just to get the damn thing working!

    Is this a known issue?

    Has anyone got a cert with an intermediary working with enhanced federation with other OCS partners - without having them add any certs at their end? If so, who did you use as the CA?

    Has anyone else experienced this, and how did you resolve it?

    Is there some secret super-duper firewall port that I need to open for CRL checking or something?

    Chris

    Monday, November 3, 2008 12:10 PM

Answers

  • That 504 Error with federation is most commonly related to network communications. Since you are dealing with not one but two separate environments in Federation there are many firewalls that typically must be traversed. I would take a hard look at that configuration on both ends since the toast is at least appearing on the recipient; a certificate error would usually cause a complete communication failure.

    Monday, November 3, 2008 2:22 PM
    Moderator

All replies

  • Thanks Jeff,

    You were correct in that we had a config error, which I had just spotted when you replied, however thank you for your prompt reply (in case anyone else is experiencing this: we'd tested inbound to our edges, but neglected to test outbound 5061 on them - oops).

    I now can initiate a conversation, however still not receive replies. The status of the conversation jumps from

    However, we're still seeing the issues of

    Inviting to a conversation, to

    in a conversation, then back to

    inviting to a conversation...

    and not getting any conversational text - only the toaster popups... so something still isn't right.

    Jeff, do you know of anyone that is actually succeeding with enhanced federation with a cert issued from an intermediate? (are you?)

    Monday, November 3, 2008 3:54 PM
  • *SUCCESS* Further to this I did some more delving.

    Server validation is a great tool if you understand what it's getting at.

    I'm not sure exactly what's fixed it, but using the validation - specifically the connectivity test - it indicated something was wrong...

    As we changed a lot of things in diagnosing this, I'm not sure what fixed it precisely, but then suddenly it came to life!

    We...

    Added every possible hostname and FQDN of the Access Edge/OCS pool/Load Balance names to the authorised hosts between the edge and the FE servers.

    Double checked the federation routes/next hops.

    Double (ok quadruple) checked every certificate assignment.

    Double (ok quadruple) checked every certificate validity.

    Triple checked every DNS entry in all locations (since we have split brain DNS).

    Triple checked every firewall in the route for denies where there should be allows - including server FW/load balancer ACLs/Edge firewalls.

    Triple checked routes on all the boxes...

    and at the moment, fingers X'ed, it seems to be working and working well...

    So in answer to my above Q's - yes, you can use public certificates (for the external interface) with intermediary CAs in the chain - be sure to add the chain to your own intermediary store (follow your cert supplier's instructions).

    Hope this helps someone else... Thanks again Jeff

    Chris

    Monday, November 3, 2008 5:26 PM
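The two checks the thread ends up relying on (can the Edge reach the peer outbound on 5061, and does the peer's chain verify when the intermediate is only held locally) as an added shell example, not code from the thread or from OCS. It assumes a POSIX shell with openssl and mktemp, a placeholder peer name sip.example.co.uk, and that the system CA store already trusts the peer's root.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes: a POSIX shell with openssl and
# mktemp, a placeholder peer name (sip.example.co.uk), and that the local
# system CA store already trusts the peer's root (Entrust in the thread).

# Return the PEM chain the peer's Access Edge presents on its SIP/TLS port;
# empty output means no TLS handshake, i.e. the outbound 5061 path is broken.
fetch_chain() {
    openssl s_client -connect "$1:${2:-5061}" -servername "$1" -showcerts \
        </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Count the certificates in a PEM chain read from stdin. A count of 1 means the
# peer sends only its server cert: with a two-tier CA the intermediate (L1B in
# the thread) must then already sit in the local intermediate store.
chain_depth() {
    grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Print only the first (leaf) certificate of a PEM chain read from stdin.
first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/{n++} n==1'
}

# Pull the chain from a peer, report its depth and verify the leaf against the
# system roots, using the served certs plus an optional local intermediate file
# ($3) as untrusted helpers, the way the Edge's own store would.
diagnose() {
    host=$1; port=${2:-5061}; local_intermediates=$3
    chain=$(fetch_chain "$host" "$port")
    if [ -z "$chain" ]; then
        echo "no TLS handshake with $host:$port (outbound $port blocked?)"
        return 1
    fi
    n=$(printf '%s\n' "$chain" | chain_depth)
    echo "$host:$port presented $n certificate(s)"
    [ "$n" -lt 2 ] && echo "peer sends no intermediate; it must be held locally"
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$chain" > "$tmp/chain.pem"
    printf '%s\n' "$chain" | first_cert > "$tmp/leaf.pem"
    openssl verify -untrusted "$tmp/chain.pem" \
        ${local_intermediates:+-untrusted "$local_intermediates"} "$tmp/leaf.pem"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Usage from the Edge, e.g.: diagnose sip.example.co.uk 5061 entrust-l1b.pem
```

Run it once from the Edge towards the partner (outbound path) and once from outside towards your own Edge (inbound path); a depth of 1 on your own Edge means partners without your intermediate in their store will fail exactly the way described above.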
  • Hi Chris

    We have the exact same problem... answers from the federated org popping up in the systray, but the Communicator window is empty, and we can't respond...
    I tried your tip about adding all possible hosts to "authorized hosts", but when I add anything there, the front end service won't start? ...

    Can you in some way specify what solved your problem? Please.

    thomas.
    Wednesday, January 14, 2009 3:06 PM