OCS Edge server installation

  • Question

  • Hi everybody,

     I have installed OCS Standard on my network and it works internally. Now I want my users to communicate externally as well. Some info about my office network:

    OCS Standard installed on Exchange 2003 (abcd.abc.local) 192.168.1.224

    OCS Edge installed on Win2k3 (OSCEDGE.abc.local) 192.168.1.226 (internal NIC), 192.168.1.227 (external Access Edge Server IP NIC)

    I also have a Linux proxy/firewall machine (192.168.1.200); it has two NICs, and on one of them the public IP 221.128.XXX.XXX is assigned.

    I also have an A record mail.abc.in assigned to my public IP.

    During the installation of the Edge server I have just checked "Activate Access Edge Server" (I just want to try it one by one).

    So I need the following information:

    Internal NIC IP:
    FQDN for internal interface:
    External Access Edge Server IP:
    FQDN External Access Edge Server:
    FQDN for next hop server: abcd.abc.local
    Internal SIP domains:
    Internal servers that can connect to edge server:

    Need special help on assigning certificates.
    And do I need to purchase certificates from a 3rd party, or can I use the Microsoft CA?
    Pls help...
    My boss has given me limited time.


    I have pasted the configuration from the OCS Edge server...

    External Interface Settings

    Role: Access
    IP Address: 192.168.1.228
    DNS Name: sip.mail.sternstewart.in
    Port: 5061 (Federation), 443 (Remote)
    Certificate:
            Certificate Authority: win2k3
            Subject: sip.mail.sternstewart.in
            Subject Alternate Name: sip.mail.sternstewart.in, sip.ssipl-exchange.sternstewart.local
            Creation Date: 2/24/2009
            Expiration Date: 2/24/2011

    Internal Interface Settings

    IP Address: 192.168.1.226
    DNS Name: OCSEDGE.sternstewart.local
    Next Hop Address: ssipl-exchange.sternstewart.local
    Next Hop Port: 5061
    TLS Certificate Information:
            Certificate Authority: win2k3
            Subject: OCSEDGE.sternstewart.local
            Subject Alternate Name: sip.sternstewart.local, sip.sternstewart.in, OCSEDGE.sternstewart.local
            Creation Date: 2/25/2009
            Expiration Date: 2/25/2011

    Internal Edge Ports

    Role: Access
    Port: 5061

    Authorized Internal Servers

    ssipl-exchange.sternstewart.local

    Supported Internal Domains

    sip.sternstewart.local
    mail.sternstewart.in
    ssipl-exchange.sternstewart.local


    Pls suggest if everything is right...
    Wednesday, February 25, 2009 6:17 AM

All replies

  • If you are only testing and don't need any Federation support (with public IM: MSN, Yahoo or AOL, or with other companies) then you can use your internal certificates.
    Just make sure all clients connecting from the internet have the internal Root CA in their trusted certificate store.
    - Belgian Exchange Community : http://www.pro-exchange.be -
    Wednesday, February 25, 2009 6:43 PM
  • Is this an R1 or R2 deployment?
    Even with R2 the rule is still to use public IPs (and three of them unless you only want IM and presence... number two is for audio/video and number three for conferencing), even three NICs (though you can do with just one and 3 IP addresses; there are some people even doing it with one NIC/IP address, but that's definitely entering unsupported territory). Then R2 works with private IPs but R1 doesn't.
    Then you have your internal and external even on the same subnet and behind a NAT; that's miles away from any deployment suggestion, so let us know if you manage to get it working (just IM/presence works with private addresses in R1... I have a lab deployment like that, but A/V and conferencing are a no-go until R2).

    I think especially the audio part would object to being on the same subnet. I traced down my audio problems with the R1 edge and private IPs... even though both NICs were in separate subnets, the edge still figured it had to do no address rewrite and told the remote endpoint to directly talk to the internal endpoint, and since there was no routing in between that failed. Now you have internal and external interface on the same subnet... I figure that could even make an R2 edge think it needs no address rewrite, and then your external client would be told to send audio to a private IP.

    Wednesday, February 25, 2009 8:42 PM
  • Thanks for your reply.
    While installing the Edge server I have provided the following information:
    Internal NIC IP:192.168.1.226
    FQDN for internal interface:OCSEDGE.sternstewart.local
    External Access edge Server IP: 192.168.1.228
    FQDN External Access edge Server:sip.mail.sternstewart.in
    FQDN for next hop server: ssipl-exchange.sternstewart.local
    Internal SIP domains:mail.sternstewart.in;sip.sternstewart.local;ssipl-exchange.sternstewart.local
    Internal servers that can connect to edge server:ssipl-exchange.sternstewart.local

    As per your suggestion I have removed the federated user option. And when I run the validate server it gives some errors:

    DNS Resolution failure: No DNS SRV records corresponding to _sipfederationtls._tcp.sip.sternstewart.local were found for this domain
    Suggested Resolution: Verify that the domain name is correct and that the DNS SRV record _sipfederationtls._tcp.sip.sternstewart.local exists for this domain.
       Warning
    [0x43FC200C] Not all checks were successful 

    mail.sternstewart.in   DNS Resolution failure: No DNS SRV records corresponding to _sipfederationtls._tcp.mail.sternstewart.in were found for this domain
    Suggested Resolution: Verify that the domain name is correct and that the DNS SRV record _sipfederationtls._tcp.mail.sternstewart.in exists for this domain.
       Warning
    [0x43FC200C] Not all checks were successful 

    ssipl-exchange.sternstewart.local   DNS Resolution failure: No DNS SRV records corresponding to _sipfederationtls._tcp.ssipl-exchange.sternstewart.local were found for this domain
    Suggested Resolution: Verify that the domain name is correct and that the DNS SRV record _sipfederationtls._tcp.ssipl-exchange.sternstewart.local exists for this domain.
       Warning
    [0x43FC200C] Not all checks were successful 

    Checking direct partner configuration   Direct Partner: None Found
       Success
     

    Checking enhanced federation domain allow list configuration    Enhanced Federation Domain Allow List Partner: None Found
       Warning
    [0x43FC200C] Not all checks were successful
     

    What could be the problem...
    Regarding certificates, could you please tell me in detail how I create it... along with SIP, SAN names please.

    I also tried yesterday to connect to it from outside... It gave an error "could not verify the certificate".
    And what would you put in the external server name in the OCS client...

    Thursday, February 26, 2009 7:48 AM
  • Made some more changes, could you please check:

    Access Edge Server: Activated
    Web Conferencing Edge Server: Not Activated
    A/V Edge Server: Not Activated
    Internal interface IP address: 192.168.1.226
    Internal interface FQDN: OSCEDGE.sternstewart.local
    Internal interface port for Access Edge Server: 5061
    External interface IP address for Access Edge Server: 192.168.1.228
    External interface FQDN for Access Edge Server: OCSEDGE.sternstewart.local
    External interface federation port for Access Edge Server: 5061
    External interface remote access port for Access Edge Server: 443
    Access Edge Server remote employee access: Enabled
    Access Edge Server allows anonymous users: True
    Access Edge Server allows remote users: True
    Access Edge Server federation: Disabled
    Access Edge Server internal next hop: ssipl-exchange.sternstewart.local
    Access Edge Server internal SIP domains:
            sternstewart.in
            sternstewart.local
    Internal Enterprise pools or Standard Edition Servers:
            ssipl-exchange.sternstewart.local

    Pls reply...

    Thursday, February 26, 2009 10:04 AM
  • When I try to connect from the outside world I get these errors:

    Communicator failed to connect to server ssipl-exchange.sternstewart.local (192.168.1.224) on port 5061 due to error 10060.  The server is not listening on the port in question, the service is not running on this machine, the service is not responsive, or network connectivity doesn't exist


    Communicator could not connect securely to server mail.sternstewart.in because the certificate presented by the server was not trusted due to validation error 0x80090325.  The issuing certificate authority (CA) for the server's certificate may not be locally trusted by the client, the certificate may be revoked, or the certificate may have expired.
     

    Pls help...
    Thursday, February 26, 2009 11:39 AM
  • Normally the external port is configured to use 443 instead of 5061.


    - Belgian Exchange Community : http://www.pro-exchange.be -
    Thursday, February 26, 2009 7:55 PM
  • Robin, your configuration is showing the correct default ports:

    External interface federation port for Access Edge Server: 5061
    External interface remote access port for Access Edge Server: 443


    But if you are seeing that error then I'd guess you are using manual configuration on the external client.  If so you need to enter the External Servername or IP address as "servername.domain.com:443" so that the client doesn't automatically attempt to connect to the normal TLS listening port of 5061 as it does when connecting to an internal Front-End Server or Director.  The Federation services listen on 443 on an Access Edge server.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Thursday, February 26, 2009 8:04 PM
    Moderator
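    The checks the replies above keep coming back to (a publicly resolvable external FQDN and IP, the expected SRV records for each SIP domain, a certificate whose names cover the external FQDN and sip.<domain>, a CA the outside clients trust, and the host:port string for manual sign-in) can be run as an offline pre-flight audit before touching the Edge again. The following is an added example written for this thread; it is not Microsoft's tooling and not code from any poster. It uses only the Python standard library, does not query DNS or open any connection, and assumes the standard OCS 2007 SRV names: _sip._tls.<domain> for remote-access auto sign-in and _sipfederationtls._tcp.<domain> for federation (the latter only required when federation is enabled, which mirrors why the Validation Wizard warned about it). The first sample config is taken from the poster's settings above; the second is a constructed "corrected" set with placeholder names in example.com and a documentation-range IP.

```python
"""Offline pre-flight audit for an OCS 2007 Access Edge external interface.

Added example for this forum thread; not Microsoft code and not a poster's code.
Assumptions are marked in comments. No DNS lookups or connections are made.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Suffixes that public resolvers will never answer for (assumption: typical AD-style names).
NON_PUBLIC_SUFFIXES = (".local", ".lan", ".internal")

# RFC 1918 ranges; these are what the replies mean by "private IPs".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class EdgeConfig:
    sip_domains: List[str]          # "Access Edge Server internal SIP domains"
    external_fqdn: str              # "External interface FQDN for Access Edge Server"
    external_ip: str                # "External interface IP address for Access Edge Server"
    remote_access_port: int = 443   # port external Communicator clients use
    federation_port: int = 5061     # port federated partners use
    federation_enabled: bool = False


def required_srv_records(cfg: EdgeConfig) -> Dict[str, Tuple[str, int]]:
    """SRV owner name -> (target, port) that public DNS must serve.

    Assumption: standard OCS 2007 record names (_sip._tls for remote access,
    _sipfederationtls._tcp for federation).
    """
    records: Dict[str, Tuple[str, int]] = {}
    for d in cfg.sip_domains:
        records[f"_sip._tls.{d}"] = (cfg.external_fqdn, cfg.remote_access_port)
        if cfg.federation_enabled:
            records[f"_sipfederationtls._tcp.{d}"] = (cfg.external_fqdn, cfg.federation_port)
    return records


def name_matches(cert_name: str, host: str) -> bool:
    """TLS host-name matching: case-insensitive exact match, or a single
    wildcard covering exactly the leftmost label (no '*.a.b' matching 'x.y.a.b')."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if cert_name == host:
        return True
    if cert_name.startswith("*."):
        return host.endswith(cert_name[1:]) and host.count(".") == cert_name.count(".")
    return False


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def audit(cfg: EdgeConfig, cert_names: List[str], ca_trusted_by_clients: bool) -> List[str]:
    """Return the problems an external client would hit with this configuration.

    cert_names is the Subject CN plus every SAN entry of the external certificate.
    ca_trusted_by_clients is whether the issuing CA's root is in the clients' trusted store
    (the thread's "validation error 0x80090325" is the symptom when it is not).
    """
    problems: List[str] = []
    if cfg.external_fqdn.lower().endswith(NON_PUBLIC_SUFFIXES):
        problems.append(f"external FQDN {cfg.external_fqdn} cannot be resolved from the internet")
    if is_rfc1918(cfg.external_ip):
        problems.append(f"external interface IP {cfg.external_ip} is RFC 1918; outside clients cannot reach it")
    if not any(name_matches(n, cfg.external_fqdn) for n in cert_names):
        problems.append(f"external certificate does not contain the external FQDN {cfg.external_fqdn}")
    for d in cfg.sip_domains:
        # Assumption: the external cert carries sip.<sipdomain> as a SAN for each SIP domain.
        if not any(name_matches(n, f"sip.{d}") for n in cert_names):
            problems.append(f"external certificate lacks SAN sip.{d} for SIP domain {d}")
    if not ca_trusted_by_clients:
        problems.append("issuing CA is not trusted by external clients (expect a certificate validation error)")
    return problems


def manual_signin_target(cfg: EdgeConfig) -> str:
    """Value for Communicator's manual 'External server name' field: host:port, so the
    client uses the remote-access port instead of defaulting to 5061."""
    return f"{cfg.external_fqdn}:{cfg.remote_access_port}"


# Sample 1: the poster's settings as listed in this thread (federation disabled).
THREAD_CONFIG = EdgeConfig(
    sip_domains=["sternstewart.in", "sternstewart.local"],
    external_fqdn="OCSEDGE.sternstewart.local",
    external_ip="192.168.1.228",
)
THREAD_CERT_NAMES = ["sip.mail.sternstewart.in", "sip.ssipl-exchange.sternstewart.local"]

# Sample 2: constructed corrected settings with placeholder names (not a real deployment).
FIXED_CONFIG = EdgeConfig(
    sip_domains=["example.com"],
    external_fqdn="edge.example.com",
    external_ip="203.0.113.10",
)
FIXED_CERT_NAMES = ["edge.example.com", "sip.example.com"]

if __name__ == "__main__":
    for label, cfg, names, trusted in (("thread", THREAD_CONFIG, THREAD_CERT_NAMES, False),
                                       ("fixed", FIXED_CONFIG, FIXED_CERT_NAMES, True)):
        print(f"== {label}: sign in manually with {manual_signin_target(cfg)}")
        for owner, (target, port) in required_srv_records(cfg).items():
            print(f"   need SRV {owner} -> {target}:{port}")
        for p in audit(cfg, names, trusted):
            print(f"   PROBLEM: {p}")
```

    Run as-is it lists six problems for the thread's settings (non-public FQDN, RFC 1918 external IP, certificate missing the external FQDN and both sip.<domain> names, untrusted CA) and none for the corrected set, and prints the manual sign-in string in the form Jeff describes. The name matching is deliberately strict about wildcards so that a wildcard certificate is not assumed to cover a deeper label than it does.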
  • I tried using the public IP and also mail.sternstewart.in (221.128.xxx.xxx) but it gives the certificate error...

    Then what could be the problem...

    Friday, February 27, 2009 5:09 AM
  • Jeff, you have said "External Servername or IP address", so in my case what could it be...

    Friday, February 27, 2009 5:14 AM
  • Hi all,

    some success at last.

    I made a small change in the setup:

    1) I removed it from the domain and made it a workgroup.

    2) On the external NIC I put the public IP and reconfigured it.

    3) Removed the Linux firewall.

    4) Tried connecting from outside; it worked.

    So do I have to open any particular ports on my firewall, and instead of 443 can I put 4443...

    Friday, February 27, 2009 11:17 AM
  • Jeff

    Do I need to install any additional certificates on my client machine for connecting from the outside world...
    Saturday, February 28, 2009 11:45 AM
  • You must make sure that the external certificate on the Edge server is trusted by your clients.
    If it was issued by the same CA as your internal pool then you should be alright.
    - Belgian Exchange Community : http://www.pro-exchange.be -
    Sunday, March 1, 2009 4:14 PM
  • There is no need to post this question 5 times in 5 different threads.  See the responses posted in this thread:
    http://social.microsoft.com/Forums/en-US/communicationsserveredgeservers/thread/124cf304-662a-4d1a-abac-33d5f3fc46e2
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Thursday, September 24, 2009 12:47 PM
    Moderator