OCS Edge server installation

Question
-
Hi everybody,
I have installed OCS Standard on my network; it works internally. Now I want my users to communicate externally also. Some info about my office network:
OCS Standard installed on Exchange 2003 (abcd.abc.local) 192.168.1.224
OCS Edge installed on Win2k3 (OSCEDGE.abc.local) 192.168.1.226 (internal NIC), 192.168.1.227 (External Access Edge Server IP NIC)
I also have a Linux proxy/firewall machine (192.168.1.200); it has two NICs, and on one of them the public IP 221.128.XXX.XXX is assigned.
I also have an A record mail.abc.in assigned to my public IP.
During the installation of the Edge server I have just checked "Activate Access Edge Server" (just want to try it one by one).
So I need the following information:
Internal NIC IP:
FQDN for internal interface:
External Access edge Server IP:
FQDN External Access edge Server:
FQDN for next hop server: abcd.abc.local
Internal SIP domains:
Internal servers that can connect to edge server:
Need special help on assigning certificates.
And do I need to purchase certificates from a 3rd party or can I use the Microsoft CA?
Please help...
My boss has given me limited time.
I have pasted the configuration from the OCS Edge server...
External Interface Settings
Role: Access
IP Address: 192.168.1.228
DNS Name: sip.mail.sternstewart.in
Port: 5061 (Federation), 443 (Remote)
Certificate:
Certificate Authority: win2k3
Subject: sip.mail.sternstewart.in
Subject Alternate Name: sip.mail.sternstewart.in, sip.ssipl-exchange.sternstewart.local
Creation Date: 2/24/2009
Expiration Date: 2/24/2011
Internal Interface Settings
IP Address:
192.168.1.226
DNS Name:
OCSEDGE.sternstewart.local
Next Hop Address:
ssipl-exchange.sternstewart.local
Next Hop Port:
5061
TLS Certificate Information:
Certificate Authority:
win2k3
Subject:
OCSEDGE.sternstewart.local
Subject Alternate Name: sip.sternstewart.local, sip.sternstewart.in, OCSEDGE.sternstewart.local
Creation Date: 2/25/2009
Expiration Date: 2/25/2011
Internal Edge Ports
Role: Access
Port: 5061
Authorized Internal Servers
ssipl-exchange.sternstewart.local
Supported Internal Domains
sip.sternstewart.local
mail.sternstewart.in
ssipl-exchange.sternstewart.local
Wednesday, February 25, 2009 6:17 AM
All replies
-
If you are only testing and don't need any Federation support (with public IM: MSN, Yahoo or AOL, or with other companies) then you can use your internal certificates.
Just make sure all clients connecting from the internet have the internal Root CA in their trusted certificate store.
- Belgian Exchange Community : http://www.pro-exchange.be -
Wednesday, February 25, 2009 6:43 PM -
Is this an R1 or R2 deployment?
Even with R2 the rule is still to use public IPs (and three of them unless you only want IM and presence... number two is for audio/video and number three for conferencing) - even three NICs (though you can do with just one and 3 IP addresses - there are some people even doing it with one NIC/IP address but that's definitely entering unsupported territory). Then, R2 works with private IPs but R1 doesn't.
Then you have your internal and external even on the same subnet and behind a NAT - that's miles away from any deployment suggestion, so let us know if you manage to get it working (just IM/presence works with private addresses in R1... I have a lab deployment like that, but A/V and conferencing are a no-go until R2).
I think especially the audio part would object to being on the same subnet. I traced down my audio problems with the R1 edge and private IPs... even though both NICs were in separate subnets, the edge still figured it had to do no address rewrite and told the remote endpoint to directly talk to the internal endpoint, and since there was no routing in between that failed. Now you have internal and external interface on the same subnet... I figure that could even make an R2 edge think it needs no address rewrite, and then your external client would be told to send audio to a private IP.
Wednesday, February 25, 2009 8:42 PM -
Thanks for your reply.
While installing the Edge server I have provided the following information:
Internal NIC IP:192.168.1.226
FQDN for internal interface:OCSEDGE.sternstewart.local
External Access edge Server IP: 192.168.1.228
FQDN External Access edge Server:sip.mail.sternstewart.in
FQDN for next hop server: ssipl-exchange.sternstewart.local
Internal SIP domains:mail.sternstewart.in;sip.sternstewart.local;ssipl-exchange.sternstewart.local
Internal servers that can connect to edge server:ssipl-exchange.sternstewart.local
As per your suggestion I have removed the federated user option. And when I run Validate Server it gives some errors:
DNS Resolution failure: No DNS SRV records corresponding to _sipfederationtls._tcp.sip.sternstewart.local were found for this domain
Suggested Resolution: Verify that the domain name is correct and that the DNS SRV record _sipfederationtls._tcp.sip.sternstewart.local exists for this domain.
Warning
[0x43FC200C] Not all checks were successful
mail.sternstewart.in DNS Resolution failure: No DNS SRV records corresponding to _sipfederationtls._tcp.mail.sternstewart.in were found for this domain
Suggested Resolution: Verify that the domain name is correct and that the DNS SRV record _sipfederationtls._tcp.mail.sternstewart.in exists for this domain.
Warning
[0x43FC200C] Not all checks were successful
ssipl-exchange.sternstewart.local DNS Resolution failure: No DNS SRV records corresponding to _sipfederationtls._tcp.ssipl-exchange.sternstewart.local were found for this domain
Suggested Resolution: Verify that the domain name is correct and that the DNS SRV record _sipfederationtls._tcp.ssipl-exchange.sternstewart.local exists for this domain.
Warning
[0x43FC200C] Not all checks were successful
Checking direct partner configuration Direct Partner: None Found
Success
Checking enhanced federation domain allow list configuration Enhanced Federation Domain Allow List Partner: None Found
Warning
[0x43FC200C] Not all checks were successful
What could be the problem...
Regarding certificates, could you please tell me in detail how I create them... along with SIP and SAN names please.
I also tried yesterday to connect from outside... it gave an error "could not verify the certificate".
And what would you put in the external server name in the OCS client...
Thursday, February 26, 2009 7:48 AM -
Made some more changes, could you please check:
Access Edge Server: Activated
Web Conferencing Edge Server: Not Activated
A/V Edge Server: Not Activated
Internal interface IP address: 192.168.1.226
Internal interface FQDN: OSCEDGE.sternstewart.local
Internal interface port for Access Edge Server: 5061
External interface IP address for Access Edge Server: 192.168.1.228
External interface FQDN for Access Edge Server: OCSEDGE.sternstewart.local
External interface federation port for Access Edge Server: 5061
External interface remote access port for Access Edge Server: 443
Access Edge Server remote employee access: Enabled
Access Edge Server allows anonymous users: True
Access Edge Server allows remote users: True
Access Edge Server federation: Disabled
Access Edge Server internal next hop: ssipl-exchange.sternstewart.local
Access Edge Server internal SIP domains:
sternstewart.in
sternstewart.local
Internal Enterprise pools or Standard Edition Servers:
ssipl-exchange.sternstewart.local
Please reply...
Thursday, February 26, 2009 10:04 AM -
When I try to connect from the outside world I get these errors:
Communicator failed to connect to server ssipl-exchange.sternstewart.local (192.168.1.224) on port 5061 due to error 10060. The server is not listening on the port in question, the service is not running on this machine, the service is not responsive, or network connectivity doesn't exist
Please help...
Communicator could not connect securely to server mail.sternstewart.in because the certificate presented by the server was not trusted due to validation error 0x80090325. The issuing certificate authority (CA) for the server's certificate may not be locally trusted by the client, the certificate may be revoked, or the certificate may have expired.
Thursday, February 26, 2009 11:39 AM -
Normally the external port is configured to use 443 instead of 5061.
- Belgian Exchange Community : http://www.pro-exchange.be -
Thursday, February 26, 2009 7:55 PM -
Robin, your configuration is showing the correct default ports:
External interface federation port for Access Edge Server: 5061
External interface remote access port for Access Edge Server: 443
But if you are seeing that error then I'd guess you are using manual configuration on the external client. If so you need to enter the External Servername or IP address as "servername.domain.com:443" so that the client doesn't automatically attempt to connect to the normal TLS listening port of 5061 as it does when connecting to an internal Front-End Server or Director. The Federation services listen on 443 on an Access Edge server.
Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
Thursday, February 26, 2009 8:04 PM Moderator -
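The two client-side failures in this thread (the 10060 connect to the internal pool on 5061 when the manual entry lacks :443, and the 0x80090325 trust failure when the Edge certificate's names or issuer are not what the external client expects) can be reproduced offline as a pre-flight check. This is an added example, not code from the thread or from Microsoft; the config dict, the client entry string and the trusted-CA list are constructed from the settings the poster pasted, and the 443/5061 behaviour is taken from Jeff's reply above.

```python
"""Offline pre-flight check for an OCS 2007 Access Edge external client path.

Constructed example, not part of the thread. EDGE_CONFIG mirrors the
poster's pasted settings; the checks encode the thread's diagnosis.
"""
from fnmatch import fnmatchcase

# Constructed sample: the poster's Edge settings reduced to what the client sees.
EDGE_CONFIG = {
    "external_fqdn": "OCSEDGE.sternstewart.local",  # not resolvable from the internet
    "remote_access_port": 443,
    "cert_subject": "sip.mail.sternstewart.in",
    "cert_sans": ["sip.mail.sternstewart.in"],
    "cert_issuer": "win2k3",                        # internal Windows CA
}


def name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive certificate name match; a wildcard covers one label only."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and fnmatchcase(host, pattern)
    return pattern == host


def check_external_path(cfg: dict, client_entry: str, client_trusted_cas: list) -> list:
    """Return findings for a Communicator client configured manually with client_entry."""
    findings = []
    host, _, port = client_entry.partition(":")
    # Without an explicit :443 the client uses the normal TLS port 5061 (error 10060).
    if port != str(cfg["remote_access_port"]):
        findings.append(f"client entry '{client_entry}' lacks :{cfg['remote_access_port']}; "
                        "client will try TLS on 5061 (error 10060)")
    # A .local name on the external interface cannot be resolved by internet clients.
    if cfg["external_fqdn"].lower().endswith(".local"):
        findings.append(f"external FQDN {cfg['external_fqdn']} is not resolvable from the internet")
    # The certificate must cover the name the client connects to...
    names = [cfg["cert_subject"], *cfg["cert_sans"]]
    if not any(name_matches(n, host) for n in names):
        findings.append(f"certificate names {sorted(set(names))} do not cover "
                        f"connection name {host} (0x80090325)")
    # ...and its issuer must be in the client's trusted root store.
    if cfg["cert_issuer"] not in client_trusted_cas:
        findings.append(f"issuer '{cfg['cert_issuer']}' is not trusted by the client (0x80090325)")
    return findings


if __name__ == "__main__":
    for f in check_external_path(EDGE_CONFIG, "mail.sternstewart.in", []):
        print("FINDING:", f)
```

Run as-is it reports all four problems the poster hit; an entry of `sip.mail.sternstewart.in:443`, a public external FQDN and the win2k3 root in the client store yield an empty list.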
I tried using the public IP and also mail.sternstewart.in (221.128.xxx.xxx) but it gives the certificate error...
Then what could be the problem...
Friday, February 27, 2009 5:09 AM -
Jeff, you have said External Servername or IP address, so in my case what could it be...
Friday, February 27, 2009 5:14 AM -
Hi all,
Some success at last.
I made a small change in the setup:
1) I removed it from the domain and made it a workgroup
2) On the external NIC I put the public IP and reconfigured it
3) Removed the Linux firewall
4) Tried connecting from outside, it worked
So do I have to open any particular ports on my firewall, and instead of 443 can I put 4443...
Friday, February 27, 2009 11:17 AM -
Jeff,
Do I need to install any additional certificates on my client machine for connecting from the outside world...
Saturday, February 28, 2009 11:45 AM -
You must make sure that the external certificate on the Edge server is trusted by your clients.
If it was issued by the same CA as your internal pool then you should be alright.
- Belgian Exchange Community : http://www.pro-exchange.be -
Sunday, March 1, 2009 4:14 PM -
There is no need to post this question 5 times in 5 different threads. See the responses posted in this thread:
http://social.microsoft.com/Forums/en-US/communicationsserveredgeservers/thread/124cf304-662a-4d1a-abac-33d5f3fc46e2
Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
Thursday, September 24, 2009 12:47 PM Moderator