External CWA R2 Desktop Sharing

  • Question

  • I've recently upgraded our entire infrastructure to R2, and everything is working except for one scenario:

    If I'm using CWA on an external system (internet connected), I can't initiate desktop sharing to an internal user.  I get the message "Cannot start desktop sharing session currently."  However, the internal user can initiate desktop sharing to the external CWA user.

    Again, desktop sharing works for every other scenario:
    External Communicator client  <--> Internal CWA/Communicator client - works - either can initiate/join
    External Communicator client <--> External Communicator client - works - either can initiate/join
    Internal CWA <--> Internal CWA - works - either can initiate/join

    Thoughts?  Using ISA 2006 SP1 in bridge-mode.  Certificates appear to be fine, with as/download entries included.

    Friday, July 17, 2009 5:09 PM

All replies

  • I'm having the same issue. Only I have a fresh installation of OCS 2007 R2.

    When a user uses CWA to initiate desktop sharing, it fails with 'Cannot start desktop sharing session currently'. In the logging on the following servers I see an error message 'SIP/2.0 481 Call Leg/Transaction Does Not Exist'
    -OCS 2007 R2 Front End server
    -OCS 2007 R2 Edge server
    -OCS 2007 R2 CWA server

    All prerequisites are met, the DNS registrations are correct (as and download CNAME records). SAN certificate has all the names in it.

    It's driving me crazy...

    Any ideas?

    Monday, August 3, 2009 5:56 AM
  • First make sure you have all Cert names in it. Example given below.

    Subject name

    Matches the URL of the Communicator Web Access site. For example, if the URL is https://im.contoso.com then the certificate should have im.contoso.com as subject name.

    Subject alternative name (SAN)

    Includes the following:

    • The URL of the Communicator Web Access site.
    • The as URL.
    • The download URL.
    • The fully qualified domain name (FQDN) of the Communicator Web Access server.

    For example, suppose you have a computer named cwaserver.contoso.com, and users access this server using the host name im.contoso.com. In that case your certificate would need to include the following information:

    Subject name

    • im.contoso.com

    Subject alternative name (SAN)

    • im.contoso.com
    • as.im.contoso.com
    • download.im.contoso.com
    • cwaserver.contoso.com

    In case you have all these and are still facing the issue, capture the SIPSTACK, S4 from CWA and Front End server while reproducing the issue.

    Jithendranath Reddy
    Monday, August 3, 2009 9:00 AM
  • The DNS and certificates are correct.

    I captured the logging on the front end and CWA server and have the SIP/2.0 481 Call Leg/Transaction Does Not Exist in the logging.

    What's the next step?

    Monday, August 3, 2009 11:25 AM
  • Just to complete this thread, I found the solution for my problem.
    The solution was to open the ports 50000-59000 on the edge server firewall.

    I thought that these ports would be open because after the installation of the edge roles on the Windows 2008 server, there were already some changes to the firewall. Unfortunately, this was not enough. So I opened the ports and now it works.

    • Proposed as answer by PcDPcD Monday, September 14, 2009 12:03 PM
    Monday, September 14, 2009 12:01 PM
  • Desktop sharing can be implemented only if the virtual server uses the HTTPS connectivity protocol. If you log on to a Communicator Web Access Web site that uses the HTTP protocol the desktop sharing button will be disabled. If you hold the mouse over the button a tooltip will appear stating that, "Desktop sharing requires a secure connection (HTTPS). Contact your system administrator." You will also need to open firewall ports 49152 through 65535 to support desktop sharing.

    Bruno Estrozi - MCSE +S +M/MCTS/MCITP - Unified Communications Specialist | http://brunoestrozi.com.br
    Monday, September 14, 2009 10:53 PM
  • Have you checked if your ISA Server is allowing connections for download/as?
    Typically when you create a web-listener, the web-listener will only listen to the host-names specified in the listener.

    You can test that using a simple telnet to as.<CWA_URL> 80/443. If the telnet session does NOT connect, your firewall is blocking it.
    Monday, September 21, 2009 5:06 PM
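
The certificate name check from the reply above and a TLS version of the telnet test, as an added example that is not from any poster in this thread. Function names and the sample certificate are constructed; the wildcard matching follows general TLS hostname rules, which the thread does not discuss.

```python
import socket
import ssl

def required_cwa_names(site_host, server_fqdn):
    """Names the reply above lists for the SAN: site, as.<site>, download.<site>, server FQDN."""
    site = site_host.lower().rstrip(".")
    return [site, "as." + site, "download." + site, server_fqdn.lower().rstrip(".")]

def _covers(pattern, host):
    """Exact match, or a wildcard that stands for exactly one left-most label (assumption)."""
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == host

def audit_cert(cert, site_host, server_fqdn):
    """cert is a dict shaped like ssl.SSLSocket.getpeercert() output.
    Returns (subject_matches_site, list_of_required_names_missing_from_SAN)."""
    san = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    needed = required_cwa_names(site_host, server_fqdn)
    missing = [n for n in needed if not any(_covers(p, n) for p in san)]
    subject_ok = any(_covers(c, needed[0]) for c in cn)
    return subject_ok, missing

def fetch_cert(host, port=443, timeout=5.0):
    """Connect to host:port over TLS and return the certificate dict.
    Raises OSError when the port is blocked, and ssl.SSLCertVerificationError
    (an OSError subclass) when the certificate does not validate for host."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample: the download name is missing from the SAN list.
SAMPLE_CERT = {
    "subject": ((("commonName", "im.contoso.com"),),),
    "subjectAltName": (("DNS", "im.contoso.com"), ("DNS", "as.im.contoso.com"),
                       ("DNS", "cwaserver.contoso.com")),
}
```

Calling `fetch_cert` against the site name, the as name and the download name from an external machine exercises the published listener for each host name in turn; `audit_cert` can then be run on any of the returned dicts.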
  • Hi,

    Thanks for all of the input.

    For security reasons, we only opened certain ports on firewall (Cisco ASA) from the INSIDE to the OUTSIDE, namely 80, 443, 25, etc.
    In order to get the remote desktop sharing piece of CWA working, we had to allow port 1024-65535 from the OCS server to outside.
    I set 1024 because our firewall logs showed CWA trying to use ports as low as 12744.

    Basically, we allowed TCP ports 1024-65535 out of the firewall from the OCS server.

    I hope this helps someone...
    Thursday, September 24, 2009 3:10 PM