EDGE server deployment & certificate errors from Communicator

  • Question


    Hello people,

    I am very confused with Edge server deployment. Tried almost every combination, but nothing helps.

    We have an OCS server (enterprise) in a domain.

    Servers:

    ocs-dc (DC, DNS) - internal IP is X.101. External IP none. FQDN: ocs-dc.domain.com

    ocs-ocs (OCS front-end) - internal IP is X.102. External IP none. FQDN: ocs-ocs.domain.com

    ocs-sql...not important here.

    Now, the edge:

    Internal IP X.104. Internal FQDN ocs-edge.domain.com. External IP: Y.26 External FQDN: ??? All parts have their own. Is there any for the EDGE itself?

    Parts of the edge (consolidated topology - all in one):

    Reverse proxy: External IP Y.26, FQDN ocs-ext.domain.com

    Access edge: External IP Y.27, FQDN im.domain.com

    Web conferencing edge: External IP Y.28, FQDN wc.domain.com

    A/V edge: External IP Y.29, FQDN av.domain.com

    All edge parts have certificates for their FQDN. I have read that there should be some alternate names - however I have no idea what to enter there. */domain.com???

    SIP domain: not sure what this is. Should be listed as sip.domain.com or only domain.com???


    And now, here are the errors:


    Communicator error (connecting to the access edge server): Something like "there is a problem with the certificate....". Where can I find more information about this error - which certificate? Which server? What problem?


    Validation errors:

    On EDGE

    DNS Resolution failure: No DNS SRV records corresponding to _sipfederationtls._tcp.sip.domain.com were found for this domain (we have this DNS SRV record on the DC)

    On OCS

    Error: One or more pool hosted users are enabled for telephony, but default location profile hasn't been specified for the pool. (don't know where to fix this)

    The remote server certificate has been revoked.: 172.19.103.4:5061 Error Code: 0x80092010 Outgoing TLS negotiation failed. Remote Certificate was revoked. HRESULT=-2146885616 (we have created new certificates. Why this error?)


    Now, internal connection works without problems. External doesn't. However I am able to reach the page http://ocs-ext.domain.com/??(don't remember)/Tshoot.html.
    I've been following the MS guides all the time. This seems to be rather complicated. However I would strongly appreciate any help, how-to, hint...
    Thanks a lot; if you need additional info, please ask. I am quite new to OCS.

    Best regards

    Ravie.


    Friday, February 8, 2008 2:20 PM

All replies

  • Are you running split-DNS?  The DNS SRV records must exist on any external DNS servers in order for Automatic Configuration to be used on the client.


    The error regarding the pool users enabled for telephony can be ignored for now.


    The certificate revocation is a problem.  Where was the cert issued from, an internal CA or a trusted third-party CA?

    Friday, February 8, 2008 4:46 PM
    Moderator
  • The A/V Edge server external interface should have a direct public IP address configured on it (no NATing).


    There should not be a wildcard entry in the cert (*.domainname).


    Alternate name means the other FQDNs that you are using for the same service. If you have consolidated edge servers and want to use a single cert for all three edge roles, then the certificate alternate names would include the external name of the Access Edge server, the external name of the Web Conferencing Edge server and the external name of the A/V Edge server.


    The SIP domain is the one you use as the domain in your user ID when logging in to Communicator. If your OCS user ID is user@xyz.com, then xyz.com is the SIP domain.


    Do write in case you have further questions.


    Ram K Ojha
    MCSE 2003 - Messaging, MCTS- (LCS 2005 & OCS 2007)
    http://www.OCSPedia.com
    http://www.ITCentrics.com
    Friday, February 8, 2008 8:24 PM
  • Check the certs on your edge box, see where they are looking for CRLs, and verify you can get to that destination through Internet Explorer.

    Monday, February 11, 2008 12:38 AM
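The CRL check suggested above, carried a step further as an added example (this is not code from any poster in the thread). The PowerShell below connects to an Edge listener, captures the certificate it actually presents, lists the subject and SAN names, checks whether a given name is covered, and probes every HTTP CRL distribution point the certificate carries. The host names and ports are the thread's placeholders and are assumptions. Two caveats it encodes: an `ldap:///` CDP with no host, which a Windows CA emits by default, is resolved through the AD domain controller locator and is therefore only usable from a domain-joined machine (a DMZ Edge in a workgroup cannot fetch it); and Windows distinguishes a certificate that is actually on the CRL (CRYPT_E_REVOKED, 0x80092010, the code in the first post) from one whose revocation status could not be determined (CRYPT_E_REVOCATION_OFFLINE, 0x80092013).

```powershell
# Added diagnostic for the thread above; not the posters' code. Host names,
# ports and the output file are assumptions for illustration.

function Get-TlsPeerCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,  # name the client dials, e.g. im.domain.com
        [int]$Port = 443                                  # 443 = Communicator remote access; 5061 = SIP/MTLS
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept any chain here: we want to see the cert, not enforce trust.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($HostName)
        # Copy into an X509Certificate2 so it outlives the stream.
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if ($san) {
        # Single-line Format() renders "DNS Name=im.domain.com, DNS Name=av.domain.com, ..."
        foreach ($m in [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    $names | Select-Object -Unique
}

function Test-CertificateMatchesName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Name)
    foreach ($n in Get-CertificateDnsNames -Cert $Cert) {
        if ($n -eq $Name) { return $true }                            # -eq is case-insensitive
        if ($n.StartsWith('*.') -and ($Name -like $n)) { return $true } # wildcard; the reply above advises against these
    }
    return $false
}

function Test-CrlUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $cdp = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # CRL Distribution Points
    if (-not $cdp) { return }
    foreach ($m in [regex]::Matches($cdp.Format($true), 'URL=(\S+)')) {
        $url = $m.Groups[1].Value
        if ($url -like 'http*') {
            try {
                $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
                [pscustomobject]@{ Url = $url; Reachable = $true;  Detail = "HTTP $($r.StatusCode), $($r.RawContentLength) bytes" }
            } catch {
                [pscustomobject]@{ Url = $url; Reachable = $false; Detail = $_.Exception.Message }
            }
        } else {
            # ldap:/// has no host part: Windows finds a DC through the AD locator,
            # which only works on a domain-joined machine. A DMZ Edge usually is not one.
            [pscustomobject]@{ Url = $url; Reachable = $null; Detail = 'LDAP CDP: needs domain membership, not probed' }
        }
    }
}

# Usage with the thread's (assumed) names:
$cert = Get-TlsPeerCertificate -HostName 'im.domain.com' -Port 443
$cert | Select-Object Subject, Issuer, NotBefore, NotAfter, Thumbprint | Format-List
Get-CertificateDnsNames -Cert $cert
Test-CertificateMatchesName -Cert $cert -Name 'im.domain.com'
Test-CrlUrls -Cert $cert | Format-Table -AutoSize

# Hand the same cert to certutil for a full chain and revocation check from this host:
[System.IO.File]::WriteAllBytes("$PWD\edge.cer", $cert.Export('Cert'))
certutil -verify -urlfetch "$PWD\edge.cer"
```

Run it from the same network position as the failing client (the external test machine for `im.domain.com:443`, the front end for the Edge internal interface on 5061), because the certificate and the CDP reachability you observe depend on where you stand. The `certutil -verify -urlfetch` step at the end prints each CDP and AIA URL it fetched together with the revocation result, which is the quickest way to tell "revoked" from "could not check" on a Windows box.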
  • Hello,

    I will try to answer what I know; sorry for the length of this post.

    - We are not running split-DNS. We have one DNS, which is on the DC (domain controller). We are testing it internally, so the DNS is not publicly routable - we are using a computer that is not in our company network, and the DNS names needed are in C:\windows\system32\drivers\etc\hosts. Is this a problem?

    - The certificate was issued by our internal CA configured to serve the OCS installation only. We had a problem (front-end service could not be started) in our previous installation, therefore we reinstalled DC, OCS and EDGE and revoked all certs and created all we think we need once again - from scratch.

    - The A/V EDGE does have an external public address of Y.29 and fqdn av.domain.com - the only non-standard situation is that we are using hosts records as written above, not as public routable DNS.

    - I have re-created the certs so the internal certificate is issued to ocs-edge.domain.com (internal edge FQDN) and alternative names are

    DNS Name=im.domain.com (external FQDN, access edge server)

    DNS Name=ocs-ext.domain.com (external FQDN, reverse proxy)

    DNS Name=av.domain.com (external FQDN, A/V edge)

    DNS Name=wc.domain.com (external FQDN Web conferencing edge)

    DNS Name=ocs-edge.domain.com (internal FQDN)

    and the external certificate is issued to sip.domain.com (no idea why, but this was suggested by the wizard!) and alternative names are the same as for private interface (I am so confused that I added all I thought should have any influence. The primary target is to run the edge somehow without considering the security risks).

    After re-creating the certs, the errors regarding revoked certs are gone.

    When I try to validate the EDGE, I am still getting errors, including the DNS Resolution failure: No DNS SRV records corresponding to _sipfederationtls._tcp.domain.com were found for this domain.

    I have created the record by going to Forward lookup zones, then Domain (domain name) and Other new records, type SRV, then pasting "_sipfederationtls._tcp.domain" with port 5061 and adding "im.domain.com" into the "Host offering this service" field. im.domain.com is the external FQDN of the Access Edge server. Is that right so far or not?

    Besides, when validating OCS server, there are some more issues:

    Front end:

    One or more pool hosted users are enabled for telephony, but default location profile hasn't been specified for the pool. Ignoring for the moment.

    Web components:

    * https://ocs.domain.com/GroupExpansion/Int/service.asmx - Unauthorized (error 401). OCS.domain.com is our enterprise pool.

    * Another one: https://ocs-ext.domain.com/GroupExpansion/Ext/service.asmx (ocs-ext is the reverse proxy). Error: ConnectFailure Warning: Failed to connect to the external URL. This may be expected if external web farm FQDN isn't accessible from intranet.

    This looks like I am missing something important - why does the system try GroupExpansion on the reverse proxy?

    Web conferencing: without errors.

    A/V:

    A/V Authentication Edge Server: Could not contact A/V Authentication Edge Server.
    To resolve this error, check for the following
    1. The outbound proxy is reachable.
    2. The outbound proxy and A/V Authentication Edge Server are in trusted server list of each other.
    3. The outbound proxy and A/V Authentication Edge Server have valid certificates.
    4. Conference Server certificate is valid.
    5. A/V Authentication Edge Server Gruu is correct


    - Thank you for the SIP domain clarification and alternate names. This really helped me to understand a little bit more.

    - I tried to reach the CRL location from EDGE, OCS and DC, the url was like

    URL=ldap:///CN=OCS%20Certification%20Authority,CN=OCS-DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

    ...but I could not reach the location. How can I figure out the reason?


    This may give a clue: When connecting with the Communicator (to im.domain.com - the access edge - is that right???), I am getting the Certificate error - in the system event log there is a message that the Communicator is looking for im.domain.com but the cert doesn't match it. However, the im.domain.com is included in the SAN. What does it mean? Should I be connecting not to the access edge, but to anything else? To the "whole" edge itself?


    Thank you very much for your time.

    And, of course, all posts marked as helpful.

    Best regards

    Ravie


    Monday, February 11, 2008 6:37 AM
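On the SRV record question in the post above, an added example (not from the thread) that checks the two SRV records an OCS 2007 SIP domain needs for external clients and federation, and creates any that are missing on the DNS server with `dnscmd`. `domain.com`, `im.domain.com` and `ocs-dc.domain.com` are the thread's placeholders and are assumptions; `Resolve-DnsName` needs the DnsClient module (Windows 8 / Server 2012 or later). Two things the script is built around: the records live directly under the SIP domain (the part after `@` in the sign-in name), so the node name inside the zone is just `_sipfederationtls._tcp` with no domain suffix, and the validator derives the name it looks up from the SIP domain configured in the topology; and a hosts file can only map names to addresses, so an external test client that depends on hosts entries will never find `_sip._tls.<sipdomain>` for automatic configuration (point it at a DNS server that answers, or use manual configuration in Communicator).

```powershell
# Added example for the thread above; not the posters' code. Names are assumptions.
$SipDomain  = 'domain.com'        # part after @ in the Communicator sign-in name
$AccessEdge = 'im.domain.com'     # external FQDN of the Access Edge
$DnsServer  = 'ocs-dc.domain.com' # server holding the zone (AD-integrated DNS on the DC in the thread)

# Record name -> expected port and purpose. Both sit under the SIP domain itself.
$Expected = @{
    "_sip._tls.$SipDomain"              = @{ Port = 443;  Use = 'Communicator remote access (automatic configuration)' }
    "_sipfederationtls._tcp.$SipDomain" = @{ Port = 5061; Use = 'federation / public IM connectivity' }
}

function Test-OcsSrvRecord {
    param([string]$Name, [int]$Port, [string]$Target, [string]$Server)
    try {
        $rec = Resolve-DnsName -Name $Name -Type SRV -Server $Server -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
    } catch { $rec = $null }
    if (-not $rec) { return "MISSING  $Name" }
    $ok = $rec | Where-Object { $_.NameTarget -eq $Target -and $_.Port -eq $Port }
    if ($ok) { return "OK       $Name -> $($ok.NameTarget):$($ok.Port)" }
    return "WRONG    $Name -> $($rec.NameTarget):$($rec.Port) (expected $Target`:$Port)"
}

foreach ($name in $Expected.Keys) {
    $status = Test-OcsSrvRecord -Name $name -Port $Expected[$name].Port -Target $AccessEdge -Server $DnsServer
    Write-Host "$status  [$($Expected[$name].Use)]"
    if ($status -like 'MISSING*') {
        # dnscmd syntax: /RecordAdd <zone> <node> SRV <priority> <weight> <port> <target>
        # <node> is relative to the zone, so strip ".domain.com" from the full record name.
        $node = $name.Substring(0, $name.Length - $SipDomain.Length - 1)
        & dnscmd $DnsServer /RecordAdd $SipDomain $node SRV 0 0 $Expected[$name].Port $AccessEdge
    }
}

# The target of an SRV record must itself resolve to an address, or clients still fail:
Resolve-DnsName -Name $AccessEdge -Type A -Server $DnsServer
```

Run the check twice: once against the internal DNS server (what the Edge validation wizard sees) and once against whatever resolver the external test machine uses, since the two will legitimately differ in a split-DNS setup and the client-side failure in the thread is about the external view.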
  • Hello,
    Did you get an answer on the A/V errors that you had?
    I'm receiving the same exact A/V Error Message.

    Friday, May 22, 2009 5:20 PM