Remote users fail to connect, certificate or settings?

  • Question

    Hello Everyone,

     

    I'm currently installing OCS 2007 public beta.  We're using a simple deployment with support for external users.  We have an OCS server, a director, and a consolidated edge server.  The edge server has the edge server, the web conference server, and A/V server all on one machine.  Most of our users are internal, on our domain, but we do support some external anonymous users who IM with some of our employees.  We are primarily concerned with getting IM functionality working, as we don't require audio or video.

     

    On the internal network, everything seems to be working fine.  Users can connect to the server with no problem.  However, I cannot get the remote users to log in - the error states that there is a problem verifying the certificate (using Communicator 2007).  The users are enabled for remote access in Active Directory and the OCS management tool. We have not set up the DNS records yet, so I'm just trying to connect to the IP address of the external OCS interface.  I ran the edge server validation wizard from the edge server and tested connectivity between two users, one internal and one remote, using the FQDN of the OCS server for the internal user and the IP of the external edge for the remote user.  Everything works fine (connectivity with next hop server is a success), and the internal user can log in, but I get the following error when trying to log in the remote user:

     

    Attempting to login user using NTLM   Maximum hops: 2
    Failed to register user: User sip:XXX@sip.domain.com @ Server xxx.xxx.xxx.xxx
    Failed to send SIP request: outgoing TLS negotiation failed; HRESULT=-2146893022
    Suggested Resolution: Make sure that the server is listening on the specified IP address/Port/Transport. If you have a firewall make sure that this port is open. Make sure that the server is running. This can be ignored if you have not enabled the transport on the target server.
      Failure
    [0xC3FC200D] One or more errors were detected
     

    I have three questions:

     

    1. Is this error because I'm running the wizard from the edge server and trying to test connectivity for a remote user? 

     

    2.  Is this a certificate issue for the remote user?  I've installed every certificate I can think of on the remote user's computer.  It trusts our CA, so I'm not sure what other certificate he would need.   What certificate does he need, if we are not using a public CA?

     

    3.  What is the "User Authentication Certificate" found under the Internal Interface Settings on the edge server management snap-in?  The certificate wizard prompts for an "A/V certificate" to be assigned, even though one is not required, and then puts whatever certificate you specify under this category.  I cannot find any information in the documentation about this. 

     

    Sorry for the long-winded message, hopefully it will assist someone else.  Thank you for your assistance.

     

    -Tighe

    Friday, April 20, 2007 7:27 PM

Answers

  • Try creating a hosts file on the client that has the FQDN of the certificate bound to the external interface of the Edge server.  If you are putting an IP address in the client, you will get a certificate error.

     

    Pete

    Friday, April 20, 2007 8:36 PM
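
An added example, not part of the original thread: the HRESULT in the wizard output decodes to `SEC_E_WRONG_PRINCIPAL` (the target principal name is incorrect), which is the TLS name check failing because an IP address was typed where the certificate carries an FQDN. The sketch below decodes the value and reproduces the name check against a constructed certificate; `sip.example.test` and `203.0.113.10` are placeholder values, and the certificate uses the dict layout of Python's `ssl.SSLSocket.getpeercert()`.

```python
import ipaddress

# SSPI status codes keyed by unsigned HRESULT.
SSPI_ERRORS = {0x80090322: "SEC_E_WRONG_PRINCIPAL"}  # target principal name is incorrect

# Constructed sample: a certificate issued for an FQDN only, with no IP Address SAN.
SAMPLE_CERT = {
    "subject": ((("commonName", "sip.example.test"),),),
    "subjectAltName": (("DNS", "sip.example.test"),),
}

def decode_hresult(signed_value):
    """Turn the signed 32-bit value printed by the wizard into (hex, symbolic name)."""
    unsigned = signed_value & 0xFFFFFFFF
    return f"0x{unsigned:08X}", SSPI_ERRORS.get(unsigned)

def _dns_match(pattern, host):
    """Case-insensitive label compare; '*' may stand in for the left-most label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h

def target_matches_cert(target, cert):
    """Return True if the name the client was told to connect to is one the cert covers."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP target can only match an "IP Address" SAN, never a DNS name.
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)
    names = [v for k, v in sans if k == "DNS"]
    if not names:
        # Fall back to the subject CN when the certificate has no DNS SAN.
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(n, target) for n in names)

if __name__ == "__main__":
    print(decode_hresult(-2146893022))
    for target in ("203.0.113.10", "sip.example.test"):
        print(target, "->", target_matches_cert(target, SAMPLE_CERT))
```

A hosts-file entry fixes the failure because the client then connects using the FQDN, so the name it checks is one the certificate actually contains.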

All replies

  • Great, that totally fixed the certificate error.  Thanks a bunch!  I'm still curious about the "User Authentication Certificate" on the internal interface of the edge server though.  Do you know what this is for?

    -Tighe
    Friday, April 20, 2007 11:29 PM
  • Both certs are server authentication and the certificate on the internal interface is used for https server communication initiated by the director/pool.

     

    Pete

    Friday, April 20, 2007 11:47 PM