OCS Edge server - Office Communicator not able to log on from outside

  • Question

  • Dear all
    In the test lab I am trying to set up OCS for a real environment.

    With the help of this forum I have completed the installation; the setup is

    Outside PC communicator -- -- Router/External DNS --- Edge server --- switch --- Front end server, DC-Internal DNS, Exchange, Inside PC communicator.

    Outside PC communicator IP address: 192.168.156.2, gateway & DNS = 192.168.156.4 --- goes to | --- 192.168.156.4 (router's two cards' IP addresses) 192.168.155.4 --- | 3 links towards the Edge external interfaces | 192.168.155.1 (Access Edge), 192.168.155.2 (Web Conferencing), 192.168.155.1 (A/V Edge Server)

    I have configured a gateway only on the Access Edge server: 192.168.155.1, 255.255.255.0, 192.168.155.4
    On A/V and Web Conferencing I have not configured a gateway, and all ports are open on the outside network.

    On the Edge server I have one more LAN card (inside) which goes to the OCS network.

    Internally I can do voice calls, chat and voicemail; everything is working. After installing the Edge server I ran "validate Edge server with 2 users" and it is working perfectly.

    On the outside external DNS I have created A records for SIP.KIN.COM, AV.KIN.COM, WEBCONF.KIN.COM and _SIP_TLS_KIN.COM: 443 = sip.kin.com, and there is no issue with the certificate.

    Now the problem is:
    From the outside PC Communicator, when I open Communicator - Options - external server = sip.kin.com:443, TLS selected.
    I try to log on with user1@kin.com; it takes some time but I get the message

    "Cannot sign in because the server is temporarily unavailable. If the problem persists, contact your system administrator"

    I can "telnet sip.kin.com 443" and it opens a blank window, which proves it is working. I just want to log on from the outside PC Communicator and make voice calls. For this:
    1. Do I need the A/V server and Web Conferencing server? I think it is not necessary?

    2. Please help me: why are the users not able to log on when all ports are open?
    Thursday, October 22, 2009 1:52 PM

Answers

  • Dear Thorsten and Jeff and sick.

    Good news, with the help of almighty Allah and Prophet Muhammad (saw) I made it work. Actually the problem is: while installing the Front End server, in step 2 configure server - run - External user configuration - configure external user access now - in the FQDN of internal pool Access Edge server, I gave edgesrv.ocsr2.kin.com (this is wrong); actually this caused the problem. I should give only Edgesrv, because this is not a part of the domain and the certificate is also generated with the edgesrv name only.

    I re-ran the setup and gave only edgesrv as the FQDN on the Front End server, and on the Edge server I also ran the CD again and gave the internal Edge server name as Edgesrv as the FQDN, and externally I gave sip.ocsr2.kin.com, webconf.ocsr2.kin.com, av.ocsr2.kin.com.

    Now I am able to log on from the OUTSIDE PC Communicator and do chat and presence, but I am not able to do voice calls. I think I need to properly configure the A/V server. Thanks for your help, and this might be helpful for other users.
    Tuesday, October 27, 2009 9:29 AM

All replies

  • Did you enable remote user access?

    Thursday, October 22, 2009 7:18 PM
  • To access via the outside PC Office Communicator, do you need the A/V and Web Conferencing server?

    When I set up the Edge server, I got 3 options in user settings:
    Allow remote user access to your network = selected
    Allow anonymous users to join meetings = selected
    Allow users to communicate with federated contacts = I cannot select this because it is greyed out.

    Federation settings
    Enable federation = selected | Allow discovery of federation partners = selected | Federation with selected public IM providers - MSN - Yahoo - AOL = all are selected.

    But after that I see the results


    Access Edge Server: Activated
    Web Conferencing Edge Server: Activated
    A/V Edge Server: Activated

    Internal interface IP address: 192.168.152.26
    Internal interface FQDN: edgesvr.ocsr2.kin.com
    Internal interface port for Access Edge Server: 5061
    Internal interface port for Web Conferencing Edge Server: 8057
    Internal interface port for A/V Conferencing Server: 443

    External interface IP address for Access Edge Server: 192.168.155.1
    External interface FQDN for Access Edge Server: sip.ocsr2.kin.com
    External interface federation port for Access Edge Server: 5061
    External interface remote access port for Access Edge Server: 443

    External interface IP address for Web Conferencing Edge Server: 192.168.155.2
    External interface FQDN for Web Conferencing Edge Server: webconf.ocsr2.kin.com
    External interface port for Web Conferencing Edge Server: 443

    External interface IP address for A/V Edge Server: 192.168.155.3
    External interface FQDN for A/V Edge Server: av.ocsr2.kin.com
    External interface port for A/V Edge Server: 443

    Access Edge Server remote employee access: Enabled
    Access Edge Server allows anonymous users: True
    Access Edge Server allows remote users: False   (it is showing False; I do not understand why, since during installation I selected all the options)
    Access Edge Server federation: Enabled
    Access Edge Server automatic federation: Enabled
    Access Edge Server federation with public IM provider: Enabled
    Access Edge Server federation with MSN: Enabled
    Access Edge Server federation with Yahoo!: Enabled
    Access Edge Server federation with AOL: Enabled
    Access Edge Server internal next hop: fesrv.ocsr2.kin.com

    Access Edge Server internal SIP domains:
            ocsr2.kin.com

    Internal Enterprise pools or Standard Edition Servers:
            fesrv.ocsr2.kin.com


    Is there any other option to select to allow remote users? Please let me know.
    Friday, October 23, 2009 8:13 AM
  • Dear all

    In the user properties - Communications tab - other settings, I have selected all users; still it is not working.
    Friday, October 23, 2009 10:58 AM
  • Can you please provide a Communicator log and an Edge sipstack and S4 log for the external login.

    BTW: Regarding your A/V configuration, you have to use a routable address, not a translated address.

    It also seems that the SRV entry _sipfederationtls._tcp.domain is missing; see: http://technet.microsoft.com/en-us/library/bb870404.aspx

    Hope that helps
    ThorstenWujek
    Friday, October 23, 2009 11:39 AM
  • If this is an R1 deployment, that error can indicate that the user's account itself is not enabled for remote access; make sure you check the Communications tab in ADUC and check the External Access setting on the user account itself.

    If you have an R2 deployment then the resulting error would be more descriptive, stating that the user was not enabled for remote access instead of the generic error you reported. Also, if this is an R2 Edge server you can use a NAT'd private address on the A/V Edge role.

    Either way, the _sipfederationtls SRV record is not a requirement unless you want to enable Open Federation, which is in no way related to getting external user access.


    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Friday, October 23, 2009 12:24 PM
    Moderator
  • Dear Jeff
    I do not have any federation users; that is the reason I have not enabled the _sipfederationtls SRV record. In the user properties I have enabled remote access, and I am getting the generic error.

    I have added the Edge server into the domain because while installing the OCSR2 Front End server I gave the Edge server details as: edgeserv.ocsr2.kin.com. If I put the Edge server into a workgroup then the Edge server FQDN will be = edgserver.

    But once I add it into the domain then it will be = edgeserv.ocsr2.kin.com.

    Still I am getting the generic error? First I would like to test in the lab; if it works then I will implement it in the real network with NAT etc...

    Can you please help with what is causing the problem? I am using an internal CA, so I have copied the root CA onto the client computer, so there is no certificate issue.

    Please reply.
    Friday, October 23, 2009 2:13 PM
  • I have just enabled event logging on Communicator.

    Can you please let me know how to take sipstack logs for the Edge server and the S4 log for the external login? What are S4 logs? How do I take sipstack logs on the Edge server?
    Friday, October 23, 2009 3:41 PM
  • On the Edge server:

    open Computer Management -> Services and Applications -> right click (OCS 2007) -> Logging Tool -> New Debug Session

    Choose components S4 and SIPStack. Level <ALL> for both and all flags. Then start logging.

    It would be good if you could debug a validation, too.

    Bye


    ThorstenWujek
    Friday, October 23, 2009 4:21 PM
  • Dear all
    I took S4 and SIP logs on the Edge server; before that I would like to draw the physical setup again.

    Outside PC communicator -- -- Router/External DNS -------------- Edge server --- switch --- Front end server,   DC-Internal DNS,    Exchange, Inside PC communicator.
    192.168.156.1----  ----------192.168.156.4/192.168.155.6-----192.168.152.26----------192.168.152.23,      192.168.152.21

    The log file:

    LogType: connection
    Severity: information
    Text: TLS negotiation started
    Local-IP: 192.168.155.1:443
    Peer-IP: 192.168.156.1:1692
    Connection-ID: 0xE00
    Transport: TLS
    $$end_record


    Instance-Id: 00000006
    Direction: incoming;source="external edge";destination="internal edge"
    Peer: 192.168.156.1:1690
    Message-Type: request
    Start-Line: REGISTER sip:ocsr2.kin.com SIP/2.0
    From: <sip:augustin@ocsr2.kin.com>;tag=75fc9989e0;epid=8ff7501aeb
    To: <sip:augustin@ocsr2.kin.com>
    CSeq: 1 REGISTER
    Call-ID: 86c4f5bf8fb6471ba0e111bcacee33af
    Via: SIP/2.0/TLS 192.168.156.1:1690
    Max-Forwards: 70
    Contact: <sip:192.168.156.1:1690;transport=tls;ms-opaque=693829d612>;methods="INVITE, MESSAGE, INFO, OPTIONS, BYE, CANCEL, NOTIFY, ACK, REFER, BENOTIFY";proxy=replace;+sip.instance="<urn:uuid:20126B27-4513-50FA-8E58-40FC48F892D1>"
    User-Agent: UCCAPI/3.5.6907.37 OC/3.5.6907.37 (Microsoft Office Communicator 2007 R2)
    Supported: gruu-10, adhoclist, msrtc-event-categories
    Supported: ms-forking
    ms-keep-alive: UAC;hop-hop=yes
    Event: registration
    Content-Length: 0
    Message-Body: –
    $$end_record

    LogType: diagnostic
    Severity: information
    Text: The message has an internally supported domain
    SIP-Start-Line: REGISTER sip:ocsr2.kin.com SIP/2.0
    SIP-Call-ID: 86c4f5bf8fb6471ba0e111bcacee33af
    SIP-CSeq: 1 REGISTER
    Peer: 192.168.156.1:1690
    Data: domain="ocsr2.kin.com"
    $$end_record

    LogType: connection
    Severity: information
    Text: TLS negotiation started
    Local-IP: 192.168.152.26:1065
    Peer-IP: 192.168.152.23:5061
    Peer-FQDN: fesrv.ocsr2.kin.com
    Connection-ID: 0xF01
    Transport: TLS
    $$end_record

    LogType: connection
    Severity: information
    Text: Connection established
    Local-IP: 192.168.152.26:1065
    Peer-IP: 192.168.152.23:5061
    Peer-FQDN: fesrv.ocsr2.kin.com
    Peer-Name: fesrv.ocsr2.kin.com
    Connection-ID: 0xF01
    Transport: M-TLS
    $$end_record


    LogType: diagnostic
    Severity: information
    Text: Routed a request to the next hop internal server     ( edge server trying to establish a connection with Front end server)
    SIP-Start-Line: REGISTER sip:ocsr2.kin.com SIP/2.0
    SIP-Call-ID: 86c4f5bf8fb6471ba0e111bcacee33af
    SIP-CSeq: 1 REGISTER
    Peer: fesrv.ocsr2.kin.com:5061
    Data: destination="fesrv.ocsr2.kin.com"
    $$end_record


    Instance-Id: 00000006
    Direction: outgoing;source="external edge";destination="internal edge"
    Peer: fesrv.ocsr2.kin.com:5061
    Message-Type: request
    Start-Line: REGISTER sip:ocsr2.kin.com SIP/2.0
    From: <sip:augustin@ocsr2.kin.com>;tag=75fc9989e0;epid=8ff7501aeb
    To: <sip:augustin@ocsr2.kin.com>
    CSeq: 1 REGISTER
    Call-ID: 86c4f5bf8fb6471ba0e111bcacee33af
    Path: <sip:edgesvr.ocsr2.kin.com:1065;transport=tls;maddr=192.168.152.26;opaque=state:Ee.aaqZAmfWERln49ZoVv9VRBIgAA;lr>;tag=E18774264C7485D9663459C250C01112
    Record-Route: <sip:edgesvr.ocsr2.kin.com:1065;transport=tls;maddr=192.168.152.26;opaque=state:Ee.aaqZAmfWERln49ZoVv9VRBIgAA;lr>;tag=E18774264C7485D9663459C250C01112
    Via: SIP/2.0/TLS 192.168.152.26:1065;branch=z9hG4bK73782EF5.9461DD95EDACF106;branched=FALSE
    Max-Forwards: 69
    ms-edge-proxy-message-trust: ms-source-type=InternetUser;ms-ep-fqdn=edgesvr.ocsr2.kin.com;ms-source-verified-user=verified
    Contact: <sip:192.168.156.1:1690;transport=tls;ms-opaque=693829d612;ms-received-cid=D00>;methods="INVITE, MESSAGE, INFO, OPTIONS, BYE, CANCEL, NOTIFY, ACK, REFER, BENOTIFY";+sip.instance="<urn:uuid:20126B27-4513-50FA-8E58-40FC48F892D1>"
    Via: SIP/2.0/TLS 192.168.156.1:1690;ms-received-port=1690;ms-received-cid=D00
    User-Agent: UCCAPI/3.5.6907.37 OC/3.5.6907.37 (Microsoft Office Communicator 2007 R2)
    Supported: gruu-10, adhoclist, msrtc-event-categories
    Supported: ms-forking
    ms-keep-alive: UAC;hop-hop=yes
    Event: registration
    Content-Length: 0
    Message-Body: –
    $$end_record


    LogType: connection
    Severity: error
    Text: Receive operation on the connection failed       (it seems that there is some problem between the Front End server and the Edge server)
    Local-IP: 192.168.152.26:1065
    Peer-IP: 192.168.152.23:5061
    Peer-FQDN: fesrv.ocsr2.kin.com
    Peer-Name: fesrv.ocsr2.kin.com
    Connection-ID: 0xF01
    Transport: M-TLS
    Result-Code: 0x80072746 WSAECONNRESET
    $$end_record



    LogType: connection
    Severity: information
    Text: Connection closed
    Local-IP: 192.168.152.26:1065
    Peer-IP: 192.168.152.23:5061
    Peer-FQDN: fesrv.ocsr2.kin.com
    Peer-Name: fesrv.ocsr2.kin.com
    Connection-ID: 0xF01
    Transport: M-TLS
    $$end_record

    LogType: connection
    Severity: information
    Text: TLS connection closed
    Local-IP: 192.168.152.26:1065
    Peer-IP: 192.168.152.23:5061
    Peer-FQDN: fesrv.ocsr2.kin.com
    Peer-Name: fesrv.ocsr2.kin.com
    Connection-ID: 0xF01
    Transport: M-TLS
    $$end_record


    I have tried a lot but still I am not able to log on. Please help me.
    Monday, October 26, 2009 12:35 PM
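The sipstack dump above is a series of "Key: value" records terminated by $$end_record. As an added example (not part of the thread; the sample records are constructed from the post's own log), this script parses that format and lists the connection-level errors so the failing hop stands out:

```python
# Added example (not from the thread): parse the "$$end_record"-delimited sipstack/S4
# debug records shown above and list the connection-level errors per hop.
SAMPLE_LOG = """\
LogType: connection
Severity: information
Text: Connection established
Local-IP: 192.168.152.26:1065
Peer-IP: 192.168.152.23:5061
Peer-FQDN: fesrv.ocsr2.kin.com
Connection-ID: 0xF01
Transport: M-TLS
$$end_record

LogType: connection
Severity: error
Text: Receive operation on the connection failed
Local-IP: 192.168.152.26:1065
Peer-IP: 192.168.152.23:5061
Peer-FQDN: fesrv.ocsr2.kin.com
Connection-ID: 0xF01
Transport: M-TLS
Result-Code: 0x80072746 WSAECONNRESET
$$end_record
"""  # constructed from the records in the post above


def parse_records(text):
    """Split on $$end_record and turn each 'Key: value' block into a dict.
    partition() on the first colon keeps values like '192.168.152.26:1065' intact."""
    records = []
    for chunk in text.split("$$end_record"):
        fields = {}
        for line in chunk.strip().splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            records.append(fields)
    return records


def connection_errors(records):
    """(Connection-ID, local, peer, transport, result-code) for every connection error,
    so the failing leg (here edge -> front end over M-TLS) can be read off directly."""
    return [
        (r.get("Connection-ID"), r.get("Local-IP"),
         r.get("Peer-FQDN") or r.get("Peer-IP"), r.get("Transport"), r.get("Result-Code", ""))
        for r in records
        if r.get("LogType") == "connection" and r.get("Severity") == "error"
    ]


if __name__ == "__main__":
    for err in connection_errors(parse_records(SAMPLE_LOG)):
        print("connection %s %s -> %s (%s): %s" % err)
```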
  • Dear Jeff or Thorsten and sick ..... is there any update? I have enabled remote access in all users' properties. I am using an internal CA on the Edge server interfaces; on the outside PC Communicator I have copied the root CA, so there is no certificate issue. I can see in the logs some M-TLS issue between the Edge server and the Front End server (see the above log). Please can you help me.
    Monday, October 26, 2009 2:39 PM
  • How many interfaces and IPs does your Edge server have? You have noted one. Is that how your config is?

    ThorstenWujek
    Monday, October 26, 2009 3:18 PM
  • On the Edge server I have 4 interfaces; above I have not properly given the list of IP addresses. Now I have given them below.

    LAN 1 = 192.168.152.26, no gateway, DNS = 192.168.152.1 (internal DNS server)

    Access Edge = 192.168.155.1, gateway = 192.168.155.6, DNS = 192.168.155.6

    Web Conferencing = 192.168.155.2, no gateway, DNS = 192.168.155.6

    A/V = 192.168.155.3, no gateway, DNS = 192.168.155.6

    But I just want to log on with the outside PC Communicator through the Access Edge server.
    Monday, October 26, 2009 4:05 PM
  • Hi, I found one new error on the Front End server: when I run the validation it shows one error

    Checking federation settings   Federation: Disabled
       Success

    Checking static routes   No WMI Instance Returned By Query : select * from MSFT_SIPRoutingTableData where Backend="(local)\\rtc"
    Static route: None Found
       Success

    Checking all trusted servers       Failure
    [0xC3FC200D] One or more errors were detected

    Local Federation Route edgesrv.ocsr2.kin.com   DNS Resolution succeeded: 192.168.152.26
    TLS connect failed due to incorrect remote subject name: 192.168.152.26:5061 Error Code: 0x80090322 outgoing TLS negotiation failed; HRESULT=-2146893022
       Failure
    [0xC3FC200D] One or more errors were detected

    Internal Server fesrv.OCSR2.kin.com   DNS Resolution succeeded: 192.168.152.23
    TLS connect succeeded: 192.168.152.23:5061
    Routing trust check and MTLS connectivity: Succeeded
       Success

    Is this similar to this error?
    http://social.microsoft.com/Forums/en-US/communicationsserveredgeservers/thread/c3294ccc-fc11-40e3-a9f1-02ee3142f741

    If it is, then I have created a new certificate for the internal interface of the Edge server and the 3 external interfaces of the Edge server from the same CA server.

    Monday, October 26, 2009 4:28 PM
  • Hi

    this is a certificate issue. I am busy today, so I can deal with that tomorrow.

    Bye

    ThorstenWujek
    Monday, October 26, 2009 7:19 PM
  • Hi,

    nice to hear that it is working.
    FYI: It is of no meaning whether the computer is within the domain. All that counts for TLS is the CN and SAN in the certificate.

    Good luck with your A/V problem :-)

    Thorsten
    ThorstenWujek
    Tuesday, October 27, 2009 9:53 AM
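Thorsten's closing point, that the name a peer is configured with must match the CN or SAN in the certificate the other side presents, is exactly what the validation output's "incorrect remote subject name" failure reflects. As an added example (not from the thread or the product), this check compares a configured next-hop name against constructed certificates that mirror the edge's internal certificate (issued for "edgesrv" only) and its three external names; it also handles the single-label wildcard case, which the thread does not cover.

```python
# Added example: does a configured next-hop FQDN match what the peer's certificate asserts?
# Certificates are plain dicts whose values are constructed to mirror the thread.

def _normalize(name):
    """Lower-case and drop a trailing dot so comparisons ignore case and form."""
    return name.rstrip(".").lower()


def name_matches(presented, host):
    """Match one certificate name against a hostname. A leading '*' stands for
    exactly one leftmost label: *.ocsr2.kin.com matches edgesrv.ocsr2.kin.com,
    but neither the bare label edgesrv nor a.b.ocsr2.kin.com."""
    presented, host = _normalize(presented), _normalize(host)
    if not presented.startswith("*."):
        return presented == host
    first, sep, rest = host.partition(".")
    return bool(sep) and first != "" and rest == presented[2:]


def acceptable_names(cert):
    """Names a TLS client will accept: the dNSName SANs when present, else the subject CN."""
    sans = cert.get("san") or []
    return list(sans) if sans else [cert["cn"]]


def check_next_hop(configured_fqdn, cert):
    """Return (ok, reason) for the configured name against the peer's certificate."""
    names = acceptable_names(cert)
    for presented in names:
        if name_matches(presented, configured_fqdn):
            return True, "%s matches certificate name %s" % (configured_fqdn, presented)
    return False, "%s is not among %s: incorrect remote subject name" % (configured_fqdn, names)


# Constructed: the edge's internal certificate issued for the short name only, as in the thread.
EDGE_INTERNAL_CERT = {"cn": "edgesrv", "san": []}
# Constructed: an external certificate carrying the three published names in its SAN.
EDGE_EXTERNAL_CERT = {"cn": "sip.ocsr2.kin.com",
                      "san": ["sip.ocsr2.kin.com", "webconf.ocsr2.kin.com", "av.ocsr2.kin.com"]}

if __name__ == "__main__":
    # The front end's original setting fails the check; the corrected one passes.
    for fqdn in ("edgesrv.ocsr2.kin.com", "edgesrv"):
        print(check_next_hop(fqdn, EDGE_INTERNAL_CERT))
```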