OCS 2007 Access Edge Server - failing external Validation test

  • Question

  • Hi there

    I've built an OCS Access Edge server with the aim of federating with a vendor we have a close relationship with.

    The Access Edge server is in a perimeter network configured on an ISA 2006 server (standard 3-leg config: internal, DMZ and internet).

    The Front End server is in the internal lan.

    I followed the instructions in this document as closely as I could:

    http://www.isaserver.org/tutorials/OCS-2007-ISA-2006-Firewall-Design-Architecture.html

    However, when our partner vendor runs the Federation validation test, it fails with the following error:

    ---------------------------------------------------------------------------------------------------------------------

    Federation Validation Test For domain.com


    SIP Domain: domain.com

    SIP Access Edge: sipfed.domain.com

    Validation Test Result: Failure

    Validation Test Details: Testing connectivity for console input server Check machine sipfed.domain.com on ##.###.###.#:5061 : tls : FAIL No connection could be made because the target machine actively refused it ##.###.###.#:5061

    ----------------------------------------------------------------------------------------


    Now, not being an ISA 2006 expert (or indeed an OCS 2007 expert...), I'm trying to establish the basic cause of the above error, i.e. is it the ISA server that is blocking a protocol or a port, is it an issue with the Access Edge server itself, or is it even an issue between the OCS Access Edge server and the OCS Front End server in the internal LAN?

    I'm leaning towards the issue being with the ISA server, but having closely followed the above document, I am not sure what I can do now to test.

    Within the error message above it says 'No connection could be made because the target machine actively refused it ##.###.###.##:5061'

    I'm assuming by 'target machine' it means the external ip of the nic on the ISA server which is configured as the external address of the Access Edge server (via NAT, the internal address of the Access Edge server in the perimeter network is a 192.168.#.# address).

    Can anyone advise on what this error is being caused by, or even how to work out what the error is caused by?

    Would be delighted to hear from someone who has also tried to deploy an OCS Access Edge server via ISA 2006 and who encountered the same issue (though managed to resolve it!).

    Best regards

    JHH


    Monday, October 12, 2009 9:57 AM

All replies

  • Hi

    I read in another post that I should be able to telnet to the vendor's Access Edge via port 5061.

    I tried this from our access edge:

    -------------------------------------------------------------------------------------------

    Microsoft Windows [Version 5.2.3790]
    (C) Copyright 1985-2003 Microsoft Corp.

    C:\Documents and Settings\Administrator>telnet sipfed.domain.com 5061
    Connecting To sipfed.domain.com...Could not open connection to the host, on port 5061: Connect failed

    ------------------------------------------------------------------------------------------

    I'm not certain whether I should be able to telnet to the vendor's Access Edge on 5061 before the validation test is successful or not.

    Any advice?

    Tuesday, October 13, 2009 7:59 AM
  • Yes you should be able to telnet to the access edge port 5061.  Without 5061 open to their AE you will be unable to federate.  Have you verified with them this port is open and accessible?  You should have them try:  https://www.testocsconnectivity.com/


    Mark King | C/D/H | MCTS:OCS | MCSE: Messaging | MCITP:Enterprise Administrator | CCNA
    Tuesday, October 13, 2009 1:06 PM
  • JHH,

    Actually the ISA will not work for NAT. Here's the quote from Technet:

    Note:
    In addition to being supported as a reverse proxy, Microsoft Internet Security and Acceleration (ISA) Server is supported as a firewall for Office Communications Server 2007 R2. The following versions of ISA are supported as a firewall:
    • ISA Server 2006
    • ISA Server 2004
    If you use ISA Server as your firewall, configuring it as a NAT is not supported because ISA Server 2006 does not support static NAT.


    Jim Raymond - DynTek
    Tuesday, October 13, 2009 6:26 PM
  • ISA Server 2006 SP1 has some additional capabilities, can you please try the same.

    Additionally, the firewall rule on the ISA must be created correctly. The source port for the federation partner is *any*, and the destination port is 5061:

    External

    Local Port: 5061 TCP (SIP/MTLS).

    Direction: Inbound/Outbound (federation).

    Remote Port: Any.

    Local IP: The external IP address of the Access Edge service.

    Remote IP: Any IP address.

    Wednesday, October 14, 2009 1:36 AM
  • Thanks guys for responding, I appreciate it.

    Sri Todi, I will check the rules again to ensure they comply with your advice.

    Mark King posted a link to a tool which tests remote connectivity to edge servers https://www.testocsconnectivity.com/

    I ran the test externally and this was the result:

    -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    Connectivity Test Failed

    Test Details

    Testing the Remote Connectivity of user EMAIL GONE.
      
    The specified user failed to register successfully with the OCS Server.
      
    Test Steps

      Attempting to Resolve the host name sipfed.domain.co.uk in DNS.
      
      Host successfully Resolved
      

      Testing TCP Port 443 on host sipfed.domain.co.uk to ensure it is listening/open.
      
      The port was opened successfully.


      Testing SSLCertificate for validity.
      
      The certificate passed all validation checks.

      
      Testing OCS remote sign in through Access Edge Server: Port Number (sipfed.domain.co.uk:443), for SignInAddress (EMAIL GONE).
      
      The specified user failed to register successfully with the OCS Server.
        
    -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    Given that the test confirms that the OCS server/port is listening/open, I'm unsure why I still failed to log on remotely. Is this an obvious issue?

    I'll try the advice of Sri Todi and see how I get on.

    Again, thanks to all who responded.

    JHH

    Wednesday, October 14, 2009 6:25 AM
  • Hi

    I tried to telnet FROM my Front End server TO my Access Edge server on port 5061 and it worked OK.

    I tried to telnet FROM my Access Edge server TO the Front End server on port 5061 and it again worked OK.

    That behaviour I imagine is expected.

    I can also telnet from my AE server to my FE server on port 443.

    But I cannot telnet FROM my FE server TO my AE server on port 443.

    Is this a problem?

    Or is this expected behaviour?

    And I still cannot telnet from the internet to my AE server on port 5061.

    Thanks

    JHH
    Wednesday, October 14, 2009 7:28 AM
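    The telnet checks in Mark King's reply and in the post above only say "connected" or "connect failed". The distinction that matters for diagnosing the original "actively refused" error is whether the far end sent a TCP reset (something answered on that IP, but nothing is listening or published on 5061, which points at the NAT/publishing rule or the Edge service itself) or whether the SYN simply timed out (a filtering firewall dropped it). The script below is an added example written for this thread, not code from the original posts or from Microsoft; the hostnames in SAMPLE_TARGETS are constructed placeholders. It classifies each host:port pair the same way a telnet test would but with the reason, and the optional tls_probe function goes one step further and attempts the TLS handshake on 5061, which is what the partner's validation test actually exercises.

```python
import socket
import ssl

# Constructed sample matrix of the host:port pairs this thread tests by hand.
# These hostnames are placeholders, not real addresses.
SAMPLE_TARGETS = [
    ("internet -> AE federation port", "sipfed.domain.com", 5061),
    ("FE -> AE internal interface",   "ae-internal.domain.local", 5061),
    ("AE -> FE internal pool",        "fe.domain.local", 5061),
]


def tcp_probe(host, port, timeout=5.0):
    """Classify a TCP connect attempt.

    'open'        -> three-way handshake completed, something is listening
    'refused'     -> RST came back: the IP answers but nothing listens on
                     that port (typical of a missing NAT/publishing rule or
                     a stopped Access Edge service)
    'timeout'     -> SYN dropped silently, typical of a filtering firewall
    'dns-failure' -> the name did not resolve at all
    'unreachable' -> any other socket error (no route, network down, ...)
    """
    try:
        infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-failure"
    family, socktype, proto, _, addr = infos[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"
    finally:
        sock.close()


def tls_probe(host, port, timeout=5.0):
    """After a TCP 'open', check whether a TLS handshake completes on the port.

    Certificate verification is deliberately disabled here because the point
    is only to see whether the listener speaks TLS at all; the validation
    tool checks the certificate chain separately.
    Returns ('tls-ok', protocol version), ('tls-fail', reason) or
    ('tcp-fail', error text).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("tls-ok", tls.version())
    except ssl.SSLError as exc:
        return ("tls-fail", exc.reason or str(exc))
    except OSError as exc:
        return ("tcp-fail", str(exc))


def probe_matrix(targets, timeout=5.0):
    """Run tcp_probe over a list of (label, host, port) and return label -> result."""
    return {label: tcp_probe(host, port, timeout) for label, host, port in targets}


def self_check():
    """Offline demonstration: a loopback listener gives 'open', and the same
    port gives 'refused' once the listener is closed (an RST, exactly the
    'target machine actively refused it' case from the validation test)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = tcp_probe("127.0.0.1", port, timeout=2.0)
    listener.close()
    after_close = tcp_probe("127.0.0.1", port, timeout=2.0)
    return (while_open, after_close)


if __name__ == "__main__":
    print("loopback self-check:", self_check())
    for label, result in probe_matrix(SAMPLE_TARGETS).items():
        print(f"{label}: {result}")
```

    Run it from the machine whose path you want to test (from outside the ISA for the federation port, from the Front End for the internal interface). A "refused" result on the external address means the packet reached an IP that answered, so the ISA publishing/NAT rule or the Edge listener is the place to look; a "timeout" means the firewall in the path is dropping the SYN.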
  • But I cannot telnet FROM my FE server TO my AE server on port 443.
    Your Access Edge has multiple IP addresses, and you should be able to telnet on port 443 to the remote access external IP address. By default, telnet will pick up the internal IP address.

    You should be able to telnet your Access Edge (if it is your federation AE Server).
    Wednesday, October 14, 2009 7:43 PM
    I've just come across something in my OCS Front-End server which I'm not happy about.

    I was going to double-check the steps I took (from the Syngress book 'How to Cheat at Administering OCS 2007') when I noticed I had missed a step out.

    The fella who wrote the Edge server chapter states at a certain point that you must go back to the Front-End server and configure it for correct communication with the Edge server.

    He says re-run the OCS setup.exe file and go into Deploy Standard Edition server again, and select 'Configure Server'.

    However, when I go into this, the 'Deploy Server' and everything below it is grayed out, and the 'Prepare Active Directory' button is set to 'partial'.

    I then checked the FE server, and under Forest>General Settings and under Forest, Schema Version and Prep State it now says 'Information not available in this view'.

    This is news to me, we've had our OCS server running perfectly internally for a year and a half now.

    When I click on the 'Prepare Active Directory' button, 'Prep Schema' and 'Prep Forest' are ticked OK, but 'Prep Current Domain' for some reason is set as 'Run', as if it's never been done before.

    When I run through the 'Prep Current Domain' wizard, it completes with the following failure:

    Create Permission Settings of UsersContainer       Failure
    [0x8007200A] The specified directory service attribute or value does not exist.

    I have no idea what this means; the only thing I can think of is that some other admin has been playing about with AD.

    Could this be the reason I am unable to access OCS from a remote location?

    The guy from the book says I should be going into 'Configure Server' and configuring for 'external user access' and 'routing directly to and from internal pools and servers'.

    I can't deny, deploying an OCS access edge server is not as much fun as I'd hoped.

    Thanks

    JHH


    Thursday, October 15, 2009 9:24 AM
    Please follow the physical setup first, like the one mentioned in this URL.

    Dear all, please have a look at this URL for the physical Edge Server setup.

    http://www.appliednet.gr/Blog/CategoryView,category,VoIP.aspx

    Other PowerPoint slides create a big problem in understanding this, but this URL clearly explains what the physical setup will be.
    Wednesday, October 21, 2009 3:05 PM
  • Hi
    Any update on your issue?

    Regards!
    Friday, October 23, 2009 8:59 AM
    Moderator