Initial OCS install issues remote connectivity

  • Question

  • The following is a narrative... lol

    I won't assault you all with a wall of text. We have OCS 2007 R2 EE installed into our new forest. Very small environment, less than a dozen servers. Internal IM is working swimmingly. I can also connect using Communicator when VPN'ed into the environment. I am in no way an OCS guru, so try to be as descriptive as possible when replying with suggestions.

    I am looking to enable external SIP over TCP connectivity (non-TLS) so a few of us who want IM connectivity won't be required to VPN in. We already have Exchange OA set up, so why VPN in for one simple thing if we want to use the full Communicator client? I would prefer to use that over OCS Web Access. We created a public SRV record for _sip.domainname.com for TCP on port 5061. Then we created an ISA rule to allow that port into our OCS machine behind it.

    I was a little unlucky in finding any real steps documented anywhere on how to get this to work. Did I miss something or not configure something correctly?

    Background:

    Single OCS box (I know, not supported) behind an ISA 2006 firewall
    Chad Solarz Sr. Tech Instructor Directions Training MCSA / MCSE / MCDST / MCT MCTS: Vista / exch 2k7 / server 2k8 / forefront MCITP: Vista / server 2k8
    Thursday, July 30, 2009 4:08 PM

All replies

  • If you are using an Edge server for external access you cannot use TCP 5060; only TLS 5061 (via 443 on the external listener) is supported. If you are attempting to publish the internal OCS Front-End server directly to the Internet via a firewall (unsupported and not best practice) you'd have to first enable TCP 5060 in the FE server's properties in OCS, then set up port-forwarding. Communications over 5061 are TLS only and require certificates to work.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Thursday, July 30, 2009 5:09 PM
    Moderator
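    As an added example (not code from this thread or from Microsoft), a small Python check that a published SIP listener actually answers TLS on 5061 and that the certificate it presents covers the names the SRV record and clients will use. The hostnames in the sample data are constructed placeholders; the network probe uses the system trust store.

    ```python
    """Check a published SIP/TLS listener: does it speak TLS, and does its cert cover the expected names?"""
    import socket
    import ssl
    from typing import Iterable, Optional


    def names_from_cert(cert: dict) -> set:
        """Collect the CN and every DNS SAN from a dict shaped like ssl.SSLSocket.getpeercert()."""
        names = set()
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.add(value.lower())
        for kind, value in cert.get("subjectAltName", ()):
            if kind == "DNS":
                names.add(value.lower())
        return names


    def covers(cert_names: set, host: str, allow_wildcard: bool = False) -> bool:
        """True if host is listed exactly; a wildcard entry only counts when explicitly allowed."""
        host = host.lower()
        if host in cert_names:
            return True
        if not allow_wildcard:
            return False
        labels = host.split(".")
        return len(labels) > 2 and "*." + ".".join(labels[1:]) in cert_names


    def missing_names(cert: dict, required: Iterable[str]) -> list:
        """Names that the certificate does not cover (wildcards are not accepted here)."""
        present = names_from_cert(cert)
        return [name for name in required if not covers(present, name)]


    def probe(host: str, port: int = 5061, server_name: Optional[str] = None, timeout: float = 5.0) -> dict:
        """Attempt a TLS handshake; report whether the listener is TLS, trusted, and which names it presents."""
        ctx = ssl.create_default_context()  # verifies the chain against the system trust store
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=server_name or host) as tls:
                    return {"tls": True, "trusted": True, "names": sorted(names_from_cert(tls.getpeercert()))}
        except ssl.SSLCertVerificationError as exc:  # TLS answered, but the chain/name did not verify
            return {"tls": True, "trusted": False, "error": str(exc)}
        except (ssl.SSLError, OSError) as exc:  # plain TCP (e.g. 5060-style listener), closed port, or timeout
            return {"tls": False, "trusted": False, "error": str(exc)}
    ```

    Run `probe("sip.example.com")` against the external listener, then `missing_names(cert, [...])` with the pool and Edge external names you expect clients to validate.
    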
  • Jeff,

    Looks like I'll drop down an Edge box and do this the right way. While I'm at it I'll get an additional cert for the OCS environment, since I only have a wildcard cert now. I know they don't play nicely with wildcard certs.

    On the topic of certs: I'll get a UCC cert and, if I recall correctly, you should use the POOL name as the main name then add the host name(s) as the SAN, correct? Now as the SANs go, do I add the Edge server name? The FE server name? Both? I wasn't very sure on that part.

    Per the public SRV entries, if I do the Edge box and certificate, then allow access via ISA, is port 5061 still correct, or do I need that changed? I am looking at getting MOC connectivity working remotely without using a VPN, as well as allowing anonymous users to Live Meeting once I get the IM up and running. At least that is the end goal. We're not looking at any Enterprise Voice here at all. Just IM & Live Meeting hosting.

    The worst part of my environment in regards to OCS is I didn't do the initial installation, so I am unsure how well or correct it is. Jeff, I did get around the FE service startup issue I had mailed you about before - thanks for your assistance on that :) It ended up being a name that was incorrectly set in the config.

    Thanks in advance,
    Chad Solarz Sr. Tech Instructor Directions Training MCSA / MCSE / MCDST / MCT MCTS: Vista / exch 2k7 / server 2k8 / forefront / MDOP / Win 7 MCITP: Vista / server 2k8
    Thursday, July 30, 2009 5:44 PM
  • Chad,

    For certificates on the external Edge roles you shouldn't add the server's FQDN (technically the Edge Internal FQDN) to any of the fields. Check the "certificates" section about 3/4 of the way down this article for details on what should be included in the SN/SAN fields for Edge: http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=19

    Also, take a look at this article for details on setting up Live Meeting for external access; there are a few gotchas that can be a pain to uncover sometimes:
    http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=67

    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Thursday, July 30, 2009 6:19 PM
    Moderator