External users without the edge server, possible?

  • Question

  • We have been using OCS internally for a number of weeks now and, thanks to people here, have always managed to find a solution to my problems.

    Now I have a new problem.

    We have decided to include external user support so our internal users can connect to the OCS externally when they need to.

    We have installed another front end server in our DMZ network and added it to the pool (in the internal network).

    This is what the MOCS console looks like:

     

    Enterprise Pools
      Lcs2007
        Users
        Front Ends
          Ldocs1.company.com
            Application
          Lddmzocs.dmz.company.com
            Applications
        Etc….
        Etc….

     

    So far everything worked fine. Users outside now can connect to the lddmzocs.company.com.

    Problem is, when internal users message external users (or vice versa), they get the following error:

    The following message was not delivered to testuser1. More details (ID:504)

    And I get this when I click on More details…

     

    Details
    Product: Office Communicator 2007
    Version: 2.0
    Source: Office Communications Server
    ID: 504
    Message: Server Time-out

    Explanation
    The server did not receive a timely response from an external server it accessed in attempting to process the request.

    Cause
    You attempted to transfer a call to a user that Communicator could not locate. Possible causes include:
      The user is not part of your company's Office Communications Server and cannot be located.
      The user is not signed in to Communicator.

    Resolution
    Try to contact the user later. Ensure that the user that you are attempting to transfer a call to is part of your company's Office Communications Server or a federated contact.

     

    If an external user were to message another external user, or internal to internal, this works fine!

    To me it seems like I am missing something, like both front ends aren’t communicating with each other.

    We would like to avoid using edge servers if we can, as we don’t have any proxy servers in the DMZ.

    Is this possible? Any help would be appreciated. Thanks.

    Friday, January 25, 2008 5:50 PM

All replies

  • This really isn't the route you want to go to support external user access. Even without a proxy server, you're still much better off using an Edge server to support external access. The proxy is only used for the web component services (Live Meeting content, address book) and is strongly suggested to be a reverse-proxy, but it's not required for the functionality. All you'd need to do is open port 443 on your firewall and direct it to the internal OCS server (omitting the reverse-proxy server hop).

    And as to why your current configuration doesn't work - to have both servers in the pool you need a hardware load balancer. Simply standing up 2 FE servers in the same pool doesn't create any communication between the two.
    Friday, January 25, 2008 10:24 PM
  • Well, the front-end wasn't meant to be in the DMZ. Front-ends like to talk to AD to pull down address books for the clients to use and you don't want this on your DMZ.

    The Edge server is the way to go. Here are the specifics that answer your questions...

    There are three roles to the Edge server: Access, Web Conferencing, and A/V.

    For IM you just need Access. If you want to escalate to a voice Communicator call, you will need the A/V. Now here is where the trick is for A/V...

    You need an IP address that does not get NATed for the A/V IP address.

    Now you can install all three roles (or just Access and A/V) on the same Edge server. However, unless you want to use all IPs that are NOT NATed, you will need to have 2 NICs and specify gateways for both NICs. Yes, you wouldn't normally do that, but there is a workaround for having all roles on the same Edge server. You need to disable Dead Gateway Detection:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
        Value Name: EnableDeadGWDetect
        Value Type: REG_DWORD
        Value Range: 0 or 1 (False, True)

    The proxy you mention, assuming a reverse proxy, serves three purposes: Address Book download externally, Group Distribution List Expansion externally, and Live Meeting content download/upload. So, if you don't mind not having these three functions, you don't need to install a reverse proxy.

    This should get you going with IM and voice between Communicator clients. Let me know if you have any questions.

    Friday, January 25, 2008 10:31 PM
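As an added example, not from this thread or from Microsoft, a PowerShell check for the two-NIC workaround described in the reply above: it counts adapters that carry a default gateway, reads EnableDeadGWDetect under the Tcpip\Parameters key, reports whether the Edge host matches that configuration, and can write the value when asked. The function name and the -Fix switch are my own assumptions; run it elevated on the Edge server.

```powershell
# Added example: audit (and optionally apply) the Dead Gateway Detection
# workaround for an Edge server with gateways on two NICs. Names are assumed.
function Test-EdgeDeadGatewayConfig {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Fix)   # -Fix writes EnableDeadGWDetect = 0 when needed

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $name = 'EnableDeadGWDetect'

    # Adapters that are IP-enabled and have at least one default gateway.
    # WMI is used so this also works on the 2003-era hosts OCS 2007 ran on.
    $gwAdapters = @(Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled -and $_.DefaultIPGateway })

    foreach ($a in $gwAdapters) {
        Write-Verbose ("{0}: {1} -> gateway {2}" -f $a.Description,
            ($a.IPAddress -join ','), ($a.DefaultIPGateway -join ','))
    }

    # A missing value means the OS default, which is detection enabled (1).
    $current = (Get-ItemProperty -Path $key -Name $name `
        -ErrorAction SilentlyContinue).$name
    if ($null -eq $current) { $current = 1 }

    # Only the two-gateway layout from the reply needs detection disabled.
    $multiGateway = $gwAdapters.Count -gt 1
    $needsChange  = $multiGateway -and ($current -ne 0)

    if ($needsChange -and $Fix -and
        $PSCmdlet.ShouldProcess("$key\$name", 'Set to 0 (disable)')) {
        Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
        $current     = 0
        $needsChange = $false   # takes effect after the TCP/IP stack restarts
    }

    [pscustomobject]@{
        GatewayAdapters    = $gwAdapters.Count
        EnableDeadGWDetect = $current
        Compliant          = -not $needsChange
    }
}

# Report only; add -Fix (or -Fix -WhatIf to preview) to change the value.
Test-EdgeDeadGatewayConfig -Verbose
```

Compliant is also true on a single-gateway host, since the registry change is only relevant when both NICs carry a gateway.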