OCS 2k7 Front End validation fails - Federation

  • Question

    We have the following design:

    1- OCS 2k7 Standard Consolidated server

    1- Consolidated Edge Server- (stand alone, not a member of the domain)

    1- ISA 2006 server- (stand alone, not a member of the domain)

    Internal Communicator messaging works. External OCS users can send messages to internal users, but internal users get a 504 error when sending externally.

    I get the following when running the FE server validation on the OCS server.

    Checking federation settings   Default outgoing route for federation: None available
    Suggested Resolution: Federation is enabled at the forest level. However, no global or default federation servers are available. Ensure that these settings point to a valid server and that the server is running.
      Failure
    [0xC3FC200D] One or more errors were detected

    Checking global federation route   Global Federation Route: RCT2k8EDGE
      Failure
    [0xC3FC200D] One or more errors were detected
    Global Federation Route RCT2k8EDGE   DNS Resolution succeeded: 172.16.24.28 64.207.53.67
    TLS connect succeeded: 172.16.24.28:5061
    Routing trust check and MTLS connectivity: Succeeded
    TLS connect succeeded: 64.207.53.67:5061
    Routing trust check and MTLS connectivity: Timed Out
    Suggested Resolution: Routing trust check and/or MTLS connection establishment failed.
    This is usually caused by the remote server not accepting the certificate presented by the
    current machine. Check the local and remote server certificates for any
    misconfiguration. In addition, check whether the local server is recognized
    as a trusted server by the remote server.

      Failure
    [0xC3FC200D] One or more errors were detected
    Checking local federation route   Local Federation Route: rct2k8edge
      Failure
    [0xC3FC200D] One or more errors were detected
    Local Federation Route rct2k8edge   DNS Resolution succeeded: 172.16.24.28 64.207.53.67
    TLS connect succeeded: 172.16.24.28:5061
    Routing trust check and MTLS connectivity: Succeeded
    TLS connect succeeded: 64.207.53.67:5061
    Routing trust check and MTLS connectivity: Timed Out
    Suggested Resolution: Routing trust check and/or MTLS connection establishment failed.
    This is usually caused by the remote server not accepting the certificate presented by the
    current machine. Check the local and remote server certificates for any
    misconfiguration. In addition, check whether the local server is recognized
    as a trusted server by the remote server.

      Failure
    [0xC3FC200D] One or more errors were detected
    Checking static routes   No WMI Instance Returned By Query : select * from MSFT_SIPRoutingTableData
    Static route: None Found
      Success
    Checking all trusted servers       Failure
    [0xC3FC200D] One or more errors were detected
    Global Federation Route RCT2k8EDGE   DNS Resolution succeeded: 172.16.24.28 64.207.53.67
    TLS connect succeeded: 172.16.24.28:5061
    Routing trust check and MTLS connectivity: Succeeded
    TLS connect succeeded: 64.207.53.67:5061
    Routing trust check and MTLS connectivity: Timed Out
    Suggested Resolution: Routing trust check and/or MTLS connection establishment failed.
    This is usually caused by the remote server not accepting the certificate presented by the
    current machine. Check the local and remote server certificates for any
    misconfiguration. In addition, check whether the local server is recognized
    as a trusted server by the remote server.

      Failure
    [0xC3FC200D] One or more errors were detected
    Local Federation Route rct2k8edge   DNS Resolution succeeded: 172.16.24.28 64.207.53.67
    TLS connect succeeded: 172.16.24.28:5061
    Routing trust check and MTLS connectivity: Succeeded
    TLS connect succeeded: 64.207.53.67:5061
    Routing trust check and MTLS connectivity: Timed Out
    Suggested Resolution: Routing trust check and/or MTLS connection establishment failed.
    This is usually caused by the remote server not accepting the certificate presented by the
    current machine. Check the local and remote server certificates for any
    misconfiguration. In addition, check whether the local server is recognized
    as a trusted server by the remote server.

      Failure
    [0xC3FC200D] One or more errors were detected
    Internal Server rct2k8ocs.rcttech.com   DNS Resolution succeeded: 172.16.24.26
    TLS connect succeeded: 172.16.24.26:5061
    Routing trust check and MTLS connectivity: Succeeded

    I can name resolve the edge server from the OCS server by name.

    Thanks for any assistance.

    Wednesday, November 19, 2008 7:16 PM
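As an added example (my own code, not part of this thread or of OCS), a small Python parser for the validator output format quoted above: it groups each route's per-address TLS and MTLS results under the route name and flags every address where the TLS handshake worked but the "Routing trust check and MTLS connectivity" line did not say Succeeded, tagging whether that address is private or public (the output shows the edge name resolving to both an internal and a public address). The sample input is a constructed, trimmed copy of the output above; the field names and the assumption that the MTLS line always follows the TLS line for the same address are mine.

```python
import ipaddress
import re

# Constructed sample: a trimmed copy of the Front End validator output quoted
# in the question (same line format, two of its route blocks).
SAMPLE = """\
Global Federation Route RCT2k8EDGE   DNS Resolution succeeded: 172.16.24.28 64.207.53.67
TLS connect succeeded: 172.16.24.28:5061
Routing trust check and MTLS connectivity: Succeeded
TLS connect succeeded: 64.207.53.67:5061
Routing trust check and MTLS connectivity: Timed Out
Internal Server rct2k8ocs.rcttech.com   DNS Resolution succeeded: 172.16.24.26
TLS connect succeeded: 172.16.24.26:5061
Routing trust check and MTLS connectivity: Succeeded
"""

ROUTE_RE = re.compile(r"^(?P<route>.+?)\s{2,}DNS Resolution succeeded: (?P<ips>.+)$")
TLS_RE = re.compile(r"^TLS connect (?P<result>\w+): (?P<ip>[\d.]+):(?P<port>\d+)$")
MTLS_RE = re.compile(r"^Routing trust check and MTLS connectivity: (?P<result>.+)$")


def parse_validation(text):
    """Group the validator's per-address TLS and MTLS results under their route name."""
    routes, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := ROUTE_RE.match(line)):
            current = m.group("route").strip()
            routes[current] = {"resolved": m.group("ips").split(), "attempts": []}
        elif (m := TLS_RE.match(line)) and current:
            routes[current]["attempts"].append({"ip": m.group("ip"), "port": int(m.group("port")),
                                                "tls": m.group("result"), "mtls": None})
        elif (m := MTLS_RE.match(line)) and current and routes[current]["attempts"]:
            # Assumption: the MTLS line always follows the TLS line for the same address.
            routes[current]["attempts"][-1]["mtls"] = m.group("result").strip()
    return routes


def flag_issues(routes):
    """Return (route, ip, mtls_result, scope) for addresses where TLS worked but MTLS did not."""
    issues = []
    for route, info in routes.items():
        for a in info["attempts"]:
            if a["tls"] == "succeeded" and a["mtls"] != "Succeeded":
                # Private vs public tells you which edge interface the Front End reached.
                scope = "private" if ipaddress.ip_address(a["ip"]).is_private else "public"
                issues.append((route, a["ip"], a["mtls"], scope))
    return issues
```

Run it against a full copy of the validator output to see, per route, which resolved address the trust check fails on before touching any certificates.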

All replies

  • Checking your name : RCT2k8EDGE

    makes me think that you installed on Windows 2008?

    That is totally not supported with OCS 2007

    Wednesday, November 19, 2008 9:32 PM
  • No, it is on a W2k3 RC SP2 machine, not a Win2k8 server.

    Wednesday, November 19, 2008 9:35 PM
  • I'm sorry, but you might guess that SP2 RC is not supported either.

    But does your EDGE Server trust the OCS Server's cert and vice versa?

    It looks like cert problems.

    Wednesday, November 19, 2008 10:17 PM
  • Sorry, I should have said R2, not RC.

    All the certs are confusing...

    I have an internal CA and a 3rd party external cert.

    Can you be specific on how to check what you are asking me, and where to check it? Which cert should be used, etc.?

    Thanks in advance.

    Wednesday, November 19, 2008 10:23 PM
  • Then you should import your internal Certificate Authority Cert into your EDGE server

    Otherwise your EDGE will not trust your Internal OCS Server

    Actually the internal interface of the EDGE should also be configured with internal cert

    Wednesday, November 19, 2008 10:41 PM
  • Here are the settings as of now:

    Edge Server

    Status

    General Settings

    Default Route:<None>

    Internal Interface Settings

    Next Hop Address: <ocsserver>.<domain>.com

    Next Hop Port:  5061

    TLS Cert info

    CA:  Internal domain naming

    Subject:  <ocsserver>.<domain>.com

    SAN:   sip.<domain>.com  and <ocsserver>.<domain>.com

    User Auth Cert Info

    CA:  3rd party CA

    Subject:  <avconf>.<domain>.com

    SAN:  <avconf>.<domain>.com

    <sip>.<domain>.com

    <edgeservername>

    <externalwebfarmFQDN>

    Authorized Internal Servers:  includes the OCS server name (NetBIOS and FQDN, both resolvable via DNS)

    I have also gone to the Internal CA webpage and installed the Chain from there.

    Same issue..

    Wednesday, November 19, 2008 11:24 PM
  • Your Internal Cert must be the internal FQDN name of your EDGE server

    TLS Cert info

    CA:  Internal domain naming

    Subject:  <ocsserver>.<domain>.com <= internal EDGE Server FQDN

    The User Auth Cert should be an internal one without any SANs

    Friday, November 21, 2008 8:37 PM
  • I got it resolved, thank you!

    It turned out to be a bad 3rd party certificate. Once I reissued it, the system worked again. Thanks.

    Friday, November 21, 2008 8:43 PM