OCS R2 EDGE - no way to get thru validation with .LOCAL and .COM FQDNs

  • Question

  • Hello, my current setup:

    - OCS R2 64-bit, Italian localization, domain member, FQDN ocsr2.domain.locale and an internal CA cert assigned to webconf, A/V edge, client access, etc.

    - OCS R2 64-bit, Italian localization, EDGE, FQDN ocsr2edge.domain.local (not a domain member, notice the missing "e") and internal CA cert for private NIC for ocsr2edge.domain.local, public trusted CA cert for av.domain.com, livemeeting.domain.com, sip.domain.com, each on a separate public DMZ NIC.

    Added to internal DNS av.domain.com resolving to its public IP.

    Both internal FQDNs are added to each trust list, but I still cannot pass A/V edge validation.

    A/V Authentication Edge Server: Impossibile contattare A/V Authentication Edge Server.
    Per risolvere l'errore, verificare quanto segue:
    1. Il proxy in uscita è raggiungibile.
    2. Il proxy in uscita e A/V Authentication Edge Server si trovano nei rispettivi elenchi di server trusted.
    3. I certificati del proxy in uscita e di A/V Authentication Edge Server sono validi.
    4. Il certificato del server per conferenze è valido.
    5. Il parametro Gruu di A/V Authentication Edge Server è corretto.

    The problem I have, apart from validation, is that external users can IM to inside/outside but cannot start voice/video calls.

    Telnet from ocsr2.domain.locale to ocsr2edge.domain.local on port 5062 is OK.

    I find no deployment guide or example that clarifies when FQDN is meant as INTERNAL or EXTERNAL.

    Thank you!
    Friday, March 27, 2009 3:26 PM

All replies

  • What certificate are you using for the A/V Authentication service?
    What name are you using?
    - Belgian Unified Communications Community : http://www.pro-exchange.be -
    Friday, March 27, 2009 7:58 PM
  • Absolutely my bad, I was using the unneeded public certificate for av.domain.com also on the A/V auth service, instead of an internal CA-issued cert matching my private FQDN ocsr2edge.domain.local! Thanks.

    Another one for you, still on the validation error of the edge:

    Nessuna istanza WMI restituita dalla query : select * from MSFT_SIPFederationNetworkProviderTable where Enabled = 'TRUE'
    Nessuna istanza WMI restituita dalla query : select * from MSFT_SIPFederationPartnerTable
    Trovato Perimetro esterno indirizzo di attesa : access_edge_ip:5061:TLS - Abilitato
    Trovato Perimetro esterno indirizzo di attesa : access_edge_ip:5061:TLS - Abilitato
    Trovato Perimetro esterno indirizzo di attesa : av_edge_ip:443:TLS - Abilitato
    Trovato Perimetro esterno indirizzo di attesa : webconf_edge_ip :443:TLS - Abilitato
    Risoluzione della destinazione ambigua in indirizzo IP errato: ocsr2edge.domain.local
    Risoluzione proposta: Se è necessario connettersi al server Access Edge Server corrente, specificare un nome di destinazione che venga risolto in modo non ambiguo in un indirizzo IP esterno del server Access Edge Server corrente.

    Seems like validation doesn't like the internal FQDN; the error is "Resolution of ambiguous destination to IP address error: ocsr2edge.domain.local", and the suggested resolution is: "If you need to connect to the current Access Server Edge, specify a not ambiguous destination name resolvable to an external IP address of current Access Edge Server".

    Saturday, March 28, 2009 8:45 AM
  • Anyone?

    I still can't start A/V or audio-only conferencing from outside; I always get "remote party received no audio", etc.

    Friday, April 10, 2009 7:07 AM
  • The certificate you request from your internal CA for the A/V Authentication Service needs to match the FQDN of your AV Edge Server interface, i.e. av.domain.com.
    Have you got it set up like that?
    Friday, April 24, 2009 11:54 AM
  • Hi,

    Have you already fixed this?
    We noticed this issue, too.

    This is a bug in OCS R2 if you are not using English as the server language.

    Check out this post, I think it will solve your problem.


    Tuesday, May 5, 2009 8:12 AM
  • Even better

    Apply this hotfix


    Wednesday, May 27, 2009 9:58 PM