Certificate problem when connecting to my Edge Server RRS feed

  • Question

  • Hello all, I hope you can help me:

    I installed an Edge Server to allow external connections. This Edge Server has two network adapters, one internal and one external. When I try to connect from outside with Communicator, I get the error "Communicator could not connect securely to server server997.unifr.ch because the certificate presented by the server did not match the expected hostname (server997.unifr.ch)". But the subject of the certificate matches the server name exactly. I spent the whole day trying to find a hint, but nothing helped. The only thing I did not find is how to display this presented certificate on the client. BTW, the client is running Vista Business, but I don't believe this has anything to do with the certificate problem.


    Pierrot

    Tuesday, November 27, 2007 3:16 PM


All replies

  • Do you have the same certificate assigned to the Internal Interface and Edge Access Server?  Typically your internal interface's certificate will match the server's FQDN and the Edge Access certificate would have a subject name of sip.domain.com or whatever FQDN you are using to connect on the client (if using manual configuration).
    Wednesday, November 28, 2007 3:42 AM
    Moderator
  • I have different certificates. For both, DNS Name = Subject. I'm using manual configuration. It's confirmed in the OCS management console: for the external interface, IP address is OK, DNS name is OK, ports are 5061 (federation) and 443 (remote), certificate subject = DNS name. For the internal interface, IP address is OK, DNS name is OK, next hop port is 5061, next hop address is the pool name, and certificate subject is the DNS name.

    Wednesday, November 28, 2007 6:12 AM
  • So, just to clarify, you are using "server997.unifr.ch:433" as your external server in manual configuration, and the Subject Name of the certificate assigned to the Access Edge Interface is also server997.unifr.ch?  Is the SIP domain also included in the SAN?
    Wednesday, November 28, 2007 6:22 AM
    Moderator
  • To 1: yes, I'm using server997.unifr.ch:443

    To 2: yes, subject name is server997.unifr.ch

    To 3: no, nothing included in the SAN.


    So I included the SIP domain in the SAN, and I can go a bit further (thank you for the hint).

    Now Communicator asks me for a user name and password, although I configured the edge server to accept external user access (remote, anonymous and federated). The Communicator log shows "sip/2.0 401 unauthorized".

    Wednesday, November 28, 2007 10:17 AM
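The certificate exchange above comes down to which names a client will accept: once a subjectAltName extension is present, the Subject CN is ignored and only the SAN entries count. The following added example (not from the thread or from Microsoft) reproduces that comparison on two constructed certificates in `ssl.getpeercert()` layout and also fetches the certificate a server actually presents, which is what the original poster was unable to display; the SAN value `sip.unifr.ch` is an assumed SIP-domain entry, not one quoted in the thread.

```python
import socket
import ssl


def san_dns_names(cert):
    """DNS entries of the subjectAltName extension of an ssl.getpeercert() dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_name(cert):
    """Subject commonName, or None when the subject has none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def name_matches(pattern, hostname):
    """Case-insensitive comparison; a single leftmost '*' label matches exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        labels = hostname.split(".", 1)
        return len(labels) == 2 and labels[1] == pattern[2:]
    return pattern == hostname


def hostname_ok(cert, expected):
    """Client rule: SAN DNS names win; the CN is consulted only if no SAN is present."""
    names = san_dns_names(cert)
    if not names:
        cn = common_name(cert)
        names = [cn] if cn else []
    return any(name_matches(name, expected) for name in names)


def fetch_peer_cert(host, port=443):
    """Return the certificate the server presents; chain is validated, hostname is checked by us."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # hostname_ok() does the comparison instead
    # ctx.load_verify_locations("edge-ca.pem")  # add this if the Edge cert comes from an internal CA
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (not captured from the poster's server).
CERT_NO_SAN = {"subject": ((("commonName", "server997.unifr.ch"),),)}
CERT_WITH_SAN = {"subject": ((("commonName", "server997.unifr.ch"),),),
                 "subjectAltName": (("DNS", "server997.unifr.ch"), ("DNS", "sip.unifr.ch"))}

if __name__ == "__main__":
    for name in ("server997.unifr.ch", "sip.unifr.ch"):
        print(name, "no-SAN cert:", hostname_ok(CERT_NO_SAN, name), "SAN cert:", hostname_ok(CERT_WITH_SAN, name))
```

Run `fetch_peer_cert("server997.unifr.ch")` from the outside and feed the result to `hostname_ok()` to see exactly which names the Edge certificate offers and whether the one the client expects is among them.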
  • You still need to enter the credentials of the AD account that you are attempting to log on as.

    Enabling access for Anonymous Users as you described only applies to joining web conferences previously created by authenticated users.  You can't sign in to the Communicator client anonymously; an OCS-activated AD user account needs to be used.

    Wednesday, November 28, 2007 12:15 PM
    Moderator
  • Ah ok. So I configured the users to "Enable public IM connectivity" and "Enable remote user access", and now I can log in from outside with a user ID/password that exists in the AD. I'll go on with Web Conferencing. Thanks a lot for your help.

    Wednesday, November 28, 2007 12:21 PM
  • No problem.  Don't forget to mark this thread as answered.

    One additional note: only the "Enable remote user access" setting is needed for what you have tested above.  You won't see any functionality from enabling Public IM until you license and activate communications with Microsoft for MSN/Yahoo/AOL federation.


    Wednesday, November 28, 2007 12:40 PM
    Moderator