Public IM Connectivity works only one way

  • Question

  • Hello,

    I have set up OCS 2007 R2 for my company.
    For Public IM Connectivity (which we have a license for), I have set up an OCS 2007 Edge Server.

    Edge server validation is OK, and PIC activation was requested two months ago (MVLS support has confirmed that it is indeed activated).

    Currently, I'm performing some public IM tests using a public MSN Messenger account, and I am seeing the following:

    * Presence
    The public account can see the company account's presence fine.
    Company accounts (Communicator 2007 R2) can never see the public account's presence (always "Unknown Presence").

    * Invitation
    Invitations seem to work both ways, except that the invitation message from the public account is always blank.

    * Messages
    The company account can send IMs to the public account fine (except for the first IM, which always fails with the error "no response from the server").
    The public account can never send an IM to the company account (no error on the public account side, but no IM arrives on the company side).

    I have looked at the debug logs on the Edge server, and it looks like OCS is communicating properly with federation.messenger.msn.com. But I guess some messages are missing (inbound presence, inbound messages, etc.).

    What diagnostics can I run? Is it a misconfiguration issue, a certificate issue or an MSN issue?
    Saturday, May 30, 2009 2:11 AM

All replies

  • This could typically be either a firewall issue (traffic in one direction not able to complete the trip) or a certificate issue (incorrect key length). Are you using federation with any other OCS deployments? This can validate the firewall portion of the scenario, as the same IP/port is used for that as for PIC connectivity. If so, then take a hard look at the certificates on the external Edge role(s).
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Saturday, May 30, 2009 1:33 PM
    Moderator
  • Hello Jeff,

    Thanks for your response.

    We have never used federation with any other OCS deployment, as we don't know anyone...
    Is there anyone we could exchange with for test purposes?

    Regarding the certificate issue, are there any requirements regarding key length?
    We are now using a CSC Trusted Secure Certificate Authority (Entrust signed) UC Certificate with a public key that is 1024 bits...
    Wednesday, June 3, 2009 8:17 PM
  • The 1024 key length you have is good.

    Feel free to email me (check my profile) if you want to test OCS federation.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Wednesday, June 3, 2009 8:57 PM
    Moderator
  • I'm having almost the identical problem. Was there a solution to this problem?

    The MVLS site shows our PIC licenses are now active, and I can add contacts from MSN and see presence status.
    I can send messages from OCS to MSN Messenger, but all responses fail. If I initiate the IM from MSN, OCS gets a toast, but it's empty.
    We are also using Entrust UC certificates on our Edge servers, but I don't know if it's 1024 or 2048. How do you tell, and would this cause problems?
    afoint
    Tuesday, September 1, 2009 1:31 PM
  • It sounds like you may have a 2048-bit key length. To verify the setting, go to the Edge Interfaces tab on the Edge server Properties (Administrative Tools, Computer Management, Services and Applications, Office Communications Server). Click on the 'Configure' button for the external role you want to check (Access Edge Server in your case) and then click Select Certificate. Click View Certificate on the currently assigned cert, click the Details tab, and then look for the Public Key field. It will most likely show either RSA 1024 or 2048.

    Also take a look at this blog article for details on the requirements:
    http://blogs.msdn.com/scottos/archive/2009/07/14/federation-and-or-pic-may-fail-against-partners-using-2048-bit-signed-root-cas.aspx
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Tuesday, September 1, 2009 2:21 PM
    Moderator
  • Hello,

    In fact, we had to fix two things:

    - the public certificate CN (Object/Common Name)
    You have to check that the public certificate CN is exactly the hostname you gave to MVLS as SIP gateway for your organization.
    It does not work in any other case, even if your gateway hostname has been recorded as SAN (Alternate Name) in the public certificate.

    - the unsupported use of NLB for OCS front-end pool
    We had set up an OCS pool with two front-end servers and we mapped the OCS pool FQDN to the NLB IP address (we had set up an NLB cluster with the two front-end servers).
    That is not supported at all. You should set up and use only one front-end server.

    Since we fixed these two issues, all is working fine.

    Hope it will help.
    Tuesday, September 1, 2009 6:31 PM
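Both certificate checks raised in this thread (Jeff's key-length check via the Edge server GUI, and the last reply's point that the Subject CN must exactly equal the SIP gateway hostname registered with MVLS, a SAN entry alone not being enough) can be done from a PowerShell prompt on the Edge server. The script below is an added example and is not code from the thread or from Microsoft; it assumes the Access Edge certificate is in the Local Computer personal store, and `sip.contoso.com` is a placeholder for your own MVLS-registered gateway hostname.

```powershell
# Added example (not from the thread). Lists the certificates in the Local Computer
# personal store and, for each one, reports the two properties discussed above:
#   - the RSA public key length in bits (1024 vs 2048)
#   - whether the Subject CN exactly equals the SIP gateway FQDN given to MVLS,
#     and whether that name appears only in the Subject Alternative Name extension
#     (the case the last reply reports as not working for PIC).
# Written against Windows PowerShell 2.0-era cmdlets so it also runs on Windows Server 2008.
function Test-EdgeCertificate {
    param(
        # Placeholder: replace with the SIP gateway hostname you registered with MVLS.
        [string]$SipGatewayFqdn = 'sip.contoso.com'
    )

    # Only certificates with a private key can be assigned to an Edge interface.
    $certs = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey }

    foreach ($cert in $certs) {
        # RSA modulus length in bits. (On PowerShell 7, PublicKey.Key can be null; use
        # [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert).KeySize there.)
        $keyBits = $cert.PublicKey.Key.KeySize

        # Subject CN only: the value the thread says must match the MVLS gateway name exactly.
        $cn = $null
        if ($cert.Subject -match '(?:^|,\s*)CN=([^,]+)') { $cn = $Matches[1].Trim() }

        # DNS names from the Subject Alternative Name extension (OID 2.5.29.17), if present.
        $sanNames = @()
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($sanExt) {
            # Format($true) renders one "DNS Name=host" entry per line.
            $sanNames = ($sanExt.Format($true) -split "`r?`n") |
                ForEach-Object { ($_ -split '=', 2)[-1].Trim() } |
                Where-Object { $_ }
        }

        $cnMatches  = ($cn -eq $SipGatewayFqdn)
        $sanMatches = ($sanNames -contains $SipGatewayFqdn)

        New-Object PSObject -Property @{
            Thumbprint       = $cert.Thumbprint
            SubjectCN        = $cn
            KeyBits          = $keyBits
            NotAfter         = $cert.NotAfter
            CnMatchesGateway = $cnMatches
            # True means the gateway name is present only as a SAN: the configuration
            # the last reply says does not work for PIC.
            SanOnlyMatch     = (-not $cnMatches -and $sanMatches)
        }
    }
}

# Usage: run on the Edge server from an elevated prompt.
Test-EdgeCertificate -SipGatewayFqdn 'sip.contoso.com' |
    Format-Table Thumbprint, SubjectCN, KeyBits, CnMatchesGateway, SanOnlyMatch, NotAfter -AutoSize
```

A row with `CnMatchesGateway` = False and `SanOnlyMatch` = True is the situation described in the last reply; `KeyBits` is the same value Jeff's GUI procedure shows in the Public Key field of the certificate's Details tab.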