Edge Certificate problem

  • Question

    I'm trying to set up OCS for my company, and apparently my "exotic" setup doesn't quite fit what Microsoft imagines I should have.  I have a server (a VM, really) in our DMZ.  This is one interface (10.2.2/24) off of our Cisco ASA firewall.  The internal network (10.1/16) lives on another of the ASA's interfaces.  The edge server has two NICs, both in the 10.2.2 network.  One of them is configured as the internal NIC, and the other as the external.  The external NIC has been NATed to the external address I want users to connect to, and that address resolves from the outside (ocs.mycompany.com).  This is not the server's NetBIOS/internal name.  I got a certificate from Entrust that has the subject name ocs.mycompany.com.  However, this doesn't seem to be working for me.  I get "Cannot sign in because the server is temporarily unavailable".  If I try to connect to the server with the IP (or a different name that resolves to the address), I get "a problem verifying the certificate".  I'm sure I am missing something with the name resolution here, but I have tried everything I can think of.  Anybody know what I need to fix?
    Wednesday, November 28, 2007 10:56 PM

All replies

  • Are we talking about the edge server? First thing that comes to mind is the edge cannot be NATed.

    Blackduke

    Friday, December 14, 2007 2:32 AM
  • It sounds like you are having a problem resolving ocs.mycompany.com to the external Edge interface.  You can use NAT on the external interface for the Access Edge Server, so at least external IM connectivity should work.

    Do you have external SRV records set up, or at minimum an A record of sip.mycompany.com or sipexternal.mycompany.com?  Or are you using manual client configuration?

    Friday, December 14, 2007 3:20 AM
    Moderator
  • Blackduke wrote:

        Are we talking about the edge server? First thing that comes to mind is the edge cannot be NATed.

        Blackduke

    NATed works for Access Edge for IM but not for AV. It sounded to me as if you were taking the consolidated approach; I stand corrected.

    Friday, December 14, 2007 3:45 AM
  • Larry,

    You might want to take a look at my blog entry covering DNS lookups with Automatic Configuration.  A simple test to verify you at least have the networking components working is to telnet to port 443 on the external IP address; you should be able to establish a connection.  Then try using the external FQDN to validate name resolution.

    Friday, December 14, 2007 2:12 PM
    Moderator
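The moderator's two-step test (TCP to 443 by IP, then by the external FQDN) can be scripted, and extended with the check that explains the poster's "problem verifying the certificate" when connecting by IP: the name the client typed has to be covered by the certificate's DNS names. This is an added example, not code from the thread or from Microsoft; the hostname `ocs.mycompany.com` comes from the question, while the IP `10.2.2.10`, the NetBIOS name `ocsedge01` and `SAMPLE_CERT` are constructed.

```python
import socket
import ssl


def cert_names(cert: dict) -> list:
    """DNS names a client may connect with, taken from a getpeercert() dict:
    every DNS subjectAltName, then the subject commonName (de-duplicated, lowercased)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names.extend(value for key, value in rdn if key == "commonName")
    return list(dict.fromkeys(n.lower().rstrip(".") for n in names))


def name_matches(host: str, names) -> bool:
    """True if the name the client typed is covered by the certificate: an exact
    match, or a single-label wildcard such as *.mycompany.com. An IP address or a
    bare NetBIOS name never matches a certificate issued for ocs.mycompany.com."""
    host = host.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def check_edge(connect_to: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Resolve connect_to, open TCP/443, complete a TLS handshake and compare the
    presented certificate against the name we connected with. Needs network access;
    the chain must validate (public CA such as Entrust) or wrap_socket raises."""
    result = {"connect_to": connect_to, "resolved": None, "tcp_ok": False,
              "cert_names": [], "name_ok": False}
    result["resolved"] = socket.gethostbyname(connect_to)   # DNS: FQDN -> external IP
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                              # we do the name check ourselves
    with socket.create_connection((result["resolved"], port), timeout=timeout) as tcp:
        result["tcp_ok"] = True                             # the telnet-to-443 step passed
        with ctx.wrap_socket(tcp, server_hostname=connect_to) as tls:
            result["cert_names"] = cert_names(tls.getpeercert())
    result["name_ok"] = name_matches(connect_to, result["cert_names"])
    return result


# Constructed sample in the shape getpeercert() returns, mirroring the poster's Entrust cert.
SAMPLE_CERT = {
    "subject": ((("commonName", "ocs.mycompany.com"),),),
    "subjectAltName": (("DNS", "ocs.mycompany.com"),),
}

if __name__ == "__main__":
    names = cert_names(SAMPLE_CERT)
    for typed in ("ocs.mycompany.com", "10.2.2.10", "ocsedge01"):   # FQDN, IP, NetBIOS name
        print(typed, "->", "ok" if name_matches(typed, names) else "certificate name mismatch")
```

Run `check_edge("ocs.mycompany.com")` and `check_edge("<external IP>")` from outside the firewall: a `tcp_ok` of False points at the NAT or ASA rule, while `tcp_ok` True with `name_ok` False is the certificate-name mismatch the poster sees when signing in by IP.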
  • If you are using manual client configuration, make sure you specify the port number at the end of the host name for the external server name: ocs.mycompany.com:443

    Simon
    Tuesday, December 18, 2007 12:23 AM