Do I need to add the edge server to the director's host authorization tab?

  • Question

  • Here is my layout

    Edge -> Director pool vip -> ocspool vip.

    I have been having a ____ of a time trying to get external communication working in our environment. I have all our DNS records set up according to the documentation and the edge planning tool. I have verified from an outside connection using nslookup that everything seems correct. The edge server is consolidated with four NICs, one internal, three external. The problem seems to be on the internal NIC trying to communicate with the director pool VIP.

    When I run snooper and try logging in from an external client, I can see the client connecting to the edge server, but when the edge server tries to communicate with the director VIP I get the following error:

    TL_INFO(TF_PROTOCOL) [0]229C.2744::10/15/2009-22:44:26.292.00051edb (SIPStack,SIPAdminLog::TraceProtocolRecord:SIPAdminLog.cpp(122))$$begin_record
    Instance-Id: 00000C26
    Direction: incoming;source="internal edge";destination="external edge"
    Peer: director.internaldomain.ne:5061
    Message-Type: response
    Start-Line: SIP/2.0 401 Unauthorized
    From: <sip:EMAIL REMOVED>;tag=7ff3c7577b;epid=42e7f06267
    To: <sip:EMAIL REMOVED>;tag=0650937887462BCF47C96083AC4812C3
    CSeq: 5 REGISTER
    Call-ID: f0bf58c9d39040aea7f5b1e612528319
    Date: Thu, 15 Oct 2009 22:45:00 GMT
    WWW-Authenticate: NTLM realm="SIP Communications Service", targetname="director.internaldomain.net", version=4
    Via: SIP/2.0/TLS;branch=z9hG4bK823259AC.B289D7E58CE0FA6A;branched=FALSE;ms-received-port=54899;ms-received-cid=B000
    Via: SIP/2.0/TLS;ms-received-port=50080;ms-received-cid=17900
    ms-diagnostics: 1000;reason="Final handshake failed";source="director.internaldomain.net";HRESULT="0xC3E93EC3(SIP_E_AUTH_UNAUTHORIZED)"
    Content-Length: 0
    Message-Body: –

    On the edge Internal configuration tab I have added not only the pool names but the individual server names to just cover all my bases. Nothing seems to help. 
    Thursday, October 15, 2009 11:00 PM

All replies

  • No, but you do need the Edge server in the global properties.  At a minimum it needs to be listed on the Edge servers tab, and if you want to use it as the global route for federation and/or PIC then you need it on the Federation tab as well.
    Mike Stacy | Evangelyze Communications | http://www.evangelyze.net/cs/blogs/mike
    Thursday, October 15, 2009 11:30 PM
  • The easiest way is to rerun the Pool Wizard (you can find that on the installation screen) and configure External Access.
    The procedure is listed in the EDGE deployment guide.

    - Belgian Unified Communications Community : http://www.pro-exchange.be -
    Friday, October 16, 2009 12:07 PM
  • I have the edge server set at the global level under the Edge Servers tab. Should I also set it at the director pool level?

    Should I run the pool wizard on the director pool or ocs pool?
    Friday, October 16, 2009 5:25 PM
  • In that case it should be the Director
    Read the Deploying EDGE Servers guide (section : Connect Your Internal Servers with Your Edge Servers)
    - Belgian Unified Communications Community : http://www.pro-exchange.be -
    Monday, October 19, 2009 11:20 AM
  • I tried running the pool configuration wizard and get this error:

    | Action | Action Information | Execution Result |
    |---|---|---|
    | Execute Action | | Failure |
    | Connect to local WMI | | Success |
    | Process applications for activation | Delete existing application instance: {313931D5-7013-4170-AC6C-51CE8C9A02E8}; Add new application: | |
    | Process global SIP domains | | Success |
    | Process client auto-logon SIP domains for this director | Delete existing client auto-logon SIP domain instance: {F7AAB825-6FC5-4CBA-82D1-33A436B68C3A}; Add new client auto-logon SIP domain: sipdomain.com | |
    | Process Web Conferencing Edge Server list | | Failure |

    A Google search came up with nothing. Any ideas? I get this on both the director and internal pools.
    Monday, October 19, 2009 5:31 PM
  • Ok, so I figured out it was a cert issue. Once we put the correct certs in place, external users are able to connect. The weird thing is I still get the 401 Unauthorized and 403 Forbidden on the S4 and SIPStack logs. Any ideas?
    Tuesday, October 27, 2009 6:05 PM
  • What was the certificate issue specifically? I am in nearly the exact same situation.  Strange thing is that IM with federated partners and PIC is working.  It's just the remote access that is driving me nuts.

    Friday, November 27, 2009 10:27 PM