Live Meeting doesn't work for external user (remote user) ??

  • Question

    Hi there,

     

    I have installed OCS 2007 Standard Edition on 2 different hosts (core and edge server).  The edge server has been configured for Access Edge Server and Web Conference Edge Server.  In addition, I didn't install the ISA 2006 or DIRECTOR in the network at all and the whole thing works great (IM works internally and externally BUT Web Conferencing ONLY works internally).  So I need some help to find out why it doesn't work for external people and fix it if possible.

     

    My external and internal cert on the Edge Server have the following SN and SAN

     

    ext: SN:  edge.company.com
         SAN: sip.company.com,
              edge.company.com
              edge

    int: SN:  edge.company.local
         NO SAN

     

    Furthermore, I also used Windows Management Instrumentation (WMI) to configure the server to use the external URL but it still doesn't solve the issue.  So could anyone point me in the right direction to fix it?

     

    Thanks in advance.

     

    -Desmond

    Monday, October 27, 2008 6:24 AM

All replies

  • Hi Desmond,

    I suspect that your issue lies within your edge configuration. Did you use a different IP address for your Access and Web Conf Edge Roles? Otherwise if they use the same IP, then you could have a conflict because both Access and Web Conf listen on port 443 unless you configure one of them to listen on a non-default port. I like to give each Edge role its own IP and certificate.

     

    For example:

     

    Access Edge
    sip.company.com
    Public IP Address 1

    Web Conf Edge
    webconf.company.com
    Public Address 2

    A/V Edge
    media.company.com
    Public Address 3

    Reverse Proxy
    proxy.company.com
    Public Address 4

     

    This way you do not need SAN enabled certificates for your edge IPs. Your configuration does not REQUIRE the A/V and Reverse Proxy, but I would highly suggest that you implement the Reverse Proxy, otherwise your external users will get errors about group expansion and address book. You will be fine without a Director. The Director is only important in large implementations with multiple FE servers. Can you give us more information about your Edge configuration so that we can help troubleshoot? Are you getting any event log errors on your clients or servers?

     

    Jamie Schwinn

    www.systmsny.net

     

    Monday, October 27, 2008 3:52 PM
  • What Configuration is your Conferencing EDGE: IP, Ports, DNS

    What public DNS record has your conferencing EDGE Server that must also be present in the Certificate

     

    External URL is only for meeting content, does not configure external settings to start a live meeting

     

    Monday, October 27, 2008 3:56 PM
  • Hi Jamie,

     

    Thanks for your response.  I have just installed other certs for the external port and internal port.

     

    The following are the new certs:

     

    INT:  SN:  edgeint.corp.company.local

            SAN: edge.corp.company.local

            SAN: edgeint.corp.company.local

            SAN: edgeint

     

    EXT: SN: edge.company.com

            SAN: sip.company.com

            SAN: edge.company.com

            SAN: edge

     

    In the event log of EDGE server,

     

    I found the following .....

     

    Web Conferencing Server has been added to Web Conferencing Edge Server's trusted server list

    Web Conferencing Server with FQDN ocs2007.corp.company.local has been added to Web Conferencing Edge Server's trusted server list

     

    Web Conferencing Server connected successfully

    Web Conferencing Server with FQDN ocs2007.corp.company.local connected successfully

     

    BUT LIVE MEETING 2007 STILL DOESN'T WORK EXTERNALLY.

     

    Any suggestions or advice ?

     

    Thanks in advance.

     

    -Desmond

    Tuesday, October 28, 2008 4:52 PM
  • Desmond,

     

    The information you have provided does not help troubleshoot this issue. We would need to see what IP addresses, ports, hostnames, AND certificates you are using on your edge server. Is your edge server only configured with a single address externally? What are you using as a perimeter firewall and what ports are forwarded where? What external DNS entries have you published? Are you getting any errors on the client side?

     

    Jamie Schwinn

    www.systmsny.net

     

     

    Tuesday, October 28, 2008 5:22 PM
  • Hi Jamie,

     

    The following is the info:

     

    IP address of OCS: 172.20.10.40   (Internal FQDN: ocs2007.corp.company.local)

     

    The below is the info of my EDGE configuration:

     

    IP address of Edge: External: 172.20.10.41          Internal: 172.20.10.42

     

    External Interface Settings:

    Access: 172.20.10.41     DNS Name:edge.company.com        Port: 5061 (federation)  , 443 (Remote)

    Web Conferencing: 172.20.10.41    DNS Name:edge.company.com              Port: 444

     

    Certificates:

    INT:  SN:  edgeint.corp.company.local

            SAN: edge.corp.company.local

            SAN: edgeint.corp.company.local

            SAN: edgeint

     

    EXT: SN: edge.company.com

            SAN: sip.company.com

            SAN: edge.company.com

            SAN: edge

     

    On the Cisco ASA 5510, we have opened ports 443, 444, 5061, 5062.

    We have published edge.company.com for DNS entries.

    For the client side, according to the event viewer, it's trying to resolve the internal fqdn (ocs2007.corp.company.local) (I put down both internal fqdn and external fqdn in the configuration) and these settings work fine for the office communicator externally and internally.  However, I don't see any error message in the event viewer if I put edge.company.com as both internal and external fqdn, but it still doesn't let me join the meeting externally.

    On the edge server, in the event log, the most recent errors I found are:  (but these have different time stamps, like a couple of hours earlier)

    1.  ocs applications module: office communication server start up is pending.

    some configured critical applications have not yet registered.

    resolution: For script only applications ensure that the application is available in the path specified in the MMC, and that no errors are reported by the Office Communications Server Script-Only Applications Service. For non-script only critical applications ensure that they are configured to register on server startup.

    2.  ocs protocol stack:

    Unable to set the Access Edge Server internal DNS name.
    DNS name: 'edge.corp.company.local'.
    Cause: A DNS name is already set.
    Resolution:
    Please restart the service in order to apply this change.

    3.  ocs web conferencing edge server:

    Failed to process data received from the client
    Over the past 0 minutes Office Communications Server has disconnected clients 1 time(s) as a result of invalid data being received on client connections. The last such client which was disconnected is "75.101.17.64:1203".
    Cause: Failed to process data received from the client
    Resolution:
    Check and make sure that the connection came from a trustworthy client.

     

    On the OCS2007:

    At least one attempt to reference stale (non-existent or deleted) security association was detected.
    There were 1 messages with signature that referenced stale (non-existent or deleted) security association in the last 0 minutes. The last one was this SIP message:
    Instance-Id: 000005E6
    Direction: no-direction-info
    Source: edgeint.corp.company.local
    Message-Type: request
    Start-Line: SERVICE sip:bwong@company.com;gruu;opaque=app:conf:focusfactory SIP/2.0
    From: <sip:bwong@company.com>;tag=a0e1f229b6;epid=9c1304db48
    To: <sip:bwong@company.com;gruu;opaque=app:conf:focusfactory>
    CSeq: 1 SERVICE
    Call-ID: 75e6231ef617473a8c8fe1da65ce5b6d
    Via: SIP/2.0/TLS 10.20.100.42:1826;branch=z9hG4bK73CA7B2F.5644ABE3;branched=FALSE;ms-received-port=1826;ms-received-cid=1200
    Record-Route: <sip:edgeint.corp.company.local:1826;transport=tls;maddr=10.20.100.42;lr>;tag=F9BCAE7198D87FD337E8EE25BBA3EA52
    Max-Forwards: 69
    ms-edge-proxy-message-trust: ms-source-type=InternetUser;ms-ep-fqdn=edgeint.corp.company.local;ms-source-verified-user=verified
    Contact: <sip:bwong@company.com:1956;maddr=65.175.48.186;transport=tls;ms-received-cid=3F00>;+sip.instance="<urn:uuid:A6AE7A60-22A0-5FA2-81A8-DE5C9E0D89E2>"
    Via: SIP/2.0/TLS 172.20.10.138:1470;received=65.175.48.186;ms-received-port=1956;ms-received-cid=3F00
    User-Agent: UCCP/2.0.6362.91
    Proxy-Authorization: NTLM qop="auth", realm="SIP Communications Service", opaque="DE6D23F8", targetname="ocs2007.corp.company.local", crand="20332509", cnum="6", response="0100000043005000fb6d66edaf040329"
    Content-Type: application/cccp+xml
    Content-Length: 2274

    Cause: This could be due to users that utilize large number of devices (in excess of configured maximum), or due to connection refresh logic re-balancing remote users to a different director in a bank or a pool, or it could be due to an attacker.
    Resolution:
    None needed unless the failure count is high (>100). Check if number of allowed devices per user is too low for existing usage scenarios. Check your network for any rogue clients. Restart the server if problem persists.

     

     

    That's all I have found so far.......

     

    Any thoughts or advice ?

     

    Jamie, thank you in advance.  I really appreciate it.

     

    -Desmond

     

     

     

    Tuesday, October 28, 2008 9:23 PM
  • Hi Jamie,

     

    I just made the following change to see if it will fix the problem .... but looks like I am out of luck ....

     

     

    I went to OCS2007 (the front-end hosts) > forest - company.local > Standard Edition Servers >

    RIGHT CLICK OCS2007 >  properties > web conferencing properties > the TAB of web conferencing edge server >

     

    In there, I have updated the settings with the following info ....

    443 as the external port

    8057 as the internal port

    edgeint.corp.company.local as the Internal FQDN

    edgeext.corp.company.local as the external FQDN

     

    Maybe I made a mistake in one of these settings ??

     

    -Desmond

    Tuesday, October 28, 2008 10:14 PM
  • You must have an external configured FQDN; it seems to be an internal one.

    Also, this FQDN must be present in a Certificate bound to your External interface listening on your Conferencing EDGE IP/Port.

     

    Wednesday, October 29, 2008 12:17 AM
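
The checks the replies above ask for, as an added Python example that is not part of any post in this thread: it compares what the front end advertises to external clients with what the edge listens on and with the names in the bound certificate. The `Listener` and `Advertised` types and the `audit` function are hypothetical, the input is constructed from the values posted above, and `company.com` as the public zone and the rule that advertised and listening ports must agree are assumptions of the example.

```python
from dataclasses import dataclass

@dataclass
class Listener:            # what the edge server actually listens on
    role: str
    ip: str
    port: int
    cert_names: tuple      # subject name plus SAN entries of the bound certificate

@dataclass
class Advertised:          # what the front end hands to external clients
    role: str
    fqdn: str
    port: int

def name_matches(fqdn, cert_name):
    """Case-insensitive match; a leading '*.' covers exactly one label."""
    fqdn, cert_name = fqdn.lower().rstrip("."), cert_name.lower().rstrip(".")
    if cert_name.startswith("*."):
        head, _, rest = fqdn.partition(".")
        return bool(head) and rest == cert_name[2:]
    return fqdn == cert_name

def audit(listeners, advertised, public_zone):
    findings, sockets = [], {}
    for lst in listeners:  # two roles cannot share one IP:port
        other = sockets.setdefault((lst.ip, lst.port), lst.role)
        if other != lst.role:
            findings.append(f"{lst.role}: {lst.ip}:{lst.port} collides with {other}")
    by_role = {lst.role: lst for lst in listeners}
    for adv in advertised:
        lst = by_role[adv.role]
        if not adv.fqdn.lower().endswith("." + public_zone):
            findings.append(f"{adv.role}: {adv.fqdn} is outside public zone {public_zone}")
        if not any(name_matches(adv.fqdn, n) for n in lst.cert_names):
            findings.append(f"{adv.role}: {adv.fqdn} not in certificate names")
        if adv.port != lst.port:  # assumption: clients dial the advertised port
            findings.append(f"{adv.role}: advertised port {adv.port}, edge listens on {lst.port}")
    return findings

# Constructed input using the values posted in this thread.
EXT_CERT = ("edge.company.com", "sip.company.com", "edge")
LISTENERS = [Listener("access", "172.20.10.41", 443, EXT_CERT),
             Listener("webconf", "172.20.10.41", 444, EXT_CERT)]
ADVERTISED = [Advertised("webconf", "edgeext.corp.company.local", 443)]

if __name__ == "__main__":
    for line in audit(LISTENERS, ADVERTISED, "company.com"):
        print(line)
```
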
  • Hi Deli Pro-Exchange,

     

    I found the following logs in the event viewer .......

     

    Web Conferencing Server has been added to Web Conferencing Edge Server's trusted server list

    Web Conferencing Server with FQDN ocs2007.corp.company.local has been added to Web Conferencing Edge Server's trusted server list

     

    Web Conferencing Server connected successfully

    Web Conferencing Server with FQDN ocs2007.corp.company.local connected successfully

     

     

    It looks like it does recognize the internal FQDN as the internal interface and I am also pretty sure the appropriate FQDN is present in the appropriate certificate.

     

    I also use the WMI to modify the URL ......... it still doesn't work for me ......

     

     

    Any suggestions where else I should look?

     

    Thanks in advance.

     

    -Desmond

    Thursday, October 30, 2008 7:01 AM
  • This means that your internal config looks ok, your EDGE server can connect to the OCS Server.

    But this does not necessarily mean that external users can connect, that is a different thing.

    You should actually look at SIP messages to verify that all is fine when users connect externally.

    So open a new Debug Session on the EDGE Server and verify the SIP traffic (select S4 and SIP).

    Look at the log with the Snooper tool from the OCS 2007 Resource Kit.

     

     

     

    Friday, October 31, 2008 12:47 AM
  • Desmond,

    Did you ever get your external Live Meeting working?  If so what was the resolution?  Was MSFT Support able to help you with your problem?

    Thank you

    Walter - MCS
    Got Milk
    Monday, February 2, 2009 10:12 PM