Consolidated Edge problem - small environment

  • Question

  • Dear all,

    I hope you can help me. I have set up a test environment, my internal OCS is running fine, also the mediation server. My problems started when I started the consolidated edge environment. I understand this is a very basic question but it is taking a lot out of me :)

    My situation:

     

      Environment

      OCS R2 Windows 2008 SP2 (Standard FE)
      OCS R2 Windows 2008 SP2 (Edge)

      OCS Pool

      ocsser2.domein.be

      Network

      For the moment the edge server is located in the LAN (not DMZ)

      EDGE server

      Internal      IP 10.0.0.189/24 (GW static route added)
      Webconf       IP 10.0.0.128/24
      AudioVideo    IP 10.0.0.124/24
      AccessEdge    IP 10.0.0.127/24 GW 10.0.0.245

      Standard server

      Internal      IP 10.0.0.80/24 GW 10.0.0.245

      Public Records

      A records

      ocsser2.domein.be    212.35.117.171
      sip.domein.be        212.35.117.172
      webconf.domein.be    212.35.117.173
      av.domein.be         212.35.117.174

      SRV records

      _sipinternal._tcp.domein.be       (TCP 5061 – ocsser2.domein.be)
      _sipinternaltls._tcp.domein.be    (TCP 5061 – ocsser2.domein.be)

       

      Firewall

      Rules I made on the firewall (Watchguard)

      Name                 Natting                         Port
      OCS HTTPS            212.35.117.171 -> 10.0.0.80     TCP 443
      OCS HTTPS AV         212.35.117.174 -> 10.0.0.124    TCP 443
      OCS HTTPS SIP        212.35.117.172 -> 10.0.0.127    TCP 443
      OCS HTTPS Webconf    212.35.117.173 -> 10.0.0.128    TCP 443
      OCS 3478             212.35.117.174 -> 10.0.0.124    UDP 3478
      OCS 5061             212.35.117.171 -> 10.0.0.80     TCP 5061

       

       

      Problem description:

      I'm able to IM, Presence but no voice, LiveMeeting, sending files, ...

      Also the IM fails when I nat the 5061 port to the edge server. Can someone please take a look if I made a mistake in the Records/Rules/names ...

      Thanks a lot!!! If you need any info, please ask!! 

      Joebla 


    Wednesday, September 9, 2009 1:40 PM

Answers

  • Jeff,

    We found the mistake after checking the whole config.

    1. I connected via Communicator to (ocsser2.domein.be) -> wrong => changed to sip.domein.be:443 (changed srv record also)
    2. Made a mistake in AV edge port between OCS FE <> OCS Edge (443 -> wrong => changed to 5062)

    Now everything seems to work, thanks for your initial support!

    Joebla

    Thursday, September 10, 2009 6:48 PM
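
The first fix in the answer above (sign in via sip.domein.be:443 instead of the pool name) can be checked offline against the records and NAT rules from the question. This is an added example, not part of the thread: the data is typed in from the post as constructed Python values, the `_sip._tls` record the poster asks about is taken as the corrected SRV record, and it assumes only the edge server's external interfaces are meant to be published.

```python
# Added example. Data transcribed from the question (constructed, no live lookups).
A_RECORDS = {
    "ocsser2.domein.be": "212.35.117.171",
    "sip.domein.be": "212.35.117.172",
    "webconf.domein.be": "212.35.117.173",
    "av.domein.be": "212.35.117.174",
}
# (public IP, protocol, port) -> internal IP, from the posted Watchguard rules
NAT = {
    ("212.35.117.171", "tcp", 443): "10.0.0.80",
    ("212.35.117.174", "tcp", 443): "10.0.0.124",
    ("212.35.117.172", "tcp", 443): "10.0.0.127",
    ("212.35.117.173", "tcp", 443): "10.0.0.128",
    ("212.35.117.174", "udp", 3478): "10.0.0.124",
    ("212.35.117.171", "tcp", 5061): "10.0.0.80",
}
# Edge external interfaces as listed in the question
EDGE_EXTERNAL = {"10.0.0.127": "AccessEdge", "10.0.0.128": "Webconf", "10.0.0.124": "AudioVideo"}
ACCESS_EDGE = "10.0.0.127"

def check_srv(name, target, port):
    """Findings for one publicly published SRV record (empty list = consistent)."""
    findings = []
    if name.startswith(("_sipinternal.", "_sipinternaltls.")):
        findings.append(f"{name}: internal sign-in record published in public DNS")
    public_ip = A_RECORDS.get(target)
    if public_ip is None:
        return findings + [f"{name}: target {target} has no public A record"]
    internal = NAT.get((public_ip, "tcp", port))
    if internal is None:
        findings.append(f"{name}: no NAT rule for {public_ip} tcp/{port}")
    elif internal != ACCESS_EDGE:
        findings.append(f"{name}: {target}:{port} lands on {internal}, not the Access Edge")
    return findings

def check_nat():
    """NAT rules whose destination is not an edge external interface (to review)."""
    return [f"{pub} {proto}/{port} -> {dst}: not an edge interface"
            for (pub, proto, port), dst in NAT.items() if dst not in EDGE_EXTERNAL]

# SRV records as posted, and the record the poster asks about later in the thread
BEFORE = [("_sipinternal._tcp.domein.be", "ocsser2.domein.be", 5061),
          ("_sipinternaltls._tcp.domein.be", "ocsser2.domein.be", 5061)]
AFTER = [("_sip._tls.domein.be", "sip.domein.be", 443)]

if __name__ == "__main__":
    for name, target, port in BEFORE + AFTER:
        print(name, check_srv(name, target, port) or "ok")
    print(check_nat())
```
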

All replies

  • You should not have the default gateway defined on all of the network interfaces.  You'll need to define a static route for Edge-to-internal network routing, and with Server 2008 still leave the DG on each externally-facing interface (due to the Strong Host Model used in Server 2008) or configure Weak Host Model and add the DG to only the Access Edge interface.

    See this thread for more details: http://social.microsoft.com/Forums/en-US/communicationsserveredgeservers/thread/787d7d06-34f2-431e-b3a3-801310174e3b
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Wednesday, September 9, 2009 4:35 PM
    Moderator
  • Jeff,

    thanks for the follow up.

    I followed your advice and removed all of the gateways (except on the access edge gateway) and configured Weak Host Model. I found also a post saying that the SRV records need to point to port 443 (not to 5061) if you use R2?

    - changed the above post (removed GWs)

    Are the SRV records correct?

    Do I need to add:

    _sip._tls.domein.be that points to sip.domein.be 443

    But still no voice, no livemeeting,... I can telnet the ports from remote... Is there anything else I can try to check the remote config?

    Thanks again!!

    Joebla

    Wednesday, September 9, 2009 6:48 PM
  • Take a look at this post for some troubleshooting and configuration assistance for external Live Meeting: http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=67
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Wednesday, September 9, 2009 7:21 PM
    Moderator
  • Thanks, very useful!

    I followed all the steps but still no go...

    When I now start a livemeeting (initiated from Communicator) the program starts, after a while I get a Windows Authentication screen, when I fill in the credentials it fails after a few seconds with "Live Meeting cannot connect to the meeting"

    Eventvwr shows me this:

    Event id 9 (Livemeeting)

    LiveMeeting was unable to authenticate because an authenticating authority was not reachable.

     

    Resolution:

    The server may be asking for Kerberos authentication and Communicator is not able to find the Kerberos Domain Controller in order to generate credentials and authenticate. The network administrator will need to change the configuration on the server to utilize only NTLM authentication before Communicator can login from this location properly, or connectivity will need to be made available to an authenticating authority.

    Event id 11 (Livemeeting)

    A SIP request made by LiveMeeting failed in an unexpected manner (status code 80ee00a6). More information is contained in the following technical data:

    Response Data:

    403 Forbidden

    ms-diagnostics: 1012;reason="From URI is not authorized to communicate with users outside the enterprise";source="OCSSER2.domein.BE"

    -> my user has settings like url provided (External Livemeeting)

     

     

    Wednesday, September 9, 2009 8:32 PM
  • Have you enabled the Meeting policies to allow anonymous participants?


    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Wednesday, September 9, 2009 9:05 PM
    Moderator
  • Thanks again Jeff!


    I have enabled the meeting policies I believe:

    OCS R2 FE server:

    On the server Global Properties - Meetings:

    Anonymous participants: allow users to invite anonymous participants

    Global policy: Policy 1 (HIGH) (everything enabled)

    OCS R2 Edge server:

    Access Methods - User Access Settings:

    Allow remote user access to your network -> ON
    Allow anonymous users to join meetings -> ON

    Do I need to enable anything else?
    Thursday, September 10, 2009 6:47 AM