OCS 2007 server with OC client from external cannot sync address book

  • Question

  • Hi all,

    Recently I have developed an OCS environment in the site.

    The environment is something like this: two-tier firewalls (non-Microsoft); in between we put the Access Edge server and the Reverse Proxy (which is built on top of ISA 2006), and the Front End server (Enterprise) inside the user subnet.

    Actually, users within the company can do everything without any problems. Remote users can still log in to the server and have instant messaging with the others.

    However, the Address Book is not available to download. I tried to follow the steps in other documents to test going through the web; I tried https://externalfqdnwebfarm/abs/ext/

    I got no challenge prompt from the Windows server. I double-checked the remote user's local hard drive under the user profile,

    C:\Documents and Settings\timothy.lau.DASG-KBT\Local Settings\Application Data\Microsoft\Communicator, and I don't see any GAL.DB file at all.

    I have enabled logging in Communicator and tried to check the log. It seems there is nothing especially useful in it for this.

    I tried to telnet from the remote user machine to the externalfqdnwebfarm name on port 443. It works.

    I also tried to telnet from the reverse proxy (ISA) to the internalfqdnwebfarm name on port 443, that is, the front-end server. It works.

    Is there any idea on where I should go deeper to troubleshoot this? Could it be an issue with the two firewalls?

    Regards,

    Timothy Lau

    Monday, November 17, 2008 9:25 AM

Answers

  • Tim,

    Yes, that is definitely related.  Since an ISA server is most commonly not domain-joined, it will not by default trust your internal Enterprise CA.  By exporting your CA's root certificate and importing it into your ISA server's certificate store you've effectively verified the certificate chain.

    And the External Web Farm FQDN is originally defined during the Front-End server installation. To view the current setting you can simply look at the Status pane on your pool object in the OCS console. Under Meeting Settings you should see something like:

    External URL for meeting content download https://abs.domain.com/etc/place/null

    The abs.domain.com FQDN is your current ExternalWebFarmFQDN value. If you need to change this value take a look at this article for the proper command line switches:

    http://technet.microsoft.com/en-us/library/bb803611.aspx

    Also I talk a little bit about this near the end of this article:

    http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=19

    Wednesday, November 19, 2008 2:47 PM
    Moderator
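A small diagnostic that automates the checks this thread does by hand (an added example, not code from the thread or from OCS/ISA): it resolves the external web farm FQDN, opens TLS on 443 verifying the chain against a chosen root CA file, requests /abs/ext/ and reports whether an authentication challenge comes back. The host name and CA file path passed to check_abs are placeholders the caller supplies.

```python
"""Added diagnostic for the ABS publishing checks in this thread (not code
from the thread or from OCS/ISA). The host and CA file are placeholders."""
import socket
import ssl

ABS_PATH = "/abs/ext/"


def classify(status, headers):
    """Map the response to the ABS request to a diagnosis."""
    if status == 401 and headers.get("www-authenticate"):
        return "challenge"            # expected: proxy forwards the auth prompt
    if status == 401:
        return "unauthorized-no-challenge"
    if status == 200:
        return "unauthenticated-200"  # listener is not requiring auth
    if status in (403, 404):
        return "not-published"        # publishing rule does not cover the path
    return f"unexpected-{status}"


def parse_response(raw):
    """Return (status, {lower-case header: value}) from a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_abs(host, cafile, port=443, timeout=5):
    """Resolve host, connect on 443, verify the TLS chain, fetch ABS_PATH."""
    try:
        addr = socket.gethostbyname(host)            # external DNS publication
    except socket.gaierror:
        return "dns-failed"
    ctx = ssl.create_default_context(cafile=cafile)  # only this root is trusted
    req = (f"GET {ABS_PATH} HTTP/1.1\r\nHost: {host}\r\n"
           "Connection: close\r\n\r\n").encode()
    try:
        with socket.create_connection((addr, port), timeout=timeout) as tcp:
            with ctx.wrap_socket(tcp, server_hostname=host) as tls:
                tls.sendall(req)
                raw = b"".join(iter(lambda: tls.recv(4096), b""))
    except ssl.SSLCertVerificationError:
        return "untrusted-chain"   # the missing root cert problem in the thread
    except (OSError, ssl.SSLError):
        return "connect-failed"
    return classify(*parse_response(raw))
```

Run check_abs("abs.example.com", "internal-root.pem") from the remote test machine; "challenge" is the result the thread was waiting for, "untrusted-chain" is the symptom fixed by importing the root certificate.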

All replies

  • What certificate do you have deployed on the ISA listener? A private cert from the internal Enterprise CA or a public third-party issued CA?  Is the remote client you are testing from a domain-joined workstation that happens to be outside the network for testing?

    If your port connectivity appears to be working then I'd take a close look at the certificate configuration.  Also, do you have the External Web Farm FQDN correctly published in an external DNS server? (I assume yes based on your testing, but it's worth pointing out.)

    Monday, November 17, 2008 2:01 PM
    Moderator
  • Hi Jeff,

    Since we are now in the testing stage and have not deployed to the end users yet, I have put the private cert from the internal enterprise CA on the ISA listener. Once allowed, we will replace this cert with the external public cert.

    Just now, I took a look at the reverse proxy cert, and I found that there was no trusted root cert for it (as I said, these are private only). So I exported the root cert from the internal CA and then imported it. Now there is no yellow "!" mark on the reverse proxy cert.

    The machine is not a domain-joined workstation for the testing. Is that related? Indeed I installed the ROOT cert and the cert for the reverse proxy into that testing workstation.

    External web farm FQDN, is that the one I defined in the Reverse Proxy (ISA)? If yes, then it should be correct. Can you tell me where to check the External web farm FQDN?

    Regards,
    Tim
    Wednesday, November 19, 2008 5:23 AM
  • Hi Jeff,

    Here is the update on the OCS environment now. We have replaced most of the private certs with trusted 3rd-party certs.
    Now the OCS 2007 server (Front End) contains the SN cert with SAN name. The edge server external interface has the cert sip.domain.com and also the web-conference certs. We keep the Edge server internal interface using a private cert.
    The Reverse Proxy also contains the cert for the external interface.

    External URL for meeting content download: https://xxx.domain.com/etc/place/null should be defined properly. xxx.domain.com exactly matches the name published in the external DNS server. I tried to ping it and it can be resolved, although I can't ping it (as an ISA rule denies it). I checked the ISA log, and it looks like it can be reached.

    However, until now, I am still unable to use the URL to browse and have it prompt me for the login.

    Regards,
    Tim
    Wednesday, November 26, 2008 3:33 AM
  • Hi Jeff,

    Thanks for your help. Indeed I removed the rule and the web listener in the ISA, then re-configured a new rule with the web listener, and now everything is working fine, i.e. Address Book, Group Expansion, etc.

    Many Thanks

    Timothy
    Thursday, November 27, 2008 4:53 PM