Cannot log into OCS from WITHIN the network RRS feed

  • Question

  • I cannot log into OCS if I'm connected to the VPN or in the office on the LAN. I can log in to OCS and then subsequently connect to the VPN and remain connected.

    I get "Cannot sign in to Communicator. You may have entered your sign-in address, user name, or password incorrectly, or the authetication service may be incompatible with this version of the program. If your sign-in information is correct and the problem persistes, please contact your system administrator."

    The sysadmins can't figure it out. They've also contacted the company that provides them with support and they have no idea.

    Once I am connected to the VPN I also lose the integration between Outlook and OCS. This means that I cannot add new people to OCS if I am connected to the VPN.

    We've tried the following:
    1) Uninstall the OCS client and reinstall in another directory.
    2) Check the Windows Firewall settings.
    3) Telnetting to the OCS server to port 5061 works fine.
    4) Used the Advanced Settings and manually put in the IP address of the OCS server.
    5) Changed from TCP to TLS (when we do this I get a certificate error rather than the usual error message.
    6) Usee someone else's credentials on my machine and they get the same problem.
    7) Used my credentials on another machine and I got in fine.

    The only route we can think of is to reinstall the OS.


    Thursday, December 18, 2008 11:58 AM

All replies

  •  Can we assume that in step 7 the 'other machine' was not utilizing the VPN connection? I've seen other discussions about users having problems with SIP communications over certain VPN connections.  IS there a reason that users establish VPN connections while on the LAN (site-to-remote-site for example) or are you just testing that scenario?  Do you have plans to deploy and Edge server for external user access, as that is the preferred and supported method for external usage.

    Take a look at this thread for starters:
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Thursday, December 18, 2008 1:31 PM
  • Does your DNS server change when you connect your VPN? It looks like it just can't find your OCS server anymore after connecting your VPN. It also explains an existing OCS connection doesn't drop.

    You can test this with the srvlookup tool included in the OCS resource kit.

    You can also test this by manually entering your front edge ip address (not it's dns name) in Communicator.
    Thursday, December 18, 2008 7:17 PM
  •  In step 7 I am referring to a machine on the LAN.

    The attempts with a VPN connection are being done from outside of the corporate LAN. Home or hotel broadband typically.

    In addition to not being able to use OCS when connected to the VPN, I also cannot use it without the VPN when sitting in the office connected to the LAN.

    The DNS being used via the LAN or VPN would be different from the DNS when I am on the public internet at home or in a hotel.

    Would srvlookup be something I run on my machine or on the server machine?

    I think that the suggestion to manually enter the IP address is what I mentioned is step 4.

    Tools->Options->Advanced->Personal and putting in the IP address manually.

    I noticed in the referenced thread that they were including the port when entering the IP manually. I tried that and got a message that the server is temporarily unavailable. When I don't enter the port I get that there is a problem with the certificate. Both times I tried TLS.
    Thursday, December 18, 2008 9:17 PM
  • You should run srvlookup on your client. Both when you're connected using VPN and without, to compare.

    Use the command "srvlookup domain.com -v
    The output should point to you SIP record (example: sip.domain.com)

    I would advise you to check the eventlog on your client to see why you're getting a certificate error. This certainly should not happen.
    Friday, December 19, 2008 9:13 AM
  • I ran srvlookup.exe on my machine while at home, not on the VPN, and connected to OCS.

    Command: srvlookup.exe foo.com -v

    Result: No server available on _sipfederationtls._tcp.foo.com


    Command: srvlookup.exe sip.foo.com -v

    Same results as above.


    I think connected to the VPN. I got the same result but while the first time it took some time to get the result, after VPN connection it was immediate.

    Checking the event log I see the following:

    Communicator was unable to locate the login server. No DNS SRV records exist for domain foo.com, so Communicator was unable to login.

    Communicator was unable to resolve the DNS hostname of the login server sipinternal.foo.com.

    The agent could not connect to the MOM Server FOOOO. The error reported is 'An established connection was aborted by the software in your host machine.'. Verify the management group name is correct, the MOM Server is running, that it is listening on port 1270, and that any firewalls between this agent and the MOM server are configured to pass TCP and UDP traffic on port 1270.


    Windows Firewall is turned off on this machine.

    When I connect to the VPN I get the following in the event log when I try to connect:

    Communicator was unable to authenticate to the server sip/BAR.FOO.com due to following error: 0x8009030d.

    Friday, December 19, 2008 10:15 AM
  • You don't seem to have the required dns records in your DNS. If they they are present, there is likely something wrong with your connection or DNS server entries.

    The last entry in your event log is a MOM or SCOM notice, not relevant to Communicator but it might indicate a bigger network problem.
    Friday, December 19, 2008 3:51 PM
  • To start off with is this a Standard or Enterprise Server?

    Do you have just a TLS Listner or do you have a TCP Listner on the OCS Server?

    If you using TLS - then what is the name of the server or pool?

    Put the FQDN of the Pool into the Communicator Client set for Manual and select TLS.  You can not use the IP when using TLS on the server.

    If you want you can add a TCP listner to the OCS Server and connect your client using TCP and the IP Address of the server.


    Sunday, December 28, 2008 11:58 PM