External users not getting galcontacts.db

  • Question

  •  

    We have internal users and external users (off the network and domain).  Internal users get the galcontacts within a few seconds after deleting it and opening communicator.  However external users off the network do not get it at all.  Communicator works for them (current contacts and actual chatting) however searching in the quick search returns zero results.  There is no galcontacts.db on the remote client even after 20 minutes.  If I go to tools > add a contact > and search by name I get results though.  I am assuming that method does not use the galcontacts.db on the client.

     

    I checked the permissions on abs\ext and abs\files and everything marked ext has inet_usr / anonymous access added for read/list directory.  I do not see any errors directly mentioning the galcontacts on the server or the client.

     

    Any suggestions?

    Monday, September 29, 2008 1:10 PM


All replies

  • Do you have a reverse proxy configured or some other supported configuration to allow external clients to access the internal web server's files?

     

    External clients are passed the ExternalWebFarmFQDN in-band and must be able to access that page remotely.  You can test this access remotely by browsing out to this URL, where abs.domain.com is your ExternalWebFarmFQDN.

     

    https://abs.domain.com/conf/ext/TShoot.html

     

    You should get a page that explains how to troubleshoot Live Meeting; the content is not important, just that the page itself loads correctly.

     

    And regarding your last point, that is correct.  You don't even need to have the Address Book Service deployed in OCS to find contacts using the manual Search wizard, as the Find bar leverages the OCS address book.

    Monday, September 29, 2008 1:19 PM
    Moderator
  • Yes I can browse to that link fine from a computer off our domain/network with no login prompts.  The tshoot page comes up.

    Monday, September 29, 2008 3:44 PM
  • How did you configure the Address Book for external users?  Do you have a reverse HTTP proxy deployed or are you using a different method?  What certificate is being used?
    Monday, September 29, 2008 4:17 PM
    Moderator
  •  

    I don't believe we have anything complicated set up.  We have one communicator server on server 2003.  We have an external IP going to port 443 (which is running communicator) to that server.  We are using an Entrust certificate, the kind that has two domains on it - I forget what that is called.  Like I said, everything works fine aside from the galcontacts not coming down on a remote install.

     

    Update*

    On the client I get the following error

    "Cannot synchronize with the corporate address book because the file could not be found."

     

    Monday, September 29, 2008 4:30 PM
  • The OC client downloads the Address Book by connecting to a web site by an FQDN that is passed in-band along the main client-to-server connection.  If OC determines that it is internal (via connecting to a Front-End server) or external (connected to an Edge server) then it will attempt to download the address book by using either the Internal or External Web Farm URL respectively.

     

    Are you not using an Edge Server for external access?  Attempting external client access w/o an Access Edge Server requires some un-supported configuration to get working.

    Monday, September 29, 2008 5:06 PM
    Moderator
  • I don't believe I am running an Edge Server which could be my issue.  I just opened the ports in our firewall for 443 and 5061 I think and added the iusr_iis account to have read access to the ext directories.  In the configuration of the clients I have communicator.domain.local for the internal server and communicator.site.com for the external and TLS.  I assumed an edge server was only needed if we had multiple communications servers. 

     

    The users that I want to run communicator at home have domain accounts and are employees.  I thought an Edge Server was needed if you wanted non-domain users to be able to chat with other users.  Am I mistaken?

    Monday, September 29, 2008 7:25 PM
  • Yes, that assumption is incorrect.  An Access Edge Server is required for any external user access, be it corporate users logging in from home, Federation, PIC, anonymous Live Meeting participants, etc.  The point of the Edge server is to move this component off to the Perimeter network, leaving the domain-member Front-End server more protected on the internal network.  It is possible to get some external user functionality without the Edge server, but it would take a fair amount of tweaking, and is neither supported nor really documented.

     

    I'd suggest deploying an Edge Server and following the deployment guides to get the supported functionality of the product.

    Monday, September 29, 2008 8:21 PM
    Moderator
  • OK, thanks. I've already set up a certificate on our standard server that is meant for outside users.  Do I need two separate certificates, or can I use the same one on the edge server as the standard server?  It seems odd that I would need 3 separate certificates for the standard internal server, another for the web interface, and another for the edge server being none of them can be installed on the same server.

    Tuesday, September 30, 2008 1:50 AM
  • In a normal deployment you'd have a single certificate on a Standard Consolidated Front End server, one certificate on an ISA server for the Reverse Proxy, and one-to-four certificates on an Edge server depending on the deployment scenario.
    Tuesday, September 30, 2008 2:48 AM
    Moderator
  •  

    Wow, I didn't think this was that complicated until I saw the 115-page Edge server deployment guide.  I'm tempted to just tell everyone to use communicator via our Citrix web interface : )

     

    Thanks for the help, I guess setting up Edge is another bunch of questions for the forums.  Thanks for the stern advice!

    Tuesday, September 30, 2008 4:00 PM
  • Hello

    I have exactly the same problem. My external users don't get the galcontacts, the same user internally does. External users can sign into communicator fine. I have an edge server and reverse proxy server set up. To test, I have imported my internal CA Root certificate onto the external client's PC and imported it into the trusted certificate authorities. The reverse proxy server also has this certificate. It also has its own internal CA certificate for the web listener.

    When I go to https://webcomps.domain.com/abs/ext I am prompted for my domain\username and password which is excepted. Then a 403 forbidden page is displayed.

    What directory permissions should I have on the folders abs/ext and abs/files? Also what should the correct directory security be in IIS?

    External users can't expand distribution groups either, but that's another matter!

    Any help would be great.

    Monday, January 19, 2009 10:57 AM