OCS over ISA site-to-site VPN; AV issues RRS feed

  • Question

  • Hi

    I'm having a problem with OCS 2007 R2 and calls to my my branch office; it's driving me around the twist :(

    I have an OCS 2007 R2 standard server at head office all validated etc. and on subnet 192.168.16.x

    I have a branch office on subnet 192.168.17.x with a few users; the offices are connected with an ISA 2006 site-to-site VPN and the relationship is routed on both ISA servers. RODC at the branch. I can quite happily ping etc across the WAN link between offices and have never had a problem with interoffice communications... until now!

    DNS is configured with a single forward lookup zone integrated into AD, with 1 reverse zone per subnet.
    Internal fully trusted CA and the certificates validate fine.

    Users can enjoy any service offered by OCS as long as the other user is on the same subnet. Users can IM with any other user regardless of subnet. Branch office users can communicator call but not connect with head office users. The call dials out and the recipient's phone rings but on call pick-up the connection cuts out. Same vice-versa from the head office to the branch.

    Communicator reports on a call from me at HQ to colleague Rob Grocott at the branch; 

    A SIP request made by Communicator failed in an unexpected manner (status code 0). More information is contained in the following technical data:


     RequestUri:   sip:robert.grocott@county-rental.co.uk;opaque=user:epid:yJFwlqHZVlONpDsWjgNmigAA;gruu

    From:         sip:rob.hardman@county-rental.co.uk;tag=9ac97d2098

    To:           sip:robert.grocott@county-rental.co.uk;tag=ea71ae4c56

    Call-ID:      dc35f44c4a954ddbad89a70aae10e2c1

    Content-type: application/sdp;call-type=audiovideo




    Response Data:


    183  Session Progress



    101  Progress Report

    ms-diagnostics:  13004;reason="Request was proxied to one or more registered endpoints";source="OCS.county-rental.co.uk";appName="InboundRouting"



    180  Ringing



    183  Session Progress



    0  (null)

    Ms-client-diagnostics:  52031; reason="Call terminated on media connectivity failure"




     If this error continues to occur, please contact your network administrator. The network administrator can use a tool like winerror.exe from the Windows Resource Kit or lcserror.exe from the Office Communications Server Resource Kit in order to interpret any error codes listed above.

    I've disabled all client firewalls and I can't see anything in either ISA server log of interest. There's no mediation or edge server installed yet to keep things simple. I'm aware that communicator calls are P2P but I can't figure out why this is not working across the routed VPN.

    Any assistance would be much appreciated. I have communicator logs available (but they are very long!) should they be required. I'm also aware of a similar thread here but that issue involves edge etc. and mine doesn't.


    Rob Hardman
    Tuesday, March 17, 2009 5:57 PM


  • The solution here was to avoid sending the remote office traffic over the site-to-site VPN (with site based group policies) and to set up Edge roles instead.
    • Marked as answer by Rob Hardman Friday, July 31, 2009 2:41 PM
    Friday, July 31, 2009 2:41 PM

All replies

  • The solution here was to avoid sending the remote office traffic over the site-to-site VPN (with site based group policies) and to set up Edge roles instead.
    • Marked as answer by Rob Hardman Friday, July 31, 2009 2:41 PM
    Friday, July 31, 2009 2:41 PM
  • Hello! I am running into the exact same problem! ISA 2006 site-to-site VPN between us and our remote office. Route relationship. IM between the two is fine with Office Communicator 2007 R2. I am still having problems with the server setup, but IM and p2p works great locally. IM works great across the VPN as well, but as soon as we attempt a video call, it disconnects upon being answered. FRUSTRATING! Can't figure it out. SOOO, in the event that my bosses decide that we do indeed need to set up Edge roles, would you mind giving me a little direction as to exactly how you accomplished your setup, where the group policy objects are that you modified, etc.? I would truly appreciate it!'


    Josh Blalock
    Thursday, September 24, 2009 9:05 PM
  • Hi Guys,

    Practically I'm running a ISA 2006 Site-to-Site VPN for the pass few years and OCS infrastructure was deployed since 2 - 3 years back and I've never encountered such an issue before; way even before we've deployed Access Edge.

    There's a few things that I would like to get from you to reproduce the problem:

    1. Select 1 users each from the different offices, delete all files from the Tracing folder. Make sure you've enable the Communicator Logging.
    2. At the Front-End Pool, enable the debugging for SIP Stack and S4, Level - FULL, Flags - make sure all checkbox are select
    3. If possible, install and run wireshark to capture the network traces
    4. Once you've got it, you can email it to me and I'll take a look


    PS: Access Edge is good for Remote Access users and Federation :). Plus, Public IM with Live Messengers is FREE!! :D
    Friday, September 25, 2009 6:05 AM
  • I actually have a question or two about your setups, since they work. I started looking into deploying the consolidated edge server topology in our environment since that was listed as a fix above, but a technet article stated something that I wanted to verify with you all. It stated that for remote sites, you should do a different topology that included having an OCS server installed at each site, and that each site should have its own edge setup to talk back and forth. Is this how you have your environment set up with your remote sites, or do your sites work just fine with an OCS server at your main site only, and the edge server in your DMZ only (nothing set up at remote site)? I am really hoping I don't have to set up extra servers at the remote sites to make this all come together.

    Also, I am using a self-signed certificate generated from the OCS server itself. The client machines are set up to trust this certificate, so I am able to login and all that, but my actual OCS server itself is not working yet. I continue to get errors about not being able to reach HTTPS://server.domain.local:444/LiveServer/MCU or MCUFactory. So, P2P IM and A/V works internally, but obviously I cannot utilize any conferencing, IM or media. I have been to countless forums trying to find a solution to my errors, but NOTHING helps. I have re-installed the whole thing 3 different times, each on a different OS. This last time I didn't install on a virtual server anymore, and just put it on a physical box. Still no joy...SOOO, I am suspicious that the whole thing can't work with a self-signed certificate. Do either of you have your enviroments working with a self-signed cert by any chance?

    Thanks so much for all your help!


    Monday, September 28, 2009 6:56 PM
  • James OSW, I'm not able to assist you as we're running fine with the current set up and I don't have the resources to risk breaking it, but perhaps Josh will assist with the tracing etc. I'd be interested to know of a solution.

    Josh, in my org the branches are very small set-ups indeed, only one or two computers, hence they are only communicator endpoints with no OCS servers on site. It works flawlessly but the internet connection at HQ has to be bulletproof. It did also simplify the Enterprise Voice setup as we only use a single dialling "location."

    Using a UC certificate from an external vendor (you can also deploy your own internal PKI as well) we deployed a consolidated edge with 3 public IPs. Of course properly configured, the same UC certificate goes all around your OCS and Ex2007 servers so it's not too expensive. Note, the Edge server is not protected by ISA but just Windows Firewall. Unless you are using federation, only two ports need to be open.

    Leveraging AD Sites and Office Communicator .ADM files we then dropped a Group Policy Object on the various AD Sites that were branches to force machines in those locations to look at the public interfaces of the Edge for signing in. Thus from the branches all IMs etc actually go through the Edge and voice and video works fine. It's not the most elegant solution, but I banged my head against a brick wall trying to get routing across ISA to work - I spent literally months at it and got nowhere.


    Monday, October 19, 2009 4:50 PM