OCS2007 R2 to Exchange 2007UM connectivity problems

All replies

• 

  

  0

  Sign in to vote

  Do you still have the default self-signed certificate in use on the Exchange server(s) or have you replaced them with certificates issued by the same Enterprise CA used for the OCS server certificates?

  ---

  Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS

  Sunday, October 11, 2009 1:09 PM

  Moderator
• 

  

  0

  Sign in to vote

  Hi,
  
  Thanks for your reply. This problem is really driving me nuts.
  
  I have replaced the self-signed certificates with cerificates issued by my Enterprise Subordinate CA. I have also verified that the certificates on the OCS servers and the Exchange UM servers all have valid Certificte chains back to my enterprise CA via my Subordinate CA.
  
  Bill

  Sunday, October 11, 2009 4:32 PM
• 

  

  0

  Sign in to vote

  I have seen this before.
  
  By default, when we use the Certificate Wizard to create Certificate requst (Front End Server), it will insert SIP.domain as SAN. When I had the same issue, it was resolved by re-issuing the FE certificate w/o SAN.
  
  Will you please try this and let us know?
  
  
  Drago

  Sunday, October 11, 2009 5:27 PM
• 

  

  0

  Sign in to vote

  Hi,
  
  I pulled the sip domain out but now I can log into Office Communicator.
  
  Bill

  Monday, October 12, 2009 12:49 AM
• 

  

  0

  Sign in to vote

  You can or cannot login to Communicator? If you cannot, what is the error message?
  
  Let me make clear - you re-issued the certificate by:
  1. Generating new offline request
  2. You checked "Include Client EKU in the certificate request"
  3. In the box "Subject Name" you have FQDN of your front end server
  4. The box "Subject Alternative Name" is empty
  5. After the new certificate was issued, you assigned it using the Certificate wizard (Process an offline certificate request and import the certificate)
  6. You assigned the certificate to the HTTP server on the front end server
  7. The Front End was restarted
  8. The Office Communications Server log (Event viewer) is clean of errors
  
  I am sorry for the questions - it is easy to overlook something when frustrated :-)

  Monday, October 12, 2009 3:08 AM
• 

  

  0

  Sign in to vote

  Hi Again,
  
  I followed the procdeure as outlined. With out the sip.mydomain.com in the SAN attribute Office Communicator Responds with the following error message when attempting to sign on.
  
  Office Communicator will not sign on and gives the following error message: There was a problem verifying the certificate from the server. Please contact your system administrator. That's Me :-).
  
  The sign in problem on OCS was due to the fact that my SRV records were pointing to the sip.mydomain.com name which is no longer on my SAN certificate. I updated the records to point to my front-end name instead ocs.mydomain.com.
  
  Now I have a single name on the cerificate ocserver.mydomain.com. I have assigned it to both the ocserver (using the certificate wizard) and to my IIS server using the IIS7 Mangement Console (set https binding to use the new certificate)
  
  Try to connect to my Voice Mail on Exchange I get a fast busy. On the exchagne UM I get the followin Event fro Unified Messanging.
  
  Log Name:      Application
  Source:        MSExchange Unified Messaging
  Date:          10/12/2009 11:52:24 PM
  Event ID:      1113
  Task Category: UMService
  Level:         Warning
  Keywords:      Classic
  User:          N/A
  Computer:      EXCHANGE.mydomain.com
  Description:
  The Unified Messaging server failed to exchange the required certificates with an IP gateway to enable Transport Layer Security (TLS) for an incoming call. Check that this is a configured TLS peer and that the correct certificates are being used. More information: A TLS failure occurred because the remote end disconnected while TLS negotiation was in progress. The error Code was -2146233088 and the message was Unknown error (0x80131500). 
  
  I have also seen this warning in the exchange UM Log:
  
  Log Name:      Application
  Source:        MSExchange Unified Messaging
  Date:          10/12/2009 11:58:51 PM
  Event ID:      1088
  Task Category: UMService
  Level:         Warning
  Keywords:      Classic
  User:          N/A
  Computer:      EXCHANGE.mydomain.com
  Description:
  The IP gateway or IP-PBX "ocserver.mydomain.com" did not respond to a SIP OPTIONS request from the Unified Messaging server. The error code that was returned is "0" and the error text is ":This operation has timed out.".
  
  I also repeated the procedure doing an online request with same results. That is I used the certificate wizard that comes embedded in the OCS 2007 R2 Mangement Console.
  
  In each case a I restarted the OCS front-end server with no errors recorded.
  
  It all points to a cert issue but I am at a loss as to the exact nature of this. I have issued all the cerficates from my own CA. I have checked all the certs for the validity as well as their chaning back to my root CA.
  
  Thanks
  
  Bill

  Tuesday, October 13, 2009 4:01 AM
• 

  

  0

  Sign in to vote

  All this points to Certificate issue. Check this posts:
  
  http://social.technet.microsoft.com/forums/en-US/exchangesvrunifiedmessaging/thread/f842a5bf-e899-47dc-aa90-d28517affbb1/
  
  http://social.microsoft.com/Forums/en-US/ucintegrationwithexchange/thread/da52e8da-b7d6-464b-b018-15535b4b2d01
  
  Also, will you verufy toye UM Dial plan is set to secured? The server's time day and year match?
  
  
  Drago

  • Proposed as answer by Gavin-ZhangModerator Friday, October 23, 2009 8:15 AM

  Tuesday, October 13, 2009 11:36 AM
• 

  

  0

  Sign in to vote

  Hello,
  
  I have gone over this again and I am really at a loss.
  
  I have reissued both of my certificates without using any SAN names at all. The subject names of my cerificates match the full qualified domain names of my OCS and Exchange UM servers. I have checked my DNS to be sure that both forward and reverse lookups are correct.
  
  I have the UM dialplan set to secured. (not sip secured although I tried that as well) and I am still getting
  
  

  TL_ERROR(TF_CONNECTION) [0]0298.12F4::10/14/2009-04:22:57.810.00005912 (SIPStack,SIPAdminLog::TraceConnectionRecord:SIPAdminLog.cpp(157))$$begin_record

  LogType

  Severity

  Text

  Local-IP

  Peer-IP

  Peer-FQDN

  Connection-ID

  Transport

  Result-Code

  $$end_record

  : 0x80004005 E_FAIL: TLS: 0x600: EXCHANGE.mydomain.com: 10.16.30.51:5061: 10.16.30.70:51388: Outbound TLS negotiation failed: error: connection I know this is a cerificate error but I can't determine why its happening. Is there somthing more that I need to enable on my exchange server to allow certificate auth to work correctly? 

  Wednesday, October 14, 2009 4:53 AM
• 

  

  0

  Sign in to vote

  There is also a CRL (Certificate Revocation List) check duting the TLS negotiation. Check this: http://technet.microsoft.com/en-us/library/cc759324(WS.10).aspx and make sure the latest CRL exist on Exchange in particular.
  
  Drago

  • Proposed as answer by Gavin-ZhangModerator Friday, October 23, 2009 8:15 AM

  Wednesday, October 14, 2009 1:02 PM
• 

  

  0

  Sign in to vote

  Hi
  Any update for your issue?
  
  Regards!

  Friday, October 23, 2009 8:15 AM

  Moderator