Cannot communicate with edge server

  • Question

  • OCS2007 Public beta is running (SE) on a single server.  It is set up as a Director for automatic logins (unsure what "should never host users" really means in the setup docs).

    Internally, this is working fine.  I can set up Live Meetings, and add AD users to the Communicator server, and OC2007 works like a charm.  Server is a domain member, so it has the AD Certificate Services CA cert preinstalled.  The cert wizard was used to generate a client certificate for the FQDN and applied it.  As I said, everything works great.  Validation fails with no Federation route; if I turn off Federation in global preferences, this error goes away.

     

    Now we wanted to test external access, so we set up another server as an edge server.  Installed IM/Federation and Web Conferencing on it.  We're interested in external IM federation (MSN and Yahoo), external IM access and external party access to web conferences.  Again, a member of the AD so it already has the Root CA certificate.  Assigned new certs for the three interfaces (detailed below) using the certificate wizard in OCS setup.

     

    Re-ran the setup on the SE and told it to set up for external access.  Set to route directly to the edge server (no Director).

    Setup completes, and after a restart, validation fails.  There is no firewall on either machine, and nothing in between machines. 

     

    DNS Resolution succeeded: 10.10.10.49
    TLS connect succeeded: 10.10.10.49:5061
    Routing trust check and MTLS connectivity: Received a failure SIP response
    Routing trust check and MTLS connectivity: MTLS connection establishment succeeded but received a SIP
    failure response. This usually indicates lack of routing trust between the remote
    server and the current machine. Check the local and remote server certificates for any
    misconfiguration. In addition, check whether the local server is recognized
    as a trusted server by the remote server.

     

    Here are the FQDNs and the IPs:

    ocsserver.corp.domain.com - ocs se, 10.10.10.253

    ocsedge.corp.domain.com - edge server private interface, 10.10.10.49

    ocs.domain.com - edge server public interface, 10.10.10.50 (external traffic is forwarded to this interface through a PIX)

    webconf.domain.com - edge server public interface, 10.10.10.22 (external traffic on a separate public IP is forwarded to this interface via the PIX).

     

    Any advice or help would be appreciated.

     

     

    Wednesday, May 16, 2007 7:07 PM


All replies

  • Hi John,

    The error definitely looks like a certificate issue. Is the edge server part of the domain? The edge server should not be part of the domain and should be in your DMZ. As such, make sure it has the root CA as trusted.
    Can you run the validation wizard on the edge server and post the results?

    Thursday, May 17, 2007 7:45 PM
  • The edge server is not a member of the domain, but it is not in the DMZ (I don't have easy access to the DMZ, it is colocated).  If that's the issue, I can drive the box out there, but that doesn't make a lot of sense to me...

    Anyways, I rebuilt the edge server and ensured the CA certificate was installed as a trusted Root Certificate.

     

    Validation on the edge differs depending on whether I point the user logins to the SE or leave the pool blank.  If I manually enter the pool, I get the following failure:

    *******************************************************************************************************************************************************

    Maximum hops: 3
    Check two-party IM: sip:user1@corp.domain.com is connected to remote user sip:testuser@corp.domain.com via route ocsserver.corp.domain.com
    Check two-party IM: sip:testuser@corp.domain.com is connected to remote user sip:user1@corp.domain.com via route ocsserver.corp.domain.com
    Attempting to establish SIP dialog: Processing failed as one or more steps did not complete successfully
    Failure
    [0xC3FC200D] One or more errors were detected

    *******************************************************************************************************************************************************

    If I run validation and leave the pool field blank, it gives the following error.  Note: HORNET is the WINS/NetBIOS name of the edge server.

    *******************************************************************************************************************************************************

    Maximum hops: 2
    Failed to register user: User sip:user1@corp.domain.com @ Server HORNET
    Failed to send SIP request: outgoing TLS negotiation failed; HRESULT=-2146893022
    Suggested Resolution: Make sure that the server is listening on the specified IP address/Port/Transport. If you have a firewall make sure that this port is open. Make sure that the server is running. This can be ignored if you have not enabled the transport on the target server.
    Failure
    [0xC3FC200D] One or more errors were detected

     

    Maximum hops: 2
    Failed to register user: User sip:testuser@corp.domain.com @ Server HORNET
    Failed to send SIP request: outgoing TLS negotiation failed; HRESULT=-2146893022
    Suggested Resolution: Make sure that the server is listening on the specified IP address/Port/Transport. If you have a firewall make sure that this port is open. Make sure that the server is running. This can be ignored if you have not enabled the transport on the target server.
    Failure
    [0xC3FC200D] One or more errors were detected

     

    Check two-party IM: Skipped due to user registration failure
    Failure
    [0xC3FC200D] One or more errors were detected

    *******************************************************************************************************************************************************
    Friday, May 18, 2007 3:39 PM
  • Well, some tinkering and changing FQDNs to match server names and redoing the certificates changed the errors considerably.

     

    hornet.corp.domain.com is the edge server.  The OCS SE server now points to that server as the default federation and edge server, and the only errors I get on the SE server validation at this point are:

    (Testing two party IM when I choose to test connectivity)

    Attempting to establish SIP dialog: Processing failed as one or more steps did not complete successfully

     

    (When I choose to test external federation)

    Received a failure SIP response: User sip:username@hotmail.com @ Server ocsserver.corp.imago.com
    Received a failure SIP response: [
    SIP/2.0 504 Server time-out
    FROM: "Test User"<sip:testuser@corp.domain.com>;tag=5160afac1a7d844255ab;epid=epid01
    TO: <sip:username@hotmail.com>;tag=F73573186820A882A31EA913F1CC5AD8
    CSEQ: 15 INVITE
    CALL-ID: 2ab4e273921b49d4aa24ada3449c16e4
    VIA: SIP/2.0/TLS 172.16.63.27:2814;branch=z9hG4bK24f5ecaf;ms-received-port=2814;ms-received-cid=7400
    CONTENT-LENGTH: 0
    AUTHENTICATION-INFO: NTLM rspauth="01000000C0FC1C03D8C50F211E635704", srand="F87FD457", snum="12", opaque="95611158", qop="auth", targetname="ocsserver.corp.domain.com", realm="SIP Communications Service"
    ms-diagnostics: 2;reason="Unknown Failure";source="ocsserver.corp.domain.com";AppUri="http://www.microsoft.com/LCS/OutboundRouting"

    ]

     

    Edge server validation logs show the same as the last entry.
    Wednesday, May 23, 2007 3:56 PM
  • It looks like you are using a Hotmail address to test Federation.

    PIC works with MSN, but I am not sure about Hotmail.

     

    Did you provision your federation with Hotmail? And did they apply the changes on their side?

    The provisioning process is required because not only does your AP have to federate with the PIC providers, but their AP has to federate with you. Each of the PIC providers configures each of its federated partners individually (there are thousands).

     

    Did you check

    http://office.microsoft.com/en-us/communicationsserver/HA102030071033.aspx 

    and

    http://www.microsoft.com/downloads/thankyou.aspx?familyId=b257340c-2420-40d3-9b1e-f46c718574cc&displayLang=en?

     

     

    Thursday, May 24, 2007 6:49 PM
  • OK, neither of those links made a lot of sense to me (they seem to pertain to LCS 2005, which I do not have).  So, I started over from scratch, and am ignoring public IM.  I removed the edge from the AD, and redid all the certificates, and this seemed to be my problem, at least most of it.

     

    I've got two working servers now.  Validation succeeds (sans the PIM test) on the SE server for Front End, A/V, Web Components and Web Conferencing.  I get a warning that there is no local Federation route, but the global federation route test succeeds and is correct, so I'm not really concerned about this warning.

     

    The tests on the edge server fail if I do not put the FQDN of the SE into the user login section (i.e., I leave it blank and it tries to log in to the local edge server).  The error is:

     

    Maximum hops: 2
    Failed to register user: User sip:user1@domain.com @ Server HORNET
    Failed to send SIP request: outgoing TLS negotiation failed; HRESULT=-2146893022
    Suggested Resolution: Make sure that the server is listening on the specified IP address/Port/Transport. If you have a firewall make sure that this port is open. Make sure that the server is running. This can be ignored if you have not enabled the transport on the target server.
      Failure
    [0xC3FC200D] One or more errors were detected

     

    Maximum hops: 2
    Failed to register user: User sip:testuser@domain.com @ Server HORNET
    Failed to send SIP request: outgoing TLS negotiation failed; HRESULT=-2146893022
    Suggested Resolution: Make sure that the server is listening on the specified IP address/Port/Transport. If you have a firewall make sure that this port is open. Make sure that the server is running. This can be ignored if you have not enabled the transport on the target server.
      Failure
    [0xC3FC200D] One or more errors were detected

     

     Check two-party IM: Skipped due to user registration failure
      Failure
    [0xC3FC200D] One or more errors were detected

     

     

    If I manually enter the SE FQDN, everything succeeds.

     

    My last problems are that I cannot connect remotely to meetings from outside the firewall, and I cannot get the SRV records for external clients (using BIND 8.4).  Communicator seems to work fine through the NAT as long as I manually enter the connection information.  The NAT/firewall port translations are as follows:

    FQDN                 Public IP    Private IP     Ports
    ocs.domain.com       x.x.x.200    10.10.10.50    5061, 443
    webconf.domain.com   x.x.x.201    10.10.10.22    443

     

    I have the SIP A record and the SRV records for _sipfederation._tcp.domain.com. and _sip._tls.domain.com.

    The A record is pointing at x.x.x.200 and the SRV records point at the FQDN ocs.domain.com.

     

    I have also put the external NIC on the edge server directly on the internet rather than behind a NAT/firewall.  This doesn't make any difference.  Communicator still works in this case.

    In this case (there are no firewalls and no routers; the server is plugged directly into the internet connection):

    FQDN                 Public IP
    ocs.domain.com       10.168.1.106
    webconf.domain.com   10.168.1.107

     

    Internally, everything works great.  No problems at all.

    Wednesday, May 30, 2007 3:43 PM
  • Those 2 links were for provisioning public IM, which for the most part is the same for 2005 and 2007.

    Have you had any further progress?

    Wednesday, June 27, 2007 6:30 PM
  • Please let us know the status of your issue.  If you have found a resolution, would you be able to share it with the forums?  If not, please let us know of any changes to your environment or status.  Thanks.
    Friday, July 6, 2007 9:01 PM
  • Hi - have stumbled across your thread. The only way I resolved this issue was to use the local FQDN for the remote server (ours too was in a co-lo). I re-created and assigned certificates based on the FQDN, not just a DNS A record as I had before. Then I made sure everything in the edge server was set up for that, obviously changed the right settings all over the pool on the front end too. Restarting the edge server service is essential. Then it worked.

     

    There is no trust between the DNS (the edge server is entirely separate, which is why all the support suggestions are confusing as they imply it should somehow be 'trusted' on an inter-domain level, surely the exact opposite of how an edge server should be) so I just used the HOSTS file to add it. Works like a charm now.

     

    George

    Saturday, August 9, 2008 4:42 PM
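The routing-trust failure in the original validation output and the fix George describes come down to one check: the FQDN the front end is configured to route to must appear in the certificate the edge's internal interface presents, and the front end must trust the CA that issued it. The script below is an added example, not code from the thread or from OCS; it reproduces that check the way a defender would script it, against a constructed getpeercert()-style dict offline and, optionally, against a live 5061 listener. Assumed names: ca.cer is the CA certificate exported from the domain's AD CS; ocsedge/hornet.corp.domain.com are the thread's own example hosts.

```python
"""Routing-trust check for an OCS edge internal interface (added example).
Assumes ca.cer holds the internal CA certificate; host names are the
thread's constructed examples, not real infrastructure."""
import socket
import ssl


def names_from_cert(cert):
    """Collect the CN and dNSName SANs from an ssl.getpeercert() dict."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def name_matches(fqdn, cert_name):
    """Exact match, or a single-label wildcard such as *.corp.domain.com."""
    fqdn, cert_name = fqdn.lower().rstrip("."), cert_name.lower().rstrip(".")
    if cert_name.startswith("*."):
        return "." in fqdn and fqdn.split(".", 1)[1] == cert_name[2:]
    return fqdn == cert_name


def routing_trust_problems(configured_fqdn, cert):
    """Return findings; an empty list means the edge cert satisfies the name
    the SE routes to. Mirrors the thread: the SE routed to ocsedge.corp...
    while the edge cert was issued for the machine's real name, hornet.corp..."""
    findings = []
    names = names_from_cert(cert)
    if not any(name_matches(configured_fqdn, n) for n in names):
        findings.append("configured edge FQDN %s not in certificate names %s"
                        % (configured_fqdn, sorted(names)))
    if not cert.get("subjectAltName"):
        findings.append("certificate has no SAN; CN-only certs are fragile")
    return findings


def probe_edge(configured_fqdn, cafile, port=5061, timeout=5):
    """Live check: TLS handshake to the edge internal interface with the
    internal CA as the only trust anchor, then the name check above.
    Only the server side of the MTLS pair is verified here."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # mismatch is reported by routing_trust_problems
    with socket.create_connection((configured_fqdn, port), timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=configured_fqdn) as tls:
            return routing_trust_problems(configured_fqdn, tls.getpeercert())


if __name__ == "__main__":
    # Constructed sample of a mismatched edge certificate (thread's scenario).
    sample = {"subject": ((("commonName", "hornet.corp.domain.com"),),),
              "subjectAltName": (("DNS", "hornet.corp.domain.com"),)}
    print(routing_trust_problems("ocsedge.corp.domain.com", sample))
```

A handshake that completes but still yields a finding is the "MTLS connection establishment succeeded but received a SIP failure response" case from the thread; a handshake that fails outright points at the CA trust or the listener instead.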