Cannot communicate with edge server

Question
-
OCS2007 Public beta is running (SE) on a single server. It is set up as a Director for automatic logins (unsure what "should never host users" really means in the setup docs).
Internally, this is working fine. I can set up Live Meetings and add AD users to the Communicator server, and OC2007 works like a charm. The server is a domain member, so it has the AD Certificate Services CA cert preinstalled. The cert wizard was used to generate a client certificate for the FQDN and apply it. As I said, everything works great. Validation fails with no Federation route; if I turn off Federation in global preferences, this error goes away.
Now we wanted to test external access, so we set up another server as an edge server. Installed IM/Federation and Web Conferencing on it. We're interested in external IM federation (MSN and Yahoo), external IM access and external party access to web conferences. Again, it is a member of the AD, so it already has the Root CA certificate. Assigned new certs for the three interfaces (detailed below) using the certificate wizard in OCS setup.
Re-ran the setup on the SE and told it to setup for external access. Set to route directly to the edge server (no Director).
Setup completes, and after a restart, validation fails. There is no firewall on either machine, and nothing in between machines.
DNS Resolution succeeded: 10.10.10.49
TLS connect succeeded: 10.10.10.49:5061
Routing trust check and MTLS connectivity: Received a failure SIP response
Routing trust check and MTLS connectivity: MTLS connection establishment succeeded but received a SIP failure response. This usually indicates lack of routing trust between the remote server and the current machine. Check the local and remote server certificates for any misconfiguration. In addition, check whether the local server is recognized as a trusted server by the remote server.
Here are the FQDNs and the IPs:
ocsserver.corp.domain.com - OCS SE, 10.10.10.253
ocsedge.corp.domain.com - edge server private interface, 10.10.10.49
ocs.domain.com - edge server public interface, 10.10.10.50 (external traffic is forwarded to this interface through a PIX)
webconf.domain.com - edge server public interface, 10.10.10.22 (external traffic on a separate public IP is forwarded to this interface via the PIX)
Any advice or help would be appreciated.
Wednesday, May 16, 2007 7:07 PM
Answers
-
It looks like you are using a Hotmail address to test Federation.
PIC works with MSN, but I am not sure about Hotmail.
Did you provision your federation with Hotmail? And did they apply the changes on their side?
The provisioning process is required because not only does your AP have to federate with the PIC providers, but their AP has to federate with you. Each of the PIC providers configures each of its federated partners individually (there are thousands).
Did you check
http://office.microsoft.com/en-us/communicationsserver/HA102030071033.aspx
and
Thursday, May 24, 2007 6:49 PM -
OK, neither of those links made a lot of sense to me (they seem to pertain to LCS 2005, which I do not have). So, I started over from scratch, and am ignoring public IM. I removed the edge from the AD and redid all the certificates, and this seemed to be my problem, at least most of it.
I've got two working servers now. Validation succeeds (sans the PIM test) on the SE server for Front End, A/V, Web Components and Web Conferencing. I get a warning that there is no local Federation route, but the global federation route test succeeds and is correct, so I'm not really concerned about this warning.
The tests on the edge server fail if I do not put the FQDN of the SE into the user login section (i.e. I leave it blank and it tries to log in to the local edge server). The error is:
Maximum hops: 2
Failed to register user: User sip:user1@domain.com @ Server HORNET
Failed to send SIP request: outgoing TLS negotiation failed; HRESULT=-2146893022
Suggested Resolution: Make sure that the server is listening on the specified IP address/Port/Transport. If you have a firewall make sure that this port is open. Make sure that the server is running. This can be ignored if you have not enabled the transport on the target server.
Failure
[0xC3FC200D] One or more errors were detected
Maximum hops: 2
Failed to register user: User sip:testuser@domain.com @ Server HORNET
Failed to send SIP request: outgoing TLS negotiation failed; HRESULT=-2146893022
Suggested Resolution: Make sure that the server is listening on the specified IP address/Port/Transport. If you have a firewall make sure that this port is open. Make sure that the server is running. This can be ignored if you have not enabled the transport on the target server.
Failure
[0xC3FC200D] One or more errors were detected
Check two-party IM: Skipped due to user registration failure
Failure
[0xC3FC200D] One or more errors were detected
If I manually enter the SE FQDN, everything succeeds.
My last problems are that I cannot connect remotely to meetings from outside the firewall, and I cannot get the SRV records for external clients (using BIND 8.4). Communicator seems to work fine through the NAT as long as I manually enter the connection information. The NAT/firewall port translations are as follows:
FQDN                 Public IP    Private IP    Ports
ocs.domain.com       x.x.x.200    10.10.10.50   5061, 443
webconf.domain.com   x.x.x.201    10.10.10.22   443
I have the SIP A record and the SRV records for _sipfederation._tcp.domain.com. and _sip._tls.domain.com.
The A record is pointing at x.x.x.200 and the SRV records point at the FQDN ocs.domain.com.
I have also put the external NIC on the edge server directly on the internet rather than behind a NAT/firewall. This doesn't make any difference. Communicator still works in this case.
In this case (there are no firewalls and no routers; the server is plugged directly into the internet connection):
FQDN                 Public IP
ocs.domain.com       10.168.1.106
webconf.domain.com   10.168.1.107
Internally, everything works great. No problems at all.
Wednesday, May 30, 2007 3:43 PM
All replies
-
Hi John,
The error definitely looks like a certificate issue. Is the edge server part of the domain? The edge server should not be part of the domain and should be in your DMZ. As such, make sure it has the root CA as trusted.
Can you run the validation wizard on the edge server and post the results?
Thursday, May 17, 2007 7:45 PM -
The edge server is not a member of the domain, but it is not in the DMZ (I don't have easy access to the DMZ, it is colocated). If that's the issue, I can drive the box out there, but that doesn't make a lot of sense to me...
Anyways, I rebuilt the edge server and ensured the CA certificate was installed as a trusted Root Certificate.
Validation on the edge differs depending on whether I point the user logins to the SE or leave the pool blank. If I manually enter the pool, I get the following failure:
*******************************************************************************************************************************************************
Maximum hops: 3
Check two-party IM: sip:user1@corp.domain.com is connected to remote user sip:testuser@corp.domain.com via route ocsserver.corp.domain.com
Check two-party IM: sip:testuser@corp.domain.com is connected to remote user sip:user1@corp.domain.com via route ocsserver.corp.domain.com
Attempting to establish SIP dialog: Processing failed as one or more steps did not complete successfully
Failure
[0xC3FC200D] One or more errors were detected
*******************************************************************************************************************************************************
If I run validation and leave the pool field blank, it gives the following error. Note: HORNET is the WINS/NetBIOS name of the edge server.
*******************************************************************************************************************************************************
Maximum hops: 2
Failed to register user: User sip:user1@corp.domain.com @ Server HORNET
Failed to send SIP request: outgoing TLS negotiation failed; HRESULT=-2146893022
Suggested Resolution: Make sure that the server is listening on the specified IP address/Port/Transport. If you have a firewall make sure that this port is open. Make sure that the server is running. This can be ignored if you have not enabled the transport on the target server.
Failure
[0xC3FC200D] One or more errors were detected
Maximum hops: 2
Failed to register user: User sip:testuser@corp.domain.com @ Server HORNET
Failed to send SIP request: outgoing TLS negotiation failed; HRESULT=-2146893022
Suggested Resolution: Make sure that the server is listening on the specified IP address/Port/Transport. If you have a firewall make sure that this port is open. Make sure that the server is running. This can be ignored if you have not enabled the transport on the target server.
Failure
[0xC3FC200D] One or more errors were detected
Check two-party IM: Skipped due to user registration failure
Failure
[0xC3FC200D] One or more errors were detected
*******************************************************************************************************************************************************
Friday, May 18, 2007 3:39 PM -
Well, some tinkering and changing FQDNs to match server names and redoing the certificates changed the errors considerably.
hornet.corp.domain.com is the edge server. The OCS SE server now points to that server as the default federation and edge server, and the only errors I get on the SE server validation at this point are:
(Testing two party IM when I choose to test connectivity)
Attempting to establish SIP dialog: Processing failed as one or more steps did not complete successfully
(When I choose to test external federation)
Received a failure SIP response: User sip:username@hotmail.com @ Server ocsserver.corp.imago.com
Received a failure SIP response: [
SIP/2.0 504 Server time-out
FROM: "Test User"<sip:testuser@corp.domain.com>;tag=5160afac1a7d844255ab;epid=epid01
TO: <sip:username@hotmail.com>;tag=F73573186820A882A31EA913F1CC5AD8
CSEQ: 15 INVITE
CALL-ID: 2ab4e273921b49d4aa24ada3449c16e4
VIA: SIP/2.0/TLS 172.16.63.27:2814;branch=z9hG4bK24f5ecaf;ms-received-port=2814;ms-received-cid=7400
CONTENT-LENGTH: 0
AUTHENTICATION-INFO: NTLM rspauth="01000000C0FC1C03D8C50F211E635704", srand="F87FD457", snum="12", opaque="95611158", qop="auth", targetname="ocsserver.corp.domain.com", realm="SIP Communications Service"
ms-diagnostics: 2;reason="Unknown Failure";source="ocsserver.corp.domain.com";AppUri="http://www.microsoft.com/LCS/OutboundRouting"
]
Wednesday, May 23, 2007 3:56 PM -
Those 2 links were for provisioning public IM, which for the most part is the same for 2005 and 2007.
Have you had any further progress?
Wednesday, June 27, 2007 6:30 PM -
Please let us know the status of your issue. If you have found a resolution, would you be able to share it with the forums? If not, please let us know of any changes to your environment or status. Thanks
Friday, July 6, 2007 9:01 PM
-
Hi - have stumbled across your thread. The only way I resolved this issue was to use the local FQDN for the remote server (ours too was in a co-lo). I re-created and assigned certificates based on the FQDN, not just a DNS A record as I had before. Then I made sure everything in the edge server was set up for that, and obviously changed the right settings all over the pool on the front end too. Restarting the edge server service is essential. Then it worked.
There is no trust between the DNS (the edge server is entirely separate, which is why all the support suggestions are confusing as they imply it should somehow be 'trusted' on an inter-domain level, surely the exact opposite of how an edge server should be) so I just used the HOSTS file to add it. Works like a charm now.
George
Saturday, August 9, 2008 4:42 PM
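As an added example (not code from the thread or from OCS itself), the two checks the failures in this thread boil down to: whether the certificate a peer presents on the MTLS port actually carries the FQDN the other side routes to (the HORNET versus hornet.corp.domain.com situation George's fix addresses), and whether the external SRV target chains to the published public IP and a name the public certificate carries. The sample certificates are constructed; fetch_peer_cert is the live variant and assumes you pass the path of the root CA PEM both servers trust.

```python
import socket
import ssl

def cert_names(peercert):
    """DNS names a certificate carries, from the dict form that
    ssl.SSLSocket.getpeercert() returns: SAN DNS entries plus the subject CN."""
    names = {v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"}
    for rdn in peercert.get("subject", ()):
        names.update(v for k, v in rdn if k == "commonName")
    return {n.lower().rstrip(".") for n in names}

def name_matches(pattern, fqdn):
    """Exact match, or a wildcard confined to the leftmost label (RFC 6125 style).
    A bare host name such as HORNET never matches hornet.corp.domain.com."""
    pattern, fqdn = pattern.lower().rstrip("."), fqdn.lower().rstrip(".")
    if pattern == fqdn:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]
        return fqdn.endswith(suffix) and "." not in fqdn[: -len(suffix)]
    return False

def cert_covers(peercert, fqdn):
    """True if the peer's certificate is valid for the name we route to."""
    return any(name_matches(n, fqdn) for n in cert_names(peercert))

def srv_chain_ok(srv_target, a_records, public_ip, public_cert):
    """External clients follow SRV -> A -> TLS, so the SRV target must have an
    A record for the published public IP and be a name the public cert carries."""
    target = srv_target.lower().rstrip(".")
    return a_records.get(target) == public_ip and cert_covers(public_cert, target)

def fetch_peer_cert(host, ca_file, port=5061):
    """Live variant: fetch the certificate a server presents on the MTLS port,
    verified against the root CA the OCS servers trust; the name check is ours."""
    ctx = ssl.create_default_context(cafile=ca_file)  # ca_file path is an assumption
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certificates (not from the thread): one issued only to the
# edge's short name, one to the FQDN the front end actually routes to.
EDGE_FQDN = "hornet.corp.domain.com"
CERT_SHORT = {"subject": ((("commonName", "HORNET"),),), "subjectAltName": ()}
CERT_FQDN = {"subject": ((("commonName", EDGE_FQDN),),),
             "subjectAltName": (("DNS", EDGE_FQDN),)}
```

Run the offline checks against the names in your own topology first; only then compare with what fetch_peer_cert returns from the real edge and SE on 5061.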