TLS Connection Issues

  • Question

    When I attempt to make a call to an auto attendant I get this in the error log in OCS:

      5/3/2007 7:50:41 AM OCS Exchange Unified Messaging Routing 1040 44022
      An attempt to route to an Exchange UM server failed.
      The attempt failed with response code 504: exchange2007.domain.com.
      Failure occurrences: 2, since 5/3/2007 7:50:11 AM.
      Resolution:
      Check this server is correctly configured to point to the appropriate Exchange UM server. Also check whether the Exchange UM server is up and whether it in turn is also properly configured.

      5/3/2007 7:50:11 AM OCS Protocol Stack 1001 14428
      TLS outgoing connection failures.
      Over the past 0 minutes Office Communications Server has experienced TLS outgoing connection failures 1 time(s). The error code of the last failure is 0x80090325 (The certificate chain was issued by an authority that is not trusted.) while trying to connect to the host "exchange2007.domain.com".
      Cause: Wrong principal error could happen if the peer presents a certificate whose subject name does not match the peer name. Certificate root not trusted error could happen if the peer certificate was issued by remote CA that is not trusted by the local machine.
      Resolution:
      For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the computer.


    I have tried to turn off TLS everywhere I can, but it is still saying it. Any ideas?

    Thursday, May 3, 2007 12:01 PM

Answers

  • Zack,

    First off, you cannot turn off TLS with OCS 2007. Unlike LCS 2005, it is required for server-to-server communication. Also, using the Exchange self-signed certificate with OCS will not work because OCS does not trust the cert. You'll need to issue the Exchange UM server a cert from a certificate authority that all servers trust. You can then disable the self-signed cert that UM is using now.

    Thursday, May 17, 2007 4:24 PM

All replies

  • Did you check to make sure the Exchange dial plan is not secured?

    Run get-umdialplan | fl and take a look at the VoIPSecurity parameter. If it says SIPSecured, you will need to modify that as well.

    Thursday, May 3, 2007 7:55 PM
  • It says VoIPSecurity                      : Unsecured
    Thursday, May 3, 2007 8:54 PM
  • Do you still use the self-signed cert on the Exchange server?

    Or have you changed it to a CA cert?

    Sunday, May 6, 2007 2:17 PM
  • I am using the self-signed cert for webmail, if that is what you mean.
    Monday, May 7, 2007 2:14 AM
  • Hi Zack,

    Did you get a trusted certificate for your UM server as Chad suggested? Can you let us know the status of your issue?
    Thanks.

    Thursday, May 24, 2007 3:57 PM
  • I issued IIS a new cert from a cert server in my domain, but I am still getting the same errors. Is that where I should put the cert, or is there somewhere else that SIP will use?
    Thursday, May 24, 2007 9:03 PM
  • Zack Lester wrote:
    I issued IIS a new cert from a cert server in my domain, but I am still getting the same errors. Is that where I should put the cert, or is there somewhere else that SIP will use?

    I had the same problem some days ago.

    The solution is to issue a cert using the UM server FQDN as the subject name! You can't use a Subject Alternative Name because OCS will not recognize it!

    I used one cert for all my needs (OWA, UM, ActiveSync and Outlook Anywhere) using Subject Alternative Names, but even though the UM FQDN was in the list it was not recognized.

    Just issue a cert and use it only for UM and SMTP (otherwise errors will appear when UM tries to send messages to the Hub Transport server).

    UM will automatically use the most recent cert it finds in the ExchangeCertificate list.

    Bye

    Monday, June 25, 2007 10:51 AM
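A small check for the two failure modes discussed in this thread (an untrusted or self-signed issuer, and a subject name that does not match the UM server FQDN, where only the subject CN counts and SAN entries are ignored). This is an added example, not code from the thread, OCS or Exchange; the certificate dicts, the CA name and the function names are constructed assumptions, laid out the way Python's ssl.getpeercert() returns a certificate so a live peer cert can be fed in the same way.

```python
from typing import Dict, List, Tuple

def _cn(name: tuple) -> str:
    """Pull commonName out of a getpeercert()-style tuple-of-RDNs."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""

def _san_dns(cert: Dict) -> List[str]:
    """DNS entries of the subjectAltName extension (empty if none)."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def diagnose_um_cert(cert: Dict, peer_fqdn: str, trusted_cas: List[str]) -> Tuple[str, str]:
    """Return (status, reason) mirroring the OCS errors in the thread:
    'untrusted_chain' for error 0x80090325 (self-signed or unknown issuer),
    'wrong_principal' when the subject CN does not equal the peer FQDN.
    SAN entries are deliberately not accepted, matching the behaviour described."""
    cn = _cn(cert.get("subject", ()))
    issuer = _cn(cert.get("issuer", ()))
    fqdn = peer_fqdn.lower()
    if cn and issuer == cn:  # issuer equals subject: self-signed certificate
        return "untrusted_chain", f"self-signed certificate for {cn}; no trusted CA in the chain"
    if issuer not in trusted_cas:
        return "untrusted_chain", f"issuer '{issuer}' is not a CA this server trusts"
    if cn.lower() == fqdn:
        return "ok", f"subject CN matches {peer_fqdn}"
    if fqdn in (n.lower() for n in _san_dns(cert)):
        return "wrong_principal", f"{peer_fqdn} is only a SAN entry; subject CN is '{cn}'"
    return "wrong_principal", f"subject CN '{cn}' does not match {peer_fqdn}"

# Constructed sample certificates (not real ones) in getpeercert() layout.
TRUSTED = ["Domain Root CA"]  # assumed name of the internal CA
SELF_SIGNED = {"subject": ((("commonName", "exchange2007.domain.com"),),),
               "issuer": ((("commonName", "exchange2007.domain.com"),),)}
SAN_ONLY = {"subject": ((("commonName", "mail.domain.com"),),),
            "issuer": ((("commonName", "Domain Root CA"),),),
            "subjectAltName": (("DNS", "mail.domain.com"), ("DNS", "exchange2007.domain.com"))}
CN_MATCH = {"subject": ((("commonName", "exchange2007.domain.com"),),),
            "issuer": ((("commonName", "Domain Root CA"),),)}

if __name__ == "__main__":
    for label, cert in (("self-signed", SELF_SIGNED), ("SAN only", SAN_ONLY), ("CN match", CN_MATCH)):
        print(label, diagnose_um_cert(cert, "exchange2007.domain.com", TRUSTED))
```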