External Address Book issues RRS feed

  • Question

  • I am having issues with external users and the "Cannot Syncronize address book" error. Internal users are working fine. I have verified the "Address Book Server Settings" for the external URL and it points to my WebFarmURL on the reverse proxy (https://ocsrp.domain.com/Abs/Ext/Handler). I have also verified this with wbemtest. I CAN download the file https://ocsrp.domain.com/Abs/Ext/files/F-0c7a.lsabs from IE. Currently I am using a certificate signed from the domain and testing with a laptop as a member of the domain and when going to the URL https://ocsrp.domain.com/Abs/Handler I show the LOCK and no errors.

    The only thing that seems suspicious is when I CTRL+right-click the communicator tray icon and look at the configuration Information I am showing the Internal Address Book URL in "GAL Status - https://ocs1.child.internaldomain.com/Abs/Int/Handler - Cannot Synchronize..."

    Please help as I have been struggling through this for many days now.

    Below are my enviroment details:
    Front End Server - OCS 207 R2 x64, Windows 2008 SP1
    Access Edge - OCS 2007 R2 x64, Windows 2008 SP1
    Reverse Proxy - Windows 2003 SP2 x32, ISA Server 2006 Version 5.0.5723.493

    Also, not sure if this is related (I think it is) or helpful, but when I try to connect to LiveMeeting I get "Live Meeting cannot connect to the meeting. Wait a few..."

    Please let me know if there is any additional info I may be able to give.

    Wednesday, September 30, 2009 9:12 PM

All replies

  • Please verify the settings and use LCSCMD
    Lcscmd /web /action:ListWMISettings /poolname:<poolName>

    - Belgian Unified Communications Community : http://www.pro-exchange.be -
    Thursday, October 1, 2009 9:50 AM
  • What do you have configured as your External Web Farm FQDN?  You can verify it be following the steps at the end of this article:

    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Thursday, October 1, 2009 12:03 PM
  • I have run the command, and the log chcks out:

    Class MSFT_SIPDataMCUCapabilitySetting - ExternalClientContentDownloadURL: https://ocsrp.domain.com/etc/place/null
    Class MSFT_SIPGroupExpansionSetting - ExternalDLExpansionWebURL: https://ocsrp.domain.com/GroupExpansion/Ext/service.asmx
    Class MSFT_SIPAddressBookSetting - ExternalURL: https://ocsrp.domain.com/Abs/Ext/Handler
    Class MSFT_SIPPSTNConferencingSetting - ExternalURL: http://ocsrp.domain.com/PhoneConferencing/Ext/
    Class MSFT_SIPClientUpdaterSetting - ExternalURL: https://ocsrp.domain.com/AutoUpdate/Ext/Handler/OCUpgrade.aspx
    Class MSFT_SIPUpdatesServerSetting - ExternalUpdatesStoreURL: https://ocsrp.domain.com/DeviceUpdateFiles_Ext
                                                              ExternalUpdatesDownloadURL: https://ocsrp.domain.com/RequestHandlerExt/ucdevice.upx

    All of the above points to my reverse proxy that is publicly know as ocsrp.domain.com

    Thursday, October 1, 2009 3:18 PM
  • I looked at what was reported in the GUI by going pool->properties->web component properties and under address book I do show the correct URL: https://ocsrp.domain.com/GroupExpansion/Ext/service.asmx

    I also have checks in the "Enable Address book query" and "Enable distribution groups expansion"
    Thursday, October 1, 2009 3:22 PM
  • BUMP (Sorry, I am desperate)

    Thursday, October 1, 2009 10:19 PM
  • This looks like an proxy misconfiguration issue, probably with the certificate on the Web Listener (if ISA) or on the FE server IIS cert.  Can you provide information on your cert, is it a SAN cert, was is the CN, SANs?  Are you using ISA?  What is the CN and SAN on the IIS virtual directory?

    I see that you have a parent domain and a child domain.  Is the OCS server a member of the parent or child?

    Mark King | C/D/H | MCTS:OCS | MCSE: Messaging | MCITP:Enterprise Administrator | CCNA
    Thursday, October 1, 2009 11:24 PM
  • Please correct me if my understanding is wrong. I see that you can download the abs file when you are using a domain joined machine, internally. You are also able to access the external URL and do not get an error. I wanted to know if you are using a non domain-joined machine when testing externally ? In that case the certificate wouldn't be validated and hence you will get this error. Can you please let me know what error you get when you open the external ABS URL in IE ? (You might have to disable "Show friendly error messages in IE).
    Friday, October 2, 2009 5:58 PM
  • Mark,
    I should have been more clear in my representation of my domain. Our root domain for activedirectory is corp.domain.com. Its not really a child of another domain. I should have shown sub.domain.com or root.domain.com

    When I view the certificate on the client I do not have a SAN. This was done on purpose as I read about issues regarding certs on ISA 2006 with SAN's. If this is incorrect please let me know.

    I can download the abs file EXTERALLY with a domain member machine. I have not tested with a non-domain member pc due to the fact the cert is domain signed and I would have to install the root cert and be in the same place as I am now.
    Monday, October 5, 2009 3:34 PM
  • Hi
    I have do some test to reproduce your issue, you can do below and try again.
    Per your above description.
    From the external, please use IE to access the https://ocsrp.domain.com/Abs/Ext/Handler (https://ocsrp.domain.com/GroupExpansion/Ext/service.asmx) that you have referred.
    Then you will need to install a certificate, please confirm you do it successfully.
    Then log out you OC and then log in again.
    May be it will be solved.
    The method is based on you have confiured the cert on your servers correctly.
    That is, the issue is caused by the CERT!
    If there still any issue please tell us!

    Friday, October 9, 2009 9:33 AM
  • Hi
    Any update for your issue?

    Friday, October 16, 2009 7:00 AM