Edge Server : Can make a connection : 5061 being forcefully disconnected

  • Question

  • Perhaps I should have titled that "baldness setting in" . . .

    The clients (Live Meeting or the validation procedure) try to connect. But for some reason they get disconnected. Tidbits that might be useful:
    • Live Meeting produces an error after about 30 seconds.
    • If I try often enough I get an event on the OCS Edge server numbered 14501 that says invalid certs are being used. However, it does not list a cert; all the cert data is blank.
    • If I look at the log generated by watching SIP traffic I see the following error: "The connection from a remote user client is refused because remote user access is not enabled on this port". The error number is 0xc3e93d86 SIPPROXY_E_CONNECTION_REMOTE_CLIENT_NOT_THIS_PORT
    • I did double check, remote access is enabled.
    • When I run the validation it fails the NTLM validation with: Failed to register user: User sip:ocstestuser@---.com @ Server cs-access.---.com
      Failed to send SIP request: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond ###.###.###.###:5061
    • If I watch the Ethernet packets it looks like SIP is making it all the way to the end of the initial negotiation, then the server sends a reset dropping the connection.
    The server(s) setup looks like this:
    • The version is OCS 2007 R2
    • It is implemented on a Server 2008 VM
    • Edge Server has 4 interface cards. One for internal Lan and 3 in the DMZ. I am using NAT on all three interfaces, Access, Web and A/V. (Consolidated Edge deployment)  It is worth noting they are virtual cards as this is a VM.
    • There is a firewall that has all the ports needed open and its logs do not show any packets being dropped.
    • The necessary srv records have been created for the external domain and internal domain
    • The necessary certificates have been used, supporting SANs.
    • telnet has been used to validate connections to the ports
    • I have set up the firewall rules according to several documents. 5061 is reachable externally as well as all the other necessary ports.
    • Internal clients have no problems. All services are working just fine.
    • This server has formed a good connection ONCE! I have no idea why, I ran up and down the hall a few times then tried to close it and connect again and haven't been able to get it to work since. I didn't change anything except to turn on Windows firewall logging to see if it was blocking 5061.
    My usual test is to form an adhoc meeting and send the request to my home e-mail address. I then connect with a computer outside of our network using that account. It does ask for my name, but it never connects, except for one time.

    I hope someone can point me in a direction, I have been refining it for three months with no success. I am fairly certain I am missing something, but I seem to be having difficulty figuring out what.

    Thank you
    Michael
    Friday, August 28, 2009 9:36 PM

All replies

  • There are a couple of great posts here in the forums that may help you. I believe your problem has to do with the multiple nic cards and how windows 2008 hardens the TCP stack.

    Do you have gateways specified on every NIC? Are the external-facing NICs all on the same subnet? Which NIC has the gateway if you only have it on one NIC?
    Mitch Roberson |MCITP:Enterprise Server Admin, Messaging |MCTS:OCS with Voice Achievement |MCT
    Saturday, August 29, 2009 2:10 AM
  • All three external-facing NIC cards have the same gateway. The internal NIC is on its own subnet and gateway. I noticed something about Weak and Strong something or other. I have it bookmarked around here somewhere, I will dive a little deeper on it and see if anything comes of it. I had initially written it off since I did define the same gateway on all three NICs.
    Monday, August 31, 2009 6:30 PM
  • Michael,

    This is probably the thread you were thinking about, discussing Weak vs. Strong Host Models:
    http://social.microsoft.com/Forums/en-US/communicationsserveredgeservers/thread/787d7d06-34f2-431e-b3a3-801310174e3b

    If you have the same external default route set on each of the external Edge interfaces, then you should be okay in that sense.

    Are you using the default ports for all services?

    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Monday, August 31, 2009 6:45 PM
    Moderator
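    For anyone checking the host model and default routes on a multi-homed Server 2008 Edge, the following is an added netsh/PowerShell check; it is not from the thread or from any of the posters. The interface names are assumptions, so substitute the names that `netsh interface ipv4 show interfaces` reports on your box.

```powershell
# Added example, not from the thread. Interface names are assumptions; replace them with
# the names listed by: netsh interface ipv4 show interfaces
$Interfaces = 'Internal', 'DMZ-Access', 'DMZ-WebConf', 'DMZ-AV'

foreach ($Name in $Interfaces) {
    # Server 2008 defaults to the strong host model, so both lines normally read "disabled".
    "== $Name =="
    netsh interface ipv4 show interface "$Name" | Select-String 'Weak Host'
}

# Default routes (prefix 0.0.0.0/0): one line per NIC that has a gateway configured.
# The three DMZ NICs should share one gateway; the advice above is that the
# external-facing side should own the default route.
netsh interface ipv4 show route | Select-String '0\.0\.0\.0/0'

# Gateway and addresses per adapter, to cross-check against the route table.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, IPAddress, DefaultIPGateway

# Switching one DMZ interface to the weak host model (both directions), and reverting it:
#   netsh interface ipv4 set interface "DMZ-Access" weakhostsend=enabled  weakhostreceive=enabled
#   netsh interface ipv4 set interface "DMZ-Access" weakhostsend=disabled weakhostreceive=disabled
```

    Run it from an elevated prompt on the Edge itself; the route and host-model output is what to compare against the thread linked above.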
  • Yes, I tried to keep everything as default as possible given this was a first time for me. The firewall rules also followed the standard cookie-cutter approach in that I followed the information provided in "Designing Your Perimeter Network for Office Communications Server 2007". The one deviation is that I have my A/V server NAT'd since this is a 2007 R2 consolidated edge install.
    Monday, August 31, 2009 7:22 PM
  • For grins I went ahead and overrode the settings to the weak host model, but the connection still refused to connect.
    Port 5061 does get opened, goes through all the TLS negotiation stages, then gets reset when the server claims 'remote connection not this port'.
    Monday, August 31, 2009 7:30 PM
  • Michael

    Try changing your deployment to just a 2-NIC deployment. Associate all 3 IPs with the SAME NIC, then set up all your certs, and be sure the gateway is on the external-facing NIC.

    See if that helps any.
    Mitch Roberson |MCITP:Enterprise Server Admin, Messaging |MCTS:OCS with Voice Achievement |MCT
    Tuesday, September 1, 2009 3:28 AM
  • I gave it a try, the behavior did not change at all. The connection still refused to finish the TLS negotiation.
    To accomplish this I disabled the other two network interfaces and added their IP addresses to the advanced tab of the primary interface tab.

    Tuesday, September 8, 2009 3:30 PM
  • Based on everything you have put down I would look heavily at the certificates. So here is where I would start:

    On the Live Meeting client, I would open it up and then go to the user settings (upper left-hand corner, drop-down arrow, select Open User Accounts) and select Test Connection. If that gives an error please post the text of that error.

    If that works then I would look at the certificate on the web conf edge server. Also be sure that the URL you have set for web conf is not fat-fingered (I tend to do that often) and validate it matches the certificate subject name.

    Give that a try and let us know how it goes.

    Mitch Roberson |MCITP:Enterprise Server Admin, Messaging |MCTS:OCS with Voice Achievement |MCT
    Wednesday, September 9, 2009 2:22 AM
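    As an added example (not from the thread or from any of the posters), the PowerShell below does the certificate check suggested above from the command line: it opens a TLS session to the Access Edge FQDN on 5061, reports whether the handshake completes or is torn down, and prints the subject and SAN names of the certificate the server presented so they can be compared with the published name. The FQDN `cs-access.example.com` and the function name `Test-EdgeTls` are placeholders.

```powershell
# Added example, not from the thread. Replace the FQDN with the external Access Edge name that
# the clients resolve (the name on the SAN certificate and in the _sip._tls SRV record).
function Test-EdgeTls {
    param(
        [string]$Fqdn = 'cs-access.example.com',   # placeholder
        [int]$Port = 5061
    )

    $script:ServerCert   = $null
    $script:PolicyErrors = 'None'
    # Capture whatever the server presents and accept it, so a name mismatch or untrusted chain
    # is reported below instead of being hidden inside an exception.
    $Callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($Sender, $Cert, $Chain, $Errors)
        $script:ServerCert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Cert)
        $script:PolicyErrors = $Errors
        return $true
    }

    $Tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
    $Ssl = New-Object System.Net.Security.SslStream($Tcp.GetStream(), $false, $Callback)
    try {
        # Server-authenticated TLS only, as a remote Communicator/Live Meeting client does on 5061.
        $Ssl.AuthenticateAsClient($Fqdn)
        "Handshake OK: $($Ssl.SslProtocol), cipher $($Ssl.CipherAlgorithm)"
    } catch {
        # A reset during the handshake lands here. Since the TCP connect above already succeeded,
        # this distinguishes "port closed" from "port open but TLS refused".
        "Handshake FAILED: $($_.Exception.GetBaseException().Message)"
    } finally {
        $Ssl.Dispose()
        $Tcp.Close()
    }

    if ($script:ServerCert -eq $null) {
        "No certificate was presented before the connection closed."
        return
    }

    "Subject : $($script:ServerCert.Subject)"
    "Issuer  : $($script:ServerCert.Issuer)"
    "Expires : $($script:ServerCert.NotAfter)"
    "Policy  : $($script:PolicyErrors)"

    # Subject Alternative Name (OID 2.5.29.17); Windows formats it as "DNS Name=host, DNS Name=...".
    $Names  = @()
    $SanExt = $script:ServerCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($SanExt) {
        $Names += ($SanExt.Format($false) -split ', ') | ForEach-Object { ($_ -split '=', 2)[-1].Trim() }
        "SANs    : $($Names -join ', ')"
    }
    $Names += $script:ServerCert.GetNameInfo('SimpleName', $false)   # subject CN

    if ($Names -contains $Fqdn) {
        "Name check OK: $Fqdn is covered by the certificate."
    } else {
        "Name check FAILED: $Fqdn is not in the CN or the SAN list."
    }
}

Test-EdgeTls -Fqdn 'cs-access.example.com'
```

    Run it from a machine outside the network, the same place the Live Meeting test is done from, so the probe traverses the firewall and NAT exactly as a remote client would. Repeat it against the web conferencing edge name on its port to check that certificate the same way.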