One-way communication in Communicator Web Access (CWA) 2007 R2

  • Question

  • Hello...

    Just set up CWA 2007 R2 in my DMZ (yes...I know Microsoft prefers ISA for CWA...but our ISA project is still underway here).  Here is my problem:

    1.  I log on successfully to the CWA website
    2.  I send an IM to a co-worker who is using Communicator 2007 client
    3.  Co-worker receives my IM and replies back to me
    4.  I NEVER receive his IM

    I'm guessing this is a firewall issue.  I couldn't locate any errors in the application, system, or communicator logs on either server.  Also, I wasn't sure what to log using the OCS Logging tool.

    The R2 documentation ( http://technet.microsoft.com/en-us/library/dd425238%28office.13%29.aspx ) says open these ports for CWA: 

    80, 88, 389, 443, 3268, 5061.  I did...I have verified it with telnet.


    HOWEVER...the 2007 documentation (not 2007 R2) says to open those ports along with this range:  1025 through 65,535 ( http://technet.microsoft.com/en-us/library/bb663583.aspx ).


    So...does that range of ports no longer apply in R2?  I haven't opened them and don't want to open that huge hole unless necessary.

     

    Anyone ever seen this "one way" communication with CWA before? Possibly some other problem not firewall related?






    Thursday, September 3, 2009 2:18 PM


All replies

  • That port range is still valid for R2, but it's for media communications, not IM.  Technically your CWA server shouldn't be in the DMZ as it's installed on a domain-member server.  Verify that the CWA listening port is reachable by internal clients (and not just the FE server).
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Thursday, September 3, 2009 5:55 PM
    Moderator
  • OK...over the weekend I pulled it out of the DMZ and reconfigured it to be used inside my internal LAN.  Hopefully I can get ISA setup within a week or two for the external portion.

    HOWEVER.....

    I'm still having the same problem! This makes me think it's not the firewall / ports / ACLs at all.  I've verified that the local software firewall is off on all boxes...servers and clients.  I've verified that all ports are accessible going both directions from OCS FE / OCS CWA / Clients.  I don't get it.

    Is it possible that certificates could cause this one-way communication?  We discovered another problem last week in OCS because we were using SHA2 type certificates (do a Google search with that and OCS and you will see what I mean).   Well, I plan to get new certificates for ALL of the OCS boxes either today or tomorrow. 
    Monday, September 7, 2009 11:58 AM
  • You are correct in that SHA2 is not supported; this blog article covers that topic: http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=69.  I'd suggest looking in the event logs of the client, CWA, and Front-End servers to see if there are any communications-related errors.  Getting IM to work doesn't require a large range of ports and should be straightforward.


    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    • Marked as answer by Madkins1 Wednesday, September 9, 2009 5:03 PM
    Wednesday, September 9, 2009 4:47 PM
    Moderator
  • Thanks for the link.  I actually downloaded the official whitepaper on deploying certificates for OCS 2007 R2 earlier today and it explicitly states that SHA2 certs are NOT supported. 

    I'll be changing my certificates shortly.....here is the link to that whitepaper:


    http://go.microsoft.com/fwlink/?LinkId=163083


    Wednesday, September 9, 2009 5:02 PM
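
An added example, not part of the original thread: one way to find which certificates on an OCS server are signed with a SHA-2 algorithm before replacing them. It assumes the certificates in use live in the local computer's Personal (LocalMachine\My) store and is meant to be run on each server (Front-End, CWA) in turn.

```powershell
# Added example: inventory the signature algorithm of every certificate in
# LocalMachine\My and flag SHA-2 signatures.
# Assumption: the OCS/CWA certificates are in this store.

# Signature-algorithm OIDs that use a SHA-2 family hash. Matching on the OID
# works even where Windows has no friendly name for the algorithm.
# RSASSA-PSS (hash carried in parameters) is not classified here.
$sha2Oids = @{
    '1.2.840.113549.1.1.11' = 'sha256RSA'
    '1.2.840.113549.1.1.12' = 'sha384RSA'
    '1.2.840.113549.1.1.13' = 'sha512RSA'
    '1.2.840.10045.4.3.2'   = 'sha256ECDSA'
    '1.2.840.10045.4.3.3'   = 'sha384ECDSA'
    '1.2.840.10045.4.3.4'   = 'sha512ECDSA'
}

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)

try {
    $report = foreach ($cert in $store.Certificates) {
        $oid  = $cert.SignatureAlgorithm.Value
        $name = $cert.SignatureAlgorithm.FriendlyName
        if (-not $name) {
            # Fall back to the table above, then to the raw OID.
            if ($sha2Oids.ContainsKey($oid)) { $name = $sha2Oids[$oid] } else { $name = $oid }
        }

        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Algorithm  = $name
            IsSha2     = $sha2Oids.ContainsKey($oid)
        }
    }
}
finally {
    $store.Close()
}

# Full inventory first, then only the certificates that need reissuing.
$report | Select-Object Subject, Algorithm, IsSha2, NotAfter, Thumbprint | Format-Table -AutoSize
$report | Where-Object { $_.IsSha2 } | Select-Object Subject, Algorithm, Thumbprint | Format-List
```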