locked
Tanjay CX700- External connection fails RRS feed

  • Question

  • I have searched and failed to find an answer as to why I can't get remote connection with a CX700 phone.

    I plugged it into the internal network first and it updated to version 3.5.6907.207 (1.23).

    When I connect it to an external network I get to the sign in screen and enter information:

    Sign-in Address: userx@company.com

    Domain\user:  compan\userx

    Password: userxpassword

    When signing in the coantacting time server appears and disappears, then Connecting to Offcie Communicator server does the same.  When Locating the server to downlood certificate appears and then disappears I get the sign in screen again with "cannot downlaod certificate because domain is not accessible. If the problem persists, contact your system administrator."

    The Last Update Status shows (0x2ee7/0).

    I am running FTMG for reverse proxy.

    I have gone into wbmtest and modified the WMI setting fr the MSFT_UpdatesServerSetting to be:

    ExternalUpdatesdownloadURL:  https://OCS Web Components.company.com/RequestHandlerExt/ucdevice.upx

    ExternalUpdatesStoreURL: https://OCS Web Components.company.com/DeviceUpdateFiles_Ext

    InterrnalUpdatesdownloadURL:  https://OCSpool.company.com/RequestHandlerExt/ucdevice.upx

    InternalUpdatesStoreURL: https://OCSPool.company.com/DeviceUpdateFiles_Ext

    The CX700 is sitting inside a NAT'd network when trying to connect.

    I have Internal and external DNS records for ucupdates-r2.company.com.  Same internal and external domain names.

    Certificate for external is from Digicert internal is self signed internal CA.  I put the Digicert in the intermediate store on the FTMG server as well.

    Any ideas where to trace this and figure out what is failing?  I am not sure exactly what the phone is searching for by name, etc.

    Thanks in advance.

    Thursday, October 28, 2010 6:20 PM

Answers

All replies

  • I see traffic on our firewall that is going to the webconf server not the webcomponents server.  Is that where the Tanjay is tryign to log into?
    Monday, November 1, 2010 2:11 PM
  • No one seems to know what address these are trying to connect to from outside a network.  Help???
    Wednesday, November 3, 2010 8:35 PM
  • If the tanjay gives the error message "cannot download certificate because domain is not accessible", then I would conclude that it fails to download the root certificate or certificate revocation list for the certificate of the service it tries to connect to. Please verify if the certificates on the edge servers include a CRL and if it's accessible from the outside network.

    If that's OK, you should verify if it really tries to connect to your edge server instead of the internal OCS, which off course is not available outside the network. Does it work for a regular Communicator client?

    By any means it has something to do with the certificates. The Updates URL's have nothing to do with your problem.


    Technical Specialist Microsoft OCS/UC - http://www.uwictpartner.be
    Monday, November 8, 2010 9:36 AM
  • Thank you for the reply.

    It is a Digicert certificate on the outside of the Edge server and it has their CRL URL listed on the certificate.

    Signing in on a Communicator client from the external netwrok does work.

    Is the phone trying to go to sip.domain.com or what?

    Monday, November 8, 2010 3:25 PM
  • That might be, if it doesn't find the required DNS records on the internet-facing DNS it falls back to a few default ones.

    Is the cert on the Edge a wildcard certificate?


    Technical Specialist Microsoft OCS & UC Voice Specialisation - http://www.uwictpartner.be
    Monday, November 8, 2010 5:20 PM
  • What Default DNS records is it looking at?  I am trying to trace the traffic but not sure which address and therefore IP address it is trying to reach.  If I could get an answer to this then I could do better  troubleshooting.

    Not a wildcard cert.  It is a Digicert UC cert with specific names and SANs.

    Monday, November 8, 2010 8:27 PM
    • Marked as answer by BiggJake Friday, February 4, 2011 4:02 PM
    Thursday, February 3, 2011 7:57 PM