Cannot open sip.domain.com site with browser

  • Question

  • Hello,

    I am encountering strange behavior of my SfB 2015 Edge server. Usually (which is the actual situation for my other, Lync 2013 Edges), when I am on an external (non-company) network and I put in "sip.mydomain.com", I am redirected to a site which returns a 404 Not Found reply, but it shows me the public certificate used by that particular Edge server and its services.

    But in one particular case, it just shows me the "Site cannot be reached" response.

    Now, what I have checked:

    - server itself is up and running, and CsServices also
    - the public certificate is valid, correctly installed, trusted, and not expired
    - connection towards sip.mydomain.com is allowed over 443, which I verified with an online telnet site
    - since connections on port 80 are also allowed (on that "faulty" server), I am able to see the IIS default website if I use the public IP instead of the DNS name and use the http protocol (so the service on the edge is not down)

    I have tried to run a Fiddler trace, and it showed me following result for the "faulty" server:

    fiddler.network.https> HTTPS handshake to sip.mydomain.com (for #44) failed. System.IO.IOException Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. < An existing connection was forcibly closed by the remote host

    while for an ok server it just returns this:

    Encrypted HTTPS traffic flows through this CONNECT tunnel. HTTPS Decryption is enabled in Fiddler, so decrypted sessions running in this tunnel will be shown in the Web Sessions list.

    Secure Protocol: Tls12
    Cipher: Aes256 256bits
    Hash Algorithm: Sha384 384bits
    Key Exchange: ECDHE_RSA (0xae06) 384bits

    == Server Certificate ==========
    [Subject]
      CN=sip........ etc etc

    So it seems that some secure protocols are somehow faulty. But which, and how? I have the SSL versions set to Disabled in the registry, and TLS to Enabled.

    Also, when I try to perform a Qualys SSL Labs server check, I get a reply that "No secure protocols supported" (I know it's called an SSL checker, but every time I check something there it also checks the TLS protocols).

    What should I check further? I have run out of ideas.

    Thanks for any hints,

    Tomas

    Thursday, April 16, 2020 3:16 PM

All replies

  • Hi Tomas

    Thanks for providing your ideas about this issue!

    Does this issue persist all the time?

    Do you have a single public IP address?

    Can you sign in to the Skype for Business client externally as normal when this issue occurs?

    It is recommended that you check the following records, which are required:

    DNS Type   Value                                   Resolution
    SRV        _sipfederationtls._tcp.<sip-domain>     Access Edge FQDN: access.<sip-domain>
    SRV        _sip._tls.<sip-domain>                  Access Edge FQDN: access.<sip-domain>
    SRV        _xmpp-server._tcp.<sip-domain>          Access Edge FQDN: access.<sip-domain>
    A          sip.<sip-domain>                        Access Edge FQDN: access.<sip-domain>
    A          Access Edge FQDN: access.<sip-domain>   Access Edge IP address
    A          A/V Edge FQDN: av.<sip-domain>          A/V Edge IP address
    A          Conf Edge FQDN: conf.<sip-domain>       Conf Edge IP address
    A/CNAME    lyncdiscover.<sip-domain>               reverse proxy public IP address
    A          meet URL                                reverse proxy public IP address
    A          dial-in URL                             reverse proxy public IP address
    A          external Web Services FQDN              reverse proxy public IP address

    Then please try to check if the certificate for Edge Server meets the following requirements.

    If you have only a single public IP address, make sure the port assignment is unique across the three Edges (this should be the default when you select the above option), e.g.

    ACCESS - sip.domain.com - Port: 5061

    CONFERENCING - sip.domain.com - Port: 444

    AV - sip.domain.com - Port: 443

    Besides, you can try to check whether there are any error event logs in Event Viewer on the Edge Server.

    Best Regards,
    Jimmy Yang

    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.
    Friday, April 17, 2020 8:55 AM
  • Hello,

    and thank you for your response. I have checked the DNS records, and they are all in place (except for that xmpp one, but that should not be mandatory), and according to public DNS checkers (like MXToolbox), they are all pointed to the correct IPs.

    Yes, I have a single IP for the Edge server access/av/conferencing services - check the following screenshot:

    But, according to what you said, since I am using different ports for each service, it should be okay (?)

    Anyway, I am still bugged about the results that Fiddler showed - it seems that for some reason the security cipher suites or protocols are not correctly set up... but I don't understand what exactly to do to make this right.

    Any hints are appreciated, thank you

    Monday, April 20, 2020 9:34 AM
  • Hi TomasCrha!

    Thanks for your feedback!

    Yes, I have checked the screenshot you provided and it seems there is no issue with it.

    What is your TLS version? 1.1 or 1.2?

    I searched the error message from Fiddler and found that some users solved it by using TLS 1.2.

    If your TLS version is 1.0 or 1.1, you can try to disable TLS 1.0/1.1 on your Skype for Business Server and enable TLS 1.2 to see if it can be fixed. For more details about how to disable TLS 1.0/1.1, you can learn from the following link:

    https://docs.microsoft.com/en-us/skypeforbusiness/manage/topology/disable-tls-1.0-1.1

    Also please check the port requirements and protocols on your Edge server as in the following picture:

    Best Regards,
    Jimmy Yang

    Thursday, April 23, 2020 8:02 AM
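Tomas's registry question above and Jimmy's TLS 1.2 suggestion come down to the same two checks: what SCHANNEL is configured to offer on the Edge, and what the Edge actually negotiates from outside. The PowerShell script below is an added example (not code from this thread or from Microsoft) that lists the SCHANNEL protocol keys and then attempts one handshake per TLS version against a host; `sip.mydomain.com` and port 443 are placeholders, and the registry part is meant to be run on the Edge server itself.

```powershell
# Added example, not code from the thread: inventory SCHANNEL protocol settings and probe
# which TLS versions a host will negotiate on its HTTPS port. Target name is a placeholder.
param(
    [string]$TargetHost = 'sip.mydomain.com',   # placeholder: your Access Edge FQDN
    [int]$Port = 443
)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

# 1) Local SCHANNEL configuration (run this part on the Edge server itself).
#    A missing key means the OS default applies; Enabled=0 or DisabledByDefault=1 turns a version off.
foreach ($p in $protocols) {
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $base "$p\$side"
        if (Test-Path $key) {
            $v = Get-ItemProperty -Path $key
            $enabled = if ($null -eq $v.Enabled) { 'default' } else { $v.Enabled }
            $dbd = if ($null -eq $v.DisabledByDefault) { 'default' } else { $v.DisabledByDefault }
            '{0,-8} {1,-6} Enabled={2} DisabledByDefault={3}' -f $p, $side, $enabled, $dbd
        } else {
            '{0,-8} {1,-6} key absent (OS default)' -f $p, $side
        }
    }
}

# 2) Remote probe: one handshake per TLS version, the check Fiddler and Qualys performed in the thread.
#    A version the server has switched off fails inside AuthenticateAsClient instead of completing.
# Accept any certificate here: the point is protocol negotiation, not chain validation.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
foreach ($ver in [System.Security.Authentication.SslProtocols]::Tls,
                 [System.Security.Authentication.SslProtocols]::Tls11,
                 [System.Security.Authentication.SslProtocols]::Tls12) {
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($TargetHost, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($TargetHost, $null, $ver, $false)
        '{0,-6} OK   cipher={1} subject={2}' -f $ver, $ssl.CipherAlgorithm, $ssl.RemoteCertificate.Subject
    } catch {
        '{0,-6} FAIL {1}' -f $ver, $_.Exception.GetBaseException().Message
    } finally {
        $tcp.Close()
    }
}
```

If every version fails with the same "forcibly closed" error while port 80 still answers, compare the Server-side Enabled/DisabledByDefault values with a working Lync Edge rather than the Client-side ones.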
  • Hi,
    Is there any update on this case?
    Please feel free to drop us a note if there is any update.
    Have a nice day!

    Best Regards,
    Jimmy Yang


    Monday, May 11, 2020 2:55 AM