Error on Edge Server via testconnectivity.microsoft.com

  • Question

  • Hi All,

    For the last fortnight I have been trying to deploy a Skype for Business solution. I have found it easy to deploy the front end server; however, when I deployed the Edge Server all went fine up until I went to do a Skype for Business Server Remote Connectivity Test, where I am getting the following message under the "Testing the SSL certificate to make sure it's valid" heading:

    "The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation."

    I have got screenshots of my Cyberoam UTM's virtual hosts as well as the external DNS settings at the following link, all labelled:

    http://brcomputing.com.au/softwaredetails.aspx?sd=S4BErrorMessage

    Question: How do I resolve this issue? It is starting to make me go mad (or madder than I was).


    Cheers,

    Ben

    Wednesday, April 13, 2016 7:59 AM


All replies

  • Hi Ben,

    I've looked at your screenshots; some points and a question (or skip to point 3 for the answer):

    1.) Your ports table looks fine assuming you are using a single public IP for all three of your Edge services, which I'm also assuming is sip.brcomputing.org.

    Is 10.18.4.215 your front end server? If so, it would appear that the external interface of your edge, 10.18.4.217, is on the same subnet as the front end. Your external edge interface should be on a different subnet from your edge internal interface and front end server. I might be wrong if you've subnetted the hell out of it, but it looks like your edge external interface is on the same subnet as your front end. The edge internal interface can be on the same subnet as the front end, but even this isn't deemed best practice.

    2.) You can remove lyncdiscoverinternal from your public DNS; it's not required. I'm assuming sipexternal is your external web services entry, otherwise I'd tell you to remove that too.

    3.) I suspect that external sign-in is actually working for you. The reason the Remote Connectivity Analyzer tool isn't is that you're using a single IP with custom ports for Edge services. Check the radio button for 'manually specify server settings', enter your SIP address as sip.brcomputing.org, and change the port to 5061. Your test will now succeed, as I can't see anything in your DNS etc. that would cause it to fail.

    If it still fails I think it will be a different error, possibly related to point 1, but please don't hesitate to come back :)

    Kind regards
    Ben


    Note: If you find a post informative, please mark it so using the arrow to the left. If it answers a question you've asked, please mark the thread as answered to aid others when they're looking for solutions to similar problems.


    Wednesday, April 13, 2016 5:33 PM
  • Hi Ben,

    I have taken your advice this morning and have set up the edge server on a separate subnet (for the external NIC). I have also added more images at the link below showing the IP config and a link to a copy of the topology.

    http://brcomputing.com.au/softwaredetails.aspx?sd=S4BErrorMessage

    I am still getting the following error message even when I specify sip.brcomputing.org port 5061 as the Lync Access Edge Server:

    The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
    Elapsed Time: 345 ms.

    I have also set up a user on the S4B Server so that anyone can test via the Microsoft website.

    Sign-In: s4b.test1@brcomputing.org

    Username: BRCOMPUTING\s4b.test1

    Password: ABcd1234

    Again thank you for your help

    Ben


    Ben Ringrose


    Thursday, April 14, 2016 12:38 AM
  • Thanks for the update.

    I've checked your topology file. I notice your external web services FQDN is s4b.brcomputing.org; this needs to be listed in public DNS and point to 59.100.165.26. However, this has nothing to do with the error you're receiving.

    Because you're just PATing your 59.100.165.26 requests straight through to your front end, you get a certificate error whenever you try to browse to any of them. This is because the front end has an internal certificate assigned to it. If you browse to https://meet.brcomputing.org in a web browser you'll see what I mean. Really you should be using a reverse proxy for this, but once again this has nothing to do with the certificate error you're getting.

    The actual Edge stuff looks OK, so could you please tell me what certificates you have assigned to the Edge server. You should have two, one for internal-facing services and one for external; these are configurable through the deployment wizard on the Edge server. I need to know the name of the certificate, any SANs on it, and whether it was issued by an internal CA or a public one. Based on the lack of a public certificate for your 59.100.165.26 requests, I suspect you're not using a public certificate for external Edge services either, or if you are then there's a problem with it.

    Kind regards
    Ben




    Thursday, April 14, 2016 6:35 AM
  • Hi Ben,

    The internal edge certificate is issued internally to BRC-SED-01.brcomputing.org with no SANs.

    The external edge certificate is issued by COMODO to brcomputing.org with the SANs brcomputing.org, inspntas.com.au, sip.brcomputing.org and sip.inspntas.com.au (Comodo Positive Multi-Domain SSL Certificate). Have I selected the incorrect certificate from https://cheapsslsecurity.com/? If so, can you please let me know which I need.

    I have also added an external DNS A record of s4b > 59.100.165.26, and port 443 is now pointing to a reverse proxy with an SSL certificate of *.brcomputing.org (Comodo PositiveSSL Wildcard Certificate). Now when I go to meet.brcomputing.org on my mobile I don't get a certificate error.

    Cheers,

    Ben

    Thursday, April 14, 2016 7:05 AM
  • Hi Ben

    I saw that you are using a wildcard certificate; did you add sip in the SAN of the certificate?

    Also, I couldn't see the static NATting configuration on the UTM. Notice it is one-to-one NAT; that means the outgoing traffic should also use the same public IP "59.100.165.25". I saw this problem a lot with customers: they always make NAT for inbound traffic only and let the edge server go outbound with the default dynamic NAT public IP.

    Thursday, April 14, 2016 7:33 AM
  • Thanks Ben.

    Based on the information you've provided I think the certificate error you are receiving may be due to the fact that the subject name of your public certificate is brcomputing.org.

    The subject name of the edge external certificate should be the access edge service FQDN; in your case sip.brcomputing.org. This should then also be listed as a SAN in addition to any other required entries, but sip.brcomputing.org should be the subject name (or common name if you prefer) on the cert.

    Kind regards
    Ben



    • Proposed as answer by Liinus Monday, April 18, 2016 1:32 PM
    Thursday, April 14, 2016 8:16 AM
  • Hi Ben

    I have reissued the certificate so that sip.brcomputing.org is the Common Name, with SANs of sip.brcomputing.org, brcomputing.org, inspntas.com.au and sip.inspntas.com.au.

    When I went to assign the certificate I got this error.

    Hi Hamed,

    I currently have the below NAT rule; when I go to whatsmyip.org it shows as 59.100.165.25.

    I am still getting the exact same error as at the start.

    I have updated the images at the first link.

    Ben

    Thursday, April 14, 2016 10:26 AM
  • Have you restarted the Edge server since making the changes and are all the Edge services running?

    I'm not even having a certificate present itself when I query sip.brcomputing.org, but I can telnet onto the box via the same address.

    Kind regards
    Ben



    Thursday, April 14, 2016 11:05 AM
  • Hi Ben,

    Unfortunately, after every small change I have made to either the edge or FE servers I have restarted the server and double-checked that the services are running after boot.

    I am going to try to do a fresh install of the edge server in the morning and hope that it works correctly.

    Do you have any suggestions for a dumb-dumb's guide on how to set up edge correctly?

    Cheers,

    Ben


    Ben Ringrose

    Thursday, April 14, 2016 12:11 PM
  • I have just completed a reinstall of the edge server. I decided to see if I could navigate to the internal website via https://10.18.4.216 (internal NIC) and https://192.168.0.2 (external NIC, after connecting to the correct subnet) and I am getting an error simply saying "This page can't be displayed". I have disabled the firewall on the server to eliminate possibilities.

    Cheers


    Ben Ringrose

    Friday, April 15, 2016 3:14 AM
  • I think you're slightly muddled regarding how the Edge server works: your internal and external web services are on the front end, not on the edge server, and when you access them from outside the corporate network you do so through your reverse proxy, not the edge server.

    Providing the edge certificate has been applied correctly and the associated services are all running, I can only think there's something on the UTM appliance causing a problem, as I don't even see your public certificate presented to me when I query it from a tool like the one below:

    https://www.digicert.com/help/

    I'd expect to be able to put sip.brcomputing.org in there and get details of your public certificate back, but it simply can't connect.

    Incidentally, I can no longer telnet onto that address on 5061 either, so you don't appear to have any routing at this time.

    Kind regards
    Ben



    Friday, April 15, 2016 7:58 AM
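As an added example (not code from this thread, from Microsoft or from the connectivity tools it mentions), a small Python probe that separates the outcomes the replies above walk through: whether anything answers on the Access Edge port at all (routing/NAT), whether the TLS handshake completes (the analyser's "SSL negotiation wasn't successful"), whether the chain is publicly trusted, and whether the certificate names the Access Edge FQDN as both CN and SAN, which is the rule Ben gave. The certificate dicts at the bottom are constructed from the thread's description, not real captures, and the FQDNs are the thread's.

```python
# Probe a SIP Access Edge endpoint and separate the failure modes discussed in this thread.
import socket
import ssl

def subject_cn(cert):
    """Subject commonName from an ssl.getpeercert()-style dict, lower-cased ('' if absent)."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value.lower()
    return ""

def san_dns_names(cert):
    """dNSName entries of the subjectAltName extension, lower-cased."""
    return {v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}

def check_edge_cert(cert, access_edge_fqdn):
    """Rule from the thread: the Access Edge FQDN must be the subject CN and also a SAN.
    Returns (cn_ok, san_ok)."""
    fqdn = access_edge_fqdn.lower()
    return subject_cn(cert) == fqdn, fqdn in san_dns_names(cert)

def probe(access_edge_fqdn, port=5061, timeout=5):
    """TLS-connect and classify: 'tcp-unreachable', 'tls-failed', 'untrusted-issuer'
    (e.g. an internal CA), 'name-mismatch' (CN/SAN lack the Access Edge FQDN) or 'ok'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # name check is done by check_edge_cert so it is reported apart
    try:
        with socket.create_connection((access_edge_fqdn, port), timeout=timeout) as tcp:
            with ctx.wrap_socket(tcp, server_hostname=access_edge_fqdn) as tls:
                cert = tls.getpeercert()  # parsed dict is only returned when the chain verified
    except ssl.SSLCertVerificationError:
        return "untrusted-issuer"
    except ssl.SSLError:
        return "tls-failed"
    except OSError:  # refused, timed out, unresolvable: nothing reaches the Edge
        return "tcp-unreachable"
    cn_ok, san_ok = check_edge_cert(cert, access_edge_fqdn)
    return "ok" if cn_ok and san_ok else "name-mismatch"

# Constructed certificate dicts modelled on the thread's description (not real captures).
EDGE_EXTERNAL_BEFORE = {  # CN brcomputing.org; Access Edge FQDN only in the SAN list
    "subject": ((("commonName", "brcomputing.org"),),),
    "subjectAltName": (("DNS", "brcomputing.org"), ("DNS", "inspntas.com.au"),
                       ("DNS", "sip.brcomputing.org"), ("DNS", "sip.inspntas.com.au")),
}
EDGE_EXTERNAL_AFTER = {  # reissued: Access Edge FQDN as CN and among the SANs
    "subject": ((("commonName", "sip.brcomputing.org"),),),
    "subjectAltName": EDGE_EXTERNAL_BEFORE["subjectAltName"],
}
EDGE_INTERNAL = {"subject": ((("commonName", "BRC-SED-01.brcomputing.org"),),)}  # no SANs
```

Running `probe("sip.brcomputing.org")` against a live Edge gives one of the five labels; the offline checks show why the first Comodo certificate failed Ben's rule while the reissued one passes.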
  • Dear Ben

    First, I tried the test today and it gave me "443 is not open", as below; maybe you closed the server or you need to check your UTM firewall.

    Also, did you enable external access from the control panel and allow this user external access from the external policy, as in the below two images?

    Sunday, April 17, 2016 5:41 AM
  • Hi Hamed,

    In the end I tried reinstalling S4B twice; both times I DID make sure that these were checked. In the end I installed Lync 2013 and all is working well.

    Ben


    Ben Ringrose

    • Proposed as answer by Eason Huang Monday, April 18, 2016 11:27 AM
    • Marked as answer by Eason Huang Sunday, April 24, 2016 6:13 AM
    Sunday, April 17, 2016 9:10 AM