On May 10th at ~3am, my SfB FE server stopped connecting to my edge server.

  • Question

  • My SfB FE server is running on Windows 2008R2.

    My SfB Edge is running on Windows 2012R2.

    On May 10th at around 3am, a few MS updates auto applied which resulted in my FE constantly reporting two events:

    Connection to the Web Conferencing Edge Server has succeeded

    Edge Server Machine FQDN: <machine>, Port:8057

    Then:

    No connectivity with any of Web Conferencing Edge Servers. External Skype for Business clients cannot use Web Conferencing modality.

    I slowly removed each update that was installed one by one. Upon removing KB4014514, errors disappeared.

    Curious if others see this? Trying to figure if my situation is unique or not.

    -mick


    • Edited by Mick_G Friday, May 12, 2017 1:14 AM
    Friday, May 12, 2017 1:14 AM

Answers

All replies

  • Hi Mick_G,

    Based on your description, it looks like this issue is caused by this security update.

    KB 4014514 was released on May 9th, 2017, so I haven’t seen this situation, but we will monitor whether others have a similar issue; if there is any update, I will share it with you.

    The following document is for your reference:
    https://support.microsoft.com/en-us/help/20170509/security-update-deployment-information-may-9-2017


    Regards,

    Alice Wang



    Friday, May 12, 2017 8:12 AM
  • To add a little more, the high level update that was installed was:

    May 2017, Security and Quality Rollup for the .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, and 4.6.2 updates for Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1: May 9, 2017 (KB4019112). 

    KB4014514 was thus installed as part of the above update.

    At this point I believe my problem is really with the edge server and its handling of the port 8057 connection. For some reason the edge server is trying to set an old security/encryption method when the FE connects and the FE was happy to do it prior to 4014514 which disables some of the older methods. Why my edge is doing this is what I'm trying to figure out.

     

    Friday, May 12, 2017 2:39 PM
  • Hi,

    I too have just patched my Skype servers and am now seeing this message repeating in the event logs.

    I too would love to know if anyone has a working solution.

    Thanks in advance. 


    Regards, Robert --------- You can view my blog at: http://scnuggets.blogspot.co.uk

    Monday, May 15, 2017 11:06 PM
  • Same issue but not the same KB. I removed all the KBs installed on 15/05, about 11, and the problem has been solved.
    Tuesday, May 16, 2017 12:18 PM
    • Proposed as answer by WVoos Wednesday, May 17, 2017 4:27 PM
    • Marked as answer by Mick_G Thursday, May 18, 2017 1:02 AM
    Wednesday, May 17, 2017 4:22 PM
  • I agree this is the issue. I had first thought that my older sha1 certs were the issue but after issuing a sha2 cert, I found that it was in fact a policy problem with the certificate issued to the edge server. The default computer certificate that is auto issued to the FE when it's being joined to the domain uses the "Computer" template which provides both client and server authentication and so the FE is always good. However, the Computer template requires the subject name (computer name) to be pulled from AD which obviously doesn't work in the case of the edge server. It appears that most folks (including myself) then resort to using the "webserver" template when requesting the internal edge cert but it does not support "client authentication".

    So to resolve, I duplicated the Computer template to "Computerv2", changed the subject name requirement to be pulled from the actual request, requested a new cert for my edge and presto - all good.

    -mick



    • Edited by Mick_G Thursday, May 18, 2017 1:03 AM
    Thursday, May 18, 2017 12:54 AM
  • Glad to hear that it helped.

    We did not have SHA-1 certificates, so we could rule that out (but as the newest IE-Update starts warning if there is a SHA-1 certificate, it's probably a very good idea to swap these out, too - could very well be a problem "next month")

    Regarding the Webserver-Template ... the Cert-Wizard proposes to use this template (it lets you specify another one, but will fall back to "Webserver" if you leave the field empty ...)


    Also note that I would replace all internal certificates (not only the edge one). We've only seen errors in the eventlog regarding this one connection, but as far as we know, Lync/S4B uses a lot of MTLS "under the hood" - better be safe than sorry ...
    • Edited by WVoos Thursday, May 18, 2017 8:34 AM more infos
    Thursday, May 18, 2017 8:32 AM
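
The certificate check discussed in the last replies, as an added example that is not part of the original thread and not Microsoft's own tooling: it lists every certificate in a machine store and flags those that lack the Client Authentication or Server Authentication usage that MTLS needs. The function name Get-MtlsEkuReport is hypothetical, and it assumes the internal Skype for Business certificates sit in Cert:\LocalMachine\My; run it on the edge server and on each internal server.

```powershell
# Added example (not from the thread): audit a machine certificate store for
# the enhanced key usages (EKUs) that mutual TLS between servers relies on.
# Written to run on PowerShell 2.0 (Windows Server 2008 R2) and later.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication

function Get-MtlsEkuReport {            # hypothetical helper name
    param(
        # Assumption: the internal certificates live in the machine "My" store
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if ($ekuExt) {
            # Collect the OID values listed in the EKU extension
            $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
            $hasServer = $oids -contains $ServerAuthOid
            $hasClient = $oids -contains $ClientAuthOid
        } else {
            # No EKU extension means the certificate is not limited to specific usages
            $hasServer = $true
            $hasClient = $true
        }
        New-Object PSObject -Property @{
            Subject            = $cert.Subject
            Thumbprint         = $cert.Thumbprint
            NotAfter           = $cert.NotAfter
            SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
            ServerAuth         = $hasServer
            ClientAuth         = $hasClient
            MtlsReady          = ($hasServer -and $hasClient)
        }
    }
}

# Certificates that cannot serve both sides of an MTLS connection sort first
Get-MtlsEkuReport |
    Sort-Object MtlsReady |
    Select-Object Subject, SignatureAlgorithm, ServerAuth, ClientAuth, MtlsReady, NotAfter, Thumbprint |
    Format-Table -AutoSize
```

A certificate issued from the "webserver" template shows ServerAuth True and ClientAuth False here, and the SignatureAlgorithm column also shows any remaining SHA-1 certificates.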