OCS 2007 R2 Edge issues: Can't telnet from external computers to port 443 and 5061

  • Hi,

    I am running an OCS 2007 R2 test environment at home, on my VMware ESX machine. Being a Microsoft and Cisco student, I figured learning some more OCS wouldn't hurt. Running the OCS environment works fine, Exchange 2010 integration works fine as well. Even Cisco CallManager integration works. Only thing I just can't get my head around is the Edge server.

    Being just a student, I live at home. Because of this, I don't have pretty things like multiple IP addresses or even a fixed IP. I have my own domain name though, a .net domain. To solve the issue of my dynamic external IP, I'm using DynDNS, which is automatically updated by my router. I've made a CNAME on my .net domain to the DynDNS domain, so I can just resolve uc.mydomain.net to my external IP address. No problems here.

    My Edge server has two NICs, which are both in the same subnet: 192.168.2.215 and 192.168.2.216. I know this is against the guidelines, but I figured I don't need any security for my test environment anyway. Plus I don't really have the luxury of running a great firewall environment. The .215 IP address is used as the internal address, the .216 as the external one.

    First of all, my Edge server settings. This list comes from the overview at the end of the OCS "Configure Edge Server" configuration.

    Access Edge Server: Activated
    Web Conferencing Edge Server: Activated
    A/V Edge Server: Activated
    Internal interface IP address: 192.168.2.215
    Internal interface FQDN: edge.van-strijp.local
    Internal interface port for Access Edge Server: 5061
    Internal interface port for Web Conferencing Edge Server: 8057
    Internal interface port for A/V Conferencing Server: 443
    External interface IP address for Access Edge Server: 192.168.2.216
    External interface FQDN for Access Edge Server: uc.domain.net
    External interface federation port for Access Edge Server: 5061
    External interface remote access port for Access Edge Server: 443
    External interface IP address for Web Conferencing Edge Server: 192.168.2.216
    External interface FQDN for Web Conferencing Edge Server: uc.domain.net
    External interface port for Web Conferencing Edge Server: 442
    External interface IP address for A/V Edge Server: 192.168.2.216
    External interface FQDN for A/V Edge Server: uc.domain.net
    External interface port for A/V Edge Server: 444
    Access Edge Server remote employee access: Enabled
    Access Edge Server allows anonymous users: True
    Access Edge Server allows remote users: False
    Access Edge Server federation: Enabled
    Access Edge Server automatic federation: Enabled
    Access Edge Server federation with public IM provider: Disabled
    Access Edge Server internal next hop: ocs.van-strijp.local
    Access Edge Server internal SIP domains:
            van-strijp.local
    Internal Enterprise pools or Standard Edition Servers:
            ocs.van-strijp.local
    The thing I don't really understand here is Access Edge Server allows remote users: False. I have checked all available boxes during the configuration, one of which is 'enable remote user access'.

    Anyway, as I only have 1 external IP address, I figured it wouldn't be of any use having multiple internal IP addresses either. This is why I changed the default ports for Web Conferencing and A/V Edge.

    I also have made a forward in my D-Link router:

    Server Name   External Port Start   External Port End   Protocol   Internal Port Start   Internal Port End   Server IP Address
    OCS Edge      5061                  5061                TCP        5061                  5061                192.168.2.216
    OCS Edge      3478                  3478                UDP        3478                  3478                192.168.2.216
    OCS Edge      442                   444                 TCP        442                   444                 192.168.2.216

    I think this all looks fine, but please correct me if I'm wrong.

    Now the part that I don't understand: If I do a netstat /a on the Edge server, I see that the server is listening on the right IPs/ports. I can also telnet to all ports from any computer internally, using the internal IP address of the Edge server (192.168.2.216). However, if I use telnet from an external computer (a computer at my parents' house that I remote control through LogMeIn), I get a timeout on all ports. Office Communicator R2 says "The service is temporarily unavailable" and the event log shows the server didn't respond on port 5061. The ports aren't blocked by my provider; if I change the settings in the router to route port 443 to 192.168.2.210 (the Exchange server), I can just access OWA externally without any issues.

    I have made rules on the Edge server to enable all traffic for ports 442-444, 5061. After this I tried making a rule to allow any traffic, and after that I even completely disabled the firewall. All with no result: I cannot reach the Edge server from my external machine.

    So, because all network settings seem to be right, is there something I'm missing? Is it possible that the Edge server blocks all traffic when there is a configuration mismatch somewhere? I see my FrontEnd is having a lot of this error: "TLS outgoing connection failures. Over the past 15 minutes Office Communications Server has experienced TLS outgoing connection failures 9 time(s). The error code of the last failure is 0x80090322 (The target principal name is incorrect.) while trying to connect to the host "edge.van-strijp.local"."
    I am looking into fixing this, but first I wanted to be able to at least get some sort of connection to my Edge server. Don't fix error 2 while error 1 is still open ;-) Edit: While I was typing this, I ran through the setup again, and I noticed I had accidentally assigned the uc.domain.net cert to the Edge Server interface (.215). I assigned the edge.van-strijp.local cert to the Edge Server interface, and now the errors on the FrontEnd haven't shown up in half an hour.

    I have a StartCom free certificate for uc.domain.net. It's not a SAN cert, but at least uc.domain.net is covered. I'm using this cert for Access and Web Conferencing Edge. For Edge Server and AV Auth I'm using a cert signed by my internal CA, for edge.van-strijp.local.

    Does anyone understand why I can't access my Edge server through telnet? As I said, I can just access my Exchange server from the external computer, when I change the router's settings to route port 443 to the Exchange server instead of Edge server.

    Thanks,
    Ruud van Strijp



    Ruud van Strijp - Network Infrastructure Design in the Netherlands. MCSE: 70-270, 70-284, 70-290, 70-291, 70-294, 70-297. Cisco: CCNA, CCDA, CCNP, CCDP.
    Tuesday, April 13, 2010 4:23 AM
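The manual test above (telnet from an outside machine to each published port, and compare with port 443 forwarded to the Exchange server instead) can be scripted so that the three outcomes are told apart: a completed handshake, a refusal, or silence. This is an added example written for this page, not code from the thread or from the OCS product. The port-to-role map is constructed from the settings list in the post (uc.domain.net and the non-default ports 442/444 are the poster's values; substitute your own), and a probe is a plain TCP connect, not a SIP or TLS exchange:

```python
import socket
from typing import Dict

# TCP ports the Edge server in the post publishes on its single external
# address (uc.domain.net -> 192.168.2.216).  Web Conferencing and A/V were
# moved off their default ports to 442 and 444 because only one public IP is
# available.  Constructed from the post's settings list; adjust to taste.
EDGE_TCP_PORTS: Dict[int, str] = {
    443: "Access Edge, remote user access (SIP/TLS)",
    5061: "Access Edge, federation (SIP/MTLS)",
    442: "Web Conferencing Edge (non-default port)",
    444: "A/V Edge (non-default port)",
}


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt one TCP connect and classify the outcome.

    'open'    : handshake completed, something is listening there.
    'closed'  : RST came back, so the path there AND back works; only the
                listener or the NAT target port is wrong.
    'timeout' : no answer at all.  Either the SYN never arrives (no NAT
                rule, ISP or firewall filtering) or the SYN-ACK never makes
                it back, which is what a missing default route on the
                server's external NIC looks like from outside.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:            # must precede OSError: it is a subclass
        return "timeout"
    except ConnectionRefusedError:
        return "closed"
    except OSError as exc:            # e.g. no route to host, name lookup failed
        return f"error: {exc.strerror or exc}"
    finally:
        sock.close()


def probe_edge(host: str, ports: Dict[int, str] = EDGE_TCP_PORTS) -> Dict[int, str]:
    """Probe every published TCP port once; returns {port: outcome}."""
    return {port: probe_tcp(host, port) for port in ports}


def diagnose(results: Dict[int, str]) -> str:
    """Turn a set of probe outcomes into the conclusion an engineer would draw."""
    outcomes = set(results.values())
    if outcomes == {"open"}:
        return "all published ports reachable"
    if outcomes == {"timeout"}:
        return ("no port answers at all: the host is not published, or replies "
                "never leave the server (check the NAT rule and the default "
                "route on the server's external interface)")
    problems = ", ".join(f"{p}={o}" for p, o in sorted(results.items()) if o != "open")
    return f"host reachable but some ports fail: {problems}"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "uc.domain.net"
    res = probe_edge(target)
    for port, outcome in sorted(res.items()):
        print(f"{target}:{port:<5} {outcome:<8} {EDGE_TCP_PORTS[port]}")
    print(diagnose(res))
```

Run it from a host outside your own network, since a probe from the LAN (or from the router itself) never crosses the NAT and says nothing about the return path. A result of "timeout" on every port with the same NAT rule working for another internal server is exactly the pattern the thread describes.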

All replies

  • If you cannot telnet to any of the listening ports on your external Edge from an Internet host then you do not correctly have the server published to the Internet.  Typically this is related to the return traffic leaving the Edge server back to the Internet host that fails.  How many interfaces are configured on the Edge Server?

    Read through these blog articles for assistance with getting the Edge server routing configured correctly:
    http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=78
    http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=33
    http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=19


    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Tuesday, April 13, 2010 1:47 PM
    Moderator
  • Thanks for your reply, Jeff. Your tip solved my issue! I have two NICs, one for internal connections, one for external. They are both in the same subnet, which as you described is supported but not recommended. However, I didn't give the external NIC a default gateway, because both NICs would be using the same gateway anyway (as they are in the same subnet). This worked for regular networking services, and I could access the internet from the Edge server without issues.

    While reading your text however, I realised that traffic coming in on one adapter will want to go out from the same adapter. It will not use the default gateway of the other adapter, it needs its own. So I just added the default gateway to the external adapter as well and voila, it works right away.

    I feel stupid now ;-)


    Ruud van Strijp - Network Infrastructure Design in the Netherlands. MCSE: 70-270, 70-284, 70-290, 70-291, 70-294, 70-297. Cisco: CCNA, CCDA, CCNP, CCDP.
    Tuesday, April 13, 2010 2:57 PM
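The condition Ruud found (listeners bound to the external NIC while only the internal NIC carries a default route) can be checked on the server before any external test. The script below is an added example for this page, not code from the thread: it parses the IPv4 "Active Routes" table of `route print` and the listener rows of `netstat -an`, and reports every non-loopback listener whose bound address has no 0.0.0.0/0 route of its own. Both command outputs are constructed samples built from the addresses and ports in the post; the router address 192.168.2.1 is an assumption. The check rests on Windows' strong host model (the default since Windows Server 2008): a reply sourced from 192.168.2.216 leaves through the NIC that owns .216, so a default route bound to .215 does not carry it.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed `route print` excerpt for the Edge server as first configured:
# both NICs sit in 192.168.2.0/24 but only the internal one (.215) has a
# default route (0.0.0.0/0) bound to it.  Gateway 192.168.2.1 is assumed.
ROUTE_PRINT_BEFORE = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1    192.168.2.215     10
      127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
      192.168.2.0    255.255.255.0         On-link     192.168.2.215    266
      192.168.2.0    255.255.255.0         On-link     192.168.2.216    266
    192.168.2.215  255.255.255.255         On-link     192.168.2.215    266
    192.168.2.216  255.255.255.255         On-link     192.168.2.216    266
===========================================================================
"""

# The same table after the fix from the thread: a second default route via
# the router, this time bound to the external NIC (.216).
ROUTE_PRINT_AFTER = ROUTE_PRINT_BEFORE.replace(
    "Metric\n",
    "Metric\n"
    "          0.0.0.0          0.0.0.0      192.168.2.1    192.168.2.216     10\n",
    1,
)

# Constructed `netstat -an` excerpt matching the listeners from the post,
# plus one established session that must not count as a listener.
NETSTAT_AN = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.168.2.215:443      0.0.0.0:0              LISTENING
  TCP    192.168.2.215:5061     0.0.0.0:0              LISTENING
  TCP    192.168.2.215:8057     0.0.0.0:0              LISTENING
  TCP    192.168.2.216:442      0.0.0.0:0              LISTENING
  TCP    192.168.2.216:443      0.0.0.0:0              LISTENING
  TCP    192.168.2.216:444      0.0.0.0:0              LISTENING
  TCP    192.168.2.216:5061     0.0.0.0:0              LISTENING
  TCP    192.168.2.215:5061     192.168.2.10:50321     ESTABLISHED
  UDP    192.168.2.216:3478     *:*
"""

_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# destination, netmask, gateway (an IP or "On-link"), interface, metric
_ROUTE_RE = re.compile(rf"^\s*({_IPV4})\s+({_IPV4})\s+(\S+)\s+({_IPV4})\s+(\d+)\s*$")
# A listener is a TCP row in LISTENING state or any UDP row.  An ESTABLISHED
# TCP row does not match because its state word is left over at the end.
_LISTEN_RE = re.compile(rf"^\s*(TCP|UDP)\s+({_IPV4}):(\d+)\s+\S+(?:\s+LISTENING)?\s*$")


def parse_routes(route_print_text: str) -> List[Dict[str, str]]:
    """Rows of the IPv4 'Active Routes' table as dicts (metric kept as text)."""
    rows = []
    for line in route_print_text.splitlines():
        m = _ROUTE_RE.match(line)
        if m:
            dest, mask, gateway, iface, metric = m.groups()
            rows.append({"destination": dest, "netmask": mask, "gateway": gateway,
                         "interface": iface, "metric": metric})
    return rows


def default_route_interfaces(routes: List[Dict[str, str]]) -> Set[str]:
    """Interface addresses that own a 0.0.0.0/0 route."""
    return {r["interface"] for r in routes
            if r["destination"] == "0.0.0.0" and r["netmask"] == "0.0.0.0"}


def parse_listeners(netstat_text: str) -> List[Tuple[str, str, int]]:
    """(proto, bound address, port) for every listening socket in netstat -an."""
    found = []
    for line in netstat_text.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            proto, ip, port = m.groups()
            found.append((proto, ip, int(port)))
    return found


def listeners_without_default_route(netstat_text: str,
                                    route_print_text: str) -> List[Tuple[str, str, int]]:
    """Listeners bound to an address whose NIC carries no default route.

    Wildcard (0.0.0.0) and loopback binds are skipped: the first answers on
    every interface, the second never needs a gateway.
    """
    routed = default_route_interfaces(parse_routes(route_print_text))
    return [(proto, ip, port) for proto, ip, port in parse_listeners(netstat_text)
            if ip != "0.0.0.0" and not ip.startswith("127.") and ip not in routed]


if __name__ == "__main__":
    for label, table in (("before fix", ROUTE_PRINT_BEFORE), ("after fix", ROUTE_PRINT_AFTER)):
        missing = listeners_without_default_route(NETSTAT_AN, table)
        print(f"{label}: {len(missing)} listener(s) whose replies have no default route")
        for proto, ip, port in missing:
            print(f"  {proto} {ip}:{port} -> NIC {ip} has no 0.0.0.0/0 route")
```

On a real server, replace the two constants with the captured output of `route print` and `netstat -an` (both available on Windows Server 2008 without extra modules). Before the fix the sample flags all five sockets bound to 192.168.2.216, including the UDP 3478 A/V port that a TCP-only external probe never exercises; after the fix it flags nothing.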
  • Hi Ruud,

    I am also building a lab as per your post. I have one doubt: have you assigned the two different NICs to two different networks with the same subnet?

    Sunday, March 18, 2012 6:18 PM