Wednesday, June 17, 2009

Misconfigurations on OCS 2007 R2 Edge

Over the last couple of days I was working on an issue (with PSS – Microsoft Turkey) on an OCS R2 Edge Server at a customer site.

Following the OCS 2007 R2 deployment documentation we set up an OCS 2007 R2 Standard Edition server (consolidated topology), a CWA 2007 R2 server and an OCS 2007 R2 Edge Server.

After setting up those roles we ran the OCS Best Practices Analyzer (BPA) to make sure everything was configured correctly, and then ran the OCS Validation Wizard on each corresponding MCU. Neither reported any issues, on the Edge Server or on the pool server. For the certificates we used UCC certificates from Entrust with multiple SANs in the certificate.

At first sight UCC certificates are very useful for the Access Edge interface, especially when you have multiple SIP domains (for example sip.contoso.com and sip.litware.com) all pointing to your external Access Edge IP address. Pay much more attention when you plan to re-use the same UCC certificate on the other interfaces (Web Conferencing Edge, A/V Edge).

Microsoft: “The OCS R2 Access Edge role is the single most misconfigured role of all Office Communications Server 2007 and Office Communications Server 2007 R2 services”

A misconfiguration there affects the usability of Live Meeting 2007. When one UCC certificate is used on all Edge interfaces, you will see that a remote user (user B) is not able to join the Live Meeting 2007 meeting to which user A invited them.

How can you reproduce/trace this issue?

First make sure you can collect log files from your Live Meeting 2007 client. Open the registry editor and go to the key shown in the screenshot (the location is the same on Windows 7 RC):

[screenshot: Live Meeting 2007 client tracing registry key]

Modify the EnableFileTracing value and make sure its Value data is set to 1.

Save the change and restart your Live Meeting 2007 client. While the client starts, open your %temp% folder to collect the PWConsole log file; it is created while the client sets up the connection to the remote OCS R2 Edge Server. On the server side it is also useful to start logging and tracing on the DataProxy component with all levels and all flags checked.

Secondly, for the test, assign the Web Conferencing Edge Server a certificate issued by an internal CA, with a Subject Name that matches the public FQDN of that interface, for example ucw.contoso.com. Depending on your internal CA configuration, request it directly from an online CA or prepare the request offline. After assigning the new temporary certificate, restart all OCS 2007 R2 Edge services.

When the OCS 2007 R2 Edge Server is back online you will see in the trace that the remote Live Meeting 2007 client is unable to verify the certificate (external clients do not have the chain of your internal root CA, so verification fails). The failure now shows up explicitly as a certificate problem, which confirms that the original issue is a certificate issue on the Web Conferencing Edge Server public interface.

Resolution:

Make absolutely sure that the Subject Name of each OCS 2007 R2 Edge Server public certificate matches the public FQDN used for that interface. A UCC certificate whose Subject Name belongs to the Access Edge FQDN, with the other names only in the SAN list, is not suitable for setting up the Web Conferencing Edge and A/V Edge correctly. Strangely enough, the OCS R2 Deployment Wizard accepts the UCC certificate for each of these roles, so the wizard will not warn you. Be aware of the effect!
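As an added example (not part of the original post), the following Python script checks what the post asks for: for each Edge public FQDN, whether the certificate's Subject Name (CN) matches the FQDN, whether the FQDN is present only as a subjectAltName entry (the UCC case that the Deployment Wizard accepts but that the post found Live Meeting 2007 failing on), or whether it matches neither. The host names and the two sample certificates are constructed for illustration (av.contoso.com is assumed as the A/V Edge name). The classify() function works offline on the dict layout returned by ssl.getpeercert(); fetch_and_classify() does the same against a live interface, connecting with the system trust store like an external client would, so an internal-CA test certificate is reported as untrusted.

```python
"""Check that each OCS 2007 R2 Edge public certificate has a Subject Name (CN)
matching the public FQDN, rather than only listing that FQDN in the SAN.
Added example; host names and sample certificates are constructed."""
import socket
import ssl

OK = "ok"                 # Subject CN matches the FQDN: what the post requires
SAN_ONLY = "san_only"     # FQDN present only as a SAN entry: the reused-UCC case
MISMATCH = "mismatch"     # FQDN appears neither in the CN nor in the SAN list
UNTRUSTED = "untrusted"   # chain does not validate (e.g. the internal-CA test cert)


def _dns_match(pattern, fqdn):
    """Case-insensitive DNS match allowing one left-most wildcard label (*.contoso.com)."""
    pattern, fqdn = pattern.lower().rstrip("."), fqdn.lower().rstrip(".")
    if pattern.startswith("*."):
        return fqdn.count(".") == pattern.count(".") and fqdn.split(".", 1)[1] == pattern[2:]
    return pattern == fqdn


def common_names(cert):
    """commonName values from a certificate dict in ssl.getpeercert() layout."""
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def san_dns_names(cert):
    """DNS entries of the subjectAltName extension, if any."""
    return [value for key, value in cert.get("subjectAltName", ()) if key == "DNS"]


def classify(cert, fqdn):
    """Decide how the certificate's names relate to the FQDN of the interface."""
    if any(_dns_match(cn, fqdn) for cn in common_names(cert)):
        return OK
    if any(_dns_match(name, fqdn) for name in san_dns_names(cert)):
        return SAN_ONLY
    return MISMATCH


def fetch_and_classify(fqdn, port=443, timeout=5.0):
    """Connect like an external client (system trust store), fetch the leaf
    certificate and classify it. Hostname checking is turned off so that the
    CN-versus-SAN comparison is done by classify(); the chain must still validate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((fqdn, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
                return classify(tls.getpeercert(), fqdn)
    except ssl.SSLCertVerificationError:
        return UNTRUSTED


def audit(certs_by_fqdn):
    """Classify a batch of already-retrieved certificates, keyed by interface FQDN."""
    return {fqdn: classify(cert, fqdn) for fqdn, cert in certs_by_fqdn.items()}


# Constructed sample data: one UCC certificate (CN = Access Edge name, the other
# names only in the SAN list) reused on every interface, versus a dedicated one.
UCC_CERT = {
    "subject": ((("organizationName", "Contoso"),), (("commonName", "sip.contoso.com"),)),
    "subjectAltName": (("DNS", "sip.contoso.com"), ("DNS", "sip.litware.com"),
                       ("DNS", "ucw.contoso.com"), ("DNS", "av.contoso.com")),
}
DEDICATED_UCW_CERT = {
    "subject": ((("commonName", "ucw.contoso.com"),),),
    "subjectAltName": (("DNS", "ucw.contoso.com"),),
}

if __name__ == "__main__":
    # Offline demonstration: the Access Edge name is fine, while the Web Conferencing
    # and A/V Edge names only match through a SAN entry.
    for fqdn, verdict in audit({"sip.contoso.com": UCC_CERT,
                                "ucw.contoso.com": UCC_CERT,
                                "av.contoso.com": UCC_CERT}).items():
        print(f"{fqdn:20} {verdict}")
    print("ucw.contoso.com with dedicated cert:", classify(DEDICATED_UCW_CERT, "ucw.contoso.com"))
```

Run fetch_and_classify("ucw.contoso.com") (with your real Web Conferencing Edge FQDN) from outside the perimeter to check a live interface. Note that modern TLS clients, Python's own hostname check included, accept a SAN match and ignore the CN when a SAN is present; the san_only verdict is relevant because of the Live Meeting 2007 behaviour the post describes, not because such a certificate is invalid in general.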

Questions? Do not hesitate to contact me.

1 comment:

Tristan Dorsey said...

That was something new to learn... Thanks... People who are looking to get Unified Communications Services in Florida can benefit greatly from this.