How do I share files with users outside of my firewall with Office Communicator 2005?

I work for a company which has charged me with the task of making Communicator 2005 our central chat and meeting client. Right now everything works well behind the firewall and I can even send files from outside of the firewall to myself, but when I try and send files from behind the firewall to outside of the firewall I receive the following error:

Cannot send "file.txt" to USER. This may be due to firewall restrictions or network problems. Please try again. If you need further assistance, contact your system administrator.

The system outside of the firewall receives the following error:

You cannot received the file "file.txt" from USER.  This may be due to the firewall restrictions or network problems.  If you need further assistance please contact your system administrator.

I have port 6891 open with the firewall software we use and we have 5060 and 5061 open on our Cisco PIX.  

Any help would be greatly appreciated.

Asked: BRNIIT

Alan Huseyin Kayahan Commented:
Hi BRNIIT
   From Microsoft...
 What ports are required for external access?
A. In order for external access to succeed, Communicator Mobile needs to use TLS transport. By default, port 5061 is used, but other ports, such as port 443, can be used for external access. If you configure a nondefault port for external access, the Communicator Mobile clients that connect to the server must be configured to include the port information in the server address. The correct format is <server address>:<port number>. For example, the client should be configured to use sip.contoso.com:443 if port 443 has been configured on the sip.contoso.com server.

For more information about this port configuration on the Access Proxy, see "Configuring the Internal and External Edges of an Access Proxy" in Live Communications Server 2005: Deploying Access Proxy and Director.
 
Can you post your sanitized PIX config?

Regards
 
BRNIIT (Author) Commented:
Here's the sanitized PIX config:

PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password *** encrypted
passwd *** encrypted
hostname mypix
domain-name mydomain.com
clock summer-time UTC recurring 2 Sun Mar 1:00 1 Sun Nov 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip 5061
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list from_outside permit tcp any host 111.111.111.111 eq 5061
no pager
mtu outside 1500
mtu inside 1500
ip address outside 111.111.111.2 255.255.255.240
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 111.111.111.111 192.168.1.22 netmask 255.255.255.255 0 0
access-group from_outside in interface outside
route outside 0.0.0.0 0.0.0.0 111.111.111.1 1
route inside 10.1.0.0 255.255.0.0 192.168.0.2 1
route inside 10.2.0.0 255.255.0.0 192.168.0.3 1
route inside 10.3.0.0 255.255.255.0 192.168.0.3 1
route inside 10.10.10.0 255.255.255.0 192.168.0.3 1
route inside 10.10.20.0 255.255.255.0 10.1.1.3 1
route inside 10.100.1.0 255.255.255.0 192.168.0.3 1
route inside 172.16.3.0 255.255.255.0 192.168.0.2 1
route inside 172.17.0.0 255.255.0.0 192.168.0.3 1
route inside 192.168.1.0 255.255.255.0 192.168.0.2 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
http 10.1.8.201 255.255.255.255 inside
http 10.1.1.199 255.255.255.255 inside
http 10.1.8.58 255.255.255.255 inside
snmp-server host inside 10.1.0.104 poll
no snmp-server location
no snmp-server contact
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
telnet 10.0.0.0 255.0.0.0 inside
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80

 
Alan Huseyin Kayahan Commented:
static (inside,outside) 111.111.111.111 192.168.1.22 netmask 255.255.255.255 0 0

static is for 192.168.1.22 but PIX does not have an interface in this range. What is the gateway IP address of 192.168.1.22? Is 192.168.1.22 the Office Communicator server?
 
BRNIIT (Author) Commented:
This line takes care of routing to the 192.168.1.0 ip range:

route inside 192.168.1.0 255.255.255.0 192.168.0.2 1

Yes, that ip address is the Access Proxy server.
 
Alan Huseyin Kayahan Commented:
 This line takes care of routing to the 192.168.1.0 ip range:
   route inside 192.168.1.0 255.255.255.0 192.168.0.2 1
    This is useful only when a computer in 192.168.0 network wants to browse 192.168.1.22. Is 192.168.0.2 a router or a switch vlan gateway?
 
BRNIIT (Author) Commented:
192.168.0.2 is a router - its inside ip address is 192.168.1.1, which it uses to talk to the 192.168.1.x network.

So, traffic from the internet to my LCS access proxy server goes

internet --> 111.111.111.111 (pix translates to 192.168.1.22) --> 192.168.0.2 (since that is the static route on the pix) --> 192.168.1.1 (inside interface of the router) --> 192.168.1.22
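
Added example, not part of the thread and not written by either poster: a small Python audit of the lines of the posted PIX 6.3 config that the discussion turns on. For each static translation it reports which inbound TCP ports the ACL bound to the outside interface permits, and whether the real address sits on a connected inside network or is reached through a route. The function name `audit_statics` is hypothetical, and the parser assumes only the line forms that appear in the posted config.

```python
import ipaddress

# Lines copied from the PIX config posted in the thread (sanitized addresses).
CONFIG = """\
access-list from_outside permit tcp any host 111.111.111.111 eq 5061
ip address inside 192.168.0.1 255.255.255.0
static (inside,outside) 111.111.111.111 192.168.1.22 netmask 255.255.255.255 0 0
access-group from_outside in interface outside
route inside 192.168.1.0 255.255.255.0 192.168.0.2 1
"""

def audit_statics(config):
    """Report inbound TCP ports and the inside path for every static translation."""
    connected, routes, acls, statics, bound = [], [], {}, [], set()
    for line in config.splitlines():
        f = line.split()
        if f[:3] == ["ip", "address", "inside"]:
            # Network directly attached to the inside interface.
            connected.append(ipaddress.ip_network(f"{f[3]}/{f[4]}", strict=False))
        elif f[:2] == ["route", "inside"]:
            routes.append((ipaddress.ip_network(f"{f[2]}/{f[3]}"), f[4]))
        elif f[:2] == ["static", "(inside,outside)"]:
            statics.append((f[2], ipaddress.ip_address(f[3])))
        elif f[:1] == ["access-group"] and f[-2:] == ["interface", "outside"]:
            bound.add(f[1])  # ACL actually applied to inbound outside traffic
        elif (f[:1] == ["access-list"] and f[2:6] == ["permit", "tcp", "any", "host"]
              and f[7:8] == ["eq"]):
            acls.setdefault(f[1], []).append((f[6], int(f[8])))
    report = []
    for outside_ip, real_ip in statics:
        # Only ACLs bound to the outside interface count as open ports.
        ports = sorted(p for name in bound
                       for ip, p in acls.get(name, []) if ip == outside_ip)
        if any(real_ip in net for net in connected):
            path = "connected"
        else:
            hops = [gw for net, gw in routes if real_ip in net]
            path = f"via {hops[0]}" if hops else "unreachable"
        report.append({"outside": outside_ip, "real": str(real_ip),
                       "inbound_tcp": ports, "path": path})
    return report

if __name__ == "__main__":
    for entry in audit_statics(CONFIG):
        print(entry)
```
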