OCS 2007: Cannot use Live Meeting from outside the firewall

Posted on 2009-02-18
Last Modified: 2013-11-29
I have Office Communications Server 2007 set up. I have the internal side working perfectly. I also have another server set up with Access Edge and Web Conferencing Edge. I can use the OCS client from the outside perfectly with automatic sign-in. The only problem I cannot figure out is why Live Meeting will not work. I have checked and double-checked all of my configuration and my certificate setup.

When I test Live Meeting I can see that it connects to the server, but it never initiates the meeting. I have run logging and I get the following error over and over again:
SIP/2.0 401 Unauthorized

I also ran a packet sniffer on both ends, and after extensive research I have come to believe that it may be IIS permissions on the internal OCS 2007 server that are causing the issue. It was a week ago when I ran upon this, so I don't remember what exactly pointed me that way.

The reason I believe there might be an issue is that when I first set up OCS 2007 I had an issue with downloading the address book. I found that the install does not set up the permissions properly for the address book. I think I changed the Authentication and Access Control permissions on another part of the IIS tree that I should not have. I believe that if I find what is wrong there I may be able to resolve the problem. I usually make an IIS backup every time I make a change, but in haste I failed to do so when I made this change.

So what I am asking is for anyone who has a successful OCS 2007 with Edge and has Live Meeting working for external users: take a look at your IIS settings (esp. the webconf folder) and see if there is anything different with Authentication and Access Control on some of your subfolders and such.

Currently the entire Default Web Site has these checked on mine:
Enable anonymous access
Integrated Windows Authentication

Any help would be appreciated. I am almost sure the problem resides in IIS, so if I have missed anything, any suggestions would be appreciated too.
Question by: chuck-williams
    LVL 22

    Assisted Solution

    Are you connecting to the server with a machine from your internal domain while logged in with a domain user?
    If not then this might be what is causing your problem.
    This sounds like the server is set up to allow internal requests and is using MS authentication against AD.
    If not using an AD machine then the machine is going to be treated as being in the Internet and IIS will not pass CHAP authentication thus not allowing Windows integrated authentication to work.

    If you are running this over SSL then you can try enabling Basic Authentication which removes the requirement for the password encryption from the request and will then allow pass-through authentication.  You just do not want to do this from the Internet if you are not running this over a VPN connection and/or SSL to the web server.  You would then be passing domain credentials in clear text over the net.
    LVL 10

    Assisted Solution

    I would recommend you run the Edge Planning Tool and check it against your setup.  

    Try running:  lcscmd.exe /Web /Action:Activate /PoolName: <Pool Name> /User: RTCComponentService /Password:<Password> /Guest: RTCGuestAccessUser /GuestPassword: <Password>

    Then restart services.
    LVL 6

    Author Comment

    I am looking into both suggestions. I will get back to you with what I find.
    LVL 12

    Accepted Solution

    If you didn't specify an external web fqdn when configuring the OCS Pool then this is probably the issue. Use resolution 2 from the KB article to resolve.
    Error message when you try to use the Live Meeting console to connect to Communications Server 2007: "Live Meeting cannot connect to the meeting
    LVL 6

    Author Comment

    Hmmm, that brings up an interesting question. I had my external FQDN set to POOL01.DOMAIN.COM and I do not have that specified externally. I look at the log and it's for properties like ExternalUpdatesDownloadURL: and such. It points to directories on IIS for my OCS server. Do I need to make my OCS server accessible from the internet on port 443, or do I need to put the FQDN of my Access Edge, or what?

    It just doesn't make sense; the point of the Edge server was so that you would not be able to access the OCS server directly from the internet.
    LVL 12

    Expert Comment

    The OCS Access Edge server provides Communicator and Live Meeting client connectivity from external for IM, Web Conferencing and A/V.
    There are three functions where those two clients ride the IE engine, which uses http port 443 through a Reverse Proxy (not your OCS Access Edge) to access the OCS Server Web components: external Communicator Address Book download, Group Expansion in Communicator, and access to web conference meeting content from outside your network.
    The Reverse Proxy (normally ISA 2006) provides the security from outside to the OCS Server web components via configuration of a web publishing rule.
    LVL 6

    Author Comment

    Thx for all your help. It ended up having to do with the fact that I am using split DNS. OCS Edge did not like the reference to an internal domain even though it could resolve from DNS properly.
    LVL 6

    Author Closing Comment

    Thx for the help. These ideas helped me work things out to my final solution.
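
One way to check for the condition this thread ends on (an external web FQDN that resolves only in the internal half of a split DNS), shown as an added example that is not part of any post above. The URL values, the second property name, the second hostname and both DNS views are constructed; only `ExternalUpdatesDownloadURL` and `POOL01.DOMAIN.COM` come from the thread.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data (assumption), not taken from the author's logs.
# Only ExternalUpdatesDownloadURL is a property name seen in the thread.
SETTINGS = {
    "ExternalUpdatesDownloadURL": "https://pool01.domain.com/AutoUpdate/Ext",
    "HypotheticalPublishedURL": "https://ocsweb.example.com/Abs/Ext",
}
# Split DNS: the same namespace answered differently inside and outside.
INTERNAL_VIEW = {
    "pool01.domain.com": ["10.0.0.15"],
    "ocsweb.example.com": ["10.0.0.20"],
}
EXTERNAL_VIEW = {"ocsweb.example.com": ["203.0.113.20"]}

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    """True if addr falls in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def audit_external_urls(settings, dns_view):
    """Return {property: finding} for URLs a client using dns_view cannot
    reach through a reverse proxy published on the internet."""
    findings = {}
    for name, url in settings.items():
        host = (urlsplit(url).hostname or "").lower()
        addrs = dns_view.get(host, [])
        if not addrs:
            findings[name] = f"{host}: no record in this DNS view"
        elif any(is_internal(a) for a in addrs):
            findings[name] = f"{host}: resolves to an RFC 1918 address"
    return findings


if __name__ == "__main__":
    # The internal view resolves every name, which is why the setup looks
    # healthy from inside; the external view exposes the unpublished FQDN.
    for view_name, view in (("internal", INTERNAL_VIEW),
                            ("external", EXTERNAL_VIEW)):
        for prop, finding in audit_external_urls(SETTINGS, view).items():
            print(f"[{view_name}] {prop} -> {finding}")
```

In practice the two views would be filled by querying an internal resolver and a public one for each hostname.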
