OCS 2007 Cannot use livemeeting from outside the firewall

Medium Priority
Last Modified: 2013-11-29
I have Office Communications Server 2007 set up. I have the internal side working perfectly. I also have another server set up with Access Edge and Web Conferencing Edge. I can use the OCS client from the outside perfectly with automatic sign in. The only problem I cannot figure out is why Live Meeting will not work. I have checked and double checked all of my configuration and my certificates set up.

When I test Live Meeting I can see that it connects to the server but it never initiates the meeting. I have run logging and I get the following error over and over again:
SIP/2.0 401 Unauthorized

I also ran a packet sniffer on both ends and after extensive research I have come to believe that it may be IIS permissions on the internal OCS 2007 server that are causing the issue. It was a week ago when I ran upon this so I don't remember what exactly pointed me that way.

The reason I believe there might be an issue is when I first set up OCS 2007 I had an issue with downloading the address book. I found that the install does not set up the permissions properly for the address book. I think I changed the Authentication and Access Control Permissions on another part of the IIS tree that I should not have. I believe that if I find what is wrong there I may be able to resolve the problem. I usually make an IIS backup every time I make a change but in haste I failed to do so when I made this change.

So what I am asking is for anyone who has a successful OCS 2007 with Edge and has Live Meeting working for external users: take a look at your IIS settings (esp. the webconf folder) and see if there is anything different with Authentication and Access Control on some of your subfolders and such.

Currently the entire Default website has these checked on mine:
Enable anonymous access
Integrated Windows Authentication

Any help would be appreciated. I am almost sure the problem resides in IIS so if I have missed anything any suggestions would be appreciated too.

Are you connecting to the server with a machine from your internal domain while logged in with a domain user?
If not then this might be what is causing your problem.
This sounds like the server is set up to allow internal requests and is using MS authentication against AD.
If not using an AD machine then the machine is going to be treated as being in the Internet and IIS will not pass CHAP authentication thus not allowing Windows integrated authentication to work.

If you are running this over SSL then you can try enabling Basic Authentication which removes the requirement for the password encryption from the request and will then allow pass-through authentication.  You just do not want to do this from the Internet if you are not running this over a VPN connection and/or SSL to the web server.  You would then be passing domain credentials in clear text over the net.

I would recommend you run the Edge Planning Tool and check it against your setup.  

Try running: lcscmd.exe /Web /Action:Activate /PoolName:<Pool Name> /User:RTCComponentService /Password:<Password> /Guest:RTCGuestAccessUser /GuestPassword:<Password>

Then restart services.


I am looking into both suggestions. I will get back to you with what I find.
If you didn't specify an external web FQDN when configuring the OCS Pool then this is probably the issue. Use resolution 2 from the KB article to resolve.
Error message when you try to use the Live Meeting console to connect to Communications Server 2007: "Live Meeting cannot connect to the meeting


Hmmm, that brings up an interesting question. I had my external FQDN set to POOL01.DOMAIN.COM and I do not have that specified externally. I look at the log and it's for properties like ExternalUpdatesDownloadURL: and such. It points to directories on IIS for my OCS server. Do I need to make my OCS server accessible from the internet on port 443, or do I need to put the FQDN of my Access Edge, or what?

It just doesn't make sense; the point of the Edge server was so that you would not be able to access the OCS server directly from the internet.
The OCS Access Edge server provides Communicator and Live Meeting client connectivity from external for IM, Web Conferencing and A/V.
There are three functions where those two clients ride the IE engine, which uses http port 443 through a Reverse Proxy (not your OCS Access Edge) to access the OCS Server Web components: external Communicator Address Book download, Group Expansion in Communicator, and access to web conference meeting content from outside your network.
The Reverse Proxy (normally ISA 2006) provides the security from outside to the OCS Server web components via configuration of a web publishing rule.


Thx for all your help. It ended up having to do with the fact that I am using split DNS. OCS Edge did not like the reference to an internal domain even though it could resolve from DNS properly.


Thx for the help. These ideas helped me work things out to my final solution
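
A check for the failure this thread converged on, written as an added example (not code from any poster or from Microsoft): URLs handed to external clients whose host name exists only in the internal DNS view, or resolves externally to an RFC 1918 address. Only ExternalUpdatesDownloadURL and the POOL01.DOMAIN.COM name come from the thread; the other property names, paths, hosts and addresses are constructed sample data.

```python
import ipaddress
from urllib.parse import urlparse

# Explicit RFC 1918 list: ipaddress.is_private would also flag documentation ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: URLs the pool advertises to external clients.
CLIENT_URLS = {
    "ExternalUpdatesDownloadURL": "https://POOL01.DOMAIN.COM/AutoUpdate/Ext",
    "HypotheticalContentURL": "https://ocsweb.domain.com/etc/place/null",
    "HypotheticalExpansionURL": "https://ocsleak.domain.com/GroupExpansion",
}
# Constructed split-DNS views: host name -> A records seen from each side.
INTERNAL_VIEW = {
    "pool01.domain.com": ["10.0.0.20"],
    "ocsweb.domain.com": ["10.0.0.30"],
    "ocsleak.domain.com": ["10.0.0.40"],
}
EXTERNAL_VIEW = {
    "ocsweb.domain.com": ["203.0.113.10"],  # published via the reverse proxy
    "ocsleak.domain.com": ["10.0.0.40"],    # internal record leaked to the outside
}

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def classify(host, internal, external):
    """Return how an external client would see this host name."""
    ext = external.get(host, [])
    if not ext:
        return "internal-only" if host in internal else "unresolvable"
    if any(is_rfc1918(a) for a in ext):
        return "external-private"
    return "ok"

def audit(urls, internal, external):
    """Map each advertised property to (host, verdict)."""
    result = {}
    for prop, url in urls.items():
        host = (urlparse(url).hostname or "").lower()
        result[prop] = (host, classify(host, internal, external))
    return result

if __name__ == "__main__":
    for prop, (host, verdict) in audit(CLIENT_URLS, INTERNAL_VIEW, EXTERNAL_VIEW).items():
        print(f"{prop}: {host} -> {verdict}")
```

Any verdict other than "ok" means an external Live Meeting client is being pointed at a name it cannot reach through the reverse proxy.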