  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4170

OCS 2007: Cannot use Live Meeting from outside the firewall

I have Office Communications Server 2007 set up. I have the internal side working perfectly. I also have another server set up with Access Edge and Web Conferencing Edge. I can use the OCS client from the outside perfectly with automatic sign-in. The only problem I cannot figure out is why Live Meeting will not work. I have checked and double-checked all of my configuration and my certificate setup.

When I test Live Meeting I can see that it connects to the server but it never initiates the meeting. I have run logging and I get the following error over and over again:
SIP/2.0 401 Unauthorized

I also ran a packet sniffer on both ends, and after extensive research I have come to believe that it may be IIS permissions on the internal OCS 2007 server that are causing the issue. It was a week ago when I ran upon this, so I don't remember what exactly pointed me that way.

The reason I believe there might be an issue is that when I first set up OCS 2007 I had an issue with downloading the address book. I found that the install does not set up the permissions properly for the address book. I think I changed the Authentication and Access Control permissions on another part of the IIS tree that I should not have. I believe that if I find what is wrong there I may be able to resolve the problem. I usually make an IIS backup every time I make a change, but in haste I failed to do so when I made this change.

So what I am asking is for anyone who has a successful OCS 2007 with Edge and has Live Meeting working for external users to take a look at your IIS settings (esp. the webconf folder) and see if there is anything different with Authentication and Access Control on some of your subfolders and such.

Currently the entire Default website has these checked on mine:
Enable anonymous access
Integrated Windows Authentication

Any help would be appreciated. I am almost sure the problem resides in IIS, so if I have missed anything, any suggestions would be appreciated too.
chuck-williams
Asked:
 
cj_1969 Commented:
Are you connecting to the server with a machine from your internal domain while logged in with a domain user?
If not then this might be what is causing your problem.
This sounds like the server is set up to allow internal requests and is using MS authentication against AD.
If not using an AD machine then the machine is going to be treated as being in the Internet and IIS will not pass CHAP authentication thus not allowing Windows integrated authentication to work.

If you are running this over SSL then you can try enabling Basic Authentication which removes the requirement for the password encryption from the request and will then allow pass-through authentication.  You just do not want to do this from the Internet if you are not running this over a VPN connection and/or SSL to the web server.  You would then be passing domain credentials in clear text over the net.
 
jayca Commented:
I would recommend you run the Edge Planning Tool and check it against your setup.  

Try running:

lcscmd.exe /Web /Action:Activate /PoolName:<Pool Name> /User:RTCComponentService /Password:<Password> /Guest:RTCGuestAccessUser /GuestPassword:<Password>

Then restart services.
 
chuck-williams (Author) Commented:
I am looking into both suggestions. I will get back to you with what I find.
 
gaanthony Commented:
If you didn't specify an external web fqdn when configuring the OCS Pool then this is probably the issue. Use resolution 2 from the KB article to resolve.
Error message when you try to use the Live Meeting console to connect to Communications Server 2007: "Live Meeting cannot connect to the meeting
http://support.microsoft.com/kb/938288
 
chuck-williams (Author) Commented:
Hmmm, that brings up an interesting question. I had my external FQDN set to POOL01.DOMAIN.COM and I do not have that specified externally. I look at the log and it's for properties like ExternalUpdatesDownloadURL: and such. It points to directories on IIS for my OCS server. Do I need to make my OCS server accessible from the internet on port 443, or do I need to put the FQDN of my Access Edge, or what?

It just doesn't make sense; the point of the Edge server was so that you would not be able to access the OCS server directly from the internet.
 
gaanthony Commented:
The OCS Access Edge server provides Communicator and Live Meeting client connectivity from external for IM, Web Conferencing and A/V.
There are three functions where those two clients ride the IE engine, which uses http port 443 through a Reverse Proxy (not your OCS Access Edge) to access the OCS Server Web components for external Communication Address Book download, Group Expansion in Communicator, and access to web conference meeting content from outside your network.
The Reverse Proxy (normally ISA 2006) provides the security from outside to the OCS Server web components via configuration of a web publishing rule.
 
chuck-williams (Author) Commented:
Thx for all your help. It ended up having to do with the fact that I am using split DNS. OCS Edge did not like the reference to an internal domain even though it could resolve from DNS properly.
 
chuck-williams (Author) Commented:
Thx for the help. These ideas helped me work things out to my final solution.