Solved

OCS Access Edge Server Not Listening on Port 443

Posted on 2010-09-11
Last Modified: 2013-11-29
I have recently configured OCS 2007 R2 Standard.  This server is working all okay internally.  I am now trying to configure Edge to allow access externally.  I have configured 3 public IPs and applied NAT rules on my firewall to local IP and the specific ports.  From that standpoint, all traffic is being forwarded okay - except traffic to my Access Edge IP on port 443.  Traffic to this local IP is going through okay on port 5061.  I have also tested with this tool:  https://www.testocsconnectivity.com/.  I have posted a screenshot of testing with this tool on port 443 and port 5061.

Not sure why port 443 is not being allowed to hit this local IP.  I have turned off the Windows Firewall on this server, so the traffic should not be blocked.  I am not sure what to do next.  The user I am testing with

Any help is very much appreciated.
test1.jpg
test2.jpg
Question by:obautista
 
LVL 33

Accepted Solution

by:
Busbar earned 500 total points
ID: 33654855
Please make sure that you configured the OCS Edge access IP to listen on port 443; I think you made it listen on 5061.
 

Author Comment

by:obautista
ID: 33654893
I am still learning OCS set up.  I have attached a couple screenshot of my Edge Interface Properties.  Where should I make the changes?  Thanks for your help.
test.jpg
test2.jpg
 
LVL 33

Expert Comment

by:Busbar
ID: 33654907
Change the remote access port to 443.

Author Comment

by:obautista
ID: 33654947
Thanks.  I am getting closer.  I am still getting the error shown in the screenshot when testing though.
test.jpg
 
LVL 33

Expert Comment

by:Busbar
ID: 33655059
Can you log in using this user internally?
 

Author Comment

by:obautista
ID: 33655077
Internally, I can login using Communicator and test connectivity.  By the way, I have also enabled user for remote user access and Configuring Federation, Remote User Access, and Public IM Connectivity for Individual Users. On Edge,  External User Access/Remote User Access is checked also.
 
LVL 33

Expert Comment

by:Busbar
ID: 33655100
Sometimes, if you configure or modify the user settings, starting the Front End service applies the permissions.
Restart the Front End service and try again.
 

Author Comment

by:obautista
ID: 33655125
Restarted, but same results.
 
LVL 12

Expert Comment

by:Jeff_Schertz
ID: 33657179
You cannot place both the internal and external roles in the same TCP/IP network.  From your screenshot you either have (A) a single network interface on the Edge server or (B) two interfaces connected to the same subnetwork.

Take a look at these articles for an explanation of why those scenarios are not supported:
http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=15
http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=19
http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=33
 

Author Comment

by:obautista
ID: 33657226
Thanks Jeff.  I am sorry, but I do not understand.  Are you referring to Access, Web/Conferencing, or A/V?  I have the following configuration:

Public IP          Local IP          Port#
75.149.66.202 ==> 192.168.1.42 ==> 443
75.149.66.204 ==> 192.168.1.43 ==> 443
75.149.66.204 ==> 192.168.1.43 ==> 5061
75.149.66.205 ==> 192.168.1.41 ==> 443

192.168.1.41 is my internal interface.

Does that appear to be set up correctly?  I have a 4-port NIC dedicated to only my Edge.

Thanks for your help -
 
LVL 12

Expert Comment

by:Jeff_Schertz
ID: 33657395
I'm assuming you mean to say that ".40" is your internal interface. And if each NIC port is seen as a separate interface to Windows then you do have dedicated internal/external interfaces.

But the internal interface should not be on the same TCP/IP network as the external interfaces.  So either move the internal interface to another subnet (like 192.168.2.0/24) or move all of the external interfaces to a different network.  Also be aware that you cannot perform NAT on the internal interface between the Edge and the internal Front-End server; it must be routable.

Additionally look at that article to see if you have a gateway configuration issue preventing external traffic from routing correctly: http://blog.schertz.name/2010/09/understanding-strong-host-v2
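The two conditions Jeff describes above (external interfaces must not share the internal interface's IP network, and the internal interface must be routable rather than NATed) are easy to check mechanically before opening firewall rules. The script below is an added example, not code from the thread or from Microsoft; the interface plan and NAT table are constructed from the addresses the asker posted, with the internal interface assumed to be .40 as Jeff guessed.

```python
"""Sanity-check an OCS Edge interface plan and the firewall NAT table.

Added example (not from the original thread). Sample data is constructed
from the addresses in the question; the /24 mask and the .40 internal
address are assumptions, not facts stated on the page.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed: one entry per Edge role, using Jeff's reading of the setup.
SAMPLE_INTERFACES: Dict[str, str] = {
    "internal": "192.168.1.40/24",
    "access_edge": "192.168.1.43/24",
    "web_conf_edge": "192.168.1.42/24",
    "av_edge": "192.168.1.41/24",
}

# Constructed: (public IP, local IP, port) as the asker listed the NAT rules.
SAMPLE_NAT_RULES: List[Tuple[str, str, int]] = [
    ("75.149.66.202", "192.168.1.42", 443),
    ("75.149.66.204", "192.168.1.43", 443),
    ("75.149.66.204", "192.168.1.43", 5061),
    ("75.149.66.205", "192.168.1.41", 443),
]


def find_shared_networks(interfaces: Dict[str, str]) -> List[str]:
    """Report every non-internal interface whose IP network equals the
    internal interface's network (the unsupported layout Jeff points at)."""
    internal = ipaddress.ip_interface(interfaces["internal"])
    findings = []
    for role, cidr in interfaces.items():
        if role == "internal":
            continue
        iface = ipaddress.ip_interface(cidr)
        if iface.network == internal.network:
            findings.append(
                f"{role} ({iface.ip}) shares {internal.network} "
                f"with the internal interface ({internal.ip})"
            )
    return findings


def check_nat_rules(rules: List[Tuple[str, str, int]], internal_ip: str) -> List[str]:
    """Flag two NAT-table problems: the internal Edge interface appearing
    as a NAT target (it must be routable to the Front End), and one
    public IP:port forwarded to two different local addresses."""
    findings = []
    seen: Dict[Tuple[str, int], str] = {}
    for public_ip, local_ip, port in rules:
        key = (public_ip, port)
        if key in seen and seen[key] != local_ip:
            findings.append(
                f"{public_ip}:{port} is forwarded to both {seen[key]} and {local_ip}"
            )
        seen[key] = local_ip
        if local_ip == internal_ip:
            findings.append(
                f"internal interface {internal_ip} is a NAT target "
                f"({public_ip}:{port}); it must be routable, not NATed"
            )
    return findings


def audit(interfaces: Dict[str, str], rules: List[Tuple[str, str, int]]) -> List[str]:
    """Run both checks and return the combined list of findings."""
    internal_ip = str(ipaddress.ip_interface(interfaces["internal"]).ip)
    return find_shared_networks(interfaces) + check_nat_rules(rules, internal_ip)


if __name__ == "__main__":
    for finding in audit(SAMPLE_INTERFACES, SAMPLE_NAT_RULES) or ["no findings"]:
        print(finding)
```

Moving the internal interface to 192.168.2.40/24, as Jeff suggests, makes the shared-network findings disappear while leaving the NAT table untouched, which is the cheaper of the two fixes he offers.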
 
LVL 33

Expert Comment

by:Busbar
ID: 33657704
Eagle eye, Jeff. Missed that.
From my firewall experience it will be much easier to move the External NIC to another segment like 2.0 and then change the NAT statement at the firewall side.
 

Author Comment

by:obautista
ID: 33674235
Just wanted to post my finding before closing this post.

I had a couple of problems.  First, I am setting this up in a test environment; therefore, I do not have public certs assigned to the external interface.  I generated the certs through my local CA.  Second, to get auto-sign-in working, after updating my remote access port to 443 I had not updated my SRV record on my public DNS to point to 443 (it was pointing to 5061).  I also had the protocol on my public DNS set to _tcp.  I changed it to _tls.  After making the change, I waited a couple of hours for the changes to propagate.  I then was able to verify traffic was being forwarded as expected using NSLOOKUP in the command prompt window.

Things are working now.  I was able to test connectivity from the outside.  I just had to export the root .cer file and import it on the client machine to test.  

Internal and external interfaces do not have to be on different segments.  I didn't have to change anything there.  I do not know the requirements around when they have to be on different segments, but using my configuration things are up and running.

Thanks so much for your help....
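The DNS half of the fix in the post above (the SRV record must be published under _sip._tls, must carry the port the Access Edge actually listens on, and its target must resolve) is the kind of thing worth checking from a zone dump before waiting hours for propagation. The following is an added example, not part of the thread; it parses a small constructed BIND-style zone fragment using example.com and assumed addresses rather than the asker's real DNS.

```python
"""Validate the _sip._tls SRV record that OCS automatic sign-in relies on.

Added example (not from the original thread). The zone fragments below are
constructed: example.com and the IP address are placeholders, and the
"before" fragment reproduces the two mistakes the asker described
(_tcp instead of _tls, port 5061 instead of 443).
"""
import re
from typing import Dict, List, Tuple

ZONE_BEFORE = """
_sip._tcp.example.com. 3600 IN SRV 0 0 5061 sip.example.com.
sip.example.com.       3600 IN A   75.149.66.204
"""

ZONE_WRONG_PORT = """
_sip._tls.example.com. 3600 IN SRV 0 0 5061 sip.example.com.
sip.example.com.       3600 IN A   75.149.66.204
"""

ZONE_AFTER = """
_sip._tls.example.com. 3600 IN SRV 0 0 443 sip.example.com.
sip.example.com.       3600 IN A   75.149.66.204
"""

# owner  ttl IN SRV priority weight port target
SRV_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")
# owner  ttl IN A address
A_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\S+)$")

SrvRecord = Tuple[int, int, int, str]  # priority, weight, port, target


def parse_zone(text: str) -> Tuple[Dict[str, SrvRecord], Dict[str, str]]:
    """Return SRV records keyed by owner name and A records keyed by name.
    Names are lower-cased so lookups are case-insensitive, as DNS is."""
    srv: Dict[str, SrvRecord] = {}
    a: Dict[str, str] = {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        m = SRV_RE.match(line)
        if m:
            srv[m.group(1).lower()] = (
                int(m.group(2)), int(m.group(3)), int(m.group(4)), m.group(5).lower()
            )
            continue
        m = A_RE.match(line)
        if m:
            a[m.group(1).lower()] = m.group(2)
    return srv, a


def check_sip_srv(zone_text: str, sip_domain: str, expected_port: int = 443) -> List[str]:
    """Check the zone for a usable _sip._tls SRV record for sip_domain.
    expected_port is the port the Access Edge remote-access listener uses."""
    srv, a = parse_zone(zone_text)
    findings: List[str] = []
    tls_name = f"_sip._tls.{sip_domain}."
    rec = srv.get(tls_name)
    if rec is None:
        findings.append(f"missing {tls_name} SRV record; remote clients cannot auto-discover the Edge")
        tcp = srv.get(f"_sip._tcp.{sip_domain}.")
        if tcp is not None:
            findings.append(
                f"found _sip._tcp.{sip_domain}. (port {tcp[2]}); remote access "
                f"needs the _tls record instead"
            )
        return findings
    _priority, _weight, port, target = rec
    if port != expected_port:
        findings.append(f"{tls_name} points at port {port}, but the Edge listens on {expected_port}")
    if target not in a:
        findings.append(f"SRV target {target} has no A record in the zone")
    return findings


if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("wrong port", ZONE_WRONG_PORT), ("after", ZONE_AFTER)):
        print(label, "->", check_sip_srv(zone, "example.com") or ["ok"])
```

The same check works against what `nslookup -type=SRV _sip._tls.<domain>` returns once the change has propagated; only the parsing step differs, since the zone-file format above is what an administrator edits, and the resolver output is what the client actually sees.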
 

Author Closing Comment

by:obautista
ID: 33685541
Thanks