Archive for December, 2010

OCS 2007 R2: Troubleshoot Yahoo PIC Connectivity

December 4, 2010

PIC (Public Internet Connectivity) extends the basic IM capabilities and enables OCS 2007 to consolidate with three of the major IM providers: AOL, Yahoo and MSN. Your internal clients can communicate with other users on the public IM services that are managed and maintained by AOL, Yahoo and MSN.

IM traffic between an organization and a public IM service provider uses an encrypted mutual Transport Layer Security (MTLS) connection, so your organization must use a certificate from a public certification authority. The IM providers also use public CAs.

But what if there are connectivity problems between your organization and one of the IM providers? It is really challenging to identify where the problem lies. Is it your configuration, is it on the IM provider's side, or is it maybe a firewall problem or a certificate issue? In recent weeks I was troubleshooting PIC connectivity problems between Yahoo and internal OCS clients.

What can you verify at your side when you have PIC connectivity problems?

  • Are your users PIC enabled?
  • Is the PIC provider enabled on your Edge server?
  • Is there a public DNS record present of the Edge server?
  • Is there a public SRV record present that points to your Edge server (_sipfederationtls._tcp.yourdomain.com on port 5061)?
  • Is the certificate from the public certification authority correctly installed? Does your Edge server have the correct root CAs?

Especially for Yahoo:

Yahoo’s certificate is issued by a CA called Equifax. Equifax was taken over by GeoTrust as of July 22, 2010, and the root CA was changed to GeoTrust. For your Edge server to trust the certificate from Yahoo, you need to have the GeoTrust root CA installed. Normally this is done automatically by Windows Server security updates: you can install all pending security updates from Microsoft and check whether the certificate was installed, or you can download the root CA from the GeoTrust web page: http://www.geotrust.com/resources/root-certificates/

Known issues with public IM connectivity to Yahoo: http://support.microsoft.com/kb/897567

Logging:

  • Log SIPStack on your Edge server: go to Services and Applications -> right-click “Office Communications Server 2007 R2” -> Logging Tool -> New Debug Session, select SIPStack in the Components list and select all flags.
  • Use the Snooper tool in the OCS 2007 R2 Resource Kit to analyze the log files.
  • Use Network Monitor to capture TLS/TCP traffic.

The issue I had was that TLS connections to Yahoo failed with error 0x80072746 WSAECONNRESET. This means the connection was dropped by the peer.

TL_ERROR(TF_CONNECTION) [5]06E8.1368::11/30/2010-16:02:18.415.000447dd (SIPStack,SIPAdminLog::TraceConnectionRecord:SIPAdminLog.cpp(157))$$begin_record
LogType: connection
Severity: error
Text: Receive operation on the connection failed
Local-IP: 10.40.2.119:5061
Peer-IP: 98.136.47.9:4919
Connection-ID: 0x8E00
Transport: TLS
Result-Code: 0x80072746 WSAECONNRESET
$$end_record

It’s also a good idea to use more than one public IM provider when you are facing problems with public IM. When one IM provider is working and the other is not, you can better pinpoint the problem. After a lot of troubleshooting of firewalls, logs and monitoring, we figured out with Microsoft that this was probably a certificate issue. Our IM traffic with MSN was working fine, but not with Yahoo! We had a really challenging problem because sometimes it was working and sometimes not between Yahoo and OCS. We are using a certificate from GlobalSign with Extended Validation. Microsoft could not guarantee which CAs will work with Yahoo and which will not. They have no idea which CAs are installed on the Yahoo side. So Microsoft also involved Yahoo, and Yahoo reported that their servers were not equipped with the Extended Validation CAs of GlobalSign. They are using the standard CAs in Windows Server 2003. Our problem was solved after Yahoo installed the Extended Validation CAs of GlobalSign. Yahoo probably had the Extended Validation certificates on some servers and not on others. This was probably the reason that it was working sometimes.
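When a failure is intermittent like this, grouping the connection errors by peer address shows whether only some of the provider's servers reset the TLS session. The following Python sketch is an added example, not part of the original post or of the OCS tooling: it assumes the SIPStack trace has been exported as plain text in the record layout quoted above, the function names are hypothetical, and every sample record except the first is constructed (203.0.113.20 is a documentation address).

```python
import re
from collections import Counter, defaultdict

# Timestamp in the trace header, e.g. "::11/30/2010-16:02:18.415"
HEADER_TS = re.compile(r"::(\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{3})")

def parse_records(text):
    """Yield one dict per $$begin_record ... $$end_record block."""
    record = None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("$$begin_record"):
            ts = HEADER_TS.search(line)
            record = {"Timestamp": ts.group(1) if ts else None}
        elif line == "$$end_record":
            if record is not None:
                yield record
            record = None
        elif record is not None and ": " in line:
            key, value = line.split(": ", 1)
            record[key] = value

def tls_errors_by_peer(text):
    """Map peer IP -> {Result-Code: count} for TLS connection errors."""
    summary = defaultdict(Counter)
    for rec in parse_records(text):
        kind = (rec.get("LogType"), rec.get("Severity"), rec.get("Transport"))
        if kind != ("connection", "error", "TLS"):
            continue
        peer = rec.get("Peer-IP", "unknown").rsplit(":", 1)[0]  # drop the port
        summary[peer][rec.get("Result-Code", "unknown")] += 1
    return {peer: dict(codes) for peer, codes in summary.items()}

def make_record(ts, peer, code):
    """Build a constructed record in the layout of the one quoted in the post."""
    return (f"TL_ERROR(TF_CONNECTION) [5]06E8.1368::{ts}.000447dd "
            "(SIPStack,SIPAdminLog::TraceConnectionRecord:SIPAdminLog.cpp(157))$$begin_record\n"
            "LogType: connection\nSeverity: error\n"
            "Text: Receive operation on the connection failed\n"
            f"Local-IP: 10.40.2.119:5061\nPeer-IP: {peer}\n"
            f"Connection-ID: 0x8E00\nTransport: TLS\nResult-Code: {code}\n$$end_record\n")

# First entry matches the post's record; the other three are constructed sample data.
SAMPLE_LOG = "".join(make_record(*r) for r in [
    ("11/30/2010-16:02:18.415", "98.136.47.9:4919", "0x80072746 WSAECONNRESET"),
    ("11/30/2010-16:05:41.102", "98.136.47.9:4977", "0x80072746 WSAECONNRESET"),
    ("11/30/2010-16:09:03.730", "203.0.113.20:5012", "0x80072746 WSAECONNRESET"),
    ("11/30/2010-16:11:27.006", "203.0.113.20:5040", "0x8007274C WSAETIMEDOUT"),
])

if __name__ == "__main__":
    for peer, codes in tls_errors_by_peer(SAMPLE_LOG).items():
        print(peer, codes)
```

A peer address that only ever appears with WSAECONNRESET while others complete the handshake points at a per-server difference on the remote side, such as a missing CA in that server's trust store.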

It is really important to choose a CA from the list of trusted CAs in Microsoft Windows Server 2003! I know that there aren’t intermediate CA updates for Windows Server 2003! I can only advise everyone to use a certificate from a well-known CA provider without Extended Validation, or use one from GlobalSign. It’s very difficult to get support from Yahoo because Microsoft needs to contact Yahoo, and this is really the last step for Microsoft.

Categories: OCS 2007 / Lync 2010

Lync Server 2010: Topology Deployment error

December 2, 2010

When I published my Standard Edition topology I received the following error:

An error occurred: “Microsoft.Rtc.Management.Deployment.DeploymentException” “Cannot determine where to install database files because Windows Management Instrumentation on the database server is unavailable from your computer or user account. To continue, you can resolve this issue, or you can specify where you want to install the files.”

This error indicates that the server is not able to find the database server? But the database is on the Standard Edition server! After a quick review, I found that I had made a typo in the Topology Builder: the pool name didn’t match the FQDN of my Standard Edition server.

In case of a Standard Edition the pool name must be the FQDN of the Standard Edition server.

Categories: OCS 2007 / Lync 2010

Lync Server 2010: Automatic collection of configuration data failed

December 2, 2010

When installing Lync Server 2010 you may receive a typical error: Automatic collection of configuration data failed.

This error may occur when you did not complete the Topology Builder.
Execute these steps before installing Lync Server 2010:

  • Prepare first standard edition server
  • Install topology builder
  • Create a new topology with the “Topology Builder” and publish the topology

This is quite different from the OCS 2007 installation process.

Watch the video “Topology Builder: Create Your First Pool” for more information about the Topology Builder: http://technet.microsoft.com/nl-be/lync/gg454531(en-us).aspx

Categories: OCS 2007 / Lync 2010

Lync Server 2010 Prerequisites

December 2, 2010

This article describes how to install the Lync Server 2010 prerequisites with PowerShell on a Windows Server 2008 R2 server.

  • Install .NET Framework 3.5 SP1

        Import-Module ServerManager
        Add-WindowsFeature as-net-framework
  • Install all IIS components

        Import-Module ServerManager
        Add-WindowsFeature RSAT-ADDS,Web-Static-Content,Web-Default-Doc,Web-Http-Errors,Web-Asp-Net,Web-Net-Ext,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Http-Logging,Web-Log-Libraries,Web-Http-Tracing,Web-Windows-Auth,Web-Filtering,Web-Stat-Compression,Web-Mgmt-Console,Web-Scripting-Tools,Web-Client-Auth,Desktop-Experience
  • Reboot
  • Install Desktop Experience Feature

        Import-Module ServerManager
        Add-WindowsFeature Desktop-Experience
  • Microsoft Visual C++ 2008 Redistributable

    When you start the setup, Lync Server will automatically install Microsoft Visual C++ 2008 Redistributable before the actual setup.

More info: http://technet.microsoft.com/en-us/library/gg398686.aspx

Categories: OCS 2007 / Lync 2010