
OCS 2007 R2: Troubleshoot Yahoo PIC Connectivity

PIC (Public Internet Connectivity) extends the basic IM capabilities and enables OCS 2007 to federate with three of the major IM providers: AOL, Yahoo and MSN. Your internal clients can communicate with other users on the public IM services that are managed and maintained by AOL, Yahoo and MSN.

IM traffic between an organization and a public IM service provider uses encrypted mutual Transport Layer Security (MTLS) connections, so your organization must use a certificate from a public certification authority. The IM providers also use certificates from public CAs.

But what if there are connectivity problems between your organization and one of the IM providers? Identifying where the problem lies is a real challenge: is it your configuration, something on the IM provider's side, a firewall problem, or a certificate issue? In recent weeks I was troubleshooting PIC connectivity problems between Yahoo and internal OCS clients.

What can you verify at your side when you have PIC connectivity problems?

  • Are your users PIC enabled?
  • Is the PIC provider enabled on your Edge server?
  • Is there a public DNS record present of the Edge server?
  • Is there a public SRV record present that points to your Edge server (_sipfederationtls._tcp.yourdomain.com on port 5061)?
  • Is the certificate from the public certification authority correctly installed? Does your Edge server have the correct root CAs?

Especially for Yahoo:

Yahoo's certificate is issued by a CA called Equifax. Equifax was taken over by GeoTrust on July 22, 2010, and the root CA was changed to GeoTrust. For your Edge Server to trust the certificate from Yahoo, you need to have the GeoTrust root CA installed. Normally this is done automatically by Windows Server security updates; you could try to install all pending security updates from Microsoft and check whether the certificate was installed, or you may download the root CA from the GeoTrust web page: http://www.geotrust.com/resources/root-certificates/

Known issues with public IM connectivity to Yahoo: http://support.microsoft.com/kb/897567

Logging:

  • Log the SIPStack on your Edge server: go to Services and Applications -> right-click "Office Communications Server 2007 R2" -> Logging Tool -> New Debug Session: select SIPStack in the Components and select all flags.
  • Use the Snooper tool from the OCS 2007 R2 Resource Kit to analyze the log files.
  • Use Network Monitor to capture TLS/TCP traffic.

The issue I had was that TLS connections to Yahoo failed with error 0x80072746 WSAECONNRESET. This means the connection was dropped by the peer.

TL_ERROR(TF_CONNECTION) [5]06E8.1368::11/30/2010-16:02:18.415.000447dd (SIPStack,SIPAdminLog::TraceConnectionRecord:SIPAdminLog.cpp(157))$$begin_record
LogType: connection
Severity: error
Text: Receive operation on the connection failed
Local-IP: 10.40.2.119:5061
Peer-IP: 98.136.47.9:4919
Connection-ID: 0x8E00
Transport: TLS
Result-Code: 0x80072746 WSAECONNRESET
$$end_record
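As an added example (not part of the original post), this Python parser reads SIPStack connection records in the format shown above, extracts their fields, maps the HRESULT to its Winsock error number, and counts error records per peer address, so you can see whether resets come only from one provider's addresses while other peers stay healthy. The sample log is constructed: the first record is the one quoted above, the second is a made-up healthy record.

```python
import re
from collections import Counter

# Constructed sample: the failing record quoted above plus a made-up healthy one.
SAMPLE_LOG = """\
TL_ERROR(TF_CONNECTION) [5]06E8.1368::11/30/2010-16:02:18.415.000447dd (SIPStack,SIPAdminLog::TraceConnectionRecord:SIPAdminLog.cpp(157))$$begin_record
LogType: connection
Severity: error
Text: Receive operation on the connection failed
Local-IP: 10.40.2.119:5061
Peer-IP: 98.136.47.9:4919
Connection-ID: 0x8E00
Transport: TLS
Result-Code: 0x80072746 WSAECONNRESET
$$end_record
TL_INFO(TF_CONNECTION) [5]06E8.1368::11/30/2010-16:02:20.001.000447de (SIPStack,SIPAdminLog::TraceConnectionRecord:SIPAdminLog.cpp(157))$$begin_record
Severity: information
Text: Connection established
Local-IP: 10.40.2.119:5061
Peer-IP: 203.0.113.10:5061
$$end_record
"""
# A record is a header line ending in $$begin_record, "Key: value" lines, then $$end_record.
RECORD_RE = re.compile(r"^(.*?)\$\$begin_record\n(.*?)\n\$\$end_record", re.S | re.M)
TIMESTAMP_RE = re.compile(r"::(\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d{3})")

def parse_connection_records(text):
    """Turn every $$begin_record/$$end_record block into a dict of its fields."""
    records = []
    for header, body in RECORD_RE.findall(text):
        ts = TIMESTAMP_RE.search(header)
        rec = {"Timestamp": ts.group(1) if ts else ""}
        for line in body.splitlines():
            key, sep, value = line.partition(":")  # split on the first colon only
            if sep:
                rec[key.strip()] = value.strip()
        records.append(rec)
    return records

def winsock_error_number(result_code):
    """0x8007xxxx HRESULTs carry the Win32/Winsock error in the low 16 bits."""
    return int(result_code.split()[0], 16) & 0xFFFF

def summarize_failures(records):
    """Count error records per (peer address without port, result code)."""
    counts = Counter()
    for rec in records:
        if rec.get("Severity") != "error":
            continue
        peer = rec.get("Peer-IP", "?").rsplit(":", 1)[0]
        counts[(peer, rec.get("Result-Code", "unknown"))] += 1
    return counts
```

Feed it a whole SIPStack log file instead of SAMPLE_LOG and sort the counter to see which peers and result codes dominate.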

It's also a good idea to use more than one public IM provider when you are facing problems with public IM. When one IM provider is working and the other is not, you can pin-point the problem more easily. After a lot of troubleshooting of firewalls and logs and monitoring, we figured out with Microsoft that this was probably a certificate issue. Our IM traffic with MSN was working fine, but not with Yahoo! It was a really challenging problem, because sometimes it worked between Yahoo and OCS and sometimes not. We are using a certificate from GlobalSign with Extended Validation. Microsoft could not guarantee which CAs would work with Yahoo and which would not; they have no idea which CAs are installed on the Yahoo side. So Microsoft also involved Yahoo, and Yahoo reported that their servers were not equipped with the Extended Validation CAs of GlobalSign; they are using the standard CAs in Windows Server 2003. Our problem was solved after Yahoo installed the Extended Validation CAs of GlobalSign. Yahoo probably had the Extended Validation certificates on some servers and not on others, which was probably the reason it worked only sometimes.

It is really important to choose a CA from the list of trusted CAs in Microsoft Windows Server 2003! I know that there aren't intermediate CA updates for Windows Server 2003! I can only advise everyone to use a certificate from a well-known CA provider without Extended Validation, or to use one from GlobalSign. It's very difficult to get support from Yahoo, because Microsoft needs to contact Yahoo and this is really the last step for Microsoft.
