OCS 2007 R2 CWA public configuration
Posted by Chad McGreanor on January 26, 2009
So today I was looking through the VSP (Voice Specialized Partner) test scenarios and noticed that I am going to need to be able to join a desktop sharing session from the internet. We are required to “verify” our configuration with Microsoft in order to become “specialized” in OCS 2007 R2; we are already a VSP in OCS 2007. I had some problems with this initially internally due to the 2 new CNAME records that need to be added for desktop sharing to work correctly.
Those records are:
as.<OCS server FQDN or pool FQDN>
download.<OCS server FQDN or pool FQDN>
For example:
as.lab-ocsr2.voxlab.local
download.lab-ocsr2.voxlab.local
So for external use of desktop sharing you would need to create something like that in your public DNS zone. Here is what I did.
I already had the ISA 2006 reverse proxy configured for use with OCS, so I added a new web publishing rule and firewall rule for CWA. This will vary based on your configuration; basically, you need to get the URL passed through correctly.
I had an external web farm FQDN already published in external DNS, which is ocs-abs.voxns.com.
So I added 2 CNAME records pointed to that A record as follows…
as.ocs-abs.voxns.com
download.ocs-abs.voxns.com
I then needed to add those URLs to the public tab of the ISA firewall rule so that ISA would accept them. Once I did that everything worked perfectly.
If anyone has any questions please feel free to leave a comment.
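The two steps above (CNAMEs in public DNS, then the same names on the ISA rule) can be checked together. This is an added example, not part of the original post: it walks a snapshot of the public zone and the list of names accepted by the ISA rule and reports which desktop-sharing name is missing from either. The zone data, the 203.0.113.10 address and the function names are assumptions made for illustration.

```python
# Added example. The zone snapshot and ISA public-names list are constructed sample data.
PREFIXES = ("as", "download")  # the two desktop-sharing names from the post

def norm(name):
    """Lower-case and drop the trailing dot so names compare reliably."""
    return name.strip().rstrip(".").lower()

def resolve(zone, name, max_hops=8):
    """Follow CNAMEs in a zone snapshot; return the final A address or None."""
    seen = set()
    name = norm(name)
    while name not in seen and len(seen) < max_hops:
        seen.add(name)
        rtype, value = zone.get(name, (None, None))
        if rtype == "A":
            return value
        if rtype != "CNAME":
            return None
        name = norm(value)
    return None  # CNAME loop or chain too long

def check_publication(zone, public_names, webfarm_fqdn):
    """Return a list of problems; an empty list means the setup matches the post."""
    zone = {norm(k): v for k, v in zone.items()}
    accepted = {norm(n) for n in public_names}
    base = norm(webfarm_fqdn)
    target = resolve(zone, base)
    problems = [] if target else [f"{base}: no A record"]
    for name in (f"{p}.{base}" for p in PREFIXES):
        addr = resolve(zone, name)
        if addr is None:
            problems.append(f"{name}: missing from DNS")
        elif addr != target:
            problems.append(f"{name}: resolves to {addr}, not {target}")
        if name not in accepted:
            problems.append(f"{name}: not in ISA public names")
    return problems

# Constructed sample: download. was added to DNS but not to the ISA rule.
ZONE = {
    "ocs-abs.voxns.com.": ("A", "203.0.113.10"),
    "as.ocs-abs.voxns.com.": ("CNAME", "ocs-abs.voxns.com."),
    "download.ocs-abs.voxns.com.": ("CNAME", "ocs-abs.voxns.com."),
}
ISA_PUBLIC_NAMES = ["ocs-abs.voxns.com", "as.ocs-abs.voxns.com"]

if __name__ == "__main__":
    for problem in check_publication(ZONE, ISA_PUBLIC_NAMES, "ocs-abs.voxns.com"):
        print(problem)
```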
David said
What kind of certificate have you used in the ISA Server listener? A public CA certificate with SAN, a private CA (your internal CA) certificate with SAN, or a wildcard certificate?
Chad McGreanor said
For the OCS listener I have a Public Certificate from GoDaddy with SAN of the OCS Webfarm fqdn.
IE.
Certificate Issued to ocs-abs.voxns.com <-- This is my external OCS FQDN for address book publishing, distribution Group Expansion, Live Meeting. Basically anywhere OCS asks for an External domain name this is what is there.
SAN is the same: ocs-abs.voxns.com
You cannot use an Internal CA to issue this certificate unless you have installed the certificate chain on all the machines that connect externally. Not really a good idea, not to mention Live Meetings with external parties will fail.
Kamil said
Hi,
I have a problem with publishing Desktop Sharing with ISA. When I start desktop sharing from an internal user, an external CWA user can join it without problems; he can take control etc. However, I can’t start desktop sharing from an external CWA client. I get the message “Cannot start desktop sharing session currently”. The internal user does not even receive an invitation.
I can’t see any errors in Snooper’s log on the frontend.
I think it may be an issue of translating as.externaldomain to as.internaldomain and download.externaldomain to download.internaldomain. Does your setting that you described do the job? It still does not work for me…
Chad McGreanor said
Let me research this; I’ll get back to you.
Kamil said
Hi,
Found something in Snooper’s log on CWA:
TL_ERROR(TF_COMPONENT) [0]04C4.0CE4::03/05/2009-08:24:38.341.000006aa (AppShareOoty,MediaAgent.EndUpdateMediaTransport:mediaagent.cs(245))( 0000000001490205 )update Failed Microsoft.Rtc.Collaboration.OfferAnswerException: Failed to negotiate media
TL_ERROR(TF_COMPONENT) [0]04C4.0CE4::03/05/2009-08:24:38.341.000006cf (AppShareOoty,SdpMediaNegotiator.SetAnswer_delegate1:appsharingsdpmedianegotiator.cs(821))( 0000000000D7A2A2 )excpetion in handling answer:Microsoft.Rtc.Collaboration.OfferAnswerException: failed to update local media
TL_ERROR(TF_COMPONENT) [0]04C4.0DB4::03/05/2009-08:24:38.341.000006d0 (AppShareOoty,AppSharingFlow.SetAnswer:appsharingflow.cs(639))( 0000000001B5D5B3 )[user=sip:OCStest3@img.com][call=c4d7b140-596a-49a7-a96a-8be4a90bb4c1] Microsoft.Rtc.Collaboration.OfferAnswerException: failed to update local media
TL_ERROR(TF_DIAG) [0]04C4.0DB4::03/05/2009-08:24:38.576.00000756 (UCWeb,ErrorHelper.LogAndGetUCWExceptionForFailure:helper.cs(211))
<<<<< [UCWeb.exception (modality)] —– Microsoft.Rtc.Collaboration.OfferAnswerException: failed to update local media
TL_ERROR(TF_DIAG) [0]04C4.0DB4::03/05/2009-08:24:38.576.00000759 (CwaServer,Wpp.Exception:log.cs(65))
<<<< Microsoft.Rtc.Collaboration.OfferAnswerException: failed to update local media
All that does not say much to me besides the fact that media negotiation failed.
Kamil said
Hi,
I finally found the reason for that failure!
I was missing SP1 on my ISA server… I forgot to install it in my test environment. With SP1 everything works just fine!
BR
Kamil
Chad McGreanor said
Good catch. I was not sure what the problem could have been. That is a requirement; I guess we know why now.
Marc said
Do you mean the Public Names tab? I used to get a 403 error, now I just get a blank page when I try Desktop Sharing from an internal MOC user to an anonymous external user. My ocsweb server certs include the SANs as.ocsweb and download.ocsweb, and I exported that and correctly imported it on the ISA reverse proxy rule. I think I’m missing something small. Just installed ISA 2006 SP1 and still no luck…