OCS federation issue and troubleshooting with self-signed certificate

Federation needs an externally trusted certificate to allow access from everywhere. What can we do if we would like to federate with only one company and need to cut the project cost? The solution is a self-signed certificate. How does it work? Let me explain.

Take two companies whose SIP domains are, for example, CompanyA.com and CompanyB.com, and both use self-signed certificates on all of their Communications servers. OCS uses SSL certificates to establish an MTLS (mutual TLS) connection between the servers, so the two sides need to trust each other’s certificates to communicate over MTLS. We don’t need to add the root certificate of domain A to every computer in domain B, and vice versa. We only need to add the certificate on the Edge servers.

First, my Office Communicator showed an “Office Communicator 2007 R2 Error ID: 504” error message. The message was a link that redirected me to an article; it said “Server Time-out”: “The Office Communications 2007 Server may be unavailable or offline.” Did this article help you? No.

Let’s enable Communicator logging. Here it is:

It contains a lot of unfriendly data. I prefer Snooper to understand what’s going on around the SIP messages.

The red lines are the error messages, and there was the 504 Server time-out. On the right panel, the ms-diagnostics header said reason=“Certificate trust with the next-hop server could not be established” and ErrorType=“The peer certificate is not chained off a trusted root”.

After that I checked the certificates on both Edge servers via mmc and realized that a certificate was missing on one of the Edge servers. Snooper helps here; the OCS 2007 R2 Resource Kit contains it.
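As an added example (not from the original post), here is the check and the fix described above as a PowerShell script for an Edge server: it tests whether the partner Edge’s certificate chains to a root this machine trusts and, if not, imports the partner’s self-signed root into the LocalMachine Trusted Root store, then re-tests. The certificate file paths are assumptions; run it elevated on both Edge servers, each with the other company’s exported certificates.

```powershell
# Added example, not code from the original post. Assumed inputs: the partner
# Edge's certificate and the partner's self-signed root, exported as .cer files.
param(
    [string]$PartnerEdgeCert = 'C:\certs\companyb-edge.cer',   # assumed path
    [string]$PartnerRootCert = 'C:\certs\companyb-root.cer'    # assumed path
)

$ns = 'System.Security.Cryptography.X509Certificates'

function Test-PeerChain([string]$Path) {
    $cert  = New-Object "$ns.X509Certificate2" -ArgumentList $Path
    $chain = New-Object "$ns.X509Chain"
    # A self-signed root publishes no CRL, so revocation checking would always fail.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $ok = $chain.Build($cert)
    if (-not $ok) {
        # This is the condition Snooper shows as "not chained off a trusted root".
        foreach ($s in $chain.ChainStatus) {
            Write-Warning ("{0}: {1}" -f $s.Status, $s.StatusInformation.Trim())
        }
    }
    return $ok
}

function Add-PartnerRoot([string]$Path) {
    $root = New-Object "$ns.X509Certificate2" -ArgumentList $Path
    # Only a self-signed (root) certificate belongs in the Trusted Root store.
    if ($root.Subject -ne $root.Issuer) {
        throw "Not a root certificate: $($root.Subject)"
    }
    $store = New-Object "$ns.X509Store" -ArgumentList 'Root', 'LocalMachine'
    $store.Open('ReadWrite')
    try { $store.Add($root) } finally { $store.Close() }
    Write-Host "Imported $($root.Subject) (thumbprint $($root.Thumbprint)) into LocalMachine\Root"
}

if (Test-PeerChain $PartnerEdgeCert) {
    Write-Host 'Partner Edge certificate already chains to a trusted root.'
} else {
    Add-PartnerRoot $PartnerRootCert
    if (Test-PeerChain $PartnerEdgeCert) {
        Write-Host 'Partner chain is now trusted. Repeat this on the other Edge server.'
    }
}
```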
