Archive for August, 2008

OCS Edge Server errors

August 26, 2008 Leave a comment

I decided to start blogging this deployment as it might help others.

A few months ago we decided to implement OCS 2007 and we had setup a test environment.
We installed OCS 2007 standard edition with a front end machine and an edge machine.
We tested the setup for a month or so and we decided to implement it in production.

Now , the initial setup was on a single domain and everything worked perfect. The production environment it is a bit more complicated with a forest and 6 subdomains.

Installation was performed and everything worked fine until we started testing when some strange errors started to show up :

Failed to process data received from the client

Timed out waiting for client to present validation cookie

Over the past 0 minutes Office Communications Server has disconnected client(s) 1 time(s) because of timing out waiting for cookie to be presented. The last such client which was disconnected is “xx.xx.xx.xx:22851”
Cause: This can occur if client does not present a validation cookie within 20 seconds of getting connected
Check to make sure that the connection came from a trustworthy client. This could indicate an attack being mounted by a rogue client.

After digging a bit we also found the solution.
Due to the fact that we used our own intern ROOT CA to issue the SSL certificate for the INTERNAL Edge interface the clients were trying to connect to the internal Root CA to verify the SSL.

There are 2 solutions to this problem.
1. Open the firewall on port 80 towards the root CA .. which I do not recommend or

2. Use a SSL issued by an external Root CA.

Also a thing never documented by Microsoft.

We were using 1 SSL certificate with 3 different alternative names for all the interfaces : Edge , AV , Web conferencing but looks like this setup is not supported and if you are using one SSL with different alternate names on all the interfaces it seems that the clients can connect to the OCS server without any authentication … also the EXTERNAL users without a domain account can connect . So I suggest using different SSL’s for the interfaces.

Categories: Articole IT Tags: , ,