OCS Edge Server errors


I decided to start blogging this deployment as it might help others.

A few months ago we decided to implement OCS 2007 and we set up a test environment.
We installed OCS 2007 Standard Edition with a front-end machine and an edge machine.
We tested the setup for a month or so and we decided to implement it in production.

Now, the initial setup was on a single domain and everything worked perfectly. The production environment is a bit more complicated, with a forest and 6 subdomains.

Installation was performed and everything worked fine until we started testing, when some strange errors started to show up:

Failed to process data received from the client

Timed out waiting for client to present validation cookie

Over the past 0 minutes Office Communications Server has disconnected client(s) 1 time(s) because of timing out waiting for cookie to be presented. The last such client which was disconnected is “xx.xx.xx.xx:22851”
Cause: This can occur if client does not present a validation cookie within 20 seconds of getting connected
Resolution:
Check to make sure that the connection came from a trustworthy client. This could indicate an attack being mounted by a rogue client.

After digging a bit we also found the solution.
Because we used our own internal root CA to issue the SSL certificate for the INTERNAL Edge interface, the clients were trying to connect to the internal root CA to verify the SSL certificate.

There are 2 solutions to this problem:
1. Open the firewall on port 80 towards the root CA, which I do not recommend, or

2. Use an SSL certificate issued by an external root CA.
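To see which hosts a client will try to contact when validating a certificate, the PowerShell sketch below (an added example, not part of the original post) lists the CRL Distribution Point and Authority Information Access URLs embedded in the certificate and tests whether each HTTP host is reachable from the machine it runs on. It assumes the port 80 traffic described above is this CRL/AIA retrieval; `$CertPath` is a hypothetical path to the exported Edge certificate.

```powershell
# Added example: enumerate the CDP and AIA URLs in a certificate and check
# whether this machine can reach each HTTP endpoint.
# $CertPath is a hypothetical location of the exported certificate (.cer).
param(
    [string]$CertPath = 'C:\temp\edge-internal.cer'
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 2.5.29.31         = CRL Distribution Points (where revocation lists are fetched)
# 1.3.6.1.5.5.7.1.1 = Authority Information Access (issuer certificate / OCSP)
$oids = @{ '2.5.29.31' = 'CDP'; '1.3.6.1.5.5.7.1.1' = 'AIA' }

foreach ($ext in $cert.Extensions) {
    $kind = $oids[$ext.Oid.Value]
    if (-not $kind) { continue }

    # On Windows, Format($true) renders the extension as readable text;
    # extract every http(s)/ldap(s) URL from that text.
    $text = $ext.Format($true)
    $urls = [regex]::Matches($text, '(?i)\b(?:http|ldap)s?://[^\s,)]+') |
        ForEach-Object { $_.Value }

    foreach ($url in $urls) {
        $reachable = 'n/a (not HTTP)'
        if ($url -match '^(?i)http') {
            $uri = [Uri]$url
            # Quiet mode returns $true/$false for the TCP connection attempt.
            $reachable = Test-NetConnection -ComputerName $uri.Host `
                -Port $uri.Port -InformationLevel Quiet
        }
        [pscustomobject]@{ Type = $kind; Url = $url; Reachable = $reachable }
    }
}
```

Run it from a client on the affected network segment: an HTTP URL that points at the internal CA and shows `Reachable = False` is a host that client cannot contact during validation. `certutil -verify -urlfetch <file>` performs the actual retrieval and reports the result per URL.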

Also, one thing that was never documented by Microsoft:

We were using 1 SSL certificate with 3 different alternative names for all the interfaces (Edge, AV, Web Conferencing), but it looks like this setup is not supported. If you are using one SSL certificate with different alternate names on all the interfaces, it seems that the clients can connect to the OCS server without any authentication; EXTERNAL users without a domain account can connect as well. So I suggest using different SSL certificates for the interfaces.
