IpsCA External Certs
Being an educational institution, we have started to use the free 2-year
certs from http://www.ipsca.com. The problem is I cannot get the signed
key to import. I keep getting errors on the key chain.
I can find nothing in the knowledge base, so I have followed the
information for exporting a CSR for Verisign and Thawte.
Does anyone have experience with ipsCA?
[email protected] expounded:
> Being an educational institution, we have started to use the free 2-year
> certs from http://www.ipsca.com. The problem is I cannot get the signed
> key to import. I keep getting errors on the key chain.
> I can find nothing in the knowledge base, so I have followed the
> information for exporting a CSR for Verisign and Thawte.
> Does anyone have experience with ipsCA?
Being in a similar situation ourselves, we've started doing the same
thing. While I can't speak to NetWare, we have learned that some PKI has
problems when there is an intermediate CA in the certificate chain. Stuff
like this...
Verisign Class A Cert
  |-> ipsCA Root Cert
        |-> Our certificate
Might be a source of the problem, but I can't test right now.
Novell, it does a network good
Did anyone find a solution to this? I am beating my head against the wall with this same problem. Thanks.
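
As an added example (not from this thread, and not ipsCA's or Novell's procedure), the chain shape sketched in the reply above, rebuilt with a throwaway openssl hierarchy. It shows what a verifier that trusts only the root does with a server certificate whose issuer is an intermediate, and what has to be bundled with the server certificate for an import to succeed. It assumes the openssl command line (1.1.1 or later) is on the PATH; "Example Root CA", "Example Intermediate CA" and www.example.edu are invented stand-ins for the Verisign root, the ipsCA issuing certificate and the school's own certificate.

```sh
#!/bin/sh
# Added example, not taken from the thread. Builds a three-level chain
# (root -> intermediate -> server) with throwaway keys and shows that the
# server cert only verifies when the intermediate travels with it.
# Assumes the openssl CLI (1.1.1+) is on PATH; every name here is made up.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# issue <name> <subject CN> <extension lines> [<issuer name>]
# Without an issuer the certificate is self-signed (a root).
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf '%s\n' "$3" > "$1.ext"
  if [ -z "$4" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 -sha256 \
      -extfile "$1.ext" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
      -days 30 -sha256 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
  fi
}

CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'
SRV_EXT='basicConstraints=CA:FALSE
subjectAltName=DNS:www.example.edu'

issue root   "Example Root CA"         "$CA_EXT"          # stands in for the Verisign root
issue inter  "Example Intermediate CA" "$CA_EXT"  root    # stands in for the ipsCA issuing cert
issue server "www.example.edu"         "$SRV_EXT" inter   # "our certificate"

# Subject/issuer of every cert in a PEM bundle, in file order.
chain_summary() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Is the server cert's issuer name exactly the intermediate's subject name?
issuer_is_intermediate() {
  iss=$(openssl x509 -in server.pem -noout -issuer | sed 's/^issuer=//')
  sub=$(openssl x509 -in inter.pem -noout -subject | sed 's/^subject=//')
  [ "$iss" = "$sub" ]
}

# Verifier trusts only the root and is handed only the server cert.
verify_without_intermediate() {
  openssl verify -CAfile root.pem server.pem >/dev/null 2>&1
}

# Same trust store, but the intermediate is supplied alongside the server cert.
verify_with_intermediate() {
  openssl verify -CAfile root.pem -untrusted inter.pem server.pem >/dev/null 2>&1
}

# What an import of the "signed key" actually needs: the server cert followed
# by every intermediate, so the importer can walk up to a root it trusts.
cat server.pem inter.pem > server-chain.pem

if verify_without_intermediate; then
  echo "unexpected: server cert verified without the intermediate"
else
  echo "server cert alone: unable to get local issuer certificate (expected)"
fi
if verify_with_intermediate; then
  echo "server cert + intermediate: OK"
fi
chain_summary server-chain.pem
```

The failing case is the one to look for: the server certificate is valid, its issuer name matches the intermediate exactly, and the verifier still rejects it because nothing in its store can bridge from the intermediate to the root. The fix is to supply the intermediate with the server certificate (here server-chain.pem) rather than to re-issue anything.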
Similar Messages
-
External Cert - does it have to support SANs?
Hi,
I have gone through the process of creating an Edge Server and assigning certificates. I'm using one single domain name with differing ports.
My regular cert provider doesn't supply certs with SANs, so I obtain a regular web server style cert with the single name specified.
Right now some of my services aren't starting.
Before I get into all of this I wanted to ask:
Do I REQUIRE a certificate with SANs in order for it to work with the Edge Server? Or am I OK to continue with the regular cert....
Thanks.... Jason.
Jason Smith MCITP-EA/SA
http://technet.microsoft.com/en-us/library/gg398920.aspx: "The
certificate must be issued by an approved public CA that supports subject alternative name."
The subject alternative name list contains the FQDNs of the following:
The Access Edge service external interface or hardware load balancer VIP (for example, sip.contoso.com).
Even though the certificate subject name is equal to the Access Edge FQDN, the subject alternative name
must also contain the Access Edge FQDN because Transport Layer Security (TLS) ignores the subject name and uses the subject alternative name entries for validation.
I also tend to use the same cert for my Reverse Proxy by adding lyncdiscover, the Lync external front end FQDN
and the simple URLs to reduce cost.
Georg Thomas | Lync MVP
-
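
The SAN rule quoted in the answer above, shown on throwaway certificates with OpenSSL's own hostname matcher. This is an added example, not Microsoft's documentation or the poster's setup; it assumes the openssl command line (1.1.1 or later) is on the PATH, and sip.contoso.com, webconf.contoso.com and av.contoso.com are invented names. It goes one step past the answer by also covering a certificate with no SAN extension at all, where OpenSSL still falls back to the CN; as soon as any DNS SAN is present, the CN is ignored, which is exactly why the Access Edge name has to be repeated in the SAN list.

```sh
#!/bin/sh
# Added example, not from the thread. Mints throwaway self-signed server
# certificates and runs OpenSSL's hostname check against each to show the
# rule in the answer above: once a certificate carries DNS names in the
# SAN extension, the subject CN is no longer consulted for name matching.
# Assumes the openssl CLI (1.1.1+) is on PATH; all names are invented.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# mint <name> <subject CN> <SAN list such as "DNS:a,DNS:b", or "" for none>
mint() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  if [ -n "$3" ]; then
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=%s\n' "$3" > "$1.ext"
  else
    printf 'basicConstraints=CA:FALSE\n' > "$1.ext"
  fi
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 -sha256 \
    -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}

# name_matches <name> <hostname>: 0 when OpenSSL accepts the cert for that host.
# The cert is placed in the trust store so only the hostname check can fail.
name_matches() {
  openssl verify -CAfile "$1.pem" -verify_hostname "$2" "$1.pem" >/dev/null 2>&1
}

# Edge-style request gone wrong: CN is the Access Edge name, SAN list omits it.
mint cn_only  sip.contoso.com "DNS:webconf.contoso.com,DNS:av.contoso.com"
# Corrected request: the Access Edge name is repeated in the SAN list.
mint complete sip.contoso.com "DNS:sip.contoso.com,DNS:webconf.contoso.com,DNS:av.contoso.com"
# Legacy single-name cert with no SAN extension at all.
mint no_san   sip.contoso.com ""

# report <name> <hostname>: one line per check, for reading the result by eye.
report() {
  if name_matches "$1" "$2"; then
    echo "$1: $2 accepted"
  else
    echo "$1: $2 REJECTED"
  fi
}

report cn_only  sip.contoso.com      # CN matches, but DNS SANs exist, so the CN is ignored
report cn_only  webconf.contoso.com  # matched through the SAN list
report complete sip.contoso.com      # now present in the SAN list
report no_san   sip.contoso.com      # no SAN extension: OpenSSL falls back to the CN
```

Only the first case is the surprising one, and it is the one a single-name Edge certificate produces: the name the clients connect to is the CN, the certificate carries SANs for other services, and the handshake fails with a hostname mismatch even though the CN is right.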
Guest Cert problems ISE and Anchor WLC
I'm setting up new Guest Wireless. I have 2 internal foreign 5508 WLCs talking to 2 DMZ anchor WLCs. The guest connects to the Guest SSID and the anchor controllers act as a DHCP server; the Guest interface configured on the WLC is in the range of the DHCP scope I've set up. The DHCP scope is using the anchor WLC Mgmt interface as the DHCP server.
The Guest SSID is set up for WebAuth and the Guest is redirected to the ISE server https://wlc.company.com/login.... When the page is presented to the Guest they get a cert problem because the cert is not trusted (it's an internal cert). The Guest logs in OK and the AUP says "cert not trusted" 1.1.1.1, name of the WLC wlc.company.com.
In the browser the Guest has https://wlc.company.com/loginredirecthttps://1.1.1.1........
1.1.1.1 is the Virtual interface of the Anchor WLC.
How can I get the client to stop using the Virtual interface for the cert? Why is the WLC doing this? I gather it's something to do with DHCP?
My plan is to apply an external cert on the ISE for Guests; that way they will automatically trust a cert from GeoTrust, for example. But I'm still going to run into this cert "not trusted" problem where the Guest is not trusting the WLC anchor Virtual interface 1.1.1.1. Why is the guest using the Virtual interface error 1.1.1.1? I've even added the ISE name of the cert to the Virtual interface, same problem; instead it just says wlc.company.com not trusted. I have also imported the cert onto the WebAuth cert on the anchor WLC, still doesn't work.
Hopefully I've explained this OK..... any ideas? But if the Guest page keeps getting presented with
https://wlc.company.com/loginredirecthttps://1.1.1.1........ it will never work.
I followed Richard's advice and started from scratch, removing LWA and implementing CWA-MAB. It didn't take too long to set up CWA and get authentication working. I applied a Preauth ACL on the WLCs and on ISE under the Authorization profile (CWA).
This is when the problems started happening. I was using the default ISE Authorization profile
cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionid=SessionValueIdValue&action=cwa
which is not what I want; again the certificate is the server cert, which is not an external cert that the guest wants to see. The user can login fine; unlike LWA, with Firefox or IE it would accept the cert and login, so at least I had a working Guest wifi solution, though there was a cert error symbol at the end of the browser URL.
The next step I tried was to change the Authorization Profile to
(wireless.company.com, which is a CNAME for the ISE box and has this alias in the cert; this was a test before I apply the external cert)
cisco-av-pair = url-redirect=https://wireless.company.com:8443/guestportal/gateway?sessionid=SessionValueIdValue&action=cwa
I applied the change and the new page appeared on the user's laptop, great, but this time users were declined access via Live Authentications, reason "Cannot login due to session id expiry, please login again". I created a new user a/c, same problem. Not good. OK, so I thought, if I want to clear all these stale session IDs that apparently exist I'll stop/start the application, which I did from the command line; still the same error "Cannot login due to session id expiry". Hmm, what's going on here?
I then rebooted the ISE (this must clear all the sessions!). The reboot I performed from home, and now for some reason I cannot login to the ISE front end GUI with the admin account or my account. I tried resetting the GUI password for admin and other admin users; the message is "Error: cannot reset password this can only be performed on Standalone or Primary node". Well, what have I done? Just rebooted ISE, nothing else apart from changing the authorization profile. This box is a Standalone node. Without seeing if the clients connect, due to no GUI access, I have referred this issue to TAC!
Also I don't like the fact that you have to install an external cert against the internal node name, especially when it's external. But again I haven't reached this part yet. -
Wildcard Certificate - Edge server/External web
Hello,
In our company we have deployed Lync 2013 CU4 with topology,
Edge server - One for all roles a/v
Front End - Standard with all roles
All certs are from our internal CA, and it works for my domain users. But for all external users or Skype we need an external cert. We have one wildcard cert for our domain.
So the question is, can we use the wildcard cert for our Edge server and the external services of the front end?
The Front End I think can use what is on TechNet: http://technet.microsoft.com/en-us/library/gg398094.aspx
Good morning,
Using a wildcard certificate on the Lync Edge server is not supported, and indeed will cause you problems.
It also sounds like you are passing your Lync web services directly to your front end server. This is not recommended, and you should use a reverse proxy for this purpose. You would then place an external (public) certificate on that reverse proxy, so there's no need for a public cert on the front end in this scenario.
You may consolidate the certificate requirements for reverse proxy and Edge onto a single multi-SAN certificate, and use that same certificate on both servers.
OR
If you use two separate certificates then it is supported to use a wildcard public certificate on the reverse proxy (web services), but your Edge certificate must be a separate multi-SAN certificate.
Kind regards
Ben
-
External Web Services URL Change
When I installed Lync 2013 I used the same FQDN for the internal and external web services URL. I am now implementing a reverse proxy server and realized that the FQDN needs to be different for the external services. I am using IIS ARR on a 2012 Server for my proxy. When I change the web services external URL in Topology Builder and republish it, what other steps do I need to do after the change? I figured I would need to rerun the setup, but do I need new internal or external certs if I already have the SAN name in my certificate that I plan to use?
The external web FQDN is required in the certificate for the Lync Server Front End Server; you can check that at
http://technet.microsoft.com/en-us/library/gg398094.aspx
The external web FQDN is required in the certificate for the Reverse Proxy Server; check that at
http://technet.microsoft.com/en-us/library/gg429704.aspx
Lisa Zheng
TechNet Community Support -
Lync 2013 External Mobility Not Working
Hello,
The issue I seem to be having is in regards to the external mobility access.
So far everything else in our environment seems to be functioning properly.
The Lync desktop client works both internally as well as externally.
The Lync internal mobility also works. The only issue seems to be with the external mobility part.
I tried going to the external autodiscover address for our system, https://lyncdiscover.mydomain.com but it doesn’t return anything either.
I think the issue lies somewhere with DNS or my reverse proxy, however I’m having a hard time being able to just start changing settings seeing as how I don’t want to break everything that is currently working for our users.
I’ve been through a lot of the posts here but I still can’t seem to find the settings to fix the issue I’m having.
Here is a breakdown of my settings I feel are in question:
1 – Lync 2013 FE Server (LYNC01)
1 – Lync Edge Server (EDGE01)
1 – Reverse Proxy Server (RPROXY01)
Public DNS:
A Records
SIP.mydomain.com  205.XXX.XXX.91 (Access Service on EDGE01)
AccessEdge.mydomain.com  205.XXX.XXX.91 (Access Service on EDGE01)
WebConfEdge.mydomain.com  205.XXX.XXX.92 (WebConf Service on EDGE01)
AVEdge.mydomain.com  205.XXX.XXX.93 (A/V Edge Service on EDGE01)
meet.mydomain.com  205.XXX.XXX.94 (Reverse Proxy Server)
dialin.mydomain.com  205.XXX.XXX.94 (Reverse Proxy Server)
lync.mydomain.com  205.XXX.XXX.94 (Reverse Proxy Server)
lyncdiscover.mydomain.com  205.XXX.XXX.94 (Reverse Proxy Server)
SRV
_sip._tls.mydomain.com:443  AccessEdge.mydomain.com
_sipfederationtls._tcp.mydomain.com:5061  AccessEdge.mydomain.com
_xmpp-server._tcp.mydomain.com  AccessEdge.mydomain.com
Private DNS:
A Records
LYNC01  172.XXX.XXX.65 (LYNC01 FE Server)
Admin  172.XXX.XXX.65 (LYNC01 FE Server)
Dialin  172.XXX.XXX.65 (LYNC01 FE Server)
LyncDiscoverInternal  172.XXX.XXX.65 (LYNC01 FE Server)
Meet  172.XXX.XXX.65 (LYNC01 FE Server)
Sip  172.XXX.XXX.65 (LYNC01 FE Server)
EDGE01  172.XXX.XXX.66 (EDGE01 Server)
RPROXY01  172.XXX.XXX.70 (Reverse Proxy Server)
Lync  205.XXX.XXX.94 (Reverse Proxy Server)
LyncDiscover (CNAME)  lync.gmsd.k12.pa.us
SRV
_xmpp-server._tcp.mydomain.com  Sip.mydomain.com
_sipinternaltls._tcp.mydomain.com:5061  LYNC01.mydomain.com
Lync Server Services Addresses
Lync FE Server: LYNC01.mydomain.com (172.XXX.XXX.65)
File Store: \\LYNC01.mydomain.com\Share
Office Web Apps Server: lyncowa.mydomain.com
External Web Services: lync.mydomain.com
Edge Server Services Addresses
Edge Server: EDGE01.mydomain.com (172.XXX.XXX.66)
Access Edge Service: AccessEdge.mydomain.com (172.XXX.XXX.67, 205.XXX.XXX.91)
Web Conference Service: WebConfEdge.mydomain.com (172.XXX.XXX.68, 205.XXX.XXX.92)
A/V Edge Service: WebConfEdge.mydomain.com (172.XXX.XXX.69, 205.XXX.XXX.93)
Reverse Proxy Server Addresses
Reverse Proxy Server: RPROXY01.mydomain.com (172.XXX.XXX.70, 205.XXX.XXX.94)
Server Farms:
Dialin.mydomain.com: Dialin.mydomain.com (LYNC01)
Meet.mydomain.com: Meet.mydomain.com (LYNC01)
LyncDiscover.mydomain.com: LYNC01.mydomain.com (LYNC01)
Lync.mydomain.com: LYNC01.mydomain.com (LYNC01)
Edge External Cert
AccessEdge.mydomain.com
Sip.mydomain.com
WebConfEdge.mydomain.com
Reverse Proxy Cert
lync.mydomain.com
meet.mydomain.com
dialin.mydomain.com
lyncdiscover.mydomain.com
lyncowa.mydomain.com
With everything else working as it should, this external mobility part is just not really making sense to me. I have also verified that the correct ports are being used on the reverse proxy as well for the server farms, 8080 and 4443. Any help would be greatly appreciated. Thank you.
I'm also attaching the log file from running Lync Connectivity Analyzer if it helps.
[6/10/2014 7:30:18 AM] [DEBUG] Logging test parameters:
[6/10/2014 7:30:18 AM] [DEBUG] SIP Uri: [email protected]
[6/10/2014 7:30:18 AM] [DEBUG] User Name:
[6/10/2014 7:30:18 AM] [DEBUG] Discovery Type: Automatic Discovery
[6/10/2014 7:30:18 AM] [DEBUG] Network access: NetworkAccessExternal
[6/10/2014 7:30:18 AM] [DEBUG] Selected client: ApplicationLyncMobile2010
[6/10/2014 7:30:18 AM] [SUBHEADING] Starting Lync server autodiscovery
[6/10/2014 7:30:18 AM] [INFO] Please wait; this test may take several minutes to complete...
[6/10/2014 7:30:18 AM] [SUBHEADING] Starting automatic discovery for secure (HTTPS) internal channel
[6/10/2014 7:30:18 AM] [DEBUG] Sending HTTP request to https://lyncdiscoverinternal.mydomain.com/[email protected]
[6/10/2014 7:30:18 AM] [DEBUG] Cookie found in autodiscover response: StatusCode: 200, ReasonPhrase: 'OK', Version: 1.1, Content: System.Net.Http.StreamContent, Headers:
Pragma: no-cache
X-MS-Server-Fqdn: LYNC01.mydomain.com
X-Content-Type-Options: nosniff
Cache-Control: no-cache
Date: Tue, 10 Jun 2014 11:30:18 GMT
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 670
Content-Type: application/vnd.microsoft.rtc.autodiscover+xml; v=1
Expires: -1
[6/10/2014 7:30:18 AM] [DEBUG] Parsing the response for URL https://lyncdiscoverinternal.mydomain.com/[email protected]. Full response: <?xml version="1.0" encoding="utf-8"?><AutodiscoverResponse xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" AccessLocation="Internal"><Root><Link token="Domain" href="https://lync01.mydomain.com/Autodiscover/AutodiscoverService.svc/root/domain" /><Link token="User" href="https://lync01.mydomain.com/Autodiscover/AutodiscoverService.svc/root/user"
/><Link token="OAuth" href="https://lync01.mydomain.com/Autodiscover/AutodiscoverService.svc/root/oauth/user" /><Link token="Self" href="https://lync01.mydomain.com/Autodiscover/AutodiscoverService.svc/root" /></Root></AutodiscoverResponse>
[6/10/2014 7:30:18 AM] [DEBUG] Autodiscover URL https://lyncdiscoverinternal.mydomain.com/[email protected] redirected to https://lync01.mydomain.com/Autodiscover/AutodiscoverService.svc/root/user
[6/10/2014 7:30:18 AM] [DEBUG] Sending HTTP request to https://lync01.mydomain.com/Autodiscover/AutodiscoverService.svc/root/[email protected]
[6/10/2014 7:30:18 AM] [DEBUG] Cookie found in autodiscover response: StatusCode: 401, ReasonPhrase: 'Unauthorized', Version: 1.1, Content: System.Net.Http.StreamContent, Headers:
X-MS-WebTicketURL: https://lync01.mydomain.com/WebTicket/WebTicketService.svc
X-MS-WebTicketSupported: cwt,saml
X-MS-Server-Fqdn: LYNC01.mydomain.com
X-Content-Type-Options: nosniff
Date: Tue, 10 Jun 2014 11:30:18 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 1293
Content-Type: text/html
[6/10/2014 7:30:18 AM] [DEBUG] Authorization required for https://lync01.mydomain.com/Autodiscover/AutodiscoverService.svc/root/[email protected]
[6/10/2014 7:30:18 AM] [DEBUG] Obtaining WebTicket from https://lync01.mydomain.com/WebTicket/WebTicketService.svc
[6/10/2014 7:30:18 AM] [DEBUG] On-premises WebTicket server: https://lync01.mydomain.com/WebTicket/WebTicketService.svc/Auth
[6/10/2014 7:30:18 AM] [DEBUG] AcquireTicketAsync succeeded for https://lync01.mydomain.com/WebTicket/WebTicketService.svc/Auth
[6/10/2014 7:30:18 AM] [DEBUG] WebTicket: <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="SamlSecurityToken-4e51bf2a-2849-4779-a595-a5040c22ff1b" Issuer="https://lync01.mydomain.com/63b16135-930c-5e0b-998c-7ed6bc68b6f8" IssueInstant="2014-06-10T11:30:18.173Z"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"><saml:Conditions NotBefore="2014-06-10T11:30:18.173Z" NotOnOrAfter="2014-06-10T19:23:01.173Z"><saml:AudienceRestrictionCondition><saml:Audience>https://lync01.mydomain.com/</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions><saml:AuthenticationStatement
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified" AuthenticationInstant="2014-06-10T11:30:18.173Z"><saml:Subject><saml:NameIdentifier Format="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/uri">sip:[email protected]</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod><KeyInfo
xmlns="http://www.w3.org/2000/09/xmldsig#"><e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#"><e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#kw-aes256"></e:EncryptionMethod><KeyInfo><KeyName>63b16135-930c-5e0b-998c-7ed6bc68b6f8:8d152b04ce7ddbf</KeyName></KeyInfo><e:CipherData><e:CipherValue>7M3R6naVg1ifGvuQKTMS+4EjHlJrdZeQqsqobNZUhMxHE9y7klUmXw==</e:CipherValue></e:CipherData></e:EncryptedKey></KeyInfo></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement><Signature
xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod><Reference
URI="#SamlSecurityToken-4e51bf2a-2849-4779-a595-a5040c22ff1b"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform></Transforms><DigestMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod><DigestValue>otvulmCO6kY0HQdwfqQXUZT/pdmKSdVZJTU0f/MS0N8=</DigestValue></Reference></SignedInfo><SignatureValue>WUGQOtUzu6RtuSKdHHCQZWxiOFVf8HT181U6tS8IVifyyAzA046lm0SBKbFpLzwMEAXsf3ZmkHQkzK/AfS6WJ92WkAz3LLEsqSqGBGQoxe5WPXMlfA9J4+1lnT6Zsfq7fb9aLqZch2oSga3yj0CeQgsbcmppQhQO86zJ468YskVyAk4Y/oIOyThKg/+Ce8V4tFw575+zYatuSzKvUtgHq+DKJRO7T2M8r0aoCx65ZgfCxJpA+bqalDz3BesqOzMKfWTn33fwArVh8JMF1ohNkliwOegTeEEq4aH2Sg04N7ZfLrhoFlWeXuZWn1AzWppyl+FBfwlbLOVbQgP6/3NdMQ==</SignatureValue><KeyInfo><o:SecurityTokenReference
xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">/YVCIdf+YFyKopRflv61uWov2vs=</o:KeyIdentifier></o:SecurityTokenReference></KeyInfo></Signature></saml:Assertion>
[6/10/2014 7:30:18 AM] [DEBUG] Sending HTTP request to https://lync01.mydomain.com/Autodiscover/AutodiscoverService.svc/root/[email protected]
[6/10/2014 7:30:18 AM] [DEBUG] Cookie found in autodiscover response: StatusCode: 200, ReasonPhrase: 'OK', Version: 1.1, Content: System.Net.Http.StreamContent, Headers:
Pragma: no-cache
X-MS-Server-Fqdn: LYNC01.mydomain.com
X-Content-Type-Options: nosniff
Cache-Control: no-cache
Date: Tue, 10 Jun 2014 11:30:18 GMT
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 1646
Content-Type: application/vnd.microsoft.rtc.autodiscover+xml; v=1
Expires: -1
[6/10/2014 7:30:18 AM] [DEBUG] Parsing the response for URL https://lync01.mydomain.com/Autodiscover/AutodiscoverService.svc/root/[email protected]. Full response: <?xml version="1.0" encoding="utf-8"?><AutodiscoverResponse xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" AccessLocation="Internal"><User><SipServerInternalAccess fqdn="LYNC01.mydomain.com" port="5061" /><SipClientInternalAccess fqdn="LYNC01.mydomain.com" port="5061" /><SipServerExternalAccess
fqdn="AccessEdge.mydomain.com" port="5061" /><SipClientExternalAccess fqdn="AccessEdge.mydomain.com" port="443" /><Link token="Internal/Autodiscover" href="https://lync01.mydomain.com/Autodiscover/AutodiscoverService.svc/root" /><Link token="Internal/AuthBroker"
href="https://lync01.mydomain.com/Reach/sip.svc" /><Link token="Internal/WebScheduler" href="https://lync01.mydomain.com/Scheduler" /><Link token="External/Autodiscover" href="https://lync.mydomain.com/Autodiscover/AutodiscoverService.svc/root"
/><Link token="External/AuthBroker" href="https://lync.mydomain.com/Reach/sip.svc" /><Link token="External/WebScheduler" href="https://lync.mydomain.com/Scheduler" /><Link token="Internal/Mcx" href="https://lync01.mydomain.com/Mcx/McxService.svc"
/><Link token="External/Mcx" href="https://lync01.mydomain.com/Mcx/McxService.svc" /><Link token="Ucwa" href="https://lync.mydomain.com/ucwa/v0/applications" /><Link token="Internal/Ucwa" href="https://lync01.mydomain.com/ucwa/v0/applications"
/><Link token="External/Ucwa" href="https://lync.mydomain.com/ucwa/v0/applications" /><Link token="Self" href="https://lync01.mydomain.com/Autodiscover/AutodiscoverService.svc/root/user" /></User></AutodiscoverResponse>
[6/10/2014 7:30:18 AM] [INFO] Server discovery has completed for https://lyncdiscoverinternal.mydomain.com/.
[6/10/2014 7:30:18 AM] [DEBUG] Autodiscover full response for URL https://lyncdiscoverinternal.mydomain.com/ is <?xml version="1.0" encoding="utf-8"?><AutodiscoverResponse xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
AccessLocation="Internal"><User><SipServerInternalAccess fqdn="LYNC01.mydomain.com" port="5061" /><SipClientInternalAccess fqdn="LYNC01.mydomain.com" port="5061" /><SipServerExternalAccess fqdn="AccessEdge.mydomain.com" port="5061"
/><SipClientExternalAccess fqdn="AccessEdge.mydomain.com" port="443" /><Link token="Internal/Autodiscover" href="https://lync01.mydomain.com/Autodiscover/AutodiscoverService.svc/root" /><Link token="Internal/AuthBroker" href="https://lync01.mydomain.com/Reach/sip.svc"
/><Link token="Internal/WebScheduler" href="https://lync01.mydomain.com/Scheduler" /><Link token="External/Autodiscover" href="https://lync.mydomain.com/Autodiscover/AutodiscoverService.svc/root" /><Link token="External/AuthBroker" href="https://lync.mydomain.com/Reach/sip.svc"
/><Link token="External/WebScheduler" href="https://lync.mydomain.com/Scheduler" /><Link token="Internal/Mcx" href="https://lync01.mydomain.com/Mcx/McxService.svc" /><Link token="External/Mcx" href="https://lync01.mydomain.com/Mcx/McxService.svc"
/><Link token="Ucwa" href="https://lync.mydomain.com/ucwa/v0/applications" /><Link token="Internal/Ucwa" href="https://lync01.mydomain.com/ucwa/v0/applications" /><Link token="External/Ucwa" href="https://lync.mydomain.com/ucwa/v0/applications"
/><Link token="Self" href="https://lync01.mydomain.com/Autodiscover/AutodiscoverService.svc/root/user" /></User></AutodiscoverResponse>
[6/10/2014 7:30:18 AM] [DEBUG] SendRequest failed for https://lync01.mydomain.com/Autodiscover/AutodiscoverService.svc/root/[email protected]
[6/10/2014 7:30:18 AM] [INFO] Automatic discovery results for https://lyncdiscoverinternal.mydomain.com/
[6/10/2014 7:30:18 AM] [INFO] Access Location : Internal
[6/10/2014 7:30:18 AM] [INFO] SIP Server Internal Access : LYNC01.mydomain.com
[6/10/2014 7:30:18 AM] [INFO] SIP Server External Access : AccessEdge.mydomain.com
[6/10/2014 7:30:18 AM] [INFO] SIP Client Internal Access : LYNC01.mydomain.com
[6/10/2014 7:30:18 AM] [INFO] SIP Client External Access : AccessEdge.mydomain.com
[6/10/2014 7:30:18 AM] [INFO] Internal Auth broker service : https://lync01.mydomain.com/Reach/sip.svc
[6/10/2014 7:30:18 AM] [INFO] External Auth broker service : https://lync.mydomain.com/Reach/sip.svc
[6/10/2014 7:30:18 AM] [INFO] Internal Auto discover service : https://lync01.mydomain.com/Autodiscover/AutodiscoverService.svc/root
[6/10/2014 7:30:18 AM] [INFO] External Auto discover service : https://lync.mydomain.com/Autodiscover/AutodiscoverService.svc/root
[6/10/2014 7:30:18 AM] [INFO] Internal MCX service : https://lync01.mydomain.com/Mcx/McxService.svc
[6/10/2014 7:30:18 AM] [INFO] External MCX service : https://lync01.mydomain.com/Mcx/McxService.svc
[6/10/2014 7:30:18 AM] [INFO] Internal UCWA service : https://lync01.mydomain.com/ucwa/v0/applications
[6/10/2014 7:30:18 AM] [INFO] External UCWA service : https://lync.mydomain.com/ucwa/v0/applications
[6/10/2014 7:30:18 AM] [INFO] Internal Webscheduler service : https://lync01.mydomain.com/Scheduler
[6/10/2014 7:30:18 AM] [INFO] External Webscheduler service : https://lync.mydomain.com/Scheduler
[6/10/2014 7:30:18 AM] [INFO] Total server discovery time: 0.1 seconds
[6/10/2014 7:30:18 AM] [SUMMARY_SUCCESS] Server discovery succeeded for secure (HTTPS) internal channel against URL https://lyncdiscoverinternal.mydomain.com/
[6/10/2014 7:30:18 AM] [SUBHEADING] Starting automatic discovery for unsecure (HTTP) internal channel
[6/10/2014 7:30:18 AM] [DEBUG] Sending HTTP request to http://lyncdiscoverinternal.mydomain.com/[email protected]
[6/10/2014 7:30:18 AM] [DEBUG] Cookie found in autodiscover response: StatusCode: 200, ReasonPhrase: 'OK', Version: 1.1, Content: System.Net.Http.StreamContent, Headers:
Pragma: no-cache
X-MS-Server-Fqdn: LYNC01.mydomain.com
X-Content-Type-Options: nosniff
Cache-Control: no-cache
Date: Tue, 10 Jun 2014 11:30:18 GMT
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 670
Content-Type: application/vnd.microsoft.rtc.autodiscover+xml; v=1
Expires: -1
[6/10/2014 7:30:18 AM] [DEBUG] Parsing the response for URL http://lyncdiscoverinternal.mydomain.com/[email protected]. Full response: <?xml version="1.0" encoding="utf-8"?><AutodiscoverResponse xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" AccessLocation="Internal"><Root><Link token="Domain" href="https://lync01.mydomain.com/Autodiscover/AutodiscoverService.svc/root/domain" /><Link token="User" href="https://lync01.mydomain.com/Autodiscover/AutodiscoverService.svc/root/user"
/><Link token="OAuth" href="https://lync01.mydomain.com/Autodiscover/AutodiscoverService.svc/root/oauth/user" /><Link token="Self" href="https://lync01.mydomain.com/Autodiscover/AutodiscoverService.svc/root" /></Root></AutodiscoverResponse>
[6/10/2014 7:30:18 AM] [DEBUG] Autodiscover URL http://lyncdiscoverinternal.mydomain.com/[email protected] redirected to https://lync01.mydomain.com/Autodiscover/AutodiscoverService.svc/root/user
[6/10/2014 7:30:18 AM] [DEBUG] Sending HTTP request to https://lync01.mydomain.com/Autodiscover/AutodiscoverService.svc/root/[email protected]
[6/10/2014 7:30:18 AM] [DEBUG] Cookie found in autodiscover response: StatusCode: 401, ReasonPhrase: 'Unauthorized', Version: 1.1, Content: System.Net.Http.StreamContent, Headers:
X-MS-WebTicketURL: https://lync01.mydomain.com/WebTicket/WebTicketService.svc
X-MS-WebTicketSupported: cwt,saml
X-MS-Server-Fqdn: LYNC01.mydomain.com
X-Content-Type-Options: nosniff
Date: Tue, 10 Jun 2014 11:30:18 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 1293
Content-Type: text/html
[6/10/2014 7:30:18 AM] [DEBUG] Authorization required for https://lync01.mydomain.com/Autodiscover/AutodiscoverService.svc/root/[email protected]
[6/10/2014 7:30:18 AM] [DEBUG] Obtaining WebTicket from https://lync01.mydomain.com/WebTicket/WebTicketService.svc
[6/10/2014 7:30:18 AM] [DEBUG] On-premises WebTicket server: https://lync01.mydomain.com/WebTicket/WebTicketService.svc/Auth
[6/10/2014 7:30:18 AM] [DEBUG] AcquireTicketAsync succeeded for https://lync01.mydomain.com/WebTicket/WebTicketService.svc/Auth
[6/10/2014 7:30:18 AM] [DEBUG] WebTicket: <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="SamlSecurityToken-1b6331e1-4be5-4749-869a-21feb4b7198a" Issuer="https://lync01.mydomain.com/63b16135-930c-5e0b-998c-7ed6bc68b6f8" IssueInstant="2014-06-10T11:30:18.238Z"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"><saml:Conditions NotBefore="2014-06-10T11:30:18.238Z" NotOnOrAfter="2014-06-10T19:20:24.238Z"><saml:AudienceRestrictionCondition><saml:Audience>https://lync01.mydomain.com/</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions><saml:AuthenticationStatement
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified" AuthenticationInstant="2014-06-10T11:30:18.238Z"><saml:Subject><saml:NameIdentifier Format="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/uri">sip:[email protected]</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod><KeyInfo
xmlns="http://www.w3.org/2000/09/xmldsig#"><e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#"><e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#kw-aes256"></e:EncryptionMethod><KeyInfo><KeyName>63b16135-930c-5e0b-998c-7ed6bc68b6f8:8d152b04ce7ddbf</KeyName></KeyInfo><e:CipherData><e:CipherValue>NrQOUA0JAXMmR/4ACrZ8LyVN79jUZbR6Fz+sGlbAdWXgQF/u24DLlw==</e:CipherValue></e:CipherData></e:EncryptedKey></KeyInfo></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement><Signature
xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod><Reference
URI="#SamlSecurityToken-1b6331e1-4be5-4749-869a-21feb4b7198a"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform></Transforms><DigestMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod><DigestValue>WnZZN/Vbfrget92urYd1+HmyXX/vYQ6CjHN4lLEXxK0=</DigestValue></Reference></SignedInfo><SignatureValue>BiFjeIuG7TW/DqIdklMNdaqRJLgbenphBcb51HGGH4WCdThgj2Oizkvfa6NRAwsE74qmyVLcfJIO2TK+if1yelHzUEde8ZvLwcruIFYWecK3OXDSDiGpYa3WdPwNUZrSRySSiCyb+fyYgz8BvZq3JjQRulOXnFhz4X3wXzoS6xMovmmVsOrdVTMjvT7l7ydEo1ucnEl5zjEnKih7WjCoElYENwEeG2HGf4Xqi43piaWXa9k7GY9k1idyrfJ7too+u7O7fhnhJ9OR0GR1KydbAPdSi5hmpZcziLn6xKCVW64w2bGCsT4N2vr+f5AhknSmjDa+9Wnyiar2uuLk+7eLmQ==</SignatureValue><KeyInfo><o:SecurityTokenReference
xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">/YVCIdf+YFyKopRflv61uWov2vs=</o:KeyIdentifier></o:SecurityTokenReference></KeyInfo></Signature></saml:Assertion>
[6/10/2014 7:30:18 AM] [DEBUG] Sending HTTP request to https://lync01.mydomain.com/Autodiscover/AutodiscoverService.svc/root/[email protected]
[6/10/2014 7:30:18 AM] [DEBUG] Cookie found in autodiscover response: StatusCode: 200, ReasonPhrase: 'OK', Version: 1.1, Content: System.Net.Http.StreamContent, Headers:
Pragma: no-cache
X-MS-Server-Fqdn: LYNC01.mydomain.com
X-Content-Type-Options: nosniff
Cache-Control: no-cache
Date: Tue, 10 Jun 2014 11:30:18 GMT
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 1646
Content-Type: application/vnd.microsoft.rtc.autodiscover+xml; v=1
Expires: -1
[6/10/2014 7:30:18 AM] [DEBUG] Parsing the response for URL https://lync01.mydomain.com/Autodiscover/AutodiscoverService.svc/root/[email protected]. Full response: <?xml version="1.0" encoding="utf-8"?><AutodiscoverResponse xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" AccessLocation="Internal"><User><SipServerInternalAccess fqdn="LYNC01.mydomain.com" port="5061" /><SipClientInternalAccess fqdn="LYNC01.mydomain.com" port="5061" /><SipServerExternalAccess
fqdn="AccessEdge.mydomain.com" port="5061" /><SipClientExternalAccess fqdn="AccessEdge.mydomain.com" port="443" /><Link token="Internal/Autodiscover" href="https://lync01.mydomain.com/Autodiscover/AutodiscoverService.svc/root" /><Link token="Internal/AuthBroker"
href="https://lync01.mydomain.com/Reach/sip.svc" /><Link token="Internal/WebScheduler" href="https://lync01.mydomain.com/Scheduler" /><Link token="External/Autodiscover" href="https://lync.mydomain.com/Autodiscover/AutodiscoverService.svc/root"
/><Link token="External/AuthBroker" href="https://lync.mydomain.com/Reach/sip.svc" /><Link token="External/WebScheduler" href="https://lync.mydomain.com/Scheduler" /><Link token="Internal/Mcx" href="https://lync01.mydomain.com/Mcx/McxService.svc"
/><Link token="External/Mcx" href="https://lync01.mydomain.com/Mcx/McxService.svc" /><Link token="Ucwa" href="https://lync.mydomain.com/ucwa/v0/applications" /><Link token="Internal/Ucwa" href="https://lync01.mydomain.com/ucwa/v0/applications"
/><Link token="External/Ucwa" href="https://lync.mydomain.com/ucwa/v0/applications" /><Link token="Self" href="https://lync01.mydomain.com/Autodiscover/AutodiscoverService.svc/root/user" /></User></AutodiscoverResponse>
[6/10/2014 7:30:18 AM] [INFO] Server discovery has completed for http://lyncdiscoverinternal.mydomain.com/.
[6/10/2014 7:30:18 AM] [DEBUG] Autodiscover full response for URL http://lyncdiscoverinternal.mydomain.com/ is <?xml version="1.0" encoding="utf-8"?><AutodiscoverResponse xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
AccessLocation="Internal"><User><SipServerInternalAccess fqdn="LYNC01.mydomain.com" port="5061" /><SipClientInternalAccess fqdn="LYNC01.mydomain.com" port="5061" /><SipServerExternalAccess fqdn="AccessEdge.mydomain.com" port="5061"
/><SipClientExternalAccess fqdn="AccessEdge.mydomain.com" port="443" /><Link token="Internal/Autodiscover" href="https://lync01.mydomain.com/Autodiscover/AutodiscoverService.svc/root" /><Link token="Internal/AuthBroker" href="https://lync01.mydomain.com/Reach/sip.svc"
/><Link token="Internal/WebScheduler" href="https://lync01.mydomain.com/Scheduler" /><Link token="External/Autodiscover" href="https://lync.mydomain.com/Autodiscover/AutodiscoverService.svc/root" /><Link token="External/AuthBroker" href="https://lync.mydomain.com/Reach/sip.svc"
/><Link token="External/WebScheduler" href="https://lync.mydomain.com/Scheduler" /><Link token="Internal/Mcx" href="https://lync01.mydomain.com/Mcx/McxService.svc" /><Link token="External/Mcx" href="https://lync01.mydomain.com/Mcx/McxService.svc"
/><Link token="Ucwa" href="https://lync.mydomain.com/ucwa/v0/applications" /><Link token="Internal/Ucwa" href="https://lync01.mydomain.com/ucwa/v0/applications" /><Link token="External/Ucwa" href="https://lync.mydomain.com/ucwa/v0/applications"
/><Link token="Self" href="https://lync01.mydomain.com/Autodiscover/AutodiscoverService.svc/root/user" /></User></AutodiscoverResponse>
[6/10/2014 7:30:18 AM] [DEBUG] SendRequest failed for https://lync01.mydomain.com/Autodiscover/AutodiscoverService.svc/root/[email protected]
[6/10/2014 7:30:18 AM] [INFO] Automatic discovery results for http://lyncdiscoverinternal.mydomain.com/
[6/10/2014 7:30:18 AM] [INFO] Access Location : Internal
[6/10/2014 7:30:18 AM] [INFO] SIP Server Internal Access : LYNC01.mydomain.com
[6/10/2014 7:30:18 AM] [INFO] SIP Server External Access : AccessEdge.mydomain.com
[6/10/2014 7:30:18 AM] [INFO] SIP Client Internal Access : LYNC01.mydomain.com
[6/10/2014 7:30:18 AM] [INFO] SIP Client External Access : AccessEdge.mydomain.com
[6/10/2014 7:30:18 AM] [INFO] Internal Auth broker service : https://lync01.mydomain.com/Reach/sip.svc
[6/10/2014 7:30:18 AM] [INFO] External Auth broker service : https://lync.mydomain.com/Reach/sip.svc
[6/10/2014 7:30:18 AM] [INFO] Internal Auto discover service : https://lync01.mydomain.com/Autodiscover/AutodiscoverService.svc/root
[6/10/2014 7:30:18 AM] [INFO] External Auto discover service : https://lync.mydomain.com/Autodiscover/AutodiscoverService.svc/root
[6/10/2014 7:30:18 AM] [INFO] Internal MCX service : https://lync01.mydomain.com/Mcx/McxService.svc
[6/10/2014 7:30:18 AM] [INFO] External MCX service : https://lync01.mydomain.com/Mcx/McxService.svc
[6/10/2014 7:30:18 AM] [INFO] Internal UCWA service : https://lync01.mydomain.com/ucwa/v0/applications
[6/10/2014 7:30:18 AM] [INFO] External UCWA service : https://lync.mydomain.com/ucwa/v0/applications
[6/10/2014 7:30:18 AM] [INFO] Internal Webscheduler service : https://lync01.mydomain.com/Scheduler
[6/10/2014 7:30:18 AM] [INFO] External Webscheduler service : https://lync.mydomain.com/Scheduler
[6/10/2014 7:30:18 AM] [INFO] Total server discovery time: 0.1 seconds
[6/10/2014 7:30:18 AM] [SUMMARY_SUCCESS] Server discovery succeeded for unsecure (HTTP) internal channel against URL http://lyncdiscoverinternal.mydomain.com/
[6/10/2014 7:30:18 AM] [SUBHEADING] Starting automatic discovery for secure (HTTPS) external channel
[6/10/2014 7:30:18 AM] [DEBUG] Sending HTTP request to https://lyncdiscover.mydomain.com/[email protected]
[6/10/2014 7:30:39 AM] [DEBUG] Exception encountered while sending an HTTP request to https://lyncdiscover.mydomain.com/[email protected]: An error occurred while sending the request.. Complete Exception: \r\nSystem.Net.Http.HttpRequestException:
An error occurred while sending the request. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period
of time, or established connection failed because connected host has failed to respond 205.XXX.XXX.94:443
at System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult)
at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<SendHttpRequest>d__9.MoveNext()
[6/10/2014 7:30:39 AM] [ERROR] An error occurred while sending the request.
Unable to connect to the remote server
A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 205.XXX.XXX.94:443
[6/10/2014 7:30:39 AM] [INFO] For troubleshooting, try using a browser to open the server discovery URL https://lyncdiscover.mydomain.com/[email protected]
[6/10/2014 7:30:39 AM] [DEBUG] System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed
because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 205.XXX.XXX.94:443
at System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult)
at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<SendHttpRequest>d__9.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<SendRequest>d__d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<TryNextUrl>d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<StartDiscoveryJourney>d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at LyncConnectivityAnalyzerCore.Utilities.<RetrieveUserLocation>d__3e.MoveNext()
[6/10/2014 7:30:39 AM] [SUMMARY_ERROR] Server discovery failed for secured external channel against https://lyncdiscover.mydomain.com/
[6/10/2014 7:30:39 AM] [SUBHEADING] Starting automatic discovery for unsecure (HTTP) external channel
[6/10/2014 7:30:39 AM] [DEBUG] Sending HTTP request to http://lyncdiscover.mydomain.com/[email protected]
[6/10/2014 7:31:00 AM] [DEBUG] Exception encountered while sending an HTTP request to http://lyncdiscover.mydomain.com/[email protected]: An error occurred while sending the request.. Complete Exception: \r\nSystem.Net.Http.HttpRequestException:
An error occurred while sending the request. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period
of time, or established connection failed because connected host has failed to respond 205.XXX.XXX.94:80
at System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult)
at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<SendHttpRequest>d__9.MoveNext()
[6/10/2014 7:31:00 AM] [ERROR] An error occurred while sending the request.
Unable to connect to the remote server
A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 205.XXX.XXX.94:80
[6/10/2014 7:31:00 AM] [INFO] For troubleshooting, try using a browser to open the server discovery URL http://lyncdiscover.mydomain.com/[email protected]
[6/10/2014 7:31:00 AM] [DEBUG] System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed
because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 205.XXX.XXX.94:80
at System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult)
at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
--- End of inner exception stack trace ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<SendHttpRequest>d__9.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<SendRequest>d__d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<TryNextUrl>d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<StartDiscoveryJourney>d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at LyncConnectivityAnalyzerCore.Utilities.<RetrieveUserLocation>d__3e.MoveNext()
[6/10/2014 7:31:00 AM] [SUMMARY_ERROR] Server discovery failed for unsecured external channel against http://lyncdiscover.mydomain.com/
[6/10/2014 7:31:00 AM] [DEBUG] None, AutoExternalSecureD, AutoExternalUnsecureD, ManualDNSFail, ManualSecureD, ManualUnsecureD, AuthBrokerInternalLMXCheckGET, AuthBrokerInternalLMXCheckPOST, AuthBrokerExternalLMXCheckGET, AuthBrokerExternalLMXCheckPOST, MobilityMCXInternalLMXCheckGET,
MobilityMCXInternalLMXCheckPOST, MobilityMCXExternalLMXCheckGET, MobilityMCXExternalLMXCheckPOST, LMXSIPServerInternalDNS, LMXSIPServerExternalDNS, MobilityUCWAInternalCheckPOST, MobilityUCWAExternalCheckPOST
[6/10/2014 7:31:00 AM] [SUMMARY]
[6/10/2014 7:31:00 AM] [SUMMARY_ERROR] Automatic discovery meant for external network access failed. Please verify the server requirements at http://go.microsoft.com/fwlink/?LinkId=278998 .
[6/10/2014 7:31:00 AM] [SUMMARY] Automatic discovery meant for internal network access succeeded from an external network which could be a potential security concern.
[6/10/2014 7:31:00 AM] [MAINHEADING] Starting the requirement tests for Lync Mobile 2010 App
[6/10/2014 7:31:00 AM] [INFO] Please wait; this test may take several minutes to complete...
[6/10/2014 7:31:00 AM] [INFO] Testing the app requirements using the following discovery response:
[6/10/2014 7:31:00 AM] [INFO] Access Location : Internal
[6/10/2014 7:31:00 AM] [INFO] SIP Server Internal Access : LYNC01.mydomain.com
[6/10/2014 7:31:00 AM] [INFO] SIP Server External Access : AccessEdge.mydomain.com
[6/10/2014 7:31:00 AM] [INFO] SIP Client Internal Access : LYNC01.mydomain.com
[6/10/2014 7:31:00 AM] [INFO] SIP Client External Access : AccessEdge.mydomain.com
[6/10/2014 7:31:00 AM] [INFO] Internal Auth broker service : https://lync01.mydomain.com/Reach/sip.svc
[6/10/2014 7:31:00 AM] [INFO] External Auth broker service : https://lync.mydomain.com/Reach/sip.svc
[6/10/2014 7:31:00 AM] [INFO] Internal Auto discover service : https://lync01.mydomain.com/Autodiscover/AutodiscoverService.svc/root
[6/10/2014 7:31:00 AM] [INFO] External Auto discover service : https://lync.mydomain.com/Autodiscover/AutodiscoverService.svc/root
[6/10/2014 7:31:00 AM] [INFO] Internal MCX service : https://lync01.mydomain.com/Mcx/McxService.svc
[6/10/2014 7:31:00 AM] [INFO] External MCX service : https://lync01.mydomain.com/Mcx/McxService.svc
[6/10/2014 7:31:00 AM] [INFO] Internal UCWA service : https://lync01.mydomain.com/ucwa/v0/applications
[6/10/2014 7:31:00 AM] [INFO] External UCWA service : https://lync.mydomain.com/ucwa/v0/applications
[6/10/2014 7:31:00 AM] [INFO] Internal Webscheduler service : https://lync01.mydomain.com/Scheduler
[6/10/2014 7:31:00 AM] [INFO] External Webscheduler service : https://lync.mydomain.com/Scheduler
[6/10/2014 7:31:00 AM] [SUBHEADING] Starting tests for Mobility (MCX) service
[6/10/2014 7:31:00 AM] [INFO] Verifying internal Mobility (MCX) service: https://lync01.mydomain.com/Mcx/McxService.svc
[6/10/2014 7:31:00 AM] [INFO] Successfully obtained the WS-Metadata Exchange (MEX) document using GET. The service did not require authorization.
[6/10/2014 7:31:00 AM] [INFO] Verifying external Mobility (MCX) service: https://lync01.mydomain.com/Mcx/McxService.svc
[6/10/2014 7:31:00 AM] [INFO] Successfully obtained the WS-Metadata Exchange (MEX) document using GET. The service did not require authorization.
[6/10/2014 7:31:00 AM] [INFO] Verifying internal Mobility (MCX) service: https://lync01.mydomain.com/Mcx/McxService.svc
[6/10/2014 7:31:00 AM] [WARNING] Failed to obtain the WS-Metadata Exchange (MEX) document using POST for https://lync01.mydomain.com/Mcx/McxService.svc/mex. The service did not require authorization.
[6/10/2014 7:31:00 AM] [INFO] Verifying external Mobility (MCX) service: https://lync01.mydomain.com/Mcx/McxService.svc
[6/10/2014 7:31:00 AM] [WARNING] Failed to obtain the WS-Metadata Exchange (MEX) document using POST for https://lync01.mydomain.com/Mcx/McxService.svc/mex. The service did not require authorization.
[6/10/2014 7:31:00 AM] [SUMMARY] Completed tests for Mobility (MCX) service
[6/10/2014 7:31:00 AM] [DEBUG] None, AutoExternalSecureD, AutoExternalUnsecureD, ManualDNSFail, ManualSecureD, ManualUnsecureD, AuthBrokerInternalLMXCheckGET, AuthBrokerInternalLMXCheckPOST, AuthBrokerExternalLMXCheckGET, AuthBrokerExternalLMXCheckPOST, MobilityMCXInternalLMXCheckPOST,
MobilityMCXExternalLMXCheckPOST, LMXSIPServerInternalDNS, LMXSIPServerExternalDNS, MobilityUCWAInternalCheckPOST, MobilityUCWAExternalCheckPOST
[6/10/2014 7:31:00 AM] [SUMMARY]
[6/10/2014 7:31:00 AM] [SUMMARY_SUCCESS]
Your deployment meets the minimum requirements for Lync Mobile 2010 App. -
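Two lines in the analyzer output above deserve more than a glance: the [SUMMARY] stating that discovery meant for internal access succeeded from an external network, and, among the [INFO] discovery results, an External MCX service URL whose host is the internal front end FQDN (lync01.mydomain.com) while every other External entry uses lync.mydomain.com. The Python below is an added example, not part of the original post and not code from the Microsoft Lync Connectivity Analyzer, that triages such a log offline: it parses the timestamped "[LEVEL]" lines (skipping unprefixed stack trace frames), collects the Internal/External service URLs, and reports internal discovery reachable from outside, discovery succeeding over plaintext HTTP, external discovery failures, and External service URLs whose host equals the Internal one or ends in .local. The finding codes are invented for the example and SAMPLE_LOG is a constructed, abridged transcript in the analyzer's format.

```python
"""Offline triage of a Lync Connectivity Analyzer log (added example).
Finding codes are invented here; SAMPLE_LOG is a constructed, abridged transcript."""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# "[6/10/2014 7:30:18 AM] [INFO] message" -- the msg part may be absent (bare "[SUMMARY]" lines)
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>[A-Z_]+)\](?: (?P<msg>.*))?$")
# "Internal MCX service : https://..." / "External MCX service : https://..."
SERVICE_RE = re.compile(r"^(?P<side>Internal|External) (?P<name>.+?) service : (?P<url>\S+)$")

# Constructed sample in the analyzer's line format (abridged from a real run's shape).
SAMPLE_LOG = """\
[6/10/2014 7:30:18 AM] [INFO] Access Location : Internal
[6/10/2014 7:30:18 AM] [INFO] SIP Server External Access : AccessEdge.mydomain.com
[6/10/2014 7:30:18 AM] [INFO] Internal MCX service : https://lync01.mydomain.com/Mcx/McxService.svc
[6/10/2014 7:30:18 AM] [INFO] External MCX service : https://lync01.mydomain.com/Mcx/McxService.svc
[6/10/2014 7:30:18 AM] [INFO] Internal UCWA service : https://lync01.mydomain.com/ucwa/v0/applications
[6/10/2014 7:30:18 AM] [INFO] External UCWA service : https://lync.mydomain.com/ucwa/v0/applications
[6/10/2014 7:30:18 AM] [SUMMARY_SUCCESS] Server discovery succeeded for unsecure (HTTP) internal channel against URL http://lyncdiscoverinternal.mydomain.com/
[6/10/2014 7:30:39 AM] [ERROR] An error occurred while sending the request.
   at System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult)
[6/10/2014 7:30:39 AM] [SUMMARY_ERROR] Server discovery failed for secured external channel against https://lyncdiscover.mydomain.com/
[6/10/2014 7:31:00 AM] [SUMMARY_ERROR] Server discovery failed for unsecured external channel against http://lyncdiscover.mydomain.com/
[6/10/2014 7:31:00 AM] [SUMMARY]
[6/10/2014 7:31:00 AM] [SUMMARY] Automatic discovery meant for internal network access succeeded from an external network which could be a potential security concern.
"""


def parse(text: str) -> List[Tuple[str, str]]:
    """Return (level, message) for every prefixed line; continuation lines
    such as stack trace frames carry no '[ts] [LEVEL]' prefix and are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("level"), m.group("msg") or ""))
    return entries


def service_urls(entries: List[Tuple[str, str]]) -> Dict[Tuple[str, str], str]:
    """Map (side, service name) -> URL from the INFO discovery-result lines."""
    urls: Dict[Tuple[str, str], str] = {}
    for level, msg in entries:
        if level == "INFO":
            m = SERVICE_RE.match(msg)
            if m:
                urls[(m.group("side"), m.group("name"))] = m.group("url")
    return urls


def triage(text: str) -> List[Tuple[str, str]]:
    """Produce (code, detail) findings from one analyzer log."""
    entries = parse(text)
    findings: List[Tuple[str, str]] = []
    for level, msg in entries:
        if level == "SUMMARY" and "succeeded from an external network" in msg:
            findings.append(("INTERNAL_DISCOVERY_REACHABLE_EXTERNALLY", msg))
        elif level == "SUMMARY_SUCCESS" and "unsecure (HTTP)" in msg:
            findings.append(("DISCOVERY_OVER_PLAINTEXT_HTTP", msg))
        elif level == "SUMMARY_ERROR" and "external channel" in msg:
            findings.append(("EXTERNAL_DISCOVERY_FAILED", msg))
    # An External URL that names the internal host is unreachable for clients outside
    # and hints the external web services FQDN was not applied to that service.
    urls = service_urls(entries)
    for (side, name), url in urls.items():
        if side != "External":
            continue
        ext_host = (urlparse(url).hostname or "").lower()
        int_url = urls.get(("Internal", name))
        int_host = (urlparse(int_url).hostname or "").lower() if int_url else ""
        if ext_host.endswith(".local") or (int_host and ext_host == int_host):
            findings.append(("EXTERNAL_URL_POINTS_AT_INTERNAL_HOST", f"{name}: {url}"))
    return findings


if __name__ == "__main__":
    for code, detail in triage(SAMPLE_LOG):
        print(f"{code:40} {detail}")
```

Run it against a saved analyzer log instead of SAMPLE_LOG to get the same four classes of finding; the security-concern line is emitted by the tool itself, the mismatched External URL is something the tool prints but does not flag.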
Publish Lync Externally without Reverse Proxy
Hello All,
Well, let me start out by saying I'm well aware that publishing Lync externally without a reverse proxy is not suggested due to security measures. To get to the point, I have the following questions regarding setting this up. As of right now I have Lync fully working internally only.
Here is my current setup:
1 standard front end server with one NIC that has two IP addresses assigned to it and is signed with our internal CA.
I also have an edge server that has two interfaces. One interface is facing external with three public IP addresses, with the AV one set as the primary. This interface has a public UC cert applied to it. The other interface is using a private IP address that has a cert from our internal CA.
My questions are as follows:
1. I currently have a GoDaddy UCC cert that allows me to have 5 SANs. I'm trying to maximize this cert but am unsure of how to configure the SANs. Which SANs should be on the certificate so that I can use it for the edge server (av.domain.com/webconf.domain.com/access.domain.com) and the Lync front end external cert (lync.domain.com and meet.domain.com)? I also have a wildcard cert from GoDaddy for *.domain.com; however, I cannot attach SANs to it. I was wondering if this could be used for meet.domain.com or autodiscover.domain.com?
2. Regarding external DNS entries, so far I have the following:
webconf.domain.com -> to the IP for webconf on the edge server public interface
av.domain.com -> to the IP for AV on the edge server public interface
access.domain.com -> to the IP for access on the edge server public interface
lync.domain.com -> to the IP configured for external access on the Lync front end server (I have configured IIS on this site to listen on ports 80 and 443, as stated in Ken Lasko's blog post)
meet.domain.com -> to the IP configured for external access on the Lync front end server
Now my question is: do I need to add autodiscover.domain.com and, if so, where do I point this entry? Also, how can I configure this setup to work with Lync mobile devices?
As for the reverse proxy, if going that route:
External DNS
lyncdiscover.domain.edu - Point to Reverse Proxy Public IP
lync.domain.edu (this is used as our external web services URL) - Point to Reverse Proxy Public IP
meeting.domain.edu (/meet and /dialin for the simple URLs) - Point to Reverse Proxy Public IP
sip.domain.edu (this is currently pointing to our external edge server access IP) - Correct
av.domain.edu (this is currently pointing to our external edge server AV IP) - Correct
webcon.domain.edu (this is currently pointing to our external edge server webconf IP) - Correct
Internal DNS
You should set up split DNS or pinpoint zones, as meet/lyncdiscover/sip/dialin records should be created for domain.edu: http://technet.microsoft.com/en-us/library/gg398758.aspx
Lyncdiscover.domain.edu - Not required internally, but should point to the private IP (external interface) of the reverse proxy to direct 443 to 4443.
lync.domain.edu - Point to the private IP (external interface) of the reverse proxy to direct 443 to 4443
Lyncdiscoverinternal.edu - pointed to front end server ip
meeting.domain.edu - pointed to front end server ip
lgcclync2013.domain.cc (this is our FE server) - pointed to our front ender server ip - correct
Cisco ASAs don't allow hairpinning on the firewall; this is why the internal DNS needs to have lync.domain.edu pointing to an internal IP that can redirect 443 to 4443 (the reverse proxy) instead of pointing to the public IP of the reverse proxy: http://technet.microsoft.com/en-us/library/hh690030.aspx
Hi Michael,
Thank you for all your help. I've set up and configured both the external DNS and the IIS ARR, but now I'm running into an error when I try to connect to any of the following sites: https://lyncdiscover.domain.edu, https://meeting.domain.com, https://lync.domain.edu. I get an Internal 500 error. When I check the Microsoft Remote Connectivity Analyzer under
Lync Autodiscover Web Service Remote Connectivity Test, I get the following error:
Testing HTTP authentication methods for URL https://lyncdiscover.domain.edu/Autodiscover/AutodiscoverService.svc/root/user.
HTTP authentication test failed.
Additional Details
An HTTP 500 response was returned from IIS7.
Headers received:
Content-Length: 1208
Content-Type: text/html
Date: Wed, 01 Jan 2014 14:56:12 GMT
Server: Microsoft-IIS/8.0
Elapsed Time: 286 ms.
I created 3 server farms on the IIS ARR server:
Lync.domain.edu which is being directed to lgcclync2013.domain.cc ports 8080 and 4443
LyncDiscover.domain.edu which is being directed to lgcclync2013.domain.cc ports 8080 and 4443
meeting.domain.edu which is being directed to lgcclync2013.domain.cc ports 8080 and 4443
When I ping lgcclync2013.domain.cc from the IIS server it resolves correctly to the right IP address. -
Auto Discover Mobile Client Connectivity issue.
I am currently working on getting mobility working for our Lync environment. I have followed online articles for setting up the mobility service, and while I have not got a true reverse proxy in place yet, I have a question regarding autodiscover.
When I go to https://lyncdiscover.ourdomain.com/autodiscover/autodiscoverservice.aspx/root/sipuri=[email protected]
I get the following results
{"AccessLocation":"External","Root":{"Links":[{"href":"https:\/\/lyncfe-v01.ourdomain.local\/Autodiscover\/AutodiscoverService.svc\/root\/domain","token":"Domain"},{"href":"https:\/\/lyncfe-v01.ourdomain.local\/Autodiscover\/AutodiscoverService.svc\/root\/user","token":"User"}]}}
The problem is that this is our local internal URL, not the external URL. I believe the setting comes from the Topology Builder under the Standard Front End Server for External web services FQDN, as that is what is set there. My question is: should that be changed to the FQDN of the edge server or the FQDN of the reverse proxy server? Also, should that be the public ourdomain.com or remain the internal ourdomain.local?
I hope this makes sense. I am just taking this piece by piece, as I was hoping to get my Android phone working internally on Wi-Fi at the very least.
Also, for testing purposes I just pointed our firewall and set up NAT from 80 -> 8080 and 443 -> 4443 to test that the external website was working, and it is; that is how I was able to get the autodiscover information. I know this is not secure or ideal; I am simply taking this one step at a time to ensure I get this working properly.
Thank you for everyone's help.
KK
OK, update on my progress.
we updated our UCC certificate that we bought for our edge server. That certificate had the following in it
sip.ourdomain.com
webconf.ourdomain.com
we added
dialin.ourdomain.com
meet.ourdomain.com
lyncdiscover.ourdomain.com
I left the External Web Services FQDN as lyncdiscover.ourdomain.com
I then put that cert on the Reverse Proxy server. I then tested using testconnectivity.microsoft.com and the autodiscover test and everything passed. This is the good news.
Now the bad.
When I run the connectivity test, if I manually select the server, put in sip.ourdomain.com and choose port 5061, the test passes; but if I choose port 443 (which apparently the mobile clients use, as I do not see a spot to change that) it fails, stating that
The SSL certificate failed one or more certificate validation checks.
The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
Elapsed Time: 192 ms.
I checked the External Cert on the edge server and sip.ourdomain.com and webconf.ourdomain.com are listed.
The Edge Pool has been configured to have SIP Access, Web Conf service and A/V service all point to sip.ourdomain.com using ports 5061, 444, 443
Can someone point to me what I have setup incorrectly?
This seems like I am very close to actually having this working. Almost like I can see the light.
Thank you,
KK -
Configuring Lync 2010 Mobility with Front end and Edge Server
I have been racking my brain the past week trying to figure out how to get the lync edge server working properly and how to get the mobility service working properly.
Currently I have 1 front end server that is configured and working. I have one edge server that has been configured according to nearly every online guide I could find, along with a public cert.
If I use microsoft's online connectivity test and I run the test for
Lync Server Remote Connectivity Test, everything passes. I am also able to connect to Lync using a Windows Lync client from outside of the internal network; however, I have to specify the server name as sip.ourdomain.com. I cannot get connected using autodiscover.
When I run the Lync Autodiscover Web Service Remote Connectivity Test it fails due to an SSL error to lyncdiscover.ourdomain.com, which then led me down the path that I needed to install the Mobility service, but it also tells me that I may need to update our SSL cert as well.
This is where I am getting confused and would like to be pointed in the correct direction.
When I installed the mobility service on the front end server it created the autodiscover section in IIS. If I am inside our network I can browse to it without any issue. Where I am confused at this point is how to either set up DNS or configure the edge server to use autodiscover.
Do I need to set up an additional public IP and point lyncdiscover.ourdomain.com to the IP of our front end server or to our edge server? If I have to point this to our front end server, then that would mean that I use one public IP that goes to 443, 444 and 5061 for our edge server, and then I would need one public IP that goes to ports 443 and 80 that get redirected to ports 4443 and 8080 on our front end server? If that is the case, then do I have to get an external cert for the front end server that contains lyncdiscover, or can clients connect if it is just using the self-signed cert from the domain?
This is where I am getting confused, and hopefully some nice folks out there can clarify this for me so I can get this resolved.
Thank you
KK
You need an additional public IP to point to a reverse proxy, which will listen on port 443 and proxy requests to your front end server on port 4443 (notice the extra 4). You can use IIS ARR, Web Application Proxy, or whatever else you may have for this purpose, but you need to ensure you redirect port 443 to port 4443. This reverse proxy cannot be collocated on your front end server or edge; you'll need a separate box or appliance.
Beyond Lyncdiscover, you'll want to do this for your external web services FQDN as defined in the Topology Builder and your meet and dialin URLs too. You'll want a third-party cert for all of this (though it doesn't need to be installed on the front end, just the reverse proxy) so that you don't need to install any internally signed root certs on anyone's smartphone.
Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
SWC Unified Communications
This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs. -
Lync 2010 Standard Edition Front-End and Edge Certificate Renewal issue
Hi Experts,
I have a client with a single Standard Edition FE server and 1 Edge server, and both are using PUBLIC certificates. It also has a reverse-proxy server (F5 HLB) with a wildcard certificate installed. The FE and Edge certificates are about to expire and the client now wants the following:
1. Internal Certificate from Internal CA server for FE
2. External Certificate from Public CA for Edge
What I did was,
A. For Internal Cert - I generated a CSR from the MMC cert manager using a custom request from the FE server and had it signed by the Internal CA. The reason I did that was, every time I requested the CSR from the Lync Certificate Wizard, it was getting the certificate template not supported by the Internal CA.
B. For External Cert - I requested the Edge external CSR through the Lync Certificate Wizard and submitted it to the client for public CA renewal.
When I installed both certificates, internal lync works fine but anything external (i.e. external lync access, mobile, federation) do not work anymore.
So I decided to roll back the certificates and everything went back to normal?
Question is, what steps or process did i miss or gone wrong? Hope for your response. Thank you in advance.Hi DaxZilla,
You also need to request a certificate for the internal interface of the Edge Server from the internal enterprise certificate authority.
The certificate for the external Edge interface should contain SANs as below:
SAN=Access Edge service FQDN
SAN=Web conferencing service FQDN
SAN=SIP domain FQDN
Mobile clients go through the reverse proxy server to sign in. That is not related to the Edge Server. Check that the certificate on the reverse proxy has not expired.
Best Regards,
Lisa Zheng
Lisa Zheng
TechNet Community Support -
An authentication error has occurred (Code: 0x607)
Hi all,
This one is driving me NUTS! The problem itself is when I go to connect to a session host using a web access server I get the error in the title. This is only happening to some of my session hosts and not all. I have compared them and can't find
a single difference. I also can't find anything useful in the event logs about this. Below is my setup.
A full RDS environment using all Windows Server 2012 Data Center. Nothing 2008 R2. All Clean installs.
I have 6 servers as VMs split evenly between 2 ESXi 5.1 hosts.
1. MP-RDP-CB1.inucoda.net (Connection Broker 1)
2. MP-RDP-CB2.inucoda.net (Connection Broker 2)
3. MP-RDP-GW1.inucoda.net (Gateway Server 1)
4. MP-RDP-GW2.inucoda.net (Gateway Server 2)
5. MP-RDP-WA1.inucoda.net (Web Access Server 1)
6. MP-RDP-WA2.inucoda.net (Web Access Server 2)
inucoda.net is the internal domain that all servers are joined to, via 2 Domain Controllers split between the ESXi hosts.
My outside domain that you can get to from the web is ucoda.net
The connection brokers have all servers used including session hosts added to the server pool and are configured in HA mode. They use a SQL Server 2012 Fail-over cluster that is on a separate set of VMs for their database and the DNS is configured as round
robin. MP-RDP-CB.inucoda.net. There are two entries of this each with one of the two IPs of the CB1 and CB2 servers.
On each CB server there is a RDS License server role installed with CALs installed and activated/registered. Both LIC servers have been added to the RDS deployment properties.
The GW servers each have the NLB role installed with an extra network adapter for NLB use. There is a DNS name of MP-RDP-GW.inucoda.net that points to the NLB IP of the GW cluster. Both GW servers were also added to the GW Server Farm part of the
GW properties.
The WA servers are also in a NLB Cluster with an extra adapter and a DNS of MP-RDP-WA.inucoda.net pointing to the NLB IP.
Upstream from our inside Windows domain, at our ISP level, there is a DNS entry of MP-RDP-WA.ucoda.net that points to the NLB IP of the WA NLB cluster. (This is not a public IP; we require you to be on our VPN to be able to access it.)
For certificates we have a Comodo issued wildcard of *.ucoda.net with the corresponding Comodo Root Trust and Intermediate Certs. We also have a wildcard *.inucoda.net created by our inside CA.
The *.inucoda.net cert is used for the CB SSO, CB Publishing, and GW while the *.ucoda.net cert is used for the WA.
All session hosts have been configured to use the *.inucoda.net for their RDP sessions.
I can confirm that the *ucoda.net cert is used for the WA part and all other parts are reporting the *inucoda.net, all with no errors or warnings.
For each session collection only one session host is used, with no apps (just RDP). Security is set to only use NLA, SSL 1.0, High.
On each session host I have verified that the *inucoda and *ucoda certs are installed and that the internal CA and Comodo CA/intermediate CA are installed in the correct stores. I have also verified that COM Security has the domain\TS Web Access group set
with full perms for Access and Launch/Activation. Also, for WMI Root\CIMV2\TerminalServices, Security has the domain\TS Web Access group set with full perms. Lastly, each group/user that has access to RDS is listed in Remote Desktop Users.
I've checked that both WA servers are listed in the TS Web Access group.
The GW servers RAS/RAP policies are set to be pretty open for testing with using any port, any network resource, and Domain Users and Domain Admins listed.
I have been trying to connect with Windows 8 and Windows 7 clients as the domain\administrator account. Some of my session hosts connect fine and others don't. It's always the same ones that connect and don't connect. I can't find any difference
between them. I've also blown away my entire RDS and started over with just a 3 server single node model with no NLB or RR DNS, and the same exact error happens on certain servers. I have since gone back to the 6 server setup described here
and again the same error on the same session hosts.
I have also tried Negotiate and RDS Compatible and disabling NLA only for security. No change. Now here is the interesting part. If I remove the GW servers from RDS by just saying not to use them (not actually uninstalling them or anything), all
session hosts connect just fine every time. When I first did my RDS setup I got the same error with code 0x607 for every connection attempt and found I had to set the RAS/RAP to use any network resource instead of Domain Computers. However, it is
currently set like that and some still don't connect. So it works without the GW servers just fine. It also works without them in the 6 node setup as well as the 3 node setup.
I don't want to use it without the GW servers because, since I am using all inside subnets with a VPN, I have to add the CB IP/name to my hosts file or it will not resolve and gives an error about reaching the Connection Broker. Because I want to use a HA setup
this is no good as there are two servers for it. That's why I use the NLB IP of the WA and publish it with outside DNS with our ISP.
Any ideas at all??
Thanks,
Chris
Hi All,
I'm the original poster and if you have been following this I was never fully able to get things working. Sometimes it would just work and other times it would just fail with the 607 error. I have finally got it all working
for over a week now with multiple systems using it! Below is a rather large explanation of what I had to do and what I learned about RDP. I've included links to guides that helped a lot.
First a small recap of my environment.
Using all windows server 2012.
Using two Gateways, Connection Brokers, and Web Access servers.
Two domain names, ucoda.net for external connection via web to web access servers and inucoda.net to inside windows domain that all servers are members of.
No external client systems are domain members, all just workstations.
Using two wildcard *.domain certs for both domain names.
External wildcard cert is from Comodo CA and internal wildcard cert is from my internal CA.
Now for how I setup the RDS environment.
I used this guide for setting up high availability of the connection brokers.
http://blogs.msdn.com/b/rds/archive/2012/06/27/rd-connection-broker-high-availability-in-windows-server-2012.aspx
I used a back end SQL Server 2012 that was configured in a two node failover cluster for maximum HA. As you can see by the guide it uses round robin DNS for load balancing the two CBs and does not require any hardware or software NLB.
For both the two gateways and web access servers you need to use some kind of NLB. You can use the MS NLB to create a virtual Cluster IP and set a DNS record for you gateway and web access name to point to that cluster IP. HOWEVER! If you are
in a virtualized VMware environment as I am then you have some other things to do. I cannot comment as to Hyper-V setups, only VMware on ESXi 5.1. If you use MS NLB then you must use it in Multicast mode and not Unicast. You must also set up static
ARPs on your Layer 3 router/firewall and Layer 2 switches. The static ARP should map the NLB cluster IPs to the NLB cluster MAC address. Below are the guides for a Cisco Catalyst switch and ASA firewall.
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006525
http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/mode_fw.html#wp1224694 see adding a static arp section.
Now in the end I still was not fully happy with MS NLB as it is not Layer 7 aware and can only check the network health. So I ditched my MS NLB for a linux solution. HAProxy. It is a software NLB that is Layer 7 aware and easy to setup.
I used two Ubuntu Server 12 VMs with 1 GB RAM, 8GB HDD, and 1 vCPU each. I also used Keepalived to set up virtual cluster IPs for HAProxy to use with failover, so the HAProxy NLB is in high availability mode as well.
Setup HAProxy on Ubuntu
http://www.networkinghowtos.com/howto/compile-haproxy-from-source-on-ubuntu/
Configure HAProxy and Keepalived
http://leowadsworth.com/blog/2012/02/21/high-availability-load-balanced-web-servers-using-ubuntu-10-04-haproxy-keepalived-apache/ Skip the install part and see just the config parts for HAProxy and Keepalived.
Now once NLB is done and you have DNS pointing to it you need to add both Gateways to a Gateway Web Farm. Not required for the Web Access Servers only the Gateways. for the Web Access server you only need NLB with a common DNS.
Setup Gateway Farm
http://technet.microsoft.com/en-us/library/cc732370.aspx
Also, as my client systems are not part of the domain and have different subnets, I needed to set the gateway RAP and CAP to allow users to connect to any network resource.
Now that the main configuration was done and running I had to fix/fine tune/and mess with a bunch of other things!
There should be a domain user group account called TS Web Access Computers. It should be populated with the Web Access server computers. However, in my deployment it was empty! Great. However, I also found other documentation that states
it should be populated with the Gateway servers. So for me I added both Gateways, Web Access, and Connection Broker servers. I figured it can't hurt.
Now this group account needs to be added to COM security and WMI security for terminal services. Below is a guide for both of these. I applied this configuration to every single system including all session hosts.
http://technet.microsoft.com/en-us/library/ee891251%28v=ws.10%29.aspx
Now something interesting. Most of my systems were all Server 2012 but a few were 2008 R2 that had been upgraded in place to 2012. For these systems the above config is still needed but you will find in the local system's user groups a TS Web Access Computers
group. This is not in the local groups for 2012 but got merged over from 2008 R2. So for it I also added the domain\TS Web Access Computers group to the local TS Web Access Computers group and added the local one to COM and WMI security as well.
Further into local user groups. On all systems in the deployment there is a local RDS Management Server group and it should have both Connection Broker servers listed. I found this to be true on all my session hosts but
on the Connection Brokers themselves they only had their own server listed and not the other Connection Broker server. I added both to each. I also found a few of my systems had a third ? SID account listed that was no longer a real
account in the domain. I removed it. Possibly from how many freaking times I had to redo my setup.
Now on the Connection Brokers local group accounts there is a RDS Remote Access Servers group. It should have all the Gateway and Web Access Server listed here. In my setup I found only the Web Access Servers were listed and no Gateways.
GREAT! This only needs to be populated on the Connection Broker Servers. There is also a RDS End Point Servers group and it should have every Session Host server listed. Again only needed on the Connection Brokers.
That concludes user accounts/groups.
Now onto the fun land of Certs!
Something you need to make sure works is Revocation Checks!!!!!! It needs to pass from both the external client systems and internal server systems. I had two certs used. I used my *ucoda.net (external) for my Web Access Server Deployment and
my *inucoda.net (Internal) for The Gateway and both Connection Broker parts.
My external was issued by Comodo so it passed rev checks just fine. While my internal was issued from my internal CA and needed some work. For the internal servers it could pass a rev check fine as it used the LDAP path in the CRL CDP
part of the cert. However my clients are external and not part of the domain. So it can't use LDAP. To check rev checks I used:
certutil -f -urlfetch -verify <your_certificate>.cer
You can download it for Windows 7 and 8 systems from:
http://www.microsoft.com/en-us/download/details.aspx?id=7887 win 7
http://www.microsoft.com/en-us/download/details.aspx?id=28972 win 8
To get it to pass on my client systems I had to add a CRL CDP HTTP point that they could access instead of the LDAP point. In short, on your internal CA you need to add a CRL that uses the FILE path to publish rev lists to a file share. The file share
is located on a server that has IIS and public access. You then create a virtual directory with read rights to that share in IIS and add a CRL HTTP point using the external FQDN of the public web server for the CRL site. Below is a guide
to do all of this.
http://blogs.technet.com/b/configmgrteam/archive/2009/05/01/how-to-publish-the-crl-on-a-separate-web-server.aspx
Now once this is done you need to regenerate a new cert and apply it to your RDS environment so it has the updated CRL CDP.
Now after this I was able to pass using certutil tool. But! wait there's more! When I tried to connect to a server using normal RDP (not the full web access and gateway deployment), just direct to the end server I still got the warning about
a rev check fail! I just didn't get it! After a ton of researching it appears that RDP will only use LDAP and OCSP CDPs and not HTTP. Great! So while it passes the rev check from the tool it still fails for RDP.
So next was to add a OCSP CDP and Online Responder. I chose to add the Online Responder role to my public web server where I had just added the HTTP CRL CDP. Below are a few guides about setting this up and configuring your CA
to use it.
http://www.windowsitpro.com/content1/topic/online-certificate-status-protocol-ocsp-in-windows-server-2008-and-vista--103523/catpath/security
http://blogs.technet.com/b/askds/archive/2009/06/24/implementing-an-ocsp-responder-part-i-introducing-ocsp.aspx
http://www.sysads.co.uk/2012/10/install-and-configure-ca-online-responder-ad-cs-part3/
I found all helpful. Now here comes a part that drove me NUTS! All these guides show that after installing the Online Responder role it automatically adds an ocsp web app to IIS! This is to be the CDP point you add to
the CA. THIS IS NOT TRUE FOR 2012! It does not add the IIS config whatsoever. Luckily I managed to find this:
certutil -vocsproot
You need to run that command on the web server where you installed the Online Responder role. It will add the IIS config and app pool!
Now once this is all done and tested you need to re issue the cert again so it has the new OCSP CDP in it and install it in RDS deployment.
Finally after this I received no rev check errors for RDP!
Some more things on certs.
For all my servers I installed the internal and external cert to their computer personal store and made sure the corresponding root and intermediate root certs were installed in the correct stores. I also did this on my external client systems. Be
sure to add your internal CA's root cert to the trusted root store of your client systems or again the certs generated from it will not pass fully, as the client system will not know to trust the CA that issued the cert.
Now you also need to install a cert for each session host to use for RDP. I really recommend wildcards as it is much easier to just use a *.domain cert for the RDS deployment and install it on each session host for RDP than to have unique ones for
each session host. You used to be able to easily add an RDP cert in 2008 R2 to a session host. This is now gone in 2012. So to do it you need to use PowerShell. Below is a guide on how to do this.
http://blog.skadefro.dk/2012/08/windows-server-2012-server-8-remote.html
Now I also used a little utility to help check that my certs were installed on each server correctly. I found on a few of my servers where one of my certs was missing the private key or had other problems. This free tool from DigiCert can help and
can also be used to test certs for rev checks.
https://www.digicert.com/util/
Lastly there is the issue of what RDP version you are using. For me my systems they are all server 2012. I found the only way to get SSO to fully work without a 2nd login prompt was to update all my Windows 7 RDP clients to the latest RDP.
http://blogs.msdn.com/b/rds/archive/2012/10/23/rdp-8-0-update-for-windows-7-sp1-released-to-web.aspx
Well after all that I was able to access every RDSH in my environment without a single error! It has been a ridiculously long and painful journey. I think MS needs to do more work and documentation of 2012
RDS as it's changed so much, needs a better way to issue session host certs for RDP instead of just PowerShell, and needs more documentation and clarity on RDP rev checks. I hope this helps others and if anyone wants to see what my configs
look like for HAProxy if they decide to use it feel free to ask.
Thanks and Good Luck!
Chris -
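The checks Chris describes above (private key present, chain builds, CRL/OCSP reachable from a non-domain client, SANs covering every published name) and the Edge SAN list in the earlier Lync reply can be scripted. The following is an added example, not code from the thread or from Microsoft; run it on a server and again on an external, non-domain client, since revocation is what usually differs between the two. It assumes PowerShell 3.0 or later on Windows, certificates in Cert:\LocalMachine\My, and the names in $RequiredNames are placeholders to replace with your own FQDNs.

```powershell
# Added example (not from the original thread): audit RDS/Lync certificates for
# SAN coverage, private key, chain building and online revocation, as seen from
# the machine this runs on. $RequiredNames are placeholders (assumption).
param(
    [string]$Thumbprint,   # audit one cert by thumbprint; omit to audit all of LocalMachine\My
    [string[]]$RequiredNames = @('mp-rdp-wa.ucoda.net', 'mp-rdp-gw.inucoda.net', 'mp-rdp-cb.inucoda.net')
)

function Test-NameMatch {
    # RFC 6125 style match: a wildcard covers exactly one left-most DNS label.
    param([string]$Pattern, [string]$Name)
    if ($Pattern.StartsWith('*.')) {
        $suffix = $Pattern.Substring(1)                        # '*.ucoda.net' -> '.ucoda.net'
        if (-not $Name.EndsWith($suffix, 'OrdinalIgnoreCase')) { return $false }
        $label = $Name.Substring(0, $Name.Length - $suffix.Length)
        return ($label.Length -gt 0 -and $label -notmatch '\.')
    }
    return [string]::Equals($Pattern, $Name, 'OrdinalIgnoreCase')
}

function Get-CertDnsNames {
    # SAN dNSName entries (DnsNameList is a PowerShell 3+ type extension),
    # falling back to the Subject CN for certificates without a SAN extension.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @($Cert.DnsNameList | ForEach-Object { $_.Unicode })
    if ($names.Count -eq 0 -and $Cert.Subject -match 'CN=([^,]+)') { $names = @($Matches[1]) }
    return $names
}

function Get-ExtensionUrls {
    # URLs inside one extension: 2.5.29.31 = CRL Distribution Points,
    # 1.3.6.1.5.5.7.1.1 = Authority Information Access (OCSP + CA issuers).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Oid)
    $Cert.Extensions |
        Where-Object { $_.Oid.Value -eq $Oid } |
        ForEach-Object { [regex]::Matches($_.Format($true), '(https?|ldap):///?[^\s,)]+') } |
        ForEach-Object { $_.Value } | Sort-Object -Unique
}

function Test-CertChain {
    # Builds the chain with online revocation checking and returns why it failed, if it did.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(20)
    $valid = $chain.Build($Cert)
    [pscustomobject]@{
        Valid  = $valid
        Chain  = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        Status = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    }
}

$certs = Get-ChildItem Cert:\LocalMachine\My
if ($Thumbprint) { $certs = $certs | Where-Object { $_.Thumbprint -eq $Thumbprint } }

foreach ($cert in $certs) {
    Write-Host "== $($cert.Subject)  [$($cert.Thumbprint)]  expires $($cert.NotAfter)"
    if (-not $cert.HasPrivateKey) { Write-Warning '  no private key: RDS/Lync cannot use this certificate' }

    # 1) every published name must be covered by a SAN entry (wildcards allowed)
    $names = Get-CertDnsNames $cert
    foreach ($req in $RequiredNames) {
        $covered = $false
        foreach ($n in $names) { if (Test-NameMatch $n $req) { $covered = $true; break } }
        if (-not $covered) { Write-Warning "  name not covered by this cert: $req" }
    }

    # 2) a CRL that is only published over LDAP cannot be fetched by off-domain clients
    $cdp = @(Get-ExtensionUrls $cert '2.5.29.31')
    $httpCdp = @($cdp | Where-Object { $_ -like 'http*' })
    if ($cdp.Count -gt 0 -and $httpCdp.Count -eq 0) { Write-Warning "  CRL is LDAP-only ($($cdp -join ', ')): add an HTTP CDP" }
    foreach ($url in $httpCdp) {
        try {
            $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop
            Write-Host "  CRL reachable ($($r.StatusCode)): $url"
        } catch { Write-Warning "  cannot fetch CRL $url : $($_.Exception.Message)" }
    }
    $aia = @(Get-ExtensionUrls $cert '1.3.6.1.5.5.7.1.1')
    if ($aia.Count -gt 0) { Write-Host "  AIA (OCSP/CA issuers): $($aia -join ', ')" }

    # 3) chain build with online revocation, which exercises the CDP/OCSP from here
    $result = Test-CertChain $cert
    if ($result.Valid) { Write-Host "  chain OK: $($result.Chain -join ' <- ')" }
    else { $result.Status | ForEach-Object { Write-Warning "  chain problem: $_" } }
}
```

On a domain member the LDAP CDP will pass and the HTTP warning is the one to watch; on the external client it is the RevocationStatusUnknown or OfflineRevocation chain status that reproduces the RDP warning Chris describes. The script reports only and changes nothing.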
CSCum57517 - ASDM launcher is not working with Java 7u51 - 1
I am running 1.7.0_51_b13 with ASDM 7.1.5(100) and I still have the issue. Bug still exists in the hotfix.
I was able to solve the issue by enrolling and authenticating the ASA with an internal CA, configuring internal DNS to point to the common name used in the cert, and using the hostname in ASDM (similar to harold's solution but using internal issued cert rather than external cert).
-
Exchange 2013 servers not sharing Free / Busy
Some of the users on EXMB01 are not able to see users calendar Free / Busy information on EXMB02.
In our Exchange 2013 (CU5) environment the following servers: mailbox EXMB01 and EXMB02, CAS EXCAS01, EXCAS02 and EXCAS03. Servers are Windows Server 2012, the mail domain is mail.domain.com and does not match our internal network of local.domain.xyz
(non-standard; was set up before me). All settings point to mail.domain.com for mail configuration. An external cert from a CA was added to all three CAS servers.
USER1 on EXMB01
USER2 on EXMB02
USER3 on EXMB02
I was able to get USER1 to see USER3's Free/Busy, subject and location now (USER3 only has the Free/Busy time set). Added USER2, who can see Free/Busy, subject, location (also only Free/Busy time set). Added my own calendar to
USER1's Outlook and USER1 can see my Free/Busy, subject, location. I only have the default Free/Busy time set, no one else added.
What settings do I check first? Is there a PowerShell command to reset a user's calendar permissions? Is something not set correctly on the servers?
http://public.wsu.edu/~brians/errors/their.html
Get-MailboxFolderPermission
https://technet.microsoft.com/en-us/library/dd335061
Set-MailboxFolderPermission
https://technet.microsoft.com/en-us/library/ff522363
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems." -
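The two cmdlets Ed points to can be turned into a small audit of the Default calendar permission, which is what decides whether other users get free/busy time only (AvailabilityOnly) or subject and location too (LimitedDetails). This is an added example, not code from the thread or from Microsoft; it assumes the Exchange Management Shell (Exchange 2013), PowerShell 3.0 or later, and the mailbox names are placeholders.

```powershell
# Added example (not from the original thread): report, and optionally reset,
# the Default user's permission on each mailbox's calendar folder.
# Run in the Exchange Management Shell. Mailbox names below are placeholders.
param(
    [string[]]$Mailbox = @('USER1', 'USER2', 'USER3'),
    [string]$Level = 'AvailabilityOnly',   # or 'LimitedDetails' for subject and location
    [switch]$Fix                            # without -Fix the script only reports
)

function Get-CalendarFolderPath {
    # The calendar folder name is localized, so look it up rather than hard-coding "Calendar".
    param([string]$Id)
    $stat = Get-MailboxFolderStatistics -Identity $Id -FolderScope Calendar |
            Where-Object { $_.FolderType -eq 'Calendar' } | Select-Object -First 1
    # FolderPath is '/Calendar'; the permission cmdlets want 'user:\Calendar'
    return "${Id}:" + ($stat.FolderPath -replace '/', '\')
}

function Get-CalendarDefaultRights {
    param([string[]]$Ids)
    foreach ($id in $Ids) {
        $path = Get-CalendarFolderPath $id
        $perm = Get-MailboxFolderPermission -Identity $path -User Default
        [pscustomobject]@{
            Mailbox       = $id
            Folder        = $path
            DefaultRights = ($perm.AccessRights -join ',')
        }
    }
}

$report = Get-CalendarDefaultRights $Mailbox
$report | Format-Table -AutoSize

if ($Fix) {
    foreach ($r in ($report | Where-Object { $_.DefaultRights -ne $Level })) {
        Set-MailboxFolderPermission -Identity $r.Folder -User Default -AccessRights $Level
        Write-Host "reset $($r.Mailbox): Default -> $Level"
    }
}
```

If the report shows the expected rights on both mailbox servers and free/busy still fails only across servers, the permission is not the problem: Outlook retrieves cross-mailbox free/busy through the Availability service (EWS) located via Autodiscover, so the next thing to check is that Autodiscover and EWS resolve and present a trusted certificate for mail.domain.com from every client.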
Running out of memory despite having set je.maxMemory to a moderate value
I have set je.maxMemory to 20MB (je.maxMemory=20000000) and allowed a max heap size of 512MB (-Xms256M -Xmx512M).
After two hours of running my web service, I'm running out of memory. After having profiled my service (using Yourkit Java Profiler 1.10.6), I can see the following:
Name Objects ShallowSize RetainedSize
byte[] 16711 124124880 124124880
com.sleepycat.je.tree.BIN 181 24616 116254200
com.sleepycat.je.tree.Node[] 187 98736 115743184
com.sleepycat.je.tree.LN 7092 226944 115253600
java.util.concurrent.ConcurrentHashMap$HashEntry 554 17728 78328944
java.util.concurrent.ConcurrentHashMap$HashEntry[] 1053 34728 77489632
java.util.concurrent.ConcurrentHashMap 117 5616 71812072
java.util.concurrent.ConcurrentHashMap$Segment[] 118 10304 71807912
java.util.concurrent.ConcurrentHashMap$Segment 1052 42080 71798808
com.sleepycat.je.tree.IN 6 672 45592352
java.lang.String 135888 4348416 14152664
The memory profiler claims further that com.sleepycat.je.tree.BIN is responsible for 71% of all heap memory.
In any case, com.sleepycat.je.tree.BIN claims ~116MB of heap memory, which by any measure exceeds the limit of 20MB.
How can this be?
How is JE ensuring that the limit is not exceeded? Is there a timer (thread) running which once in a while checks the memory used and then cleans up, or is memory usage checked when creating a com.sleepycat.je.tree.BIN object?
My environment:
BDB JE 4.0.92 - used as cache loader within Jboss Cache (3.2.7.GA), running on a JBOSS Application Server, Java 1.6 (IBM) on Linux. Further details are listed in the system properties below (except some deleted security items).
System properties:
(java.lang.String, int, java.lang.StringBuffer, int)=contains
DestroyJavaVM helper thread=(java.lang.String, java.security.KeyStore$Entry, java.security.KeyStore$ProtectionParameter)
base.collection.name=CD2JAVA
bind.address=10.12.25.130
catalina.base=/work/ocrgws_test/server0
catalina.ext.dirs=/work/ocrgws_test/server0/lib
catalina.home=/work/ocrgws_test/server0
catalina.useNaming=false
com.arjuna.ats.arjuna.objectstore.objectStoreDir=/work/ocrgws_test/server0/data/tx-object-store
com.arjuna.ats.jta.lastResourceOptimisationInterface=org.jboss.tm.LastResource
com.arjuna.ats.tsmx.agentimpl=com.arjuna.ats.internal.jbossatx.agent.LocalJBossAgentImpl
com.arjuna.common.util.logger=log4j_releveler
com.arjuna.common.util.logging.DebugLevel=0x00000000
com.arjuna.common.util.logging.FacilityLevel=0xffffffff
com.arjuna.common.util.logging.VisibilityLevel=0xffffffff
com.ibm.cpu.endian=little
com.ibm.jcl.checkClassPath=
com.ibm.oti.configuration=scar
com.ibm.oti.jcl.build=20100326_1904
com.ibm.oti.shared.enabled=false
com.ibm.oti.vm.bootstrap.library.path=/opt/ibm/java-x86_64-60/jre/lib/amd64/compressedrefs:/opt/ibm/java-x86_64-60/jre/lib/amd64
com.ibm.oti.vm.library.version=24
com.ibm.util.extralibs.properties=
com.ibm.vm.bitmode=64
common.loader=${catalina.home}/lib,${catalina.home}/lib/*.jar
epo.jboss.deploymentscanner.extradirs=/work/ocrgws_test/app/
external.cert.ldap.* = ***************
file.encoding=UTF-8
file.separator=/
flipflop.activation.time=16:30
hibernate.bytecode.provider=javassist
ibm.signalhandling.rs=false
ibm.signalhandling.sigchain=true
ibm.signalhandling.sigint=true
ibm.system.encoding=UTF-8
jacorb.config.log.verbosity=0
java.assistive=ON
java.awt.fonts=
java.awt.graphicsenv=sun.awt.X11GraphicsEnvironment
java.awt.printerjob=sun.print.PSPrinterJob
java.class.path=/work/ocrgws_test/config:/usr/local/jboss-eap-4.3-cp07/bin/run.jar:/opt/ibm/java-x86_64-60/lib/tools.jar
java.class.version=50.0
java.compiler=j9jit24
java.endorsed.dirs=/usr/local/jboss-eap-4.3-cp07/lib/endorsed
java.ext.dirs=/opt/ibm/java-x86_64-60/jre/lib/ext
java.fullversion=JRE 1.6.0 IBM J9 2.4 Linux amd64-64 jvmxa6460sr8-20100401_55940 (JIT enabled, AOT enabled)
J9VM - 20100401_055940
JIT - r9_20100401_15339
GC - 20100308_AA_CMPRSS
java.home=/opt/ibm/java-x86_64-60/jre
java.io.tmpdir=/tmp
java.jcl.version=20100408_01
java.library.path=/opt/ibm/java-x86_64-60/jre/lib/amd64/compressedrefs:/opt/ibm/java-x86_64-60/jre/lib/amd64:/usr/lib64/mpi/gcc/openmpi/lib64:/usr/lib
java.naming.factory.initial=org.jnp.interfaces.NamingContextFactory
java.naming.factory.url.pkgs=org.jboss.naming:org.jnp.interfaces
java.net.preferIPv4Stack=true
java.protocol.handler.pkgs=org.jboss.net.protocol
java.rmi.server.codebase=http://10.12.25.130:8083/
java.rmi.server.hostname=10.12.25.130
java.rmi.server.randomIDs=true
java.runtime.name=Java(TM) SE Runtime Environment
java.runtime.version=pxa6460sr8-20100409_01 (SR8)
java.security.krb5.conf=/usr/local/jboss/etc/krb5.conf
java.specification.name=Java Platform API Specification
java.specification.vendor=Sun Microsystems Inc.
java.specification.version=1.6
java.util.prefs.PreferencesFactory=java.util.prefs.FileSystemPreferencesFactory
java.vendor.url=http://www.ibm.com/
java.vendor=IBM Corporation
java.version=1.6.0
java.vm.info=JRE 1.6.0 IBM J9 2.4 Linux amd64-64 jvmxa6460sr8-20100401_55940 (JIT enabled, AOT enabled)
J9VM - 20100401_055940
JIT - r9_20100401_15339
GC - 20100308_AA_CMPRSS
java.vm.name=IBM J9 VM
java.vm.specification.name=Java Virtual Machine Specification
java.vm.specification.vendor=Sun Microsystems Inc.
java.vm.specification.version=1.0
java.vm.vendor=IBM Corporation
java.vm.version=2.4
javax.management.builder.initial=org.jboss.mx.server.MBeanServerBuilderImpl
javax.net.ssl.trustStore=/usr/local/jboss/etc/ldap.truststore
javax.net.ssl.trustStorePassword=password
jboss.bind.address=10.12.25.130
jboss.home.dir=/usr/local/jboss-eap-4.3-cp07
jboss.home.url=file:/usr/local/jboss-eap-4.3-cp07/
jboss.identity=30df88bc0a52e350x6e2ff59cx136c17794d5x-8000757
jboss.lib.url=file:/usr/local/jboss-eap-4.3-cp07/lib/
jboss.messaging.controlchanneludpaddress=239.1.200.4
jboss.messaging.datachanneludpaddress=239.1.200.4
jboss.partition.name=ocrgws_test_Partition
jboss.partition.udpGroup=239.1.200.4
jboss.remoting.domain=JBOSS
jboss.remoting.instanceid=30df88bc0a52e350x6e2ff59cx136c17794d5x-8000757
jboss.remoting.jmxid=luu002t.internal.epo.org_1334685694459
jboss.remoting.version=22
jboss.security.disable.secdomain.option=true
jboss.server.config.url=file:/work/ocrgws_test/server0/conf/
jboss.server.data.dir=/work/ocrgws_test/server0/data
jboss.server.home.dir=/work/ocrgws_test/server0
jboss.server.home.url=file:/work/ocrgws_test/server0/
jboss.server.lib.url=file:/work/ocrgws_test/server0/lib/
jboss.server.log.dir=/work/ocrgws_test/server0/log
jboss.server.name=luu002t_ocrgws_test_server0
jboss.server.temp.dir=/work/ocrgws_test/server0/tmp
jboss.tomcat.udpGroup=239.1.200.4
jbossmx.loader.repository.class=org.jboss.mx.loading.UnifiedLoaderRepository3
je.maxMemory=20000000
jgroups.bind_addr=10.12.25.130
jmx.console.bindcredential=3bpwdmpc
jmx.console.binddn=cn=jbossauth-ro,ou=accounts,ou=auth,dc=epo,dc=org
jmx.console.rolesctxdn=ou=roles-test,ou=jboss,ou=applications,ou=internal,dc=epo,dc=org
jndi.datasource.name=java:MainframeDS
jnp.disableDiscovery=true
jxe.current.romimage.version=15
jxe.lowest.romimage.version=15
line.separator=
mainframelogin.password=720652a1e842fc7f
mainframelogin.username=test_t
org.apache.commons.logging.Log=org.apache.commons.logging.impl.Log4JLogger
org.apache.tomcat.util.http.ServerCookie.VERSION_SWITCH=true
org.epo.jboss.application.home=/work/ocrgws_test
org.hyperic.sigar.path=/work/ocrgws_test/server0/./deploy/hyperic-hq.war/native-lib
org.jboss.ORBSingletonDelegate=org.jacorb.orb.ORBSingleton
org.omg.CORBA.ORBClass=org.jacorb.orb.ORB
org.omg.CORBA.ORBSingletonClass=org.jboss.system.ORBSingleton
org.w3c.dom.DOMImplementationSourceList=org.apache.xerces.dom.DOMXSImplementationSourceImpl
os.arch=amd64
os.name=Linux
os.version=2.6.32.46-0.3-xen
package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.,sun.beans.
package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
path.separator=:
poll.interval.milliseconds=300000
program.name=run.sh
server.loader=
shared.loader=
spnego.config=/usr/local/jboss/etc/spnego.properties
sun.arch.data.model=64
sun.boot.class.path=/usr/local/jboss-eap-4.3-cp07/lib/endorsed/xercesImpl.jar:/usr/local/jboss-eap-4.3-cp07/lib/endorsed/xalan.jar:/usr/local/jboss-eap-4.3-cp07/lib/endorsed/serializer.jar:/opt/ibm/java-x86_64-60/jre/lib/amd64/compressedrefs/jclSC160/vm.jar:/opt/ibm/java-x86_64-60/jre/lib/annotation.jar:/opt/ibm/java-x86_64-60/jre/lib/beans.jar:/opt/ibm/java-x86_64-60/jre/lib/java.util.jar:/opt/ibm/java-x86_64-60/jre/lib/jndi.jar:/opt/ibm/java-x86_64-60/jre/lib/logging.jar:/opt/ibm/java-x86_64-60/jre/lib/security.jar:/opt/ibm/java-x86_64-60/jre/lib/sql.jar:/opt/ibm/java-x86_64-60/jre/lib/ibmorb.jar:/opt/ibm/java-x86_64-60/jre/lib/ibmorbapi.jar:/opt/ibm/java-x86_64-60/jre/lib/ibmcfw.jar:/opt/ibm/java-x86_64-60/jre/lib/rt.jar:/opt/ibm/java-x86_64-60/jre/lib/charsets.jar:/opt/ibm/java-x86_64-60/jre/lib/resources.jar:/opt/ibm/java-x86_64-60/jre/lib/ibmpkcs.jar:/opt/ibm/java-x86_64-60/jre/lib/ibmcertpathfw.jar:/opt/ibm/java-x86_64-60/jre/lib/ibmjgssfw.jar:/opt/ibm/java-x86_64-60/jre/lib/ibmjssefw.jar:/opt/ibm/java-x86_64-60/jre/lib/ibmsaslfw.jar:/opt/ibm/java-x86_64-60/jre/lib/ibmjcefw.jar:/opt/ibm/java-x86_64-60/jre/lib/ibmjgssprovider.jar:/opt/ibm/java-x86_64-60/jre/lib/ibmjsseprovider2.jar:/opt/ibm/java-x86_64-60/jre/lib/ibmcertpathprovider.jar:/opt/ibm/java-x86_64-60/jre/lib/ibmxmlcrypto.jar:/opt/ibm/java-x86_64-60/jre/lib/management-agent.jar:/opt/ibm/java-x86_64-60/jre/lib/xml.jar:/opt/ibm/java-x86_64-60/jre/lib/jlm.jar:/opt/ibm/java-x86_64-60/jre/lib/javascript.jar:/tmp/yjp201202191932.jar
sun.boot.library.path=/opt/ibm/java-x86_64-60/jre/lib/amd64/compressedrefs:/opt/ibm/java-x86_64-60/jre/lib/amd64
sun.io.unicode.encoding=UnicodeLittle
sun.java.command=org.jboss.Main -b 10.12.25.130 -Djboss.server.home.dir=/work/ocrgws_test/server0 -Djboss.server.home.url=file:/work/ocrgws_test/server0 -Djboss.server.name=luu002t_ocrgws_test_server0 -Djboss.partition.name=ocrgws_test_Partition -Depo.jboss.deploymentscanner.extradirs=/work/ocrgws_test/app/ -Dorg.epo.jboss.application.home=/work/ocrgws_test
sun.java.launcher.pid=17781
sun.java.launcher=SUN_STANDARD
sun.java2d.fontpath=
sun.jnu.encoding=UTF-8
sun.rmi.dgc.client.gcInterval=3685000
sun.rmi.dgc.server.gcInterval=3685000
system=java.io.ObjectStreamField
tomcat.util.buf.StringCache.byte.enabled=true
user.country=US
user.dir=/work/ocrgws_test
user.home=*****************
user.language=en
user.name=***********
user.timezone=Europe/Berlin
user.variant=
> The memory profiler claims further, that com.sleepycat.je.tree.BIN is responsible for 71% of all heap memory. In any case, com.sleepycat.je.tree.BIN claims ~ 116MB of heap memory, which is by any goodwill, exceeded the limit of 20MB.
I'm not sure whether the profiler is reporting live objects only (referenced) or all objects (including those not yet reclaimed). If the latter, it isn't telling you how much memory is actually referenced by the JE cache.
Please look at the JE stats to see what the cache usage is, from JE's point of view.
If you believe there is a bug in JE cache management, you'll need to write a small standalone test to demonstrate it and submit it to us, since we don't know of any such bug. Also note that we'll have difficulty supporting JE 4.0 (without a support contract anyway). Please use JE 5.0, or at least 4.1.
Eviction occurs as objects are allocated, as well as in background threads. Eviction in background threads and concurrent eviction were greatly improved in JE 4.1.
--mark -
Can't Start Edge Services - Certificate Issue?
Similar to this
post, my edge services (a/v edge, web conferencing edge, etc) will not start with errors like 7023 and 7024. I went to the
Digicert Utility page linked in that post and if I enter sip.domain.com, I receive an error:
Certificate does not match name sip."domain".com
Subject
"edgeservername"."domain".com
Valid from 31/Jul/2012 to 31/Jul/2014
Issuer
"Internal CA Server"
SSL Certificate is not trusted
External Cert Info:
Subject: sip."domain".com
SANs: sip."domain".com, "edge server name"."domain".com, meet."domain".com, "av server"."domain".com, "wc server"."domain".com, dialin."domain".com
Let me know if more information about the cert or the edge server is needed. Thanks!
The two DigiCert High Assurance Root CA certificates should not be in the Personal store, but installed in the "Trusted Root Certification Authorities" store. I would also recommend double checking the Current User's personal certificate store.
Have you installed the DigiCert Utility on the Edge server and tested the certificates (https://www.digicert.com/util/)?
This tool checks the certificates from the perspective of the server.
The http://www.digicert.com/help/ site checks the certificates from the perspective of an external client. If the Utility is
showing the certificates are correct but the Help site still shows the error, make sure your sip.domain.com IP is pointing to the Edge Access IP and not the Reverse Proxy.
Please mark posts as answers/helpful if it answers your question.
Blog
Lync Validator - Used to assist in the validation and documentation of Lync Server 2013.
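Both points in the answer above can be checked directly: whether CA certificates have ended up in the Personal store, and which certificate (and which IP) an outside client actually gets for the Access Edge name. The following is an added example, not code from the thread, from Microsoft or from DigiCert; it assumes PowerShell 3.0 or later, the first part runs on the Edge server and the second from any outside host, and the host name, port and thumbprint are placeholders.

```powershell
# Added example (not from the original thread). Part 1 finds root/intermediate CA
# certificates sitting in the Personal store; Part 2 shows the leaf certificate
# a remote client is presented for the Access Edge name. Placeholders: $AccessEdgeFqdn,
# $Port (443 = remote-user listener, 5061 = federation MTLS) and $ExpectedThumbprint.
param(
    [string]$AccessEdgeFqdn = 'sip.example.com',
    [int]$Port = 443,
    [string]$ExpectedThumbprint   # thumbprint of the public Edge certificate, if known
)

function Get-MisplacedCaCerts {
    # Certificates whose BasicConstraints (OID 2.5.29.19) says CA=TRUE; those belong in
    # Root (self-signed) or CA (intermediate), never in the Personal store.
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    Get-ChildItem $StorePath | Where-Object {
        $bc = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
        $bc -and $bc.CertificateAuthority
    }
}

function Get-PresentedCertificate {
    # Completes a TLS handshake with $HostName:$Port and returns the leaf the server
    # presented. Validation is deliberately skipped so a wrong cert is still returned.
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

# --- Part 1: CA certificates in the Personal store (run on the Edge) -----------------
$misplaced = @(Get-MisplacedCaCerts)
if ($misplaced.Count -eq 0) { Write-Host 'LocalMachine\My contains no CA certificates: good.' }
foreach ($c in $misplaced) {
    $dest = if ($c.Subject -eq $c.Issuer) { 'Cert:\LocalMachine\Root' } else { 'Cert:\LocalMachine\CA' }
    Write-Warning "CA cert in Personal store: $($c.Subject) -> belongs in $dest"
    # The Cert: provider supports Move-Item; drop -WhatIf once the list looks right.
    Move-Item -Path $c.PSPath -Destination $dest -WhatIf
}

# --- Part 2: what an outside client sees (run from off-site) -------------------------
$addrs = [System.Net.Dns]::GetHostAddresses($AccessEdgeFqdn) | ForEach-Object { $_.ToString() }
Write-Host "$AccessEdgeFqdn resolves to $($addrs -join ', ') (must be the Access Edge IP, not the reverse proxy)"

$leaf = Get-PresentedCertificate -HostName $AccessEdgeFqdn -Port $Port
$sans = @($leaf.DnsNameList | ForEach-Object { $_.Unicode })
Write-Host "Presented subject : $($leaf.Subject)"
Write-Host "Issuer            : $($leaf.Issuer)"
Write-Host "SANs              : $($sans -join ', ')"
Write-Host "Thumbprint        : $($leaf.Thumbprint)"

if ($leaf.Subject -eq $leaf.Issuer) { Write-Warning 'Presented certificate is self-signed' }
# -like lets a '*.example.com' SAN cover the host name (glob match, wider than RFC 6125)
if (-not ($sans | Where-Object { $AccessEdgeFqdn -like $_ })) {
    Write-Warning "Presented certificate does not cover $AccessEdgeFqdn (this is the name-mismatch error from the check site)"
}
if ($ExpectedThumbprint -and $leaf.Thumbprint -ne $ExpectedThumbprint) {
    Write-Warning 'A different certificate than the public Edge cert is being served: check DNS/NAT and the Edge external interface assignment'
}
```

If Part 2 shows the internal-CA certificate with the Edge server's own name, the name resolves to an interface that has the internal certificate bound, or to the reverse proxy, exactly the two causes the answer lists; the Edge services refusing to start (events 7023/7024) is a separate, local problem that Part 1 addresses.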