OCS

8 steps to configure MTLS SSL Certificate for Communicator Web Access CWA 2007 R2

Posted in OCS on July 27th, 2010 by webern – Be the first to comment
  1. Create a CSR by running lcscmd from the setup disk:

    lcscmd /cert /action:request /ou:IT /org:Fabrikam /sn:ocscomweb01.fabrikam.com /san:ocscomweb01 /country:US /state:MI /city:City /online:false /filename:c:\ocscomweb01.csr.txt

    Depending on your setup you might have to swap the two hostnames: some setups want the FQDN as the subject name (sn), others want it as the subject alternative name (san).

  2. go to the CA webpage, e.g. http://ad1/certsrv or wherever your CA is located
  3. ‘Request a certificate’
  4. Choose ‘submit advanced certificate request’
  5. Choose ‘Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.’
  6. Paste the CSR (read it from the file created in step 1) into the ‘Saved Request’ field, choose ‘Web Server’ from the ‘Certificate Template’ drop-down, and submit
  7. Mark the base64 tab and download, then save the file
  8. Import the response:
    lcscmd /cert /action:importresponse /filename:<path to file saved in 7>
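Before pasting the request into the CA page it is worth confirming where the two hostnames actually ended up, because a client that finds a SAN extension matches only the SAN list and ignores the CN entirely, so the FQDN users type must be in the SAN whatever the CN says. The script below is an added example and not part of the original post: it assumes OpenSSL 1.1.1 or later is available on some box the CSR can be copied to (the file lcscmd writes is a standard PEM PKCS#10 request, so it can be inspected anywhere), the function names are mine, and the demo request is constructed here with the same subject values as the lcscmd line above but with both names placed in the SAN.

```shell
#!/bin/sh
# Added example, not part of the original post: check which hostnames a PEM
# PKCS#10 request carries in its Subject CN and in its SAN extension before
# submitting it to the CA. Assumes OpenSSL 1.1.1+ (for -addext in the demo).

# csr_cn FILE: print the Subject common name of a PEM CSR
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# csr_san_dns FILE: print the DNS names in the SAN extension, one per line
# (empty output means the request carries no SAN at all)
csr_san_dns() {
    openssl req -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;p;}' |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# csr_covers_name FILE NAME: succeed only if NAME is listed in the SAN;
# clients ignore the CN once a SAN extension is present, so the FQDN users
# connect to must be here regardless of what the CN says
csr_covers_name() {
    csr_san_dns "$1" | grep -Fxq "$2"
}

# make_demo_csr DIR: constructed request mirroring the lcscmd line above
# (same OU/O/L/ST/C and CN), but with both names in the SAN
make_demo_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/ocscomweb01.key" -out "$1/ocscomweb01.csr.txt" \
        -subj "/C=US/ST=MI/L=City/O=Fabrikam/OU=IT/CN=ocscomweb01.fabrikam.com" \
        -addext "subjectAltName=DNS:ocscomweb01.fabrikam.com,DNS:ocscomweb01" \
        2>/dev/null
}

demo() {
    d=$(mktemp -d)
    make_demo_csr "$d"
    csr="$d/ocscomweb01.csr.txt"
    echo "CN : $(csr_cn "$csr")"
    echo "SAN: $(csr_san_dns "$csr" | tr '\n' ' ')"
    if csr_covers_name "$csr" ocscomweb01.fabrikam.com; then
        echo "FQDN is in the SAN: safe to submit"
    else
        echo "FQDN missing from the SAN: regenerate the request"
    fi
    rm -rf "$d"
}
demo
```

For the real request, copy c:\ocscomweb01.csr.txt off the server and run `csr_cn` and `csr_san_dns` against it; `csr_covers_name` fails when the name clients will use is absent from the SAN, which is the case to fix before spending a Web Server template issuance on it.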

nginx as reverse proxy for OCS 2007 R2 Web Components

Posted in Linux, OCS, nginx on July 26th, 2010 by webern – 1 Comment

I’ve been working on this case to deploy OCS 2007 R2 in a Hosted (multi-tenant) environment to our customers and an important part of that is security.

Because of that we decided to use a reverse proxy in front of the web components server, and at first the software we chose was squid. After messing around and not getting it to work I gave up and went to give nginx a try.

With no previous nginx experience I sure as hell was excited about it, “would this actually work? how long would it take to get the configuration right? Squid took forever with scrolling through (old) configuration examples”.

To my enjoyment it was extremely easy to get up and running. Here’s a walkthrough:

  • Reverse proxy DNS name (should be available in the external DNS): ocsedgeweb.fabrikam.com
  • Web components server (with a single server in my case the pool server): ocspool01.fabrikam.com
  • Now, make sure that the reverse proxy server is able to connect to ocspool01.fabrikam.com (needs the DNS lookup and open ports — 443 presumably). You can test this by typing the following in the console on the reverse proxy:
    telnet ocspool01.fabrikam.com 443
  • Next up is to install nginx. I won’t go into the details here since it differs from distribution to distribution, but it should be fairly easy.
  • Get some certificates; yours should have the subject name ocsedgeweb.fabrikam.com. Save the certificate and private key in /etc/nginx.
  • Edit /etc/nginx/nginx.conf as follows
user nobody;
worker_processes 4;
events {
	worker_connections 1024;
}

http {
	include mime.types;
	default_type application/octet-stream;

	sendfile on;
	keepalive_timeout 65;
	server {
		listen 443;
		ssl on;
		ssl_certificate /etc/nginx/certificate.crt;
		ssl_certificate_key /etc/nginx/private.key;
		ssl_session_timeout 5m;
		ssl_protocols SSLv2 SSLv3 TLSv1;
		ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
		ssl_prefer_server_ciphers on;
		server_name ocsedgeweb.fabrikam.com;
		location / {
			proxy_pass https://ocspool01.fabrikam.com:443;
			proxy_set_header Host ocsedgeweb.fabrikam.com;
			proxy_set_header X-Real-IP $remote_addr;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_max_temp_file_size 0;
			proxy_connect_timeout 30;
			proxy_read_timeout 120;
		}
	}
}

Now start nginx and try uploading a file in Live Meeting for example.

As a note: we’ve set authentication on /Abs/Ext/, /etc/place and /GroupExpansion/Ext to ‘Basic’ instead of the default ‘Windows Integrated’
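The server block above dates from 2010: it offers SSLv2 and SSLv3, enables RC4, LOW and export cipher suites, and proxies to the web components server over https:// without verifying that server’s certificate. With /Abs/Ext/ and /GroupExpansion/Ext switched to Basic authentication, the TLS layer is the only thing standing between a user’s password and the network, so those settings matter. The script below is an added example, not code from the post or from the nginx project: a small audit function that flags those four settings, run against the posted server block and against a hardened replacement. It assumes nginx 1.13 or later (TLSv1.3 and the proxy_ssl_* directives), keeps the post’s certificate paths, and uses /etc/nginx/internal-ca.pem as a placeholder path for the CA that issued the ocspool01.fabrikam.com certificate.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an nginx server block
# for weak TLS settings and write a hardened replacement. Assumes nginx 1.13+;
# /etc/nginx/internal-ca.pem is a placeholder for the internal CA bundle.

# audit_tls_conf FILE: print one line per weak setting; return 1 if any found.
audit_tls_conf() {
    conf="$1"
    findings=0
    # SSLv2, SSLv3, TLSv1.0 and TLSv1.1 all have protocol-level breaks
    if grep -Eq '^[[:space:]]*ssl_protocols.*(SSLv2|SSLv3|TLSv1[[:space:];]|TLSv1\.1)' "$conf"; then
        echo "obsolete protocol version offered in ssl_protocols"
        findings=$((findings + 1))
    fi
    # Cipher tokens that are enabled (not prefixed with '!') and broken or export-grade
    if grep -Eq '^[[:space:]]*ssl_ciphers.*[^!](RC4|LOW|EXP|MD5|aNULL|ADH)' "$conf"; then
        echo "weak cipher suites enabled in ssl_ciphers"
        findings=$((findings + 1))
    fi
    # 'ssl on;' is deprecated since nginx 1.15.0 and removed in 1.25.1
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$conf"; then
        echo "deprecated 'ssl on;' (use 'listen 443 ssl;')"
        findings=$((findings + 1))
    fi
    # An https:// upstream certificate is only checked when proxy_ssl_verify is on
    if grep -Eq 'proxy_pass[[:space:]]+https://' "$conf" &&
       ! grep -Eq '^[[:space:]]*proxy_ssl_verify[[:space:]]+on' "$conf"; then
        echo "https upstream without proxy_ssl_verify on"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# write_original_conf FILE: the TLS-relevant lines of the posted server block
write_original_conf() {
    cat > "$1" <<'EOF'
server {
    listen 443;
    ssl on;
    ssl_certificate /etc/nginx/certificate.crt;
    ssl_certificate_key /etc/nginx/private.key;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    server_name ocsedgeweb.fabrikam.com;
    location / {
        proxy_pass https://ocspool01.fabrikam.com:443;
        proxy_set_header Host ocsedgeweb.fabrikam.com;
    }
}
EOF
}

# write_hardened_conf FILE: same proxy, modern TLS, verified upstream
write_hardened_conf() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    server_name ocsedgeweb.fabrikam.com;
    ssl_certificate     /etc/nginx/certificate.crt;
    ssl_certificate_key /etc/nginx/private.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 5m;
    add_header Strict-Transport-Security "max-age=31536000" always;
    location / {
        proxy_pass https://ocspool01.fabrikam.com:443;
        # check the web components server's certificate against the internal CA
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/internal-ca.pem;
        proxy_ssl_server_name on;
        proxy_ssl_name ocspool01.fabrikam.com;
        proxy_set_header Host ocsedgeweb.fabrikam.com;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_max_temp_file_size 0;
        proxy_connect_timeout 30;
        proxy_read_timeout 120;
    }
}
EOF
}

demo() {
    d=$(mktemp -d)
    write_original_conf "$d/old.conf"
    write_hardened_conf "$d/new.conf"
    echo "== posted server block =="
    audit_tls_conf "$d/old.conf" || echo "(fix before exposing this to the Internet)"
    echo "== hardened server block =="
    audit_tls_conf "$d/new.conf" && echo "no findings"
    rm -rf "$d"
}
demo
```

Run `audit_tls_conf /etc/nginx/nginx.conf` on the proxy itself after editing, then `nginx -t` to confirm the directives are accepted by the installed version; the Basic-auth paths stay as the post has them, the hardening is purely at the TLS layer that carries them.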

OCS 2007 R2 Live Meeting A/V failure

Posted in OCS on July 26th, 2010 by webern – Be the first to comment

Been working on a case to install OCS 2007 R2 with Live Meeting capabilities and stumbled upon this weird problem.

- OCS would work
- Live meeting would work
- A/V wouldn’t work

The client gave the following error message:

—————————
Voice and Video Error Information
—————————
Your attempt to start audio or video did not succeed.
Action required: Please try again to start audio or video. Alternatively, you can try closing and reopening Live Meeting.
—————————————————————————
More details for technical support:
—————————————————————————
Message Category: 3 (kServerError)
Message Code: 24 (kAddUserRequestFailed)
Root Cause Error: 0x80004005
Root Cause Component: kAVMCU
Audio Input Device: Headset Microphone (Logitech USB Headset)
Audio Output Device: Speakers (High Definition Audio Device)
Video Input Device:
Audio Muted: No
Media State: (43,0,0,0,2,0,AddUserRequestSent)
AvMcu Uri:
Avmcu Reachable: Yes
Acp Reachable: No
Diagnostics Information:

Now, after a HECK LOAD of troubleshooting — and even reinstalling the entire solution a couple of times I found this blog post, and I couldn’t believe that in 2010 something like regional settings would still cause problems.

Anyhow, I did as the blog says and to my happiness it worked. Aye karamba! Next up is getting Squid/Pound/nginx as reverse proxy for the web components/conferencing.