OCS 2007 Access Edge server via ISA 2006 - failing external Validation test

    Hi there

    I've built an OCS Access Edge server with the aim of federating with a vendor we have a close relationship with.

    The Access Edge server is in a perimeter network configured on an ISA 2006 server (standard 3-leg config, internal, DMZ and internet).

    The Front End server is in the internal LAN.

    I followed the instructions in this document as closely as I could:

    However, when our partner vendor runs the Federation validation test, it fails with the following error:


    Federation Validation Test For

    SIP Domain:
    SIP Access Edge:
    Validation Test Result: Failure
    Validation Test Details: Testing connectivity for console input server Check machine on ##.###.###.#:5061 : tls : FAIL No connection could be made because the target machine actively refused it ##.###.###.#:5061


    Now, not being an ISA 2006 expert (or indeed an OCS 2007 expert...) I'm trying to establish the basic cause of the above error, i.e. is it the ISA server that is blocking a protocol or a port, or is it an issue with the Access Edge server itself, or even an issue between the OCS Access Edge server and the OCS Front End server in the internal LAN.

    I'm leaning towards the issue being with the ISA server, but having closely followed the above document, I am not sure what I can do now to test.

    Within the error message above it says 'No connection could be made because the target machine actively refused it ##.###.###.##:5061'

    I'm assuming by 'target machine' it means the external IP of the NIC on the ISA server which is configured as the external address of the Access Edge server (via NAT, the internal address of the Access Edge server in the perimeter network is a 192.168.#.# address).

    Can anyone advise on what this error is being caused by, or even how to work out what the error is caused by?

    I found a link to this test on another forum (thanks to Mark King)

    I ran the test externally and this was the result:


    Connectivity Test Failed
    Test Details

    Testing the Remote Connectivity of user EMAIL GONE.

    The specified user failed to register successfully with the OCS Server.

    Test Steps

    Attempting to Resolve the host name in DNS.

    Host successfully Resolved

    Testing TCP Port 443 on host to ensure it is listening/open.

    The port was opened successfully.

    Testing SSLCertificate for validity.

    The certificate passed all validation requirements.validation checks.

    Testing OCS remote sign in through Access Edge Server: Port Number (, for SignInAddress (EMAIL GONE).

    The specified user failed to register successfully with the OCS Server.

    Tell me more about this issue and how to resolve it

    Given that the test confirms that the OCS server/port is listening/open, I'm unsure why I still failed to log on remotely. Is this an obvious issue?

    Another thing, don't know if it is related:

    I've just come across something in my OCS Front-End server which I'm not happy about.

    I was going to double-check the steps I took (from the Syngress book 'How to Cheat at Administering OCS 2007') when I noticed I had missed a step out.

    The fella who wrote the Edge server chapter states at a certain point that you must go back to the Front-End server and configure it for correct communication with the Edge server.

    He says re-run the OCS setup.exe file and go into Deploy Standard Edition server again, and select 'Configure Server'.

    However, when I go into this, the 'Deploy Server' and everything below is grayed out, and the 'Prepare Active Directory' button is set to 'partial'.

    I then checked the FE server, and under Forest>General Settings and under Forest, Schema Version and Prep State it now says 'Information not available in this view'.

    This is news to me, we've had our OCS server running perfectly internally for a year and a half now.

    When I click on the 'Prepare Active Directory' button, 'Prep Schema' and 'Prep Forest' are ticked ok, but 'Prep Current Domain' for some reason is set as 'Run' as if it's never been done before.

    When I run through the 'Prep Current Domain' wizard, it completes with the following failure:

    Create Permission Settings of UsersContainer Failure
    [0x8007200A] The specified directory service attribute or value does not exist.

    I have no idea what this means, the only thing I can think of is some other admin has been playing about with AD.

    Could this be the reason I am unable to access OCS from a remote location?

    The guy from the book says I should be going into 'Configure Server' and configuring for 'external user access' and 'routing directly to and from internal pools and servers'.
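
An added example, not part of the original post: a small TCP probe that repeats the connectivity step of both test reports from an external machine and separates a refused connection (the result reported for port 5061) from a timeout or an accepted connection (the result reported for port 443). `EDGE_HOST`, `probe` and `survey` are hypothetical names, and the host value is a placeholder for the Access Edge external name or address.

```python
import errno
import socket

# Hypothetical placeholder: set to the Access Edge external FQDN or IP.
EDGE_HOST = "edge.example.invalid"
# Ports taken from the two test reports in the post.
PORTS = (5061, 443)


def probe(host, port, timeout=5.0):
    """Classify one TCP connect attempt as open, refused, timeout or error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            # Three-way handshake completed: something accepts this port.
            return "open"
    except ConnectionRefusedError:
        # A TCP reset came back. Windows reports this as "the target
        # machine actively refused it" (WSAECONNREFUSED).
        return "refused"
    except socket.timeout:
        # No reply at all within the timeout: packets silently dropped
        # or never routed to a host that answers.
        return "timeout"
    except OSError as exc:
        # DNS failure, unreachable network and similar conditions.
        return "error: " + errno.errorcode.get(exc.errno, str(exc))


def survey(host, ports=PORTS, timeout=5.0):
    """Probe every port of interest and return {port: result}."""
    return {port: probe(host, port, timeout) for port in ports}


if __name__ == "__main__":
    for port, result in survey(EDGE_HOST).items():
        print(f"{EDGE_HOST}:{port} -> {result}")
```

Running the same probe from the internet, from the ISA server itself against the Edge server's perimeter address, and on the Edge server against its own address shows at which hop the result for 5061 changes.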