Integrating OCS with Avaya S87XX 1

Status
Not open for further replies.

simreal

Technical User
Jun 13, 2006
714
US
Has anyone successfully integrated Microsoft Communications Server with an Avaya S87XX or similar platform?

I am trying to set up a pilot so we can test some functionality but I can't even get the TR/87 media test to pass.

When I run the test I get:

Code:
FAILED because of a time out waiting for a response from the AE Service Server. Please check the server logs for exceptions 

Possible errors: 
-Port 4723 is disabled on interface eth0. 
-Invalid server certificate chain. 
-CN in certificate was not found in the host authorization list. 
-The AES Server and Web Server are not using the same certificate. The AES Server and Web Server must be restarted after the certificate is added. Please use the Maintenance -> Service Controller page to restart the AE Server and Web Server.

I know the port is open. I believe the certificates are correct but I don't know CA very well so I'm not positive about that.

Any help would be appreciated. I'm using the integration manual from May of 2008. I have followed it to the letter.

-Simreal
 
Hey Simreal

Did you find any solution for your problem?
Cause I have the same problem as you.

//Laff3r
 
No ... I have been working with various T3 engineers at Avaya and we have yet to find the solution.


Some tips I'll give you though ...

1) Make sure the hostname of the AES is in the Host AA table. I put every variation I could come up with. IP, hostname, hostname<domainname>, localhost, 127.0.0.1, etc.

2) Make sure your FQDN for the AES matches the hostname (i.e. if your hostname is aeserver ... then your FQDN should be something like aeserver.mycompany.com). This is important for the server Certificate.

3) Make absolute sure the CA authority your company is using is Enterprise CA running on Enterprise Windows 2003 or better.

4) Make sure your Server certificate has client and server auth. At the bottom of the certificate you should see the following:
Extended Key Usage:
serverAuth
clientAuth


5) Make sure your TR/87 port is enabled in the ports section of Network interface configs.

6) Make sure that after you enable the 4723 TR/87 port you reboot the AE server.

7) Make sure your server certificate is issued by the same authority as your trusted certificate. (This establishes the chain of trust.)


8) I recommend downloading "Windows Support Tools" from Microsoft. There is an application in that package called ldp.exe. You can use this app to test connectivity to your Active Directory. This won't help you with the TR/87 test but it's good to have for the next couple of tests.
 
I forgot to mention ... the CA can use the "Computer" template in Enterprise CA to issue the client/server auth for the cert.
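
Added example (not part of the original thread, and not Avaya or Microsoft tooling): tips 2, 4 and 7 above can be checked offline with the openssl CLI before the certificate is loaded on the AES. The function names, file paths and aes1.example.test are constructed; make_demo_pki only builds a throwaway CA and server certificate to run the check against.

```shell
# Added example. Names, paths and the FQDN are constructed placeholders.
# check_aes_cert CERT CA_CERT FQDN
# Prints one line per check; returns 0 only if every check passes.
check_aes_cert() {
    cert=$1 ca=$2 fqdn=$3 rc=0
    # Tip 7: the server certificate must chain to the trusted CA certificate.
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "ok   chain: issued by the trusted CA"
    else
        echo "FAIL chain: not issued by the trusted CA"; rc=1
    fi
    # Tip 2: the subject CN must be the server's FQDN (exact match).
    subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)
    case "$subj" in
        *"CN=$fqdn"|*"CN=$fqdn",*) echo "ok   CN: $fqdn" ;;
        *) echo "FAIL CN: expected $fqdn, got $subj"; rc=1 ;;
    esac
    # Tip 4: both EKUs must be present. openssl prints serverAuth and
    # clientAuth as "TLS Web Server/Client Authentication".
    text=$(openssl x509 -in "$cert" -noout -text)
    for eku in "TLS Web Server Authentication" "TLS Web Client Authentication"; do
        if printf '%s\n' "$text" | grep -q "$eku"; then
            echo "ok   EKU: $eku"
        else
            echo "FAIL EKU: missing $eku"; rc=1
        fi
    done
    return $rc
}

# make_demo_pki DIR EKU_LIST
# Builds a throwaway CA (DIR/ca.pem) and server cert (DIR/aes.pem) to test with.
make_demo_pki() {
    d=$1 ekus=$2
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
        'prompt=no' '[dn]' 'CN=Constructed Demo CA' '[v3_ca]' \
        'basicConstraints=critical,CA:TRUE' '[leaf]' \
        "extendedKeyUsage=$ekus" > "$d/demo.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/demo.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -subj "/CN=aes1.example.test" -keyout "$d/aes.key" -out "$d/aes.csr" 2>/dev/null
    openssl x509 -req -in "$d/aes.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/demo.cnf" -extensions leaf \
        -out "$d/aes.pem" 2>/dev/null
}
```

To try it: d=$(mktemp -d); make_demo_pki "$d" serverAuth,clientAuth; check_aes_cert "$d/aes.pem" "$d/ca.pem" aes1.example.test. For a real deployment, pass the PEM-encoded server certificate and trusted CA certificate in place of the demo files.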
 
Hi Simreal

I was told that when the admin makes the certificate he can't use the Computer template, cause then the server needs to log in to the domain. And what I can see, we don't do that?
Am I wrong? And any solution for that?
 
Hi Simreal

I got it fixed.
So now I move on to the next step.
Did you get any further?
 
I was able to get my TR/87 tests to pass.

The kicker was the AES server needed to be in the same domain.

In my case the server was aes1 (hostname) so my DNS entry was aes1.fnb.fnni.com then the server certificate needed to reflect that DN.

I also found my firewall was blocking port 389 (Active Directory) and that's required for the first test even though the info it's checking against isn't valid.

Once I fixed that my first test passed.


Then I had to make sure to get my enterprise directory config right. This includes having the E164 telephone number added to the AD record for each user as well as the SIP address for each user.

This got me all three tests passing now.

I just have to figure out why OCS client calls are failing now.
 
Hi simreal

I have been away for some time. But back again.
Did you finish your OCS implementation?

 
I haven't. In fact I haven't made a shred of progress since I got the AES portion taken care of. I pass all of my TR/87 tests now but the OCS side isn't set up yet.

When I try to make a call from OCS it rings the other person's OCS client but the phones are not involved.
 
I have a problem with the last test (3rd). Maybe you can help me out here. Get this error msg.

# Verify TR/87 Makecall: FAILED because MakecallResponse was not received.
Input Parameters - From SIP URI: sip:laff3r@xxxxxxxx.lan, From Tel URI: tel:+4XXXXXX610, To Tel URI: tel:+4xXXXXX611
 
I had the same problem with the third test.

The solution ended up being the configuration of Enterprise directory in the AES.

I ended up using ldp.exe from Microsoft "Windows Support Tools" and determining what configuration I needed.

The login information and base search dn are very important. Once I had those correctly configured I was able to see all of my users and then my TR/87 test 3 passed.
 
All my tests succeed now. So that's great.
But can't dial from the OCS client.
On the client it says "No phone system connection"
Anything you have tried?

 
This error from the logfile.

2009-06-24 18.30.44,858 gov.nist.core.LogWriter logError
WARNING: gov.nist.javax.sip.stack.TLSMessageProcessor.run(TLSMessageProcessor.java:169) [Close the socket, because the client certificate is invalid or can not find CN on the authorized host list]
2009-06-24 18.30.44,859 gov.nist.core.LogWriter logError
WARNING: Problem Accepting Connection
java.security.cert.CertificateException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at gov.nist.javax.sip.stack.TLSPeerValidator.<init>(TLSPeerValidator.java:125)
at gov.nist.javax.sip.stack.TLSMessageProcessor.run(TLSMessageProcessor.java:165)
at java.lang.Thread.run(Thread.java:595)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:345)
at gov.nist.javax.sip.stack.TLSPeerValidator.<init>(TLSPeerValidator.java:123)
... 2 more
 
I haven't tried anything yet. Unfortunately I am in a large organization and the OCS does not fall into my scope of responsibility.

So I have to rely on someone else and that team is very busy lately. We're scheduled in the next few weeks to work on this so I'll post an update as soon as I have something.

I would certainly appreciate any info you gain on solving the issue.
 
Any tips you can provide for my OCS woes?

I would certainly appreciate the help.
 
Do you have the error No phone system connection in your OCS client?
 
No ... When I place a call from the OCS client the chat window opens, I see the client trying to make the call, I hear ringing in my pc speakers and the other person hears ringing in their speakers.

If they click answer on their client we get a 2 way audio chat session between our PCs. The PBX is never involved and no errors are noted.
 
I don't even have an option to make an outside call. Do you mean call a different number for a contact and specify an outside number?
 