Steve Schofield (Guest)
Posted: Sun Jan 09, 2005 5:31 am
Post subject: Can't get LCS through a firewall

I've set up an LCS2005 standard server in a virtual 2005 instance. I have
this working OK with clients on this internal network. Now I'm testing
clients that access this from the outside. I temporarily just want to test
connectivity to see if this works outside before proceeding with
certificates. I'm using TCP for authentication and port 5060. I have port
5060 open on the firewall to the server running LCS2005. When I do a
network trace I get a SIP 2.0/ 401 Not Authorized in the trace. I've tried
both NTLM and Kerberos protocols and still can't log in. This client that
I'm trying to log in isn't part of the AD domain, but the credentials I'm
using are correct because these are the same creds I used on internal client
testing, both with machines in and out of the domain. What other type of
logging is available to help troubleshoot authentication issues? I've read
the docs, googled and am out of ideas. I've changed some of the data to
protect the real data, but hopefully you get the idea.
Here are the two network packets.
First one:
REGISTER sip:lcs.mydomain.com SIP/2.0
Via: SIP/2.0/TCP 55.55.55.55:40420
Max-Forwards: 70
From: <sip:steve@lcs.mydomain.com>;tag=96077ba9f58d46f8bb6b691f903480b8;epid=f7dd557406
To: <sip:steve@lcs.mydomain.com>
Call-ID: 116eda398091460d9ef9bc122bf1322d
CSeq: 1 REGISTER
Contact: <sip:55.55.55.55:40420;transport=tcp>;methods="INVITE, MESSAGE, INFO, SUBSCRIBE, OPTIONS, BYE, CANCEL, NOTIFY, ACK, REFER, BENOTIFY";proxy=replace
User-Agent: RTC/1.3.5369 (Messenger 5.1.0639)
Supported: com.microsoft.msrtc.presence, adhoclist
ms-keep-alive: UAC;hop-hop=yes
Event: registration
Allow-Events: presence
Content-Length: 0
Second Packet with 401 Unauthorized error
SIP/2.0 401 Unauthorized
Date: Sat, 08 Jan 2005 23:14:04 GMT
WWW-Authenticate: NTLM realm="SIP Communications Service", targetname="VMSSTEST.lcs.mydomain.com"
WWW-Authenticate: Kerberos realm="SIP Communications Service", targetname="sip/VMSSTEST.lcs.mydomain.com"
Via: SIP/2.0/TCP 55.55.55.55:40420;ms-received-port=3627;ms-received-cid=900
From: <sip:steve@lcs.mydomain.com>;tag=96077ba9f58d46f8bb6b691f903480b8;epid=f7dd557406
To: <sip:steve@lcs.mydomain.com>;tag=18C33309E14B8DD0DC4C9B837F1712DB
Call-ID: 116eda398091460d9ef9bc122bf1322d
CSeq: 1 REGISTER
Content-Length: 0
Any information would be appreciated.
Steve Schofield
Microsoft MVP - ASP/ASP.NET
ASPInsider Member - MCP
http://www.orcsweb.com/
Powerful Web Hosting Solutions
#1 in Service and Support
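
Added example, not part of the original post: the REGISTER in the trace above carries no Authorization header, so the 401 that answers it is the server's opening NTLM/Kerberos challenge. The sketch below parses both messages, lists the offered schemes with their target names, and separates that case from a 401 returned after credentials were sent. The message strings are reconstructed from the post and the function names are hypothetical.

```python
import re

# Constructed from the two messages in the post (capture debris dropped, wrapped lines joined).
REGISTER = (
    "REGISTER sip:lcs.mydomain.com SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 55.55.55.55:40420\r\n"
    "From: <sip:steve@lcs.mydomain.com>;tag=96077ba9f58d46f8bb6b691f903480b8;epid=f7dd557406\r\n"
    "To: <sip:steve@lcs.mydomain.com>\r\n"
    "Call-ID: 116eda398091460d9ef9bc122bf1322d\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Content-Length: 0\r\n\r\n"
)
CHALLENGE = (
    "SIP/2.0 401 Unauthorized\r\n"
    'WWW-Authenticate: NTLM realm="SIP Communications Service", targetname="VMSSTEST.lcs.mydomain.com"\r\n'
    'WWW-Authenticate: Kerberos realm="SIP Communications Service", targetname="sip/VMSSTEST.lcs.mydomain.com"\r\n'
    "Call-ID: 116eda398091460d9ef9bc122bf1322d\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Content-Length: 0\r\n\r\n"
)

def parse_sip(raw):
    """Return (start_line, headers); names lower-cased, repeated headers kept in order."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def challenges(headers):
    """Map each offered auth scheme to its quoted parameters (realm, targetname, ...)."""
    out = {}
    for value in headers.get("www-authenticate", []):
        scheme, _, params = value.partition(" ")
        out[scheme] = dict(re.findall(r'([\w-]+)="([^"]*)"', params))
    return out

def classify_401(request, response):
    """Label a 401 by whether the request it answers already carried credentials."""
    _, req = parse_sip(request)
    status, resp = parse_sip(response)
    if not status.startswith("SIP/2.0 401"):
        return "not-a-401"
    if req.get("call-id") != resp.get("call-id") or req.get("cseq") != resp.get("cseq"):
        return "unrelated-transaction"
    # A 401 to a request that did carry Authorization is the one worth a closer look.
    return "after-authorization" if "authorization" in req else "initial-challenge"
```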

Steve Schofield (Guest)
Posted: Sun Jan 09, 2005 5:51 am
Post subject: Re: Can't get LCS through a firewall

Never mind, I got it working. I'm not 100% sure yet, but I think it has
something to do with SRV and DNS resolution. Once I pointed both of the
clients outside the firewall to the server that is holding the _sip SRV
record, this worked fast and w/o any issues. Now I have to understand this
better, but at least I got it working in concept. Can you use a hosts file
for resolution to the SRV record? Any comments or suggestions on this topic
I'd surely appreciate.
Thanks again,
Steve Schofield

Steve Schofield (Guest)
Posted: Sun Jan 09, 2005 9:35 am
Post subject: Re: Can't get LCS through a firewall

Never mind, it was the SRV records. All is well.
Steve

Gabe Matteson (Guest)
Posted: Tue Jan 11, 2005 1:03 am
Post subject: Re: Can't get LCS through a firewall

Are you using an access proxy to allow outside users access to the live com
server?

Gabe Matteson (Guest)
Posted: Tue Jan 11, 2005 1:15 am
Post subject: Re: Can't get LCS through a firewall

Thanks in advance. Also, if you set your Messenger client to automatically
detect the settings, it will use the SRV record to find the server, correct?
Thanks.
- GM