Nov 17

Frontend Server Validation fails on Federation

Running a validation on the Frontend server (Standard or Enterprise edition) shows an error message similar to this:

DNS Resolution succeeded: InternalIP
TLS connect succeeded: InternalIP:5061
Routing trust check and MTLS connectivity: Received a failure SIP response
Routing trust check and MTLS connectivity: MTLS connection establishment succeeded but received a SIP
failure response. This usually indicates lack of routing trust between the remote
server and the current machine. Check the local and remote server certificates for any
misconfiguration. In addition, check whether the local server is recognized
as a trusted server by the remote server.

Suggested Resolution: Routing trust check and/or MTLS connection establishment failed.
This is usually caused by the remote server not accepting the certificate presented by the
current machine. Check the local and remote server certificates for any
misconfiguration. In addition, check whether the local server is recognized
as a trusted server by the remote server.

You probably already checked:

– Both certificates issued are trusted by both machines

– The edge server validation wizard succeeds.

I found this KB article that states the following:

The following are examples of situations that cause the Communications Server 2007 Access Edge Server validation error message that is mentioned in the “Symptoms” section:

  • The Communications Server 2007 Access Edge Server is in a combined configuration. Additionally, the Communications Server 2007 Access Edge Server is not being load balanced. This configuration requires a single internal interface (network adapter) that has an FQDN that contains the host name of the Communications Server 2007 Access Edge Server. If the host name of the Communications Server 2007 Access Edge Server is mapped to a CNAME record in the Domain Name System (DNS) zone that represents its FQDN, the Communications Server 2007 Access Edge Server Validation Wizard generates the error message.
  • The Communications Server 2007 Access Edge Server is in an expanded configuration. Additionally, the Communications Server 2007 Access Edge Server is being load balanced by a hardware load balancer. This configuration requires that the load balancer’s VIP be mapped to an FQDN in the local DNS resource that is being shared by the Communications Server 2007 Access Edge Servers. Usually, the FQDN to which the VIP is mapped does not contain a host name of the Communications Server 2007 Access Edge Servers. Therefore, the FQDN generates the validation error message.
  • The Communications Server 2007 Access Edge Server will check the Mutual Transport Layer Security (MTLS) Web server certificates that are assigned to the Communications Server 2007 Access Edge Server or to the Communications Server 2007 Access Edge Servers for the Subject Name value. Additionally, the Communications Server 2007 Access Edge Server will try to match this Subject Name value with the host name of the Communications Server 2007 Access Edge Server in Windows Management Instrumentation (WMI). If the Subject Name value and the host name do not match, the Communications Server 2007 Access Edge Server Validation Wizard generates the validation error message.

In most cases the last bullet point will be true. So you can make sure the WMI computername matches the certificate or ignore this error message.

Remark: Changing the computer name will prevent the Access Edge server from starting. You need to change the certificate name.
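The comparison described in the last bullet point can be made by hand on the Access Edge Server. The following PowerShell is an added example, not part of the original post or the KB article: it reads the computer name from WMI and compares it with the Subject Name of every certificate in the local machine store that carries the Server Authentication usage. It does not know which certificate is assigned to the internal interface, so it lists all candidates; the `Match` column and its values are names chosen for this example.

```powershell
# Added example: compare the host name reported by WMI with the Subject Name
# (CN) of the server certificates installed on this machine.
$X509 = 'System.Security.Cryptography.X509Certificates'

# Computer name as WMI reports it (short name, no DNS suffix).
$wmiName = (Get-WmiObject -Class Win32_ComputerSystem).Name

# FQDN = host name plus primary DNS suffix. An edge server is often a
# workgroup member, so the suffix is read from the IP configuration.
$ip   = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$fqdn = if ($ip.DomainName) { "$($ip.HostName).$($ip.DomainName)" } else { $ip.HostName }

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Keep only certificates usable as a TLS/MTLS server certificate.
    $eku = $cert.Extensions |
        Where-Object { $_ -is ("$X509.X509EnhancedKeyUsageExtension" -as [type]) }
    if (-not $eku) { return }
    $usable = @($eku.EnhancedKeyUsages |
        Where-Object { $_.Value -eq $serverAuthOid }).Count -gt 0
    if (-not $usable) { return }

    # SimpleName returns the CN of the Subject when one is present.
    $nameType = [Enum]::Parse(("$X509.X509NameType" -as [type]), 'SimpleName')
    $cn = $cert.GetNameInfo($nameType, $false)

    # PowerShell string comparison is case-insensitive, like host names.
    $match = if ($cn -eq $fqdn) { 'FQDN' }
             elseif ($cn -eq $wmiName) { 'HostNameOnly' }
             else { 'Mismatch' }

    New-Object PSObject -Property @{
        SubjectCN  = $cn
        WmiName    = $wmiName
        Fqdn       = $fqdn
        Match      = $match
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
    }
} | Select-Object SubjectCN, WmiName, Fqdn, Match, NotAfter, Thumbprint |
    Format-Table -AutoSize
```

A row with `Mismatch` for the certificate assigned to the internal interface corresponds to the situation in the last bullet point.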

Permanent link to this article: http://www.reijling.nl/?p=196

16 comments


  1. As a Newbie, I am permanently browsing online for articles that can be of assistance to me. Thank you

  2. Good article!!!

  3. Good site, it's very interesting

  4. Interesting post for me

  5. Interesting site for me

  6. Interesting for me

  7. Beautiful post, great ))

  8. Very helpful and interesting information. I found what I have been searching for years. Thank you so much. And keep writing!

  9. Good Article

  10. Do you people have a facebook fan page? I looked for one on twitter but could not discover one, I would really like to become a fan!

  11. thanks for sharing such article useful information.

  12. Great blog. If you are the type to update your blog regularly, then you have gained one daily reader in me today. Keep up the super work.

    • Uggs on 18/01/2011 at 23:02

    very good publish, i definitely love this website, keep on it

    • Aavisek on 12/02/2011 at 10:16

    Hey, I am facing the same error. I have checked the certificate on the EDGE server and the frontend server and both are OK; the EDGE validation test also succeeds. But frontend validation is still failing. Please help

    • Mark on 01/07/2011 at 16:12

    The last bullet point not only does not make sense (you have the edge checking its own certificate, which is pointless!), but it is not a copy of the KB article you quote either. (The MS article correctly states that it is the access server that checks the certificate.) Also, what exactly does “So you can make sure the WMI computername matches the certificate or ignore this error message.” mean? WMI is an interface, so how can an interface match a certificate? Please state precisely what is meant including commands. Many thanks.

    • Jeroen on 16/07/2011 at 21:31
      Author

    Hi Mark,

    Thank you for the remark. It seems that you are knowledgeable. It might be my English and writing it for “not to” techies. Could you perhaps share your thoughts on how to update the entry?
