The Office Communicator client signs in to OCS in one of two ways:
1) The OCS server hostname is manually specified in Communicator, or,
2) “Automatic Sign-In” via a DNS query on the SIP domain (the domain portion of the user’s SIP address) which returns the OCS server (or pool).
This is true for clients running both inside and outside your internal network (’outside’ meaning outside the firewall, on the Internet).
The DNS records for automatic sign-in are always front-and-centre when troubleshooting any Communicator sign-in issues, so I’ll recap the format of the DNS SRV records most commonly needed:
1) _sipinternaltls._tcp.<sip domain> (Internal TLS)
2) _sipinternal._tcp.<sip domain> (Internal TCP)
3) _sip._tls.<sip domain> (External TLS)
4) _sip._tcp.<sip domain> (External TCP *)
From a DNS sign-in perspective, Communicator does not know or care whether it is on an internal or external network – it queries for the DNS SRV records in the order listed above, and will attempt a connection on the first match (the hostname specified by the SRV record).
* Although Communicator will search for the external TCP SRV record of the format “_sip._tcp.<sip domain>”, external connections must use TLS (on the Edge Access).
The DNS SRV record returns a hostname representing the OCS Enterprise Pool or Standard Server. A DNS A record lookup is then performed to get an IP address to connect to.
If no DNS SRV records are found, Office Communicator performs an explicit DNS A record lookup in the following order (until it gets a successful match):
5) sipinternal.<sip domain>
6) sip.<sip domain>
7) sipexternal.<sip domain>
Note: In the Communicator R2 client, it appears that the format “sip.<sip domain>” (#6 above) is tried before “sipinternal.<sip domain>”, and #7 is not attempted at all.
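The lookup order above, modelled as an added example (not code from this post or from the InsideOCS tool): it walks the SRV names and then the A-record fallbacks in the order listed, and flags a first match that would select unencrypted TCP. The function names, the `example.com` SIP domain, the hostnames, ports and IP addresses are all constructed for illustration, and the R2 ordering simply encodes the observation in the note above.

```python
# Added example: models the lookup order described in this post over a
# constructed, in-memory zone (no network access, no real hostnames).
SRV_ORDER = [
    ("_sipinternaltls._tcp", "internal", "TLS"),
    ("_sipinternal._tcp", "internal", "TCP"),
    ("_sip._tls", "external", "TLS"),
    ("_sip._tcp", "external", "TCP"),
]
A_ORDER = ["sipinternal", "sip", "sipexternal"]
A_ORDER_R2 = ["sip", "sipinternal"]  # assumption: ordering as observed in the post


def discover(sip_domain, srv_zone, a_zone, r2_client=False):
    """Return the record Communicator would use, or None if nothing matches.

    srv_zone maps SRV names to (target host, port); a_zone maps hostnames to IPs.
    """
    for prefix, scope, transport in SRV_ORDER:
        name = f"{prefix}.{sip_domain}"
        if name in srv_zone:  # first match wins; later records are never tried
            host, port = srv_zone[name]
            return _result(name, "SRV", host, port, scope, transport, a_zone)
    for label in (A_ORDER_R2 if r2_client else A_ORDER):
        host = f"{label}.{sip_domain}"
        if host in a_zone:
            return _result(host, "A", host, None, None, None, a_zone)
    return None


def _result(record, rtype, host, port, scope, transport, a_zone):
    warnings = []
    if transport == "TCP":
        warnings.append(f"{record} selects unencrypted TCP")
        if scope == "external":
            warnings.append("external connections must use TLS")
    if host not in a_zone:  # the SRV target still needs an A record
        warnings.append(f"no A record for {host}")
    return {"record": record, "type": rtype, "host": host, "port": port,
            "ip": a_zone.get(host), "warnings": warnings}


# Constructed sample zone for the placeholder SIP domain example.com
SAMPLE_SRV = {
    "_sip._tcp.example.com": ("sip.example.com", 5060),
    "_sip._tls.example.com": ("edge.example.com", 443),
}
SAMPLE_A = {"edge.example.com": "192.0.2.10", "sip.example.com": "192.0.2.11"}

if __name__ == "__main__":
    print(discover("example.com", SAMPLE_SRV, SAMPLE_A))
```

Running it against an export of your own zone shows which record wins before a client ever attempts to connect, which is the same question the troubleshooting tool mentioned below answers with live DNS queries.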
InsideOCS has a free downloadable tool, the Automatic Sign-In Troubleshooting Tool, that will query for all of the automatic sign-in DNS records and show which ones exist, and which one will be used.
For more details on the automatic sign-in process and its requirements, see:
- Automatic Office Communicator Sign-In (Part 1 – The Correct DNS Service Location (SRV) Record)
- Automatic Office Communicator Sign-In (Part 2 – ensuring the correct Subject Name on the Certificate)
- Automatic Office Communicator Sign-In (Part 3 – ensuring the client trusts the issuing Certificate Authority)
Note: the manual configuration of Office Communicator clients can be automated through the Microsoft Office Communicator Group Policy.
For additional information, see the following links:
- Microsoft OCS 2007 TechNet Library – Required DNS Records for Automatic Client Sign-In
- Microsoft OCS 2007 R2 TechNet Library – Office Communicator Sign-in and Discovery
- Microsoft TechNet Office Communications Server 2007 – 3.2 Configure DNS for Your Pool
- Microsoft TechNet Article on DNS Records for an OCS Pool and How to Create Them
- Jeff Schertz – OCS 2007 – DNS Lookups with OCS Automatic Configuration

Hi.
I have a pretty large deployment in progress. One thing I don't really understand.
I have one external SRV record. _sip._tls.. This points to my server in a datacenter in Atlanta.
I also want a pool in the UK, Australia, and Singapore.
Since I only have one SRV record externally for my domain, that means for an internet user, they will always start first by hitting my datacenter in Atlanta, then the director takes over and sends the traffic back to Singapore?
In Singapore, UK, Australia I will have a front end server, a director, an edge server, an ISA firewall and possibly a mediation server.