The Office Communicator client signs in to OCS in one of two ways:
1) The OCS server hostname is manually specified in Communicator, or,
2) “Automatic Sign-In” via a DNS query on the SIP domain (the domain portion of the user’s SIP address) which returns the OCS server (or pool).
This is true for clients running both inside and outside your internal network (‘outside’ meaning outside the firewall, on the Internet).
The DNS records for automatic sign-in are always front-and-centre when trouble-shooting any Communicator sign-in issues, so I’ll recap the format of the DNS SRV records most commonly needed:
- _sipinternaltls._tcp.<sip domain> (Internal TLS)
- _sipinternal._tcp.<sip domain> (Internal TCP)
- _sip._tls.<sip domain> (External TLS)
- _sip._tcp.<sip domain> (External TCP *)
From a DNS sign-in perspective, Communicator does not know or care whether it is on an internal or external network – it queries for the DNS SRV records in the order listed above, and will attempt a connection on the first match (the hostname specified by the SRV record).
* Although Communicator will search for the external TCP SRV record of the format “_sip._tcp.<sip domain>”, external connections must use TLS (on the Edge Access).
The DNS SRV record returns a hostname representing the OCS Enterprise Pool or Standard Server. A DNS A record lookup is then performed to get an IP address to connect to.
If no DNS SRV records are found, Office Communicator performs an explicit DNS A record lookup in the following order (until it gets a successful match):
5. sipinternal.<sip domain>
6. sip.<sip domain>
7. sipexternal.<sip domain>
Note: In the Communicator R2 client, it appears that the format “sip.<sip domain>” (#6 above) is tried before “sipinternal.<sip domain>”, and #7 is not attempted at all.
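The lookup order above, modelled as an added example (not code from the original post or from Communicator): given a SIP domain and a set of DNS records, it reports which record the client would select and which candidate records exist. The `discover` function, the `zone` dictionary and every name and address under example.com are assumptions made for illustration.

```python
# Added example: models the automatic sign-in lookup order described above.
# Zone contents, host names and addresses are constructed sample data.
SRV_ORDER = [
    ("_sipinternaltls._tcp.", "Internal TLS"),
    ("_sipinternal._tcp.", "Internal TCP"),
    ("_sip._tls.", "External TLS"),
    ("_sip._tcp.", "External TCP"),
]
A_ORDER = ["sipinternal.", "sip.", "sipexternal."]  # items 5, 6, 7
A_ORDER_R2 = ["sip.", "sipinternal."]  # R2 note: 6 before 5, 7 not attempted


def discover(sip_domain, zone, r2=False):
    """Return (selected, existing_names) for a SIP domain.

    zone maps (name, type) -> value: target host for SRV, IP string for A.
    """
    srv = [(p + sip_domain, "SRV", kind) for p, kind in SRV_ORDER]
    hosts = [(p + sip_domain, "A", "A record fallback")
             for p in (A_ORDER_R2 if r2 else A_ORDER)]
    existing = [c for c in srv + hosts if (c[0], c[1]) in zone]
    if not existing:
        return None, []
    name, rtype, kind = existing[0]  # SRV records sort first, so they win
    if rtype == "SRV":
        host = zone[(name, "SRV")]
        # Assumption: no fall-through if the SRV target has no A record.
        address = zone.get((host, "A"))
    else:
        host, address = name, zone[(name, "A")]
    warnings = []
    if kind == "External TCP":
        warnings.append("external connections must use TLS")
    if address is None:
        warnings.append("SRV target has no A record")
    selected = {"record": name, "type": rtype, "kind": kind,
                "host": host, "address": address, "warnings": warnings}
    return selected, [c[0] for c in existing]


# Constructed zone: no internal TLS record, so internal TCP is selected.
SAMPLE_ZONE = {
    ("_sipinternal._tcp.example.com", "SRV"): "pool01.example.com",
    ("_sip._tls.example.com", "SRV"): "edge.example.com",
    ("pool01.example.com", "A"): "10.0.0.10",
    ("edge.example.com", "A"): "203.0.113.5",
    ("sip.example.com", "A"): "203.0.113.5",
}
```

Calling `discover("example.com", SAMPLE_ZONE)` selects the internal TCP record even though an external TLS record also exists, which is the kind of ordering surprise worth checking when a client connects to an unexpected host.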
InsideOCS has a free downloadable tool, the Automatic Sign-In Troubleshooting Tool, that will query for all of the automatic sign-in DNS records and show which ones exist, and which one will be used.
For more details on the automatic sign-in process and its requirements, see:
- Automatic Office Communicator Sign-In (Part 1 – The Correct DNS Service Location (SRV) Record)
- Automatic Office Communicator Sign-In (Part 2 – ensuring the correct Subject Name on the Certificate)
- Automatic Office Communicator Sign-In (Part 3 – ensuring the client trusts the issuing Certificate Authority)
Note: the manual configuration of Office Communicator clients can be automated through the Microsoft Office Communicator Group Policy.
For additional information, see the following links:
- Microsoft OCS 2007 TechNet Library – Required DNS Records for Automatic Client Sign-In
- Microsoft OCS 2007 R2 TechNet Library – Office Communicator Sign-in and Discovery
- Microsoft TechNet Office Communications Server 2007 – 3.2 Configure DNS for Your Pool
- Microsoft TechNet Article on DNS Records for an OCS Pool and How to Create Them
- Jeff Schertz – OCS 2007 – DNS Lookups with OCS Automatic Configuration