Cisco VCS X6.1 and MS Lync 2010 over TLS

Evgeniy.Glazkov
Level 1

Hello all!

I have a problem integrating Cisco VCS (X6.1) and Lync 2010.

I could not set up the VCS Control to Lync connection over TLS, but I did it with TCP.

If I try TLS, there are Event="Outbound TLS Negotiation Error", Detail="bad packet length" records in the VCS Control event log.

Both VCS and Lync certificates are from the same trusted CA with their FQDNs as the subject names, and both the VCS and Lync FQDNs, with PTRs, are in DNS. Of course, the VCS and Lync FQDNs, which are the subjects of the certificates, are used in the VCS zone peer and the Lync trusted application destination host.

Calls to VCS come from the IP of the Lync FEP. We don't use any HLB or Directors. Also, VCS is standalone, without any balancers or clustering.

Signaling from Lync is done, but as I see it, VCS cannot send any data back.

Lync is on Server 2008 R2 x64

Thanks for any suggestions!


In reflection of the c20 post, which software image do you run on the VCS?

with:
s42700x6_1_0.tar.gz     21-Apr-2011 12:39  266M

or without:
s42701x6_1_0.tar.gz     21-Apr-2011 12:43  266M

encryption?

Please remember to rate helpful responses and identify

Martin Koch
VIP Alumni

How did you try to convert the certificate for the VCS? If with openssl on the VCS X6.1, there is a bug and the cert will not work.

Besides that recheck the IP/DNS config and what you find in:


Hello, Martin! Thanks for your answer!

Yes, I converted the certificate exactly with openssl, as described in "Cisco_VCS_Certificate_Creation_and_Use_Deployment_Guide":

openssl pkcs12 -in cert_inf.pfx -out cert_inf.pem

Also, I found on Google that there is a -nodes openssl option, which tells openssl not to encrypt the private key when exporting to .pem,

but I did not do this; I followed the instructions in the documentation.

I rechecked all of the IP/DNS/certificate settings many, many times.

Apparently, this is an openssl and VCS X6.1 bug, as you said.

How can I work around this?

Thanks for the help!

Hi!

You can use, for example, another Linux box which supports the RC2 cipher which the .pfx file uses.

In general it's a VCS limitation, not an openssl bug; it's just that the installed version of openssl does not support RC2.

If you do not have any Linux machine with openssl, you can get yourself a Linux CD and run it

in a virtualization environment on your computer: http://www.ubuntu.com/download/ubuntu/download

Recent Debian / Ubuntu distributions worked fine for me.

Please vote answers.

Ciphers on X6.1:

Cipher commands (see the `enc' command for more details)
aes-128-cbc    aes-128-ecb    aes-192-cbc    aes-192-ecb    aes-256-cbc
aes-256-ecb    base64         bf             bf-cbc         bf-cfb
bf-ecb         bf-ofb         cast           cast-cbc       cast5-cbc
cast5-cfb      cast5-ecb      cast5-ofb      des            des-cbc
des-cfb        des-ecb        des-ede        des-ede-cbc    des-ede-cfb
des-ede-ofb    des-ede3       des-ede3-cbc   des-ede3-cfb   des-ede3-ofb
des-ofb        des3           desx           rc4            rc4-40

And here on an Ubuntu system:

Cipher commands (see the `enc' command for more details)
aes-128-cbc    aes-128-ecb    aes-192-cbc    aes-192-ecb    aes-256-cbc
aes-256-ecb    base64         bf             bf-cbc         bf-cfb
bf-ecb         bf-ofb         cast           cast-cbc       cast5-cbc
cast5-cfb      cast5-ecb      cast5-ofb      des            des-cbc
des-cfb        des-ecb        des-ede        des-ede-cbc    des-ede-cfb
des-ede-ofb    des-ede3       des-ede3-cbc   des-ede3-cfb   des-ede3-ofb
des-ofb        des3           desx           rc2            rc2-40-cbc
rc2-64-cbc     rc2-cbc        rc2-cfb        rc2-ecb        rc2-ofb
rc4            rc4-40


Martin, I think you have not understood me.

I generated the PFX certificate chain with the private key exported on my own Microsoft CA,

then I converted the PFX to PEMs with openssl on an HP-UX machine, as described in the documentation.

Also, I found this: http://www.codesalot.com/2011/openssl-in-x6-0/

Now I am trying to generate the certificate for VCS completely with openssl on HP-UX.

And yesterday I found this article:
http://blogs.msdn.com/b/scottos/archive/2009/04/03/resolved-ocs-2007-r2-pic-fails-against-aol.aspx

Your previous answer and this got me thinking.

Maybe I should arrange the ciphers on my Lync server in the correct order?

I don't know the necessary order to make it work...

And yet I read somewhere that "bad packet length" in TLS negotiation may mean that one of the parties does not understand zero-length packets.

Hi Evgeniy,

I'm trying to set up TLS between MS Lync and VCS. At this point I have a Microsoft CA, and I exported the root CA and imported it into VCS OK. Now, as far as I know, I need to request the VCS certificates from the Microsoft CA, but I have a problem with it: I'm not able to create a certificate that includes the cluster FQDN and the VCS's FQDN as subject name and subject alternative name, and I'm not able to export the certificate either. Can you tell me how it can be done?

thanks.

Hello!

What exactly can you not do?

Actions may differ depending on the policy of your Microsoft CA.

Usually you should start mmc.exe, then Add/Remove Snap-in - Certificates - Computer account.

Go to Personal - Certificates.

Right click - All Tasks - advanced task - create advanced certificate request.

Next - Next - select a cert template, for example "Web Server" - Next - expand "Details" - Properties; there enter all the information (Common Name, subject alternative names), select "Make private key exportable" on the "Private Key" tab, and "Server authentication, Client authentication" under Extended Key Usage.

Then you can export the cert and private key into a PFX (once the cert has been enrolled by the CA).

Hi,

Now it is working. I had to enable export of the private key on the CA, and enable the addition of alternative names as well. Now it is working,

thanks,

Evgeniy.Glazkov
Level 1

I have now tried to install a new Lync server on Server 2008 Std (not R2), and the situation remained the same.

I do not know what to think =(((

I also had something in mind, as if I once read something related to the OS,

but anyhow, if I see it right, Lync (and I think OCS R2) have to be on 64-bit servers,

so it must be 2008 R2 x64.

I found some article regarding a service pack on Win XP causing some TLS connection problem

with the same error.

Did you change anything regarding the defaults on your CA?

Could you try the openssl from Ubuntu instead of the one from HP-UX; maybe it behaves differently.

If not, this other Linux box might be used to debug with openssl a bit further, ....

Besides that, try to follow the guides, ....

Maybe somebody else has seen the:

     Event="Outbound TLS Negotiation Error", Detail="bad packet length"

and can give you a hint if it's a common problem with a known fix, ...

Martin

Martin, thank you for your answer!

Of course, the OS is 64-bit. Otherwise Lync and OCS do not install.

I'll try to use openssl on an ordinary Linux and report the results.

I searched over the internet, but did not find that anyone else encountered this issue.

I think that I am the only one puzzled by this problem ...

Can you post a tcpdump of the TLS negotiation? Specifically, I need to see the client hello that is sent from the VCS.

OK, the VCS should be offering 34 suites, not 16.

Copy your release key and option keys to a safe place.

Copy your root CA, private key, and client certificate to a safe place.

Make sure you have physical access to the VCS, as you'll have to re-enter the IP from the front panel.

This procedure will wipe the config from the VCS, so make a note of any settings you may need to rebuild the config.

From telnet or SSH, log in as admin.

Enter the command xcommand defaultvaluesset level: 3

Enter the command xcommand defaultlinksadd

Enter the command xcommand boot

When the VCS reboots, re-enter the IP on the front panel.

After the reboot, log in to the web interface as admin.

Re-add your release keys and option keys.

Install VCS X6.1 even if the box is already running X6.1.

After the reboot you'll have a clean VCS.

Check the alarms that you'll be seeing and follow the instructions for each to clear them.

You can then start to reconfigure the box.
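Ryan's two points above, inspect the ClientHello the VCS sends and compare the number of suites it offers (34 expected, 16 seen), can be checked offline on a captured record. The parser below is an added example, not code from the thread or from Cisco; the record it parses is constructed here, and the suite codes in it are sample data, not what any VCS actually sends.

```python
import struct

# Constructed sample for this example (not a capture from the thread):
# a TLS 1.0 ClientHello offering 16 suites, no extensions.
SAMPLE_SUITES = [0x0004, 0x0005, 0x000A, 0x002F, 0x0035, 0x0033, 0x0039, 0x0016,
                 0x0013, 0x0032, 0x0038, 0x0009, 0x0015, 0x0012, 0x0003, 0x0006]

def build_client_hello(suites, version=0x0301):
    """Assemble a minimal TLS record carrying a ClientHello (used to build the sample)."""
    body = struct.pack(">H", version) + b"\x00" * 32 + b"\x00"   # version, random, empty session id
    cs = b"".join(struct.pack(">H", s) for s in suites)
    body += struct.pack(">H", len(cs)) + cs + b"\x01\x00"        # suites, one null compression method
    hs = b"\x01" + len(body).to_bytes(3, "big") + body           # HandshakeType client_hello = 1
    return b"\x16" + struct.pack(">H", version) + struct.pack(">H", len(hs)) + hs

SAMPLE_RECORD = build_client_hello(SAMPLE_SUITES)

def parse_client_hello(record):
    """Return (client_version, [cipher suite codes]) from a raw TLS record.
    Any length field that disagrees with the bytes present raises ValueError,
    the same kind of inconsistency a 'bad packet length' error reports."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len:
        raise ValueError("bad packet length: record truncated")
    if hs[0] != 0x01:
        raise ValueError("handshake type %d is not ClientHello" % hs[0])
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        raise ValueError("bad packet length: handshake truncated")
    version = struct.unpack(">H", body[:2])[0]
    pos = 2 + 32                              # skip client_random
    pos += 1 + body[pos]                      # skip session_id
    if pos + 2 > len(body):
        raise ValueError("bad packet length: cipher_suites length missing")
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad packet length: cipher_suites")
    suites = [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return version, suites

if __name__ == "__main__":
    ver, offered = parse_client_hello(SAMPLE_RECORD)
    print("client_version=0x%04x, %d cipher suites offered" % (ver, len(offered)))
    for code in offered:
        print("  0x%04x" % code)
```

To check a real capture, feed the bytes of the first TLS record from the VCS (e.g. the payload saved from tcpdump/Wireshark) to parse_client_hello and compare len(suites) with the 34 Ryan expects.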

Ryan, how would resetting the VCS affect the number of ciphers that the VCS offers now?