Cannot connect to Live Communications Server 2003 through a network address translation (NAT) device (834469)



The information in this article applies to:

  • Microsoft Office Live Communications Server 2003
  • Microsoft Windows Messenger 5.0

SYMPTOMS

When you try to connect a Microsoft Windows Messenger 5.0 real-time communications client to Microsoft Office Live Communications Server 2003 through a Transmission Control Protocol (TCP) connection, the connection does not work.

CAUSE

This issue occurs if you try to connect to Live Communications Server through one of the following devices:
  • A network address translation (NAT) device
  • A firewall device
  • A proxy device
This issue occurs because of the way that the Session Initiation Protocol (SIP) client must communicate with the Live Communications Server computer. To complete the SIP connection, Live Communications Server must establish a connection back to the SIP client's listening address.

RESOLUTION

To resolve this issue and to permit Windows Messenger clients to connect to Live Communications Server through devices that perform network address translation, configure a Transport Layer Security (TLS) connection between the Windows Messenger clients and Live Communications Server. To do this, follow these steps:
  1. Install a computer certificate on the Live Communications Server Home Server computer. For information about how to request a certificate, search on "Request a certificate" in the Help and Support Center for Microsoft Windows Server 2003.
  2. Start the Live Communications Server tool.
  3. Expand Servers, right-click the Home Server that you want to configure, and then click Properties.
  4. Click the Connections tab, and then click Add.
  5. In the Transport type list, click TLS, and then click Change Certificate.

    Note If you have multiple Home Servers, you must leave the Authenticate remote server (TLS Mutual) check box selected.
  6. In the Select Certificate dialog box, click the computer certificate that you want to use, and then click OK.
  7. Verify that 5061 appears in the Listen on this port box, click OK, and then click OK again.
  8. On the client computer, start Windows Messenger.
  9. On the Tools menu, click Options.
  10. Click the Accounts tab, and then under SIP Communications Service Account, click Advanced.
  11. Click Configure settings, click TLS, and then type the fully qualified domain name of the Live Communications Server Home Server in the Server name or IP address box.
  12. Click OK, and then click OK again.
  13. If you receive the following message, click OK: "The changes you have made to your sign-in information won't take effect until the next time you sign in."
  14. If you are not already signed out of Windows Messenger, sign out and then sign back in to Windows Messenger.

MORE INFORMATION

When you try to connect to Live Communications Server through a NAT device, the NAT device translates the source IP address of the TCP packet from your client computer. However, the NAT device does not modify the IP address that is in the Contact header of the SIP packet. When Live Communications Server detects that the SIP client requests a response on an IP address that is different from the source IP address, Live Communications Server rejects the SIP client's REGISTER request. In this scenario, Live Communications Server returns a 400 Invalid Contact Information response. This response helps to prevent a malicious user from connecting to Live Communications Server as a different user.
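
The comparison described above can be run against a captured REGISTER to confirm that address translation is the cause of the rejection. This is an added example, not Microsoft's code: the sample message, the addresses, and the function names are constructed, and a hostname in the Contact header is assumed not to be compared.

```python
import ipaddress
import re

# Constructed sample: REGISTER sent over TCP by a client behind a NAT device.
# Contact carries the client's private listening address, which NAT leaves as is.
SAMPLE_REGISTER = (
    "REGISTER sip:lcs.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 192.168.1.20:5060\r\n"
    "From: <sip:alice@example.com>;tag=1\r\n"
    "To: <sip:alice@example.com>\r\n"
    "Call-ID: constructed-1\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:192.168.1.20:5060;transport=tcp>\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Host part of a sip:/sips: URI, skipping optional userinfo; IPv6 in brackets.
URI_HOST = re.compile(r"sips?:(?:[^@>;\s]*@)?(\[[0-9A-Fa-f:.]+\]|[^:;>\s]+)", re.I)

def contact_host(message):
    """Return the host of the first Contact URI in a SIP message, or None."""
    for line in message.splitlines():
        if not line:
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        if name.strip().lower() in ("contact", "m"):  # "m" is the compact form
            match = URI_HOST.search(value)
            return match.group(1).strip("[]") if match else None
    return None

def register_verdict(message, source_ip):
    """Model the comparison the article describes: Contact IP vs. packet source IP."""
    host = contact_host(message)
    try:
        contact_ip = ipaddress.ip_address(host) if host else None
    except ValueError:
        contact_ip = None  # assumption: a hostname is not compared here
    if contact_ip is not None and contact_ip != ipaddress.ip_address(source_ip):
        return "400 Invalid Contact Information"
    return "no mismatch detected"

if __name__ == "__main__":
    # 203.0.113.7 is a constructed public address standing in for the NAT device.
    print(register_verdict(SAMPLE_REGISTER, "203.0.113.7"))
    print(register_verdict(SAMPLE_REGISTER, "192.168.1.20"))
```

The first call models the translated connection and yields the 400 response; the second models a client that reaches the server without address translation.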

REFERENCES

For additional information about how to configure TLS connections in Live Communications Server, see the "Configuring a Home Server and Windows Messenger for TLS" section of the Microsoft Office Live Communications Server 2003 Deployment Guide. This guide is located in the Documentation folder of the Microsoft Office Live Communications Server CD.

Also, see the "Enabling Outside User Scenarios" document. This document provides an alternative to using Virtual Private Networks and describes how to deploy Microsoft Office Live Communications Server 2003 to permit outside users to connect by using Transport Layer Security. To download this document, visit the following Microsoft Web site:

Modification Type: Major
Last Reviewed: 5/17/2004
Keywords: kbprb KB834469 kbAudEndUser kbAudITPRO