Symptoms

The IM Notification Agent on the Access Edge is failing with the following Application Log events:

Event ID: 10162
Type: Error
Source: ForefrontNotificationAgent
Description:
“ERROR: Microsoft.FSO.IMClient.dll.IMClient.RaiseLoginDone(“<System.Boolean success><System.String message>”) – Error occured logging in to server: 80072746: .”

AND

Event ID: 10161
Type: Error
Source: ForefrontNotificationAgent
Description:
“ERROR: ForefrontNotificationAgent.exe.NotificationAgent.imClient_LoginDone(“<System.Object sender><FSOIMClient.ReportSuccessEventArgs e>”) – Failed to login.”

More information

You have correctly setup the IM Notification Agent account per the instructions found here on TechNet for an Access Edge server.  You have verified the notification account id and password are accurate by logging in with the notification account from a remote client. Your IM Notification Agent settings look as follows:

IM Notification Agent settings

Use ForefrontRTCProxy Service Credentials: Unchecked
Transport: TLS
Username: domain\userid
Password: *****
SIP URI: sip:userid@company.com
Home or Pool Server: Director FQDN

SIP Logging on the director server shows a “SIP/2.0 301 Redirect request to Home Server” message with no response from the home pool.  This tells us that the Director server is treating the Forefront Notification Agent as an inside client and thus is trying to redirect the “client” to the notification account’s home pool.  The Director server should proxy the request, not redirect.  Remote user connections cannot be redirected.  Read here for more information on how a director behaves with internal vs. external clients. Changing the Home or Pool server settings to point to the notification account’s home pool FQDN does not solve the problem.

Resolution

Option 1

In the Home or Pool Server field add the FQDN entry for Access Edge external interface (sip.company.com).  However just changing the entry is not enough, you’ll also want to specify the port as follows “sip.company.com:443”.  This is of course assuming that your AE external interface FQDN is sip.company.com.  Make sure the Access Edge server correctly identifies the external FQDN to the correct IP address.  Changing to the AE FQDN will route the Forefront Notification Agent login request through the Access Edge service and then to the next hop server (Director).  The Director will then properly process the login request as a remote client.

Further SIP logging on the Director reveals a successful “Routed a request on behalf of an application” followed by a successful response from the account’s home pool.

IM Notification Agent settings

Use ForefrontRTCProxy Service Credentials: Unchecked
Transport: TLS
Username: domain\userid
Password: *****
SIP URI: sip:userid@company.com
Home or Pool Server: sip.company.com:443

Option 2

Another recent fix that was brought to my attention was to enter the SIP URI without the “sip:” prefix.  Your settings would be as follows:

IM Notification Agent settings

Use ForefrontRTCProxy Service Credentials: Unchecked
Transport: TLS
Username: domain\userid
Password: *****
SIP URI: userid@company.com (without sip: prefix)
Home or Pool Server: sip.company.com:443

Cause

As for the cause, I cannot speak to what is specifically causing this issue as I feel this is either a bug in the Forefront notification agent OR an error in the documentation.

Read the post from the Windows Security team to get some information on the new guide…

http://technet.microsoft.com/en-us/library/cc264463.aspx

Steve Riley elaborates on some of the new security features in Vista that eliminate the need for the "power users" security group.  In fact, "power users" in Vista is there only for backwards compatibility.

Excerpt:

"I’ve seen some conversations lately about the Power Users group — how powerful is it, really, and why did we remove the group from Windows Vista?"

Read the rest of Steve’s post here…

MS recently updated three documents covering NAP (Network Access Protection).  Good reference materials for your ever growing library.

• Introduction to Network Access Protection
• Network Access Protection Policies in Windows Server 2008
• Network Access Protection Platform Architecture

My favorite security guru, Mr. Steve Riley posted another good article on a new scam that may find it’s way into your mailbox soon.  Be prepared now…

Excerpt:

“Looks like spammers have found yet another way to worm (ha ha) themselves into the computers of the unsuspecting. In my junk email folder this morning, I saw this message:

From: Question It [mailto:question_it@fanboxapps.com]
Sent: Monday, January 07, 2008 2:34
To: Steve Riley
Subject: Ratul has asked you a question on FanBox

<link>

Ratul asked you a question. View the question <big link here> and answer it.

FanBox.com is the web-based desktop that instantly turns every computer into your computer. It includes over 10,000 web applications and games to choose from, including the Question It application.

This email was sent by Ratul while using the Question It application on FanBox. Go here <another link> to learn more or stop receiving emails from friends using Question It. FanBox: 255 G Street #723, San Diego, CA 92101, USA”

Read the rest of Steve’s post here…

I had the pleasure of watching Steve Riley speak a while back and his enthusiasm is contagious and he really knows how to drive home the point.

Steve writes…

“This week, I’m attending and spoke at a cybercrime conference in Singapore. One of the presenters made a very good point, and I want to share it with you.

When considering how to protect your data, don’t consider how valuable it might be to an attacker. Always, instead, consider how valuable it is to you.”

Read the rest of his post here…

First brought to my attention by Elan Shudnow and created by DigiCert, this online utility is a must for any administrator deploying Exchange 2007, Exchange 2010 or any application (OCS) that requires Subject Alternative Names (SAN) certificates.  This utility adds a graphical interface to the New-ExchangeCertificate Powershell command.  Simply enter your information into the fields provided and the tool will automatically generate the required Powershell command.

Click here for the Exchange 2007 CSR tool…

Click here for the Exchange 2010 CSR tool…

Other Useful Links

U-B Tech’s Certificate Manager for Exchange 2007 – A free, easy to use downloadable GUI that enabled you to…

1. Manage your current server certificates.
2. Enable certificates for Exchange 2007 Services (POP, IMAP, SMTP, IIS, UM).
3. Generate an Exchange 2007 Certificate Signing Request and process the Certificate Authority answer.
4. Generate an Exchange 2007 Self-Signed certificate (not for production use).
5. Easily include additional subject names in a single certificate.
6. Import & Export ability for existing certificates.

The Microsoft Office Visio 2007 Connector for Microsoft Baseline Security Analyzer (MBSA) lets you view the results of an MBSA scan in a clear, comprehensive Microsoft Office Visio 2007 network diagram.