Microsoft KB Archive/834469

= Cannot connect to Live Communications Server 2003 through a network address translation (NAT) device =

Article ID: 834469

Article Last Modified on 5/17/2004

-

APPLIES TO


 * Microsoft Office Live Communications Server 2003
 * Microsoft Windows Messenger 5.0

-





SYMPTOMS
When you try to connect a Microsoft Windows Messenger 5.0 real-time communications client to Microsoft Office Live Communications Server 2003 through a Transmission Control Protocol (TCP) connection, the connection does not work.



CAUSE
This issue occurs if you try to connect to Live Communications Server through one of the following devices:
 * A network address translation (NAT) device
 * A firewall device
 * A proxy device

This issue occurs because of the way that the Session Initiation Protocol (SIP) client must communicate with the Live Communications Server computer. To complete the SIP connection, Live Communications Server must establish a connection back to the SIP client's listening address.



RESOLUTION
To resolve this issue and to permit Windows Messenger clients to connect to Live Communications Server through devices that perform network address translation, configure a Transport Layer Security (TLS) connection between the Windows Messenger clients and Live Communications Server. To do this, follow these steps:

 1. Install a computer certificate on the Live Communications Server Home Server computer. For information about how to request a certificate, search on "Request a certificate" in the Help and Support Center for Microsoft Windows Server 2003.
 2. Start the Live Communications Server tool.
 3. Expand Servers, right-click the Home Server that you want to configure, and then click Properties.
 4. Click the Connections tab, and then click Add.
 5. In the Transport type list, click TLS, and then click Change Certificate.
    Note If you have multiple Home Servers, you must leave the Authenticate remote server (TLS Mutual) check box selected.
 6. In the Select Certificate dialog box, click the computer certificate that you want to use, and then click OK.
 7. Verify that 5061 appears in the Listen on this port box, click OK, and then click OK again.
 8. On the client computer, start Windows Messenger.
 9. On the Tools menu, click Options.
 10. Click the Accounts tab, and then under SIP Communications Service Account, click Advanced.
 11. Click Configure settings, click TLS, and then type the fully qualified domain name of the Live Communications Server Home Server in the Server name or IP address box.
 12. Click OK, and then click OK again.
 13. If you receive the following message, click OK:
    The changes you have made to your sign-in information won't take effect until the next time you sign in.
 14. If you are not already signed out of Windows Messenger, sign out and then sign back in to Windows Messenger.


MORE INFORMATION
When you try to connect to Live Communications Server through a NAT device, the NAT device translates the source IP address of the TCP packet from your client computer. However, the NAT device does not modify the IP address that is in the Contact header of the SIP packet. When Live Communications Server detects that the SIP client requests a response on an IP address that is different from the source IP address, Live Communications Server rejects the SIP client's REGISTER request. In this scenario, Live Communications Server returns a 400 Invalid Contact Information response. This response helps to prevent a malicious user from connecting to Live Communications Server as a different user.
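The check described above can be modelled in a few lines of Python. This is an added example, not Microsoft's code and not part of the original article; the function names, the sample REGISTER message and all addresses are constructed, and treating a host-name Contact as a mismatch is a simplifying assumption.

```python
import ipaddress
import re

# Constructed REGISTER as a client at 192.168.1.10 behind a NAT would send it.
# The NAT rewrites the packet's source IP address but not this SIP payload.
SAMPLE_REGISTER = (
    "REGISTER sip:lcs.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 192.168.1.10:11234\r\n"
    "From: <sip:alice@example.com>;tag=1\r\n"
    "To: <sip:alice@example.com>\r\n"
    "Call-ID: constructed-sample-1\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:192.168.1.10:11234;transport=tcp>\r\n"
    "Content-Length: 0\r\n\r\n"
)

# "m" is the compact form of the Contact header name.
CONTACT_RE = re.compile(r"^(?:Contact|m)\s*:\s*(.*)$", re.I | re.M)
# Optional userinfo, then the host (bracketed IPv6 literal or up to ':' / ';').
URI_RE = re.compile(r"sips?:(?:[^@>;\s]*@)?(\[[^\]]+\]|[^:;>\s]+)", re.I)


def contact_host(message):
    """Return the host part of the first Contact URI, or None if absent."""
    header = CONTACT_RE.search(message)
    if not header:
        return None
    uri = URI_RE.search(header.group(1))
    return uri.group(1).strip("[]") if uri else None


def check_register(message, source_ip):
    """Model of the described check: Contact IP must equal the TCP source IP."""
    host = contact_host(message)
    try:
        contact_ip = ipaddress.ip_address(host) if host else None
    except ValueError:
        contact_ip = None  # host name, not an IP literal (assumption: mismatch)
    if contact_ip is None or contact_ip != ipaddress.ip_address(source_ip):
        return 400, "Invalid Contact Information"
    return 200, "OK"


if __name__ == "__main__":
    print(check_register(SAMPLE_REGISTER, "192.168.1.10"))  # no NAT in the path
    print(check_register(SAMPLE_REGISTER, "203.0.113.7"))   # NAT public address
```
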
