Microsoft KB Archive/911786

= You cannot sign in to a server that is running Communicator 2007, Live Communications Server 2005, or Live Communications Server 2003 through a Cisco PIX firewall =

Article ID: 911786

Article Last Modified on 11/7/2007

-

APPLIES TO


 * Microsoft Office Live Communications Server 2005 Enterprise Edition
 * Microsoft Office Live Communications Server 2005 Standard Edition
 * Microsoft Office Live Communications Server 2003
 * Microsoft Office Communicator 2007
 * Microsoft Office Communicator 2005
 * Microsoft Windows Messenger 5.1
 * Microsoft Windows Messenger 5.0

-



SYMPTOMS
Consider the following scenario. You use a real-time communications (RTC) client to sign in to one of the following programs:
 * Microsoft Office Live Communications Server 2003
 * Microsoft Office Live Communications Server 2005
 * Microsoft Office Communicator 2007

Additionally, the server that is running Live Communications Server or Communicator 2007 is using a Cisco PIX firewall. In this scenario, the sign-in process may fail. Additionally, you may receive the following error message:

You have been signed out of SIP Communications Service because that service has been temporarily shutdown. Please try again later

Note: This error message may vary depending on the client program that you are using.

Additionally, you may experience intermittent presence issues. You may also experience issues when you try to send or to receive instant messaging (IM) messages.



CAUSE
Some versions of Cisco PIX firewalls and virtual private network (VPN) solutions have built-in program-inspection functions for the Session Initiation Protocol (SIP). However, the built-in program-inspection functions are not fully compatible with real-time communications (RTC) client 5.0 or with later versions of RTC client. RTC client includes Microsoft Windows Messenger 5.0, Microsoft Windows Messenger 5.1, and Microsoft Office Communicator 2005.

This problem occurs only if you are not using Transport Layer Security (TLS) to help secure the communication between the client program and the server that is running Live Communications Server or Communicator 2007. In other words, the Cisco device cannot examine the traffic if the communication is encrypted.

By default, Communicator 2007 uses TLS. However, you can configure Communicator 2007 to use TCP as the transport. If you use TCP, the fixup SIP function will break the connectivity.



RESOLUTION
To resolve this problem, use one of the following methods:
 * Implement TLS security from the RTC client computer to the server that is running Live Communications Server. By doing this, you encrypt the SIP traffic between the client and the server that is running Live Communications Server or Communicator 2007. Therefore, data inspection does not occur on the intermediary device.
 * Disable the fixup SIP function on the Cisco PIX firewall, on the Cisco ASA firewall, or on the VPN device. To do this, run the following command:
   no fixup protocol SIP 5060
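
The following added example is not part of the original article and is not Microsoft or Cisco tooling. It checks a saved firewall configuration for SIP inspection that would still apply to unencrypted SIP over TCP, before and after the command above is applied. The sample configurations are constructed, the function names are hypothetical, and the ASA-style `inspect sip` entry under a policy-map class is an assumption about newer devices that the article does not show.

```python
import re

# Constructed sample configurations (not taken from the article or a real device).
PIX_CONFIG = """\
fixup protocol ftp 21
fixup protocol sip 5060
fixup protocol sip udp 5060
"""
# Assumption: ASA 7.x-style modular policy syntax, which the article does not show.
ASA_CONFIG = """\
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect sip
!
service-policy global_policy global
"""

# PIX 6.x: without the "udp" keyword the fixup applies to SIP over TCP.
FIXUP = re.compile(r"^(no\s+)?fixup\s+protocol\s+sip\s+(udp\s+)?(\d+)$", re.I)
INSPECT = re.compile(r"^(no\s+)?inspect\s+sip\b", re.I)

def sip_inspection(config_text):
    """Return the sorted SIP inspection entries left enabled after all lines are read."""
    enabled, policy, cls = set(), None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = FIXUP.match(line)
        if m:  # a later "no fixup ..." line cancels an earlier "fixup ..." line
            key = ("fixup", "udp" if m.group(2) else "tcp", int(m.group(3)))
            (enabled.discard if m.group(1) else enabled.add)(key)
        elif not raw.startswith(" "):  # top-level line: enter or leave a policy-map
            parts = line.split()
            policy = parts[1] if parts[0] == "policy-map" and len(parts) == 2 else None
            cls = None
        elif line.startswith("class "):
            cls = line.split()[1]
        elif policy and cls and (m := INSPECT.match(line)):
            key = ("inspect", policy, cls)
            (enabled.discard if m.group(1) else enabled.add)(key)
    return sorted(enabled)

def tcp_sip_inspected(config_text, port=5060):
    """True if unencrypted SIP over TCP on `port` would still be inspected.
    Simplification: an "inspect sip" entry counts even if its policy is not bound."""
    return any(kind == "inspect" or (a == "tcp" and b == port)
               for kind, a, b in sip_inspection(config_text))
```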



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.



MORE INFORMATION
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.


© Microsoft Corporation. All rights reserved.