I identified an issue today at a site with externally provisioned (Edge Pool) Polycom CX600, CX700 and CX3000 devices, most running .4044 or .4100. (I was subsequently able to identify a site with what appears to be the same issue, where the LPE devices registered against a Standard Edition Lync 2010 Server and a Dialogic SBA.) All the registrars had third-party public certificates (GlobalSign). The phones were failing to sign in; Logger and Snooper revealed a TLS error:
TL_ERROR(TF_CONNECTION) 06D8.0EF8::01/30/2014-10:52:11.726.007895ff (SIPStack,SIPAdminLog::TraceConnectionRecord:SIPAdminLog.cpp(160))$$begin_record
LogType: connection
Severity: error
Text: The connection was closed before TLS negotiation completed. Did the remote peer accept our certificate?
Local-IP: 77.xxx.xxx.xx:443
Peer-IP: 77.xxx,xx,xx:49175
Connection-ID: 0x212600
Transport: TLS
$$end_record
A network trace revealed the Edge server sending an RST immediately following the client and server TLS Hello messages.
With a certificate from an internal private CA present on the Front End pool / Standard Edition server / SBA, and a SAN present in that certificate for strict DNS compliance, the LPE devices were able to authenticate successfully. We were then able to update the devices to .4100 and then to .4420 (January 2013). Once updated, the externally provisioned devices were able to authenticate via the Edge pool with the third-party public CA certificate in place.
A contact at Microsoft advised that earlier versions of the LPE firmware had the GlobalSign Root CA certificate embedded; this certificate expired 2014-01-28 12:00:00 UTC. It would appear that, after this date, certificates that chained to the GlobalSign Root were not constructing a chain to the newer, valid root.
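As an added illustration, not part of the original post, the Go program below models this failure with the standard library's chain builder: a constructed PKI with an old root that expires 2014-01-28 12:00 UTC, a newer root, an issuing CA cross-signed by both, and a registrar leaf with a SAN; Verify plays the phone, trusting only the root(s) in its firmware store at a given point in time. The names "Old Root CA", "New Root CA", "Issuing CA" and "sip.example.com", and the 2028 expiry of the newer root, are assumptions rather than values from the page.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// Constructed dates modelled on the page: the root embedded in the old firmware expired 2014-01-28 12:00 UTC.
var oldRootExpiry = time.Date(2014, 1, 28, 12, 0, 0, 0, time.UTC)
var newRootExpiry = time.Date(2028, 1, 28, 12, 0, 0, 0, time.UTC) // assumed expiry of the newer root
var registrar = "sip.example.com"                                  // hypothetical registrar name in the leaf's SAN
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// template builds a minimal CA or server-leaf certificate; the leaf carries the SAN that strict DNS matching needs.
func template(cn string, notAfter time.Time, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Date(2009, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter: notAfter, BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature}
	if ca {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames, t.ExtKeyUsage = []string{registrar}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}
// sign issues tmpl for key's public half, signed by parent with signer (self-signed when parent == tmpl).
func sign(tmpl, parent *x509.Certificate, key, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der))
}
// Verify models the LPE sign-in at time now: the registrar presents its leaf plus the issuing CA's
// cross-certificates, while the phone trusts only the root(s) held in its firmware store.
func Verify(now time.Time, firmwareHasNewRoot bool) error {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	oldKey, newRootKey, caKey, leafKey := newKey(), newKey(), newKey(), newKey()
	oldT, newT := template("Old Root CA", oldRootExpiry, true), template("New Root CA", newRootExpiry, true)
	oldRoot, newRoot := sign(oldT, oldT, oldKey, oldKey), sign(newT, newT, newRootKey, newRootKey)
	caT := template("Issuing CA", newRootExpiry, true)
	inter, roots := x509.NewCertPool(), x509.NewCertPool()
	viaNew := sign(caT, newRoot, caKey, newRootKey) // issuing CA as signed by the newer root ...
	inter.AddCert(viaNew)
	inter.AddCert(sign(caT, oldRoot, caKey, oldKey)) // ... and cross-signed by the old root
	leaf := sign(template(registrar, newRootExpiry, false), viaNew, leafKey, caKey)
	roots.AddCert(oldRoot)                           // all the old firmware carries
	if firmwareHasNewRoot { roots.AddCert(newRoot) } // modelled effect of the firmware update
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: registrar, CurrentTime: now})
	return err
}
```

Before 2014-01-28 the chain builds through the old root; afterwards the only trusted root is expired and validation fails with an expired-certificate error until the newer root is present in the store.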