Why Are My Users Unable to Use Communicator 2007 R2 to Transfer Files?
Communicator 2007 R2 is designed to allow users to initiate file transfers directly between two Communicator 2007 R2 clients. However, sometimes the Communicator 2007 R2 file transfer will fail. This article helps you figure out what is going on behind the scenes to prevent the Office Communicator 2007 R2 client from performing the transfer of files.
Author: Mike Adkins
Publication date: February 2010
Product version: Microsoft Office Communicator 2007 R2
The Microsoft Office Communicator 2007 R2 client is designed to allow users to initiate file transfers between two Office Communicator 2007 R2 clients. However, sometimes when a user wants to transfer a file to another user quickly, the Communicator 2007 R2 file transfer will fail. When this occurs it is time to figure out what is going on behind the scenes to prevent the Office Communicator 2007 R2 client from performing the transfer of files. This article offers a few suggestions to help eliminate this "gotcha" from your to do list.
The first thing the Communicator 2007 R2 client looks for before starting a file transfer is which group policies are enabled for Communicator 2007 R2. Following are names and descriptions of two policies that pertain directly to Communicator 2007 R2 file transfers.
Prevent File Transfer: This Communicator 2007 R2 group policy removes the "send a file" icon from the Communicator 2007 R2 client’s conversation window and from the Communicator 2007 R2 client’s contact menu.
Allow Transferring of Unencrypted Files: This policy controls the ability to send or receive unencrypted files using Microsoft Office Communicator File Transfer. This policy can be used if Communicator must transfer files to instant messaging (IM) clients that do not support encryption. The default for Communicator 2007 is to transfer files with encryption. However, the file transfer feature in Communicator 2005 was not designed to encrypt file transfers. This group policy provides a form of backward compatibility between Communicator 2007 and Communicator 2005 clients by allowing the transfer of unencrypted files between the two Communicator clients.
If these policies are applied to organizational units (OUs) in your domain's Active Directory directory service, it is possible that a Microsoft Office Communications Server 2007 R2 enabled user or the computer that they are logged onto is a member of an OU that has one if not both of these domain group policies applied to it. If that's the case, the file transfer functionality of the Communicator 2007 R2 client could be inadvertently blocked.
The easiest way is to locate the domain group policies that are applied locally to your Windows client. This can be done by using the Resultant Set of Policies (RSOP) tool from the Windows desktop.
Type rsop.msc in the Start Search field, and then press Enter.
This gives you a list of the User and Computer domain group policies that are applied to your Windows client (Figure 1).
In the left pane, expand the User Configuration and Computer Configuration nodes to locate the Administrative Templates folder under each node.
Under Administrative Templates (if the Communicator polices are applied), you will see the Communicator polices folder. Open it and view the policies that are inherited from your local Active Directory to your Communicator 2007 R2 client.
If the Prevent file transfer, or the Allow transferring unencrypted files, or both policies are enabled, contact your Active Directory administrator and notify them of the issue. They will be able to research the issue in your domain's Active Directory and make the needed changes to the Communicator group policies that are applied to your user or computer account. If these Communicator policies (Figure 1) are disabled or not applied through the Active Directory's domain group policy, then they will not have a negative impact on Communicator peer to peer file transfers.
Figure 1. Resultant Set of Policy-Computer policies take precedence over User level policies
The second thing that your Communicator 2007 R2 client will check is the Office Communications Server 2007 R2 Intelligent IM Filter. The Intelligent IM Filter is a security application that is built into Communications Server 2007 R2. This application is designed to filter all IM messages for file transfer information and apply the configured policies to any file transfer request. The file transfer policies of the Intelligent IM Filter are checked during the SIP signaling phase of the file transfer process. If the Intelligent IM Filter is configured to block all file transfers or block certain file types from being transferred, Communicator 2007 R2 will not complete a file transfer request.
The Communications Server 2007 R2 Administrative Tools will allow access to the Communications Server 2007 R2 pool that is hosting the IIM service.
In Communications Server 2007 R2 Administrative Tools, expand the Forest node and the Enterprise Pools node. Locate the pool that your Communicator 2007 R2 clients sign in to and right click it.
From the menu, select Filtering Tools, and then select Intelligent Instant Messaging Filter.
Click the File Transfer Filter tab and make sure that Enable file transfer filtering is enabled and that Block all file extensions is disabled. Enabling Block only file extension in the list below blocks file transfers of files that have the listed file extensions.
If changes need to be made here, you will need to collaborate with your Communications Server 2007 R2 administrators to make sure these changes are part of the network's security policy.
|Make sure that the characters asterisk (*), question mark (?), backslash (\), angle brackets (<>), or vertical bar (|) do not appear in the name of the file that you are trying to transfer. These characters will not be recognized by the receiving Communications Server 2007 R2 client as part of a valid file name.|
Client firewalls are the next topic that comes to mind as a typical show stopper of Communicator 2007 R2 file transfers. All Windows XP, Windows Vista, and Windows 7 clients ship with their version of the Windows firewall. Windows firewalls are configurable through domain group policies and local group policies just like the Communicator 2007 R2 client is. The configuration element that is deployed with the installation of the Communicator 2007 R2 client is firewall exceptions. Exceptions are the opening of ports that are blocked by the Windows firewall so installed client or server applications can communicate with other peers and services on the network. The Communicator 2007 R2 client requires the use of TCP ports 6891 through 6900 for the Trivial File Transfer Protocol (TFTP). Firewalls that are provided by a third-party vendor may need to be configured through their own administrative policies to accommodate the local client’s port exceptions. This exception can be configured through local network security policies by local network administrators. Visit the vendor’s website for configuration information.
Using the Communicator 2007 R2 client for file transfers in a same subnet scenario is ideal. In this scenario, there should be no physical constraints that will block the file transfer between the two clients. But let's face it; what is ideal is not always, well, I guess I could say, is very seldom realistic. Using the Communicator 2007 R2 client on a routed internal network that uses Internet technologies to provide WAN access to other networks across the Internet is a more realistic description of the typical day-to-day usage of the Communicator 2007 R2 client. This opens up the issue of network security. The two basic forms of network security that the Communicator 2007 R2 file transfer client will face are network firewall configurations and the use of Network Address Translation (NAT).
Because the Communicator 2007 R2 client will not be listening on the TCP ports 6891 through 6900 until the actual SIP initiation of the file transfer is complete, you cannot use the usual methods for troubleshooting network client connectivity issues. Using Windows command line tools such as Netstat.exe and the Telnet client will not work in this situation so you will have to do the following:
Download Microsoft Network Monitor 3.3 at http://go.microsoft.com/fwlink/?LinkId=101189.
Install Netmon 3.3 on each Communicator 2007 R2 client that is involved with the file transfer.
Take a network capture from each client while trying to accomplish the file transfer as shown in Figure 2.
Review the network captures while using an IPV4 Address filter of the opposite Communicator 2007 R2 client. You will want to search for TCP connections on ports 6891 through 6900 between the two clients. Look in the capture for the three-way TCP handshake as described in the Knowledge Base article 172983 "Explanation of the Three-Way Handshake via TCP/IP" http://go.microsoft.com/fwlink/?LinkId=181545.
If the TCP three-way handshake is not completing, the TCP connection between the two Communicator 2007 R2 clients is probably not routing correctly between the two Communicator 2007 R2 clients. This is a good time to get your network personnel involved with the issue so they can make valid determinations about the issue with routing.
Figure 2. Packets with [SYN] and [SYN ACK] prove that TCP routing is working
The Communicator 2007 R2 client can transfer files to and from networks that are protected by NAT. The purpose of NAT is to hide an IP network configuration from external clients that have to access it. NAT configurations that are in use on a routed network may not be able to provide an optimal solution for the Communicator 2007 R2 peer to peer file transfer utility. To use NAT for bidirectional internetwork communications each network will need a gateway that is configured to use NAT for IP traffic to the other protected network.
The Communicator 2007 R2 file transfer functionality is a reliable, efficient, and secure way to transfer information between the Communicator 2007 R2 clients on your network. The Communications Server 2007 R2 Intelligent IM Filter’s use of SIP signaling for establishing the file transfer provides a secure and responsible method for coordinating the relay of the file transfer between the two Communicator 2007 R2 clients. Being able to share files with others that you are in a private IM or AV session with is a great convenience that all of us can enjoy. The default use of encryption for the file transfer provides the assurance that you private information will reach its destination without being exposed to others either accidentally or intentionally.
Here are some resources you can check out to help you troubleshoot the file transfer process between your Communicator 2007 R2 clients:
Visit the Communications Server main page at http://go.microsoft.com/fwlink/?LinkId=132607.
View the complete Communications Server documentation library at http://go.microsoft.com/fwlink/?LinkId=132106.
Follow tweets from the Communications Server team at http://go.microsoft.com/fwlink/?LinkId=167909.
Download the Communications Server content as a Word document at http://go.microsoft.com/fwlink/?LinkId=133609.
Download the Communications Server content as a compiled help file at http://go.microsoft.com/fwlink/?LinkId=160355. (Scroll down to the Additional Information section and download OCSDocumentation.chm.)