Strange AV issues, one-way speech and forced to open TCP50k range incoming for external users

Ok guys I have a very strange Lync problem and I was hoping that you can help.

Infrastructure overview:

  • Cisco ASA Firewall, 3 Leg (DMZ, Internal, WAN) in routed mode
  • 1 Lync 2013 Edge Server, 1 Interface with 3 public IPs in DMZ segment, 1 Interface in Internal segment.  Gateway/DNS info set on public interface. No route to internal network because it is directly connected so not required.  Added Lync FE internal IP to hosts file.
  • 1 Lync 2013 Standard Edition, in same internal segment as the Edge internal interface
  • Also have TMG for web services, but this is a bit out of scope
  • All servers are virtualized on Hyper-V server on Win2k12
  • All servers have Win2k12 OS

What are the problems:

  • For our own Lync users who work externally, voice only works if TCP/UDP ports 50000-59999 are opened incoming on the public A/V Edge IP.
  • Calls between 2 external users have one-way speech or fail, even with above ports opened
  • I see the Edge server sending TCP RSTs to some incoming connections, even for calls that succeed. It is not the ASA firewall, it's the Edge server itself.

What are my findings:

  • The Technet documentation clearly states that TCP 50000-59999 should only be opened for federation with OCS 2007, which is not the case.
  • Media connections should be multiplexed over UDP port 3478 and TCP 443, shouldn't they? That doesn't seem to work.
  • I tried disabling the Windows firewall on the Edge server
  • Already deactivated TCP autotuning on the Edge server (Hyper-V guest machine). I had similar issues on a different installation and this was the solution there.
  • When I close the incoming UDP/TCP ports on the public Edge IP, I get an A/V Authentication 504 error on the internal Lync Mediation server, which leads me to conclude that the Lync FE tries to talk to the Edge PUBLIC interface??? When I ping each server from the other, I get replies from the internal IPs.
  • The firewall works in routed mode, so both DMZ and inside are directly connected networks and routable, but I created firewall rules that block connections between the Lync FE and the public Edge IPs.
  • On the Edge server, AV.sipdomain.tld, sip.sipdomain.tld, webcon.sipdomain.tld are resolved on their public IPs

ANYONE have an idea what is happening here?


September 9th, 2013 5:15am

Hi, have you checked the firewall rules again and again :), to see whether the ports are opened correctly? Also, you mention 3 public IPs in the DMZ segment. Are you using

3 x public IPs on the DMZ NIC of the Edge server?

or

3 x DMZ IPs on the DMZ NIC of the Edge and doing one-to-one NATing of those 3 DMZ IPs to the corresponding 3 public IP addresses on specific ports?

September 9th, 2013 5:48am

Hi,

Please restart your Lync services on the Edge server.

Please verify that the Edge configuration (FQDN, ports) defined in Topology Builder is correct. Make sure you did not enable NAT.

Please also check the public DNS entry for av.domain.com and make sure it resolves to the correct public IP address.

You can go to https://www.testocsconnectivity.com/ to test the Audio/Video connectivity and go to http://www.digicert.com/help/ to test the certificate.

For your reference, here is a good article about Audio/Video ports and media negotiation.

http://www.shudnow.net/2010/12/06/lync-server-2010-port-ranges-and-audiomedia-negotiation

Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.

Please also refer to External A/V Firewall and Port Requirements:

http://technet.microsoft.com/en-us/library/gg425882.aspx

September 10th, 2013 2:21am
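An added example, not part of this thread, that scripts the two checks the replies above ask for: that the three Edge FQDNs from the original post resolve to their expected public IPs and answer on TCP 443 from outside, and that the Front End reaches the Edge on its internal address rather than the public one. The IP addresses, the internal Edge FQDN `edge-int.corp.local` and the use of TCP 5062 as the A/V Authentication port are assumptions for the example; UDP 3478 is not probed because a plain connect cannot test it.

```powershell
# Added example (not from the thread). FQDNs are those named in the original
# post; IPs, the internal Edge FQDN and port 5062 are placeholders/assumptions.
function Test-TcpPort {
    param([string]$Ip, [int]$Port, [int]$TimeoutMs = 3000)
    # Connect with a timeout so a silently dropped SYN does not hang the script.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Ip, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-EdgeEndpoint {
    param([string]$Fqdn, [int]$Port, [string]$ExpectIp, [bool]$ShouldConnect = $true)
    # Resolve with the system resolver (hosts file included, as on the Edge).
    $ips = [System.Net.Dns]::GetHostAddresses($Fqdn) |
           Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
           ForEach-Object { $_.IPAddressToString }
    $dnsOk = $ips -contains $ExpectIp
    $tcpOk = Test-TcpPort -Ip $ExpectIp -Port $Port
    [pscustomobject]@{
        Fqdn = $Fqdn; Port = $Port; Resolved = ($ips -join ','); Expected = $ExpectIp
        DnsOk = $dnsOk; TcpReachable = $tcpOk
        # A check passes when DNS is right AND reachability matches expectation.
        Pass = $dnsOk -and ($tcpOk -eq $ShouldConnect)
    }
}

# Run from OUTSIDE the network: each Edge role on TCP 443 via its public IP.
$external = @(
    @{ Fqdn = 'sip.sipdomain.tld';    Port = 443; ExpectIp = '203.0.113.10' },
    @{ Fqdn = 'webcon.sipdomain.tld'; Port = 443; ExpectIp = '203.0.113.11' },
    @{ Fqdn = 'av.sipdomain.tld';     Port = 443; ExpectIp = '203.0.113.12' }
)
# Run from the FE: the Edge internal FQDN must resolve to the INTERNAL IP and
# answer on the A/V Authentication port, while the public A/V IP must NOT be
# reachable from the FE (the block rule described in the post).
$internal = @(
    @{ Fqdn = 'edge-int.corp.local'; Port = 5062; ExpectIp = '10.0.0.20' },
    @{ Fqdn = 'av.sipdomain.tld';    Port = 5062; ExpectIp = '203.0.113.12'; ShouldConnect = $false }
)
$results = foreach ($c in ($external + $internal)) { Test-EdgeEndpoint @c }
$results | Format-Table -AutoSize
```

Any row with `Pass` equal to False points at either a DNS answer that differs from the topology or a path (allowed or blocked) that does not match what the firewall is supposed to enforce.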

No one else with an idea what could be wrong here?
September 11th, 2013 2:29am
