OCS 2007 R2 A/V NAT - outside client trying internal IPs
Posted on 2009-07-07
I have an existing OCS 2007 R2 install (single server internal, single Edge Server). It's been running for a while, and now I am trying to change its configuration. We have been using a NIC directly connected to the public network for A/V Edge, as R1 required, and I am changing it so that the A/V Edge is connected to the public Internet via NAT, behind our ISA server.
As required, we have our internal DNS server configured so that the A/V Edge machine pulls up the public IP address when it queries the A/V Edge FQDN. In addition, I went into the A/V Edge configuration, and told it to enable NAT.
Internal clients can use the A/V fine. However, external clients are doing something very strange. A packet capture on the external client machine shows that it sets up the conversation with the usual chatter to the access and conferencing edge servers. Suddenly, instead of trying to access the A/V Edge's public IP, it tries accessing our base domain name's IP address via HTTPS. In other words, instead of looking up av.domain.com, it looks up domain.com. Then, after that, it does actually try the correct public IP address of the A/V Edge Server via port 3478 (TURN).
But here's where it gets weird. After a little more back-and-forth with the access and conferencing edge servers, it then tries the STUN conversation (over ports in the 50,000+ range) with the internal private IP address of our OCS server. Needless to say, these queries go nowhere, and the client is unable to get the audio/video.
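The symptom above (an Internet client being handed the OCS server's private address as a media candidate) can be spotted quickly by checking every candidate address and port an external client is offered. The Python check below is an added example, not part of the original post or of OCS itself; the candidate list, the IPs and the 50,000-59,999 media port range are constructed placeholders and assumptions, not values from the post.

```python
import ipaddress

# Constructed sample of the candidates an external client was offered, modelled
# on the capture described in the post: TURN on the A/V Edge public address
# (3478/udp), then STUN/media candidates in the 50,000+ range that point at the
# internal OCS server. All addresses are placeholders, not real deployment values.
SAMPLE_CANDIDATES = [
    ("203.0.113.10", 3478, "udp", "turn"),   # A/V Edge public (NAT) address
    ("10.1.1.25", 50021, "udp", "host"),     # internal OCS server address
    ("10.1.1.25", 50022, "tcp", "host"),
    ("203.0.113.10", 50040, "udp", "relay"),
]

# RFC 1918 ranges: an external client can never reach these directly.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed media port range for the A/V Edge; adjust to the deployment's setting.
MEDIA_PORT_RANGE = (50000, 59999)
TURN_PORT = 3478


def check_candidates(candidates, edge_public_ip):
    """Report which candidates an Internet client could actually reach.

    A candidate is flagged when its address is RFC 1918 (the internal server
    leaking into the external candidate list) or when it uses the edge's public
    address with a port outside the TURN port and the media range.
    """
    public = ipaddress.ip_address(edge_public_ip)
    report = []
    for ip, port, proto, kind in candidates:
        addr = ipaddress.ip_address(ip)
        problems = []
        if any(addr in net for net in RFC1918):
            problems.append("private address offered to external client")
        in_media = MEDIA_PORT_RANGE[0] <= port <= MEDIA_PORT_RANGE[1]
        if addr == public and not (port == TURN_PORT or in_media):
            problems.append("port outside TURN/media range")
        report.append({"candidate": f"{ip}:{port}/{proto}", "type": kind,
                       "reachable": not problems, "problems": problems})
    return report


def unreachable(candidates, edge_public_ip):
    """Just the candidate strings an external client cannot use."""
    return [r["candidate"] for r in check_candidates(candidates, edge_public_ip)
            if not r["reachable"]]


if __name__ == "__main__":
    for entry in check_candidates(SAMPLE_CANDIDATES, "203.0.113.10"):
        print(entry)
```

Any RFC 1918 candidate in the output is the internal address that should never have reached the external client; that is the thing to chase in the A/V Edge's NAT and DNS configuration.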