OCS R2 Audio video fails externally

Posted on 2011-09-22
Medium Priority
Last Modified: 2013-11-29
I have an OCS R2 STD deployment that includes an Edge Server and an FTMG server. The issue I am having is with external Audio and/or Video connections. Internal connections work fine. I have tested an externally signed-in user to an internal user and also a federated to internal user; both fail.
I have checked ports and all the things I can think of. The following are errors I am seeing:

On the FE server

OCS Protocol Stack 1001 14502
A significant number of connection failures have occurred with remote server <edgeservername>.<company>.net IP 172.xxx.xxx.xxx. There have been 207 failures in the last 180 minutes. There have been a total of 8186 failures.
The specific failure types and their counts are identified below.
Instance count - Failure Type
7895 80072746
120 80072745
115 8007274D
This can be due to credential issues, DNS, firewalls or proxies. The specific failure types above should identify the problem.

and when I run the A/V validation on the FE:

Connecting to A/V Authentication Edge Server to get credentials            A/V Authentication Edge Server: Could not contact A/V Authentication Edge Server.
To resolve this error, check for the following
1. The outbound proxy is reachable.
2. The outbound proxy and A/V Authentication Edge Server are in trusted server list of each other.
3. The outbound proxy and A/V Authentication Edge Server have valid certificates.
4. Conference Server certificate is valid.
5. A/V Authentication Edge Server Gruu is correct.
[0xC3FC200D] One or more errors were detected

Validation on the Edge returns no errors.
There is not a firewall between the edge and FE servers.
Suggestions of items to check?
I looked at the FE\Global properties\Edge servers and it shows the FQDN and 5062. The edge server has A/V authentication port set to 5062.

Question by:DayneJake
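
Added example (not part of the original thread): the "Failure Type" values in event 14502 are HRESULTs that wrap Win32/Winsock error codes, and this Python script decodes them and ranks them by count. The event text is copied from the question above; the code names in the lookup table come from winerror.h, and the function names are this example's own.

```python
import re

# Win32/Winsock codes seen on this page (names from winerror.h).
KNOWN_CODES = {
    1722: ("RPC_S_SERVER_UNAVAILABLE", "RPC endpoint unreachable"),
    10053: ("WSAECONNABORTED", "connection aborted by the local host"),
    10054: ("WSAECONNRESET", "connection reset by the peer or a device in the path"),
    10061: ("WSAECONNREFUSED", "target refused the connection"),
}
FACILITY_WIN32 = 7

# Event 14502 text as posted in the question above.
EVENT_TEXT = """\
Instance count - Failure Type
7895 80072746
120 80072745
115 8007274D
"""

def decode_hresult(hex_text):
    """Split an HRESULT into severity, facility and code; name known Win32 codes."""
    value = int(hex_text, 16)
    facility = (value >> 16) & 0x7FF   # bits 16-26
    code = value & 0xFFFF              # bits 0-15
    name, meaning = (None, None)
    if facility == FACILITY_WIN32:
        name, meaning = KNOWN_CODES.get(code, (None, None))
    return {"hresult": f"0x{value:08X}", "failed": bool(value >> 31),
            "facility": facility, "win32": code, "name": name, "meaning": meaning}

def summarize(event_text):
    """Return decoded failure types, most frequent first, with their share."""
    rows = []
    pattern = r"^[ \t]*(\d+)[ \t]+([0-9A-Fa-f]{8})[ \t]*$"
    for count, hr in re.findall(pattern, event_text, re.M):
        rows.append({"count": int(count), **decode_hresult(hr)})
    total = sum(r["count"] for r in rows)
    for r in rows:
        r["share"] = r["count"] / total if total else 0.0
    return sorted(rows, key=lambda r: r["count"], reverse=True)

if __name__ == "__main__":
    for r in summarize(EVENT_TEXT):
        print(f'{r["count"]:>6} {r["share"]:6.1%} {r["hresult"]} '
              f'{r["win32"]} {r["name"]}: {r["meaning"]}')
```

On the posted counts, about 97% of the failures decode to 10054 (connection reset), with the rest split between 10053 and 10061.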

Expert Comment

ID: 36959954
Your edge server, are you using NAT for your three "public" IPs or are they sitting out on the internet directly? If you are using NAT, do you have an internal DNS record for av.domain.com (change to whatever you actually called your external Audio/Video IP) to the public IP address (yes - public, not DMZ or internal IP) of your AV service?


Assisted Solution

ecalonllc earned 1000 total points
ID: 36967967
To coincide with dawho9's question, please also ensure you have the proper AV ports passed through to your DMZ. Here is a good diagram of what ports are used for AV in Lync: http://www.msexchange.org/img/upl/image0151313261656956.jpg

If your Forefront edge server public IPs aren't behind a NAT, please create the corresponding rules in the firewall policy to allow passage. Keep in mind you need a reverse proxy setup for Lync external users, i.e. address book search etc. will fail without it. I'm currently working on a much more technical issue with Lync EWS not deployed issue(s).

Author Comment

ID: 36968390
This is an OCS R2 deployment.
The Edge has 4 NICs: 3 for edge roles (NAT'd from real world to DMZ addresses) and 1 for internal.
What I am finding are TLS connection failures between the Edge internal interface and the FE.

Running the following on the edge gives me an error:
certutil -ping -config <CA-FQDN>\CA
Connecting to <CA-FQDN>\CA...
Server could not be reached: The RPC server is unavailable. 0x800706ba (WIN32: 1722)
CertUtil: -ping command FAILED: 0x800706ba (WIN32: 1722)
CertUtil: The RPC server is unavailable.

Looking into the CA now.

Accepted Solution

Sourabh-Exchange earned 1000 total points
ID: 37886407
This does not point me to the CA issue. Please check if you have the LDAP port open to reach to your CA.

Do you have any internal firewall? If yes, please let me know the firewall name.

Looks like a NAT issue to me, and the issue is not on the external side. I am sure two external contacts are able to make calls to each other. Also check if you are getting a "limited external calling" error on the Communicator.

- Sourabh

Author Comment

ID: 37943190
Ended up being a firewall issue that I was not told was in place.
