Solved

LYNC 2010 Edge Issue

Posted on 2013-01-13
Last Modified: 2013-02-21
We have recently set up a Lync 2010 environment.  We have a Lync server (Standard Edition) and a Lync edge server.  The communication between internal clients performs as expected.  External clients can connect and use the IM feature.  The connection immediately drops with a network error when we attempt to initiate a call.

The network is as follows:
Lync Server -- 10.104.220.178/24
Lync Edge Server -- 10.104.220.64/24 (Internal)
Lync Edge Server -- 10.104.250.2/24 (External)

We are NATing a public IP to the External address.
We are using internally assigned certificates for the LYNC and LYNC Edge Internal and a public SAN certificate.  We get the following error when we start a Lync communication session on the LYNC edge server.  We believe that this may be the reason why external clients cannot communicate with our internal clients.
Certificate error Message
Question by:ButlerTechnology

17 Comments

Expert Comment

by:Cliff Galiher
ID: 38773263
What client are you using to start the session? And what are your port configurations on your NAT device? It sounds like a breakdown on the AV side of things.

Accepted Solution

by:
Leon Fester earned 167 total points
ID: 38777726
You can enable logging on the Lync/OCS client so that you can see what is causing the connection to drop.
http://technet.microsoft.com/en-us/library/gg195661(v=ocs.14).aspx

Another logging tool is the Lync Server logging tool:
http://technet.microsoft.com/en-us/library/gg558599(v=ocs.14).aspx

Another test from external can be found on:
https://www.testocsconnectivity.com/
Click on the tab "Lync/OCS Server" and use the "Lync Server Remote Connectivity Test"

This should give you more detailed error reporting.

Author Comment

by:ButlerTechnology
ID: 38796150
We are using Lync 2010 client.  We have the following ports open: 5061, 5060, 443, 3478, 1152, 44.

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 167 total points
ID: 38796188
44 and 1152 should not be necessary for Lync services. Everything looks good for the external side though. On the internal side, 5062 is also necessary and, if that is blocked, it would generate the symptoms you describe.

Expert Comment

by:Leon Fester
ID: 38800261
Did you take this test yet?
https://www.testocsconnectivity.com/
Click on the tab "Lync/OCS Server" and use the "Lync Server Remote Connectivity Test"

It is a site provided by Microsoft themselves and the error reporting is much more detailed than the information you've provided here...

Author Comment

by:ButlerTechnology
ID: 38801038
We are waiting for our ISP to update our DNS entries.  We will run the OCS test as soon as that happens.

Expert Comment

by:Leon Fester
ID: 38801188
You only need the DNS entries for the autodiscovery tests.
Run them manually and enter the IP address of your Edge Server.

In fact, I actually posted 3 different tests that you could use.

Author Comment

by:ButlerTechnology
ID: 38812692
I tried the TestOCSConnectivity, but it requires a FQDN to process.  I am hoping to use that test once our records get updated.

I used the client logging and reviewed the log under the trace folder.  I did not notice any entries that would identify a failure.  I will be quite honest that I may not be sure what I would be looking for.

I won't be able to test the logs on the server till the weekend.

Assisted Solution

by:Netflo
Netflo earned 166 total points
ID: 38833472
Hi,

I would take a look at the following link: http://technet.microsoft.com/en-us/library/gg425891(v=ocs.14).aspx which may prove useful to double check that all ports required are open to your DMZ and from the DMZ to your LAN, assuming LAN and DMZ outbound are open.

Have you also set up your correct DNS - including SRV records? I believe this may be your issue, as this would have a direct impact on what you're trying to achieve. Have a look at this link: http://technet.microsoft.com/en-us/library/gg412787(v=ocs.14).aspx

Hope this helps, let us know how you get along.

Author Comment

by:ButlerTechnology
ID: 38868335
I have been testing using the Remote Connectivity Analyzer.

It displays an "Operations time out" when testing remote connectivity using the auto-discover area.

It connects successfully when using the FQDN of the server on port 5061.

It does not connect successfully when using the FQDN of the server on port 443.  The same message when using auto-discovery is displayed.  The test does show that the port (443) was opened successfully.

Other information that may/may not be helpful.  The Lync Server Audio/Video Edge service is set to start automatically, but is not started.  I start the service and it starts and stops.  The IIS Default Web Site is bound to the same certificate as the External Lync Connection.

Expert Comment

by:Netflo
ID: 38872085
On your Lync servers, run the installation media and perform the 'setup or remove Lync server components'; this should apply any changes to your infrastructure that are pending or not working. Reboot your servers following this change. Do all services start up correctly?

Author Comment

by:ButlerTechnology
ID: 38873342
Netflo

I took your recommendation and the Lync Server Audio/Video Edge service is now starting up as one would expect.  The certificate error moves forward a bit.
I am getting the following error:

Testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.
Test Steps
ExRCA is attempting to obtain the SSL certificate from remote server sip.company.com on port 443.
ExRCA wasn't able to obtain the remote SSL certificate.
Additional Details
The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.

The certificate is a SAN issued by GoDaddy.  The certificate has the following entries:

sip.company.com
lyncedge.company.com
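
A check along the lines of the ExRCA test quoted above, as an added example that is not part of the original post or of Microsoft's tooling: it reports whether the failure is at the TCP connect, the SSL negotiation, or in the certificate itself (SAN entries, expiry, chain). The function and parameter names are hypothetical, the host names are the ones quoted in the post, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example, not from the thread. Function and parameter names are hypothetical;
# sip.company.com and lyncedge.company.com are the names quoted in the post above.
function Test-EdgeCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443,
        [string[]]$ExpectedNames = @($HostName)
    )
    $result = [ordered]@{ Host = "${HostName}:$Port"; Stage = 'connect'; Error = $null }
    $ssl    = $null
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)      # fails here if the NAT/firewall path is closed
        $result.Stage = 'handshake'
        # Accept whatever is presented so a bad certificate can still be inspected;
        # trust is evaluated separately below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)   # fails here if SSL negotiation cannot complete
        $result.Stage = 'inspect'
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Subject Alternative Name extension (OID 2.5.29.17), formatted as text by .NET
        $sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanNames = @()
        if ($sanExt) {
            $sanNames = @([regex]::Matches($sanExt.Format($false), '(?:DNS Name=|DNS:)([^,\s]+)') |
                          ForEach-Object { $_.Groups[1].Value })
        }
        # Build the chain against the local trust store (default revocation settings)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $result.ChainValid   = $chain.Build($cert)
        $result.ChainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status })
        $result.Subject      = $cert.Subject
        $result.NotAfter     = $cert.NotAfter
        $result.SanNames     = $sanNames
        # Exact-match comparison only; wildcard entries are not expanded
        $result.MissingNames = @($ExpectedNames | Where-Object { $sanNames -notcontains $_ })
        $result.Stage = 'done'
    }
    catch   { $result.Error = $_.Exception.Message }
    finally { if ($ssl) { $ssl.Dispose() }; $client.Close() }
    [pscustomobject]$result
}

Test-EdgeCertificate -HostName 'sip.company.com' -ExpectedNames 'sip.company.com','lyncedge.company.com'
```

A result that stops at `Stage = 'handshake'` matches the "SSL negotiation wasn't successful" message, while `Stage = 'done'` with a non-empty `MissingNames` or `ChainValid = False` points at the certificate rather than the network path.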

Expert Comment

by:Netflo
ID: 38886765
Considering the error being received can you try and initiate a call via Lync from external to internal? Do you get the network error?

Author Comment

by:ButlerTechnology
ID: 38897145
We are able to communicate with IM between internal and external clients.  We get an error message when we attempt to initiate a phone or video call.  It attempts to make the connection and then fails with a network error.

Expert Comment

by:Netflo
ID: 38897349
Disable your AV on the remote clients and try again.

I personally had this problem and this was due to Kaspersky blocking TURN packets, hence the error when trying to make a call.
The workaround for me was to tell Kaspersky not to scan network traffic for Communicator.exe.

Author Comment

by:ButlerTechnology
ID: 38916001
NetFlo
I took your recommendation and we have success.  I then tried several other machines without adjusting the AV and they are working.  I tried the Lync/OCS Test site and it is still failing on the certificate issue.  I spoke with our network manager and he has been making tweaks and such.  The bottom line is that we are working without a clear understanding of what was the actual solution.

We are still having some issues with the meeting stuff that I will post in a new thread since this one has cleared up the initial issues.  I will be awarding points to all since there was no clear solution.

Author Closing Comment

by:ButlerTechnology
ID: 38916013
It is unknown what the issue was, but the advice from all is greatly appreciated and very helpful.