Solved

LYNC 2010 Edge Issue

Posted on 2013-01-13
Last Modified: 2013-02-21
We have recently set up a Lync 2010 environment.  We have a Lync server (Standard Edition) and a Lync Edge server.  The communication between internal clients performs as expected.  External clients can connect and use the IM feature.  The connection immediately drops with a network error when we attempt to initiate a call.

The network is as follows:
Lync Server -- 10.104.220.178/24
Lync Edge Server -- 10.104.220.64/24 (Internal)
Lync Edge Server -- 10.104.250.2/24 (External)

We are NATing a public IP to the External address.
We are using internally assigned certificates for the LYNC and LYNC Edge Internal and a public SAN certificate.  We get the following error when we start a lync communication session on the LYNC edge server.  We believe that this may be the issue on why external client cannot communicate with our internal client.
Certificate error Message
Question by:ButlerTechnology
17 Comments
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 38773263
What client are you using to start the session? And what are your port configurations on your NAT device? It sounds like a breakdown on the AV side of things.
 
LVL 26

Accepted Solution

by:
Leon Fester earned 167 total points
ID: 38777726
You can enable logging on the Lync/OCS client so that you can see what is causing the connection to drop.
http://technet.microsoft.com/en-us/library/gg195661(v=ocs.14).aspx

Another logging tool is the Lync Server logging tool:
http://technet.microsoft.com/en-us/library/gg558599(v=ocs.14).aspx

Another test from external can be found on:
https://www.testocsconnectivity.com/
Click on the tab "Lync/OCS Server" and use the "Lync Server Remote Connectivity Test"

This should give you more detailed error reporting.
 
LVL 6

Author Comment

by:ButlerTechnology
ID: 38796150
We are using Lync 2010 client.  We have the following ports open: 5061, 5060, 443, 3478, 1152, 44.
 
LVL 56

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 167 total points
ID: 38796188
44 and 1152 should not be necessary for Lync services. Everything looks good for the external side though. On the internal side, 5062 is also necessary and if that is blocked, would generate the symptoms you describe.
 
LVL 26

Expert Comment

by:Leon Fester
ID: 38800261
Did you take this test yet?
https://www.testocsconnectivity.com/
Click on the tab "Lync/OCS Server" and use the "Lync Server Remote Connectivity Test"

It is a site provided by Microsoft themselves and the error reporting is much more detailed than the information you've provided here...
 
LVL 6

Author Comment

by:ButlerTechnology
ID: 38801038
We are waiting for our ISP to update our DNS entries.  We will run the OCS test as soon as that happens.
 
LVL 26

Expert Comment

by:Leon Fester
ID: 38801188
You only need the DNS entries for the autodiscovery tests.
Run them manually and enter the IP address of your Edge Server.

In fact, I actually posted 3 different tests that you could use.
 
LVL 6

Author Comment

by:ButlerTechnology
ID: 38812692
I tried the TestOCSConnectivity, but it requires a FQDN to process.  I am hoping to use that test once our records get updated.

I used the client logging and reviewed the log under the trace folder.  I did not notice any entries that would identify a failure.  I will be quite honest that I may not be sure what I would be looking for.

I won't be able to test the logs on the server till the weekend.
 
LVL 18

Assisted Solution

by:Netflo
Netflo earned 166 total points
ID: 38833472
Hi,

I would take a look at the following link: http://technet.microsoft.com/en-us/library/gg425891(v=ocs.14).aspx which may prove useful to double check that all ports required are open to your DMZ and from the DMZ to your LAN, assuming LAN and DMZ outbound are open.

Have you also set up your correct DNS, including SRV records? I believe this may be your issue, as this would have a direct impact on what you're trying to achieve. Have a look at this link: http://technet.microsoft.com/en-us/library/gg412787(v=ocs.14).aspx

Hope this helps, let us know how you get along.
 
LVL 6

Author Comment

by:ButlerTechnology
ID: 38868335
I have been testing using the Remote Connectivity Analyzer.

It displays an "Operations time out" when testing remote connectivity using the auto-discover area.

It connects successfully when using the FQDN of the server on port 5061.

It does not connect successfully when using the FQDN of the server on port 443.  The same message when using auto-discovery is displayed.  The test does show that the port (443) was opened successfully.

Other information that may/may not be helpful.  The Lync Server Audio/Video Edge service is set to start automatically, but is not started.  I start the service and it starts and stops.  The IIS Default Web Site is bound to the same certificate as the External Lync Connection.
 
LVL 18

Expert Comment

by:Netflo
ID: 38872085
On your Lync servers run the installation media and perform the 'setup or remove Lync server components'; this should apply any changes to your infrastructure that are pending or not working. Reboot your servers following this change. Do all services start up correctly?
 
LVL 6

Author Comment

by:ButlerTechnology
ID: 38873342
Netflo

I took your recommendation and the Lync Server Audio/Video Edge service is now starting up as one would expect.  The certificate error moves forward a bit.
I am getting the following error:

Testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.
Test Steps
ExRCA is attempting to obtain the SSL certificate from remote server sip.company.com on port 443.
ExRCA wasn't able to obtain the remote SSL certificate.
Additional Details
The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.

The certificate is a SAN issued by GoDaddy.  The certificate has the following entries:

sip.company.com
lyncedge.company.com
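The ExRCA message above leaves two possibilities open (a network problem on the path to 443, or a certificate installation problem on the Edge), and Netflo's earlier port checklist raises the same question for the other Edge ports. The following PowerShell script is an added example, not from the thread or from Microsoft's tooling: it tests the Edge ports the posts mention and then reads the certificate actually presented on 443 so the two cases can be told apart. `sip.company.com` is the placeholder name from the ExRCA output; replace it with your own Edge FQDN.

```powershell
# Added example (not from the thread). Port check plus certificate readout for a
# Lync Edge external interface. $edgeFqdn is a placeholder taken from the ExRCA
# output in the post above; the port list is the one discussed in the thread.
$edgeFqdn = 'sip.company.com'
$ports    = 5061, 443, 3478    # SIP/TLS, HTTPS (A/V fallback), STUN

function Test-EdgePort {
    param([string]$Hostname, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Hostname, $Port)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($port in $ports) {
    $state = if (Test-EdgePort -Hostname $edgeFqdn -Port $port) { 'open' } else { 'closed/filtered' }
    "{0}:{1} {2}" -f $edgeFqdn, $port, $state
}

# Read the certificate on 443. The callback accepts any certificate on purpose:
# this is a diagnostic and we want to see what the Edge offers even when it
# would not validate. If the handshake itself fails here, that matches what
# ExRCA reports as "SSL negotiation wasn't successful".
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$tcp = $null; $ssl = $null
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($edgeFqdn, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($edgeFqdn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "Subject : {0}" -f $cert.Subject
    "Issuer  : {0}" -f $cert.Issuer
    "Expires : {0}" -f $cert.NotAfter
    # OID 2.5.29.17 is the Subject Alternative Name extension; the SAN list must
    # contain the name the external clients connect to (here sip.company.com).
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { "SANs    : {0}" -f $san.Format($false) } else { 'No SAN extension present' }
} catch {
    "TLS handshake with {0}:443 failed: {1}" -f $edgeFqdn, $_.Exception.Message
} finally {
    if ($ssl) { $ssl.Dispose() }
    if ($tcp) { $tcp.Close() }
}
```

Run it from outside the network (the same vantage point as the ExRCA test); a port that shows open while the handshake fails points at the certificate binding on the Edge rather than at the NAT or firewall.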
 
LVL 18

Expert Comment

by:Netflo
ID: 38886765
Considering the error being received can you try and initiate a call via Lync from external to internal? Do you get the network error?
 
LVL 6

Author Comment

by:ButlerTechnology
ID: 38897145
We are able to communicate with IM between internal and external clients.  We get an error message when we attempt to initiate a phone or video call.  It attempts to make the connection and then fails with a network error.
 
LVL 18

Expert Comment

by:Netflo
ID: 38897349
Disable your AV on the remote clients and try again.

I personally had this problem and this was due to Kaspersky blocking TURN packets, hence the error when trying to make a call.
The workaround for me was to tell Kaspersky not to scan network traffic for Communicator.exe.
 
LVL 6

Author Comment

by:ButlerTechnology
ID: 38916001
NetFlo
I took your recommendation and we have success.  I then tried several other machines without adjusting the AV and they are working.  I tried the Lync/OCS test site and it is still failing on the certificate issue.   I spoke with our network manager and he has been making tweaks and such.  The bottom line is that we are working without a clear understanding of what the actual solution was.

We are still having some issues with the meeting stuff that I will post in a new thread since this one has cleared up the initial issues.  I will be awarding points to all since there was no clear solution.
 
LVL 6

Author Closing Comment

by:ButlerTechnology
ID: 38916013
It is unknown what the issue was, but the advice from all is greatly appreciated and very helpful.
