Solved

LYNC 2010 Edge Issue

Posted on 2013-01-13
Last Modified: 2013-02-21
We have recently set up a Lync 2010 environment.  We have a Lync server (Standard Edition) and a Lync edge server.  The communication between internal clients performs as expected.  External clients can connect and use the IM feature.  The connection immediately drops with a network error when we attempt to initiate a call.

The network is as follows:
Lync Server -- 10.104.220.178/24
Lync Edge Server -- 10.104.220.64/24 (Internal)
Lync Edge Server -- 10.104.250.2/24 (External)

We are NATing a public IP to the External address.
We are using internally assigned certificates for the LYNC and LYNC Edge Internal and a public SAN certificate.  We get the following error when we start a lync communication session on the LYNC edge server.  We believe that this may be the issue on why external client cannot communicate with our internal client.
Certificate error Message
0
Question by:ButlerTechnology
17 Comments
 
LVL 56

Expert Comment

by:Cliff Galiher
What client are you using to start the session? And what are your port configurations on your NAT device? It sounds like a breakdown on the AV side of things.
0
 
LVL 26

Accepted Solution

by:Leon Fester
Leon Fester earned 167 total points
You can enable logging on the Lync/OCS client so that you can see what is causing the connection to drop.
http://technet.microsoft.com/en-us/library/gg195661(v=ocs.14).aspx

Another logging tool is the Lync Server logging tool:
http://technet.microsoft.com/en-us/library/gg558599(v=ocs.14).aspx

Another test from external can be found on:
https://www.testocsconnectivity.com/
Click on the tab "Lync/OCS Server" and use the "Lync Server Remote Connectivity Test"

This should give you more detailed error reporting.
0
 
LVL 6

Author Comment

by:ButlerTechnology
We are using Lync 2010 client.  We have the following ports open: 5061, 5060, 443, 3478, 1152, 44.
0
 
LVL 56

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 167 total points
44 and 1152 should not be necessary for Lync services. Everything looks good for the external side though. On the internal side, 5062 is also necessary and if that is blocked, would generate the symptoms you describe.
0
 
LVL 26

Expert Comment

by:Leon Fester
Did you take this test yet?
https://www.testocsconnectivity.com/
Click on the tab "Lync/OCS Server" and use the "Lync Server Remote Connectivity Test"

It is a site provided by Microsoft themselves and the error reporting is much more detailed than the information you've provided here...
0
 
LVL 6

Author Comment

by:ButlerTechnology
We are waiting for our ISP to update our DNS entries.  We will run the OCS test as soon as that happens.
0
 
LVL 26

Expert Comment

by:Leon Fester
You only need the DNS entries for the autodiscovery tests.
Run them manually and enter the IP address of your Edge Server.

In fact, I actually posted 3 different tests that you could use.
0
 
LVL 6

Author Comment

by:ButlerTechnology
I tried the TestOCSConnectivity, but it requires a FQDN to process.  I am hoping to use that test once our records get updated.

I used the client logging and reviewed the log under the trace folder.  I did not notice any entries that would identify a failure.  I will be quite honest that I may not be sure what I would be looking for.

I won't be able to test the logs on the server till the weekend.
0

 
LVL 18

Assisted Solution

by:Netflo
Netflo earned 166 total points
Hi,

I would take a look at the following link: http://technet.microsoft.com/en-us/library/gg425891(v=ocs.14).aspx which may prove useful to double check that all ports required are open to your DMZ and from the DMZ to your LAN, assuming LAN and DMZ outbound are open.

Have you also set up your correct DNS, including SRV records? I believe this may be your issue, as this would have a direct impact on what you're trying to achieve. Have a look at this link: http://technet.microsoft.com/en-us/library/gg412787(v=ocs.14).aspx

Hope this helps, let us know how you get along.
0
 
LVL 6

Author Comment

by:ButlerTechnology
I have been testing using the Remote Connectivity Analyzer.

It displays an "Operations time out" when testing remote connectivity using the auto-discover area.

It connects successfully when using the FQDN of the server on port 5061.

It does not connect successfully when using the FQDN of the server on port 443.  The same message when using auto-discovery is displayed.  The test does show that the port (443) was opened successfully.

Other information that may/may not be helpful.  The Lync Server Audio/Video Edge service is set to start automatically, but is not started.  I start the service and it starts and stops.  The IIS Default Web Site is bound to the same certificate as the External Lync Connection.
0
 
LVL 18

Expert Comment

by:Netflo
On your Lync servers, run the installation media and perform the 'setup or remove Lync server components'; this should apply any changes to your infrastructure that are pending or not working. Reboot your servers following this change; do all services start up correctly?
0
 
LVL 6

Author Comment

by:ButlerTechnology
Netflo

I took your recommendation and the Lync Server Audio/Video Edge service is now starting up as one would expect.  The certificate error moves forward a bit.
I am getting the following error:

Testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.
Test Steps
ExRCA is attempting to obtain the SSL certificate from remote server sip.company.com on port 443.
ExRCA wasn't able to obtain the remote SSL certificate.
Additional Details
The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.

The certificate is a SAN issued by godaddy.  The certificate has the following entries:

sip.company.com
lyncedge.company.com
0
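Added example, not part of the thread: the ExRCA message above cannot tell a network failure from a certificate problem, so this Python sketch probes the port, reports which stage failed, and then checks that the served certificate carries the SAN entries the post lists. The function names are hypothetical, and `sip.company.com` / `lyncedge.company.com` are the placeholder names from the post.

```python
import socket
import ssl

# Assumption: the names the post says are on the public SAN certificate.
EXPECTED_NAMES = ["sip.company.com", "lyncedge.company.com"]

def san_covers(name, sans):
    """True if `name` matches a DNS SAN entry, allowing a left-most wildcard label."""
    name = name.lower().rstrip(".")
    for san in sans:
        san = san.lower().rstrip(".")
        if san == name:
            return True
        # "*.company.com" covers exactly one extra label, never two.
        if san.startswith("*.") and "." in name:
            if name.split(".", 1)[1] == san[2:]:
                return True
    return False

def classify(exc):
    """Map a connection exception to the stage that failed (most specific first)."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "certificate"   # handshake ran; chain, name or expiry was rejected
    if isinstance(exc, ssl.SSLError):
        return "tls"           # port answered but TLS negotiation failed
    if isinstance(exc, OSError):
        return "network"       # timeout, refused, reset or DNS failure
    return "unknown"

def probe(host, port=443, timeout=10):
    """Return (stage, detail); stage is 'ok' or the stage that failed."""
    ctx = ssl.create_default_context()   # validates chain and host name
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except Exception as exc:
        return classify(exc), str(exc)
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    missing = [n for n in EXPECTED_NAMES if not san_covers(n, sans)]
    return ("ok", sans) if not missing else ("san-missing", missing)

if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:          # e.g. the edge FQDN, from outside the NAT
        print(target, *probe(target))
```

A `network` or `tls` result points at the NAT, firewall or the service listening on the port; `certificate` or `san-missing` points at the certificate assignment itself.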
 
LVL 18

Expert Comment

by:Netflo
Considering the error being received can you try and initiate a call via Lync from external to internal? Do you get the network error?
0
 
LVL 6

Author Comment

by:ButlerTechnology
We are able to communicate with IM between internal and external clients.  We get an error message when we attempt to initiate a phone or video call.  It attempts to make the connection and then fails with a network error.
0
 
LVL 18

Expert Comment

by:Netflo
Disable your AV on the remote clients and try again.

I personally had this problem and this was due to Kaspersky blocking TURN packets, hence the error when trying to make a call.
The workaround for me was to tell Kaspersky not to scan network traffic for Communicator.exe.
0
 
LVL 6

Author Comment

by:ButlerTechnology
NetFlo
I took your recommendation and we have success.  I then tried several other machines without adjusting the AV and they are working.  I tried the Lync/OCS Test site and it is still failing on the certificate issue.   I spoke with our network manager and he has been making tweaks and such.  The bottom line is that we are working without a clear understanding of what was the actual solution.

We are still having some issues with the meeting stuff that I will post in a new thread since this one has cleared up the initial issues.  I will be awarding points to all since there was no clear solution.
0
 
LVL 6

Author Closing Comment

by:ButlerTechnology
It is unknown what the issue was, but the advice from all is greatly appreciated and very helpful.
0
