Solved

Lync external client to internal client not connecting for audio

Posted on 2013-06-03
Last Modified: 2014-01-06
Hi,

I have set up a demo Lync environment including an Edge server.
I have tested all my configurations (i.e. Edge ports, SRV records, certs, etc.) and all come back positive.

My external client (test.user@contoso.com) can connect through the Edge and can IM internal and other external Lync clients; however, when I try to add audio, I get "Call could not complete due to network issues".

For the sake of testing I have turned off all firewall aspects of my network to confirm that the firewall is not the culprit.

Attached are the logs from the external Lync client (Test User). I was hoping someone would be able to spot the problem.

Thanks,
Question by:SxS777

12 Comments
LVL 35

Expert Comment

by:Bembi
ID: 39226544
Nothing attached here, but...
First make sure all services are running on the Lync Edge.
If this is OK, it may depend on how you set up your Lync Edge and published it to the internet.
I have observed such issues if you use different ports instead of different IPs. As all the services usually try to connect to port 443, this may fail for clients which expect the traffic on this port.

Author Comment

by:SxS777
ID: 39227018
Hi,
Thanks for responding.

Please see re-attached.

Lync services are all running on the edge and remote clients are able to log on and IM. Only audio is not working. I can also telnet to said ports.

The strange thing is that I do not see relay candidates on the front end for such calls, even though all call scenarios in an Edge-enabled Lync environment should have at least one media relay candidate.

I'm concerned that this is the cause, which could be a deeper problem.

Look forward to your response.

Thanks.

Author Comment

by:SxS777
ID: 39227021
Not sure why not attaching. Trying again here.
Lync-UccApi-0.UccApilog.zip
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 39228175
A few questions to begin with.

1- Do you have a public certificate assigned to the external network on the Edge server?
2- Have you created routing for the internal NIC to the subnet which the Front End is on?
3- Have you opened the port range for AV for both protocols, TCP and UDP (50000-59999)?
4- Have you created a static NAT rule (1:1) on your firewall allowing traffic to come from outside, hit your public IP and then be NATted to the DMZ IP assigned to the AV service in your Lync topology?

If you can get a snapshot of your Edge configuration from your Lync topology, that would be a good step to start with.

Another thing: go to http://testexchangeconnectivity.com/ and test Lync remote connectivity. Make sure you tick the option "Perform Audio/Video Server Connectivity Test", run the test and post your result here.
LVL 23

Accepted Solution

by:
Mohammed Hamada earned 500 total points
ID: 39228247
Looking at the file you have attached, it seems that it takes a while for you to log in to the Lync client. How are you logged in remotely: from your own network or from a different network?

I can see you're getting an unauthorized message in the beginning, but then you get the 200 OK after a couple of login attempts.

"SIP/2.0 401 Unauthorized
ms-user-logon-data: RemoteUser
Date: Mon, 03 Jun 2013 20:52:04 GMT
WWW-Authenticate: NTLM realm="SIP Communications Service", targetname="W15-LYNC-SE1.Contoso.com", version=4
WWW-Authenticate: TLS-DSK realm="SIP Communications Service", targetname="W15-LYNC-SE1.Contoso.com", version=4, sts-uri="https://sip.majuda.co:4443/CertProv/CertProvisioningService.svc"
From: <sip:test.user@contoso.com>;tag=ed22608227;epid=319917a2c5
To: <sip:test.user@contoso.com>;tag=BBEC516A5687A462823EF734F546884A
Call-ID: d1698293b8c9460784cae432c92ec961
CSeq: 1 REGISTER
Via: SIP/2.0/TLS 12.0.0.199:63255;received=X.X.X.43;ms-received-port=38370;ms-received-cid=1300
Server: RTC/5.0
Content-Length: 0
ms-diagnostics-public: 1033;reason="Previous hop server component did not report diagnostic information";Domain="contoso.com";PeerServer="W15-LYNC-SE1.Contoso.com""

Checking your access edge FQDN, it also appears that you have no SSL certificate bound to the external network, or it is not installed on the firewall; port 443 is not open as well.

The public certificate for the Edge needs to be installed on the firewall so the end point party can see that you have a certificate.

Type in your public access edge FQDN, e.g. (sip.domain.com), and test if this website can read your SSL certificate details.

http://www.sslshopper.com/ssl-checker.html

Author Comment

by:SxS777
ID: 39230017
Hi guys,

thanks for the good info.

It is surprising you picked up on a cert error, as the certs have been loaded. The Edge service did not want to load correctly until the certs were installed.

This is a test environment, so I have all firewall aspects disabled and am running the entire Lync infrastructure on the same subnet to reduce configuration problems.

I was hoping to get it stable and then start tightening security.

I don't leave the system running when we are not working, so that is probably why you could not hit port 443.

Question - I am not running an Exchange server in this configuration. Is it required?


Below are the failed results from testexchangeconnectivity. It seems to say SSL is OK, but the SSL checker says SSL is not OK. Any ideas on this?

Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
Tell me more about this issue and how to resolve it

Additional Details
Couldn't sign in. Error: Error Message: The endpoint was unable to register. See the ErrorCode for specific reason..
Error Type: RegisterException.
Deregister Reason: None.
Response Code: 504.
Response Text: Server time-out.

Thanks.

Author Comment

by:SxS777
ID: 39230100
Update to last post.

testexchangeconnectivity returning OK for all tests including AV however adding audio to sessions is still failing "due to network connectivity".

:(
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 39230641
The AV part is a bit tricky, because it involves so many configurations on the Edge/firewall and FE side.

How are you configuring your Edge server, 2 NICs or one? Could you please describe the IP addresses on each NIC? For instance, is the internal one in the subnet of the Front End? And the external NIC or DMZ, how is it configured?

How is your Edge configured in the topology?
If the IPs in the topology are not configured properly, there's a possibility you will always face an issue.

The firewall needs to have a static NAT configuration on each IP for AV.
You will also need the STUN port, port number 3478, enabled for UDP/TCP.
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 39230647
Oh, and you don't really need Exchange Server; Lync doesn't need Exchange Server to run. But if it happens that you have Exchange, then you can enable Unified Messaging integration with Lync.
LVL 35

Expert Comment

by:Bembi
ID: 39230686
Just another tool to check what the client can see:
http://www.insideocs.com/Tools/RUCT/RUCT.htm
You should try it from outside your network.

I have seen the same error as moh10ly. What I'm wondering about is port 4443, which is usually used internally.

I would be interested to see something like a network diagram which shows which IP addresses (at least the end number) and ports you use from the Edge to the firewall and from the firewall to the outside world.

As I said before, I have seen this in situations where the external IP was shared with different ports. After changing the configuration to three different IPs, all listening on port 443, the problems went away.

Obviously, each IP which is published to the internet needs to present a cert containing the name of the corresponding Edge leg. Also, the other side has to trust the root cert which issued your external Edge certs. For public certs this is usually the case.
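As an added check that is not part of this thread (example code written for this page, not from Microsoft or any poster), the script below probes each published Edge leg the way the remote client does: a TCP connect to the port from moh10ly's checklist, then a verified TLS handshake that reports whether the presented certificate chains to a trusted root and whether its SAN contains the leg's FQDN, which are the two conditions Bembi describes. It assumes Python 3.7+, outbound reachability from the machine running it, and that the FQDNs you pass in are your own Edge legs.

```python
import socket
import ssl
from typing import Dict, Iterable, List

# Ports from the thread's checklist: 443 on every published Edge leg, 5061 on
# Access Edge, 3478 (STUN) on A/V Edge. The 50000-59999 media range is per call.
EDGE_PORTS = {"access": [443, 5061], "webconf": [443], "av": [443, 3478]}
TLS_PORTS = {443, 5061}  # 3478 is STUN, not a TLS listener

def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True when a plain TCP connect completes (the same check as telnet)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def san_names(cert: Dict) -> List[str]:
    """DNS names from the subjectAltName of an ssl getpeercert() dict."""
    return [v.lower() for t, v in cert.get("subjectAltName", ()) if t == "DNS"]

def name_matches(names: Iterable[str], fqdn: str) -> bool:
    """True if fqdn is covered by a SAN entry (single-label wildcard allowed)."""
    fqdn = fqdn.lower()
    for n in names:
        if n == fqdn:
            return True
        if n.startswith("*.") and n.count(".") == fqdn.count(".") and fqdn.endswith(n[1:]):
            return True
    return False

def check_edge_leg(fqdn: str, port: int = 443, timeout: float = 5.0) -> Dict:
    """Probe one Edge leg. A failure here is what a remote Lync client or an
    online SSL checker sees: no listener, untrusted root, or name mismatch."""
    result = {"fqdn": fqdn, "port": port, "tcp": tcp_open(fqdn, port, timeout)}
    if not result["tcp"]:
        result["error"] = "no TCP listener (NAT rule, firewall or Edge service)"
    if not result["tcp"] or port not in TLS_PORTS:
        return result
    ctx = ssl.create_default_context()  # public roots + hostname verification on
    try:
        with socket.create_connection((fqdn, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
                result["san"] = san_names(tls.getpeercert())
                result["name_ok"] = name_matches(result["san"], fqdn)
    except ssl.SSLCertVerificationError as e:
        result["error"] = f"certificate rejected: {e.verify_message}"
    except (ssl.SSLError, OSError) as e:
        result["error"] = f"TLS handshake failed: {e}"
    return result
```

Run it from outside your network, calling check_edge_leg() once per FQDN and port in EDGE_PORTS; a "certificate rejected" result on a leg that telnet can reach is the cert/trust problem, while "no TCP listener" points at the NAT rule or the Edge service.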

Author Comment

by:SxS777
ID: 39245952
Still working. Will update shortly
LVL 1

Expert Comment

by:1eEurope
ID: 39550526
We faced the same problem after a migration from Lync 2010 to Lync 2013 with the new Edge server for 2013.
The solution was, as moh10ly already pointed out, to set a persistent route on the Edge server to find the way to the Front End server:
route add xx.xx.0.0 mask 255.255.0.0 xx.xx.xx.xx if xx metric 1 -p

To get the interface (if) you have to use route print.