Lync external client to internal client not connecting for audio


I have set up a demo Lync environment including an Edge server.
I have tested all my configurations (i.e. Edge ports, SRV records, certs etc.) and all come back positive.

My external client (test.user@contoso.com) can connect through the Edge and can IM internal and other external Lync clients; however, when I try to add audio, I get "Call could not complete due to network issues".

For the sake of testing I have turned off all firewall aspects to my network to confirm that the firewall is not the culprit.

Attached are the logs from the external Lync client (Test User). I was hoping someone would be able to spot the problem.

1 Solution
Nothing attached here, but....
First make sure all services are running on the Lync Edge.
If this is OK, it may depend on how you set up your Lync Edge and published it to the internet.
I have observed such issues if you use different ports instead of different IPs. As all the services usually try to connect to port 443, this may fail for clients that expect the traffic on this port.
SxS777 (Author) commented:
Thanks for responding.

Please see re-attached.

Lync services are all running on the Edge, and remote clients are able to log on and IM. Only audio is not working. I can also telnet to the ports in question.

The strange thing is that I do not see relay candidates on the front end for such calls, even though all call scenarios in an Edge-enabled Lync environment should have at least one media relay candidate.

I'm concerned that this is the cause, which could be a deeper problem.

Look forward to your response.

SxS777 (Author) commented:
Not sure why not attaching. Trying again here.
Mohammed Hamada (Senior IT Consultant) commented:
A few questions to begin with.

1- Do you have a public certificate assigned to the external network on the Edge server?
2- Have you created routing for the internal NIC to the subnet the Front End is on?
3- Have you opened the port range for AV for both protocols, TCP and UDP (50000-59999)?
4- Have you created a static (1:1) NAT rule on your firewall allowing traffic from outside to hit your public IP and then be NATted to the DMZ IP assigned to AV in your Lync topology?

If you can get a snapshot of your Edge configuration from your Lync topology, that would be a good step to start with.

Another thing: go to http://testexchangeconnectivity.com/ and test Lync remote connectivity. Make sure you tick the option "Perform Audio/Video Server Connectivity Test", run the test and post your result here.
Mohammed Hamada (Senior IT Consultant) commented:
Looking at the file you have attached, it seems that it takes a while for you to log in to the Lync client? How are you logging in remotely: from your own network or from a different network?

I can see you're getting an unauthorized message in the beginning, but then you get the 200 OK after a couple of login attempts.

    SIP/2.0 401 Unauthorized
    ms-user-logon-data: RemoteUser
    Date: Mon, 03 Jun 2013 20:52:04 GMT
    WWW-Authenticate: NTLM realm="SIP Communications Service", targetname="W15-LYNC-SE1.Contoso.com", version=4
    WWW-Authenticate: TLS-DSK realm="SIP Communications Service", targetname="W15-LYNC-SE1.Contoso.com", version=4, sts-uri="https://sip.majuda.co:4443/CertProv/CertProvisioningService.svc"
    From: <sip:test.user@contoso.com>;tag=ed22608227;epid=319917a2c5
    To: <sip:test.user@contoso.com>;tag=BBEC516A5687A462823EF734F546884A
    Call-ID: d1698293b8c9460784cae432c92ec961
    CSeq: 1 REGISTER
    Via: SIP/2.0/TLS;received=X.X.X.43;ms-received-port=38370;ms-received-cid=1300
    Server: RTC/5.0
    Content-Length: 0
    ms-diagnostics-public: 1033;reason="Previous hop server component did not report diagnostic information";Domain="contoso.com";PeerServer="W15-LYNC-SE1.Contoso.com"

Checking your Access Edge FQDN, it also appears that you have no SSL certificate bound to the external network, or it is not installed on the firewall; port 443 is not open as well.

The public certificate for the Edge needs to be installed on the firewall so the endpoint party can see that you have a certificate.

Type in the public Access Edge FQDN, e.g. sip.domain.com, and test whether this website can read your SSL certificate details.

SxS777 (Author) commented:
Hi guys,

thanks for the good info.

It is surprising you picked up on a cert error, as the certs have been loaded. The Edge service did not want to load correctly until the certs were installed.

This is a test environment, so I have all firewall aspects disabled and am running the entire Lync infrastructure on the same subnet to reduce configuration problems.

I was hoping to get it stable and then start tightening security.

I don't leave the system running when we are not working, so that is probably why you could not hit port 443.

Question: I am not running an Exchange server in this configuration. Is it required?

Below are the failed results from testexchangeconnectivity. It seems to say SSL is OK, but the SSL checker says SSL is not OK. Any ideas on this?

    Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
    Additional Details
    Couldn't sign in. Error: Error Message: The endpoint was unable to register. See the ErrorCode for specific reason.
    Error Type: RegisterException.
    Deregister Reason: None.
    Response Code: 504.
    Response Text: Server time-out.

SxS777 (Author) commented:
Update to last post.

testexchangeconnectivity is now returning OK for all tests, including AV; however, adding audio to sessions is still failing "due to network connectivity".

Mohammed Hamada (Senior IT Consultant) commented:
The AV part is a bit tricky because it involves so many configurations on the Edge/firewall and FE side.

How are you configuring your Edge server, 2 NICs or one? And could you please describe the IP addresses on each NIC. For instance, is the internal one in the subnet of the Front End? And the external NIC or DMZ, how is it configured?

How is your Edge configured in the topology?
If the IPs in the topology are not configured properly, there's a possibility you will always face an issue.

The firewall needs to have a static NAT configuration on each IP for AV.
You will also need the STUN port (3478) enabled for UDP/TCP.
Mohammed Hamada (Senior IT Consultant) commented:
Oh, and you don't really need Exchange Server; Lync doesn't need Exchange Server to run. But if it happens that you have Exchange, then you can enable Unified Messaging integration with Lync.
Just another tool to check what the client can see.
You should try it from outside your network.

I have seen the same error as moh10ly; what I'm wondering about is port 4443, which is usually used internally.

I would be interested to see something like a network diagram which shows which IP addresses (at least the last octet) and ports you use from the Edge to the firewall and from the firewall to the outside world.

As I said before, I have seen this in situations where the external IP was shared with different ports. After changing the configuration to three different IPs all listening on port 443, the problems went away.

It goes without saying that each IP which is published to the internet needs to present a cert containing the name of the corresponding Edge leg. Also, the other side has to trust the root cert which issued your external Edge certs. For public certs this is usually the case.
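The per-leg checks described in this thread (is each published Edge IP reachable on the expected ports, does it present a certificate carrying that leg's name, and does the client side trust the issuing chain) can be scripted from an outside machine. The following PowerShell is an added example written for this page, not code from any of the posters; the three leg FQDNs, the contoso.com domain and the port list are assumptions for a lab and must be replaced with your own topology values. It tests TCP only, so UDP 3478 and the 50000-59999 media range still need a separate check.

```powershell
# Added example: verify each published Lync Edge leg from the internet side.
# Leg names and ports are lab assumptions, not values from the original thread.
$Legs = @(
    @{ Name = 'sip.contoso.com';     Ports = @(443, 5061) }   # Access Edge (assumed FQDN)
    @{ Name = 'webconf.contoso.com'; Ports = @(443) }         # Web Conferencing Edge (assumed FQDN)
    @{ Name = 'av.contoso.com';      Ports = @(443, 3478) }   # A/V Edge (assumed FQDN); 3478 UDP not covered here
)

function Test-TcpPort {
    # True when a TCP handshake to $HostName:$Port completes within the timeout.
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

function Get-TlsCertificate {
    # Opens TLS to $HostName:$Port with SNI = $HostName and returns the leaf
    # certificate the server presented. Validation errors are accepted here on
    # purpose so the certificate can be inspected; trust is checked separately.
    param([string]$HostName, [int]$Port = 443)
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList @($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

function Test-CertificateName {
    # True if $HostName is the subject CN or appears in the SAN extension (OID 2.5.29.17).
    # Wildcard names are not expanded; an exact match is required.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$HostName)
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($cn -ieq $HostName) { return $true }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return $false }
    # Format() yields e.g. "DNS Name=sip.contoso.com, DNS Name=webconf.contoso.com"
    $names = $san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=')[-1].Trim() }
    return ($names -icontains $HostName)
}

foreach ($leg in $Legs) {
    foreach ($port in $leg.Ports) {
        $open = Test-TcpPort -HostName $leg.Name -Port $port
        Write-Host ("{0}:{1} TCP {2}" -f $leg.Name, $port, $(if ($open) { 'open' } else { 'CLOSED' }))
    }
    try {
        $cert    = Get-TlsCertificate -HostName $leg.Name -Port 443
        $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)      # does this client trust the issuing CA?
        $nameOk  = Test-CertificateName -Cert $cert -HostName $leg.Name
        Write-Host ("  subject={0} expires={1:yyyy-MM-dd} nameMatch={2} chainTrusted={3}" -f $cert.Subject, $cert.NotAfter, $nameOk, $chainOk)
        if (-not $chainOk) {
            $chain.ChainStatus | ForEach-Object { Write-Host "    chain: $($_.StatusInformation.Trim())" }
        }
    } catch {
        Write-Host "  no TLS handshake on 443: $($_.Exception.Message)"
    }
}
```

Run it from a host outside the lab network, since the point is to see what a remote client sees. A leg that reports a closed 443, a name mismatch or an untrusted chain will fail in exactly the way the thread describes even when the Edge services themselves are healthy.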
SxS777 (Author) commented:
Still working. Will update shortly
We faced the same problem after a migration from Lync 2010 to Lync 2013 with the new Edge server for 2013.
The solution was, as moh10ly already pointed out, to set a persistent route on the Edge server to find the way to the Front End server:
route add xx.xx.0.0 mask xx.xx.xx.xx if xx metric 1 -p

To get the interface (if) you have to use route print.
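The persistent-route fix above can be done without reading interface numbers off route print by hand. The following PowerShell is an added example for this page, not the poster's own script; the internal NIC IP, gateway, Front End subnet and Front End FQDN are lab assumptions to be replaced with your own values. It assumes an elevated PowerShell on Windows Server 2012 R2 or later (Test-NetConnection); the route.exe call itself is the same syntax as the post, with the gateway filled in.

```powershell
# Added example: add and verify a persistent route from a two-NIC Lync Edge
# internal leg to the Front End subnet. All addresses below are assumptions.
$InternalNicIp     = '192.168.10.10'    # IP on the Edge's internal NIC (assumed)
$InternalGateway   = '192.168.10.1'     # router on the internal DMZ segment (assumed)
$FrontEndSubnet    = '192.168.20.0'     # subnet where the Front End lives (assumed)
$FrontEndMask      = '255.255.255.0'    # same network as /24 below
$FrontEndPrefixLen = 24
$FrontEndFqdn      = 'fe01.contoso.com' # a Front End to test against (assumed)

# 1. Find the interface index from the internal NIC's IP instead of 'route print'.
$ifIndex = (Get-NetIPAddress -IPAddress $InternalNicIp -AddressFamily IPv4 -ErrorAction Stop).InterfaceIndex
Write-Host "Internal NIC $InternalNicIp is interface index $ifIndex"

# 2. Add the route with -p so it survives a reboot.
$routeArgs = @('add', $FrontEndSubnet, 'mask', $FrontEndMask, $InternalGateway,
               'metric', '1', 'if', $ifIndex, '-p')
& route.exe @routeArgs | Out-Null
if ($LASTEXITCODE -ne 0) { throw "route.exe exited with code $LASTEXITCODE" }

# 3. Confirm the route is in the persistent store and bound to the internal NIC.
$route = Get-NetRoute -DestinationPrefix "$FrontEndSubnet/$FrontEndPrefixLen" -PolicyStore PersistentStore -ErrorAction Stop
$route | Format-Table DestinationPrefix, NextHop, InterfaceIndex, RouteMetric -AutoSize
if ($route.InterfaceIndex -ne $ifIndex) {
    Write-Warning "Route is bound to interface $($route.InterfaceIndex), expected $ifIndex"
}

# 4. Prove the Edge can now reach the Front End on the SIP/MTLS port.
Test-NetConnection -ComputerName $FrontEndFqdn -Port 5061 |
    Select-Object ComputerName, RemoteAddress, TcpTestSucceeded
```

If step 4 fails while the route shows up correctly, the problem is on the Front End side or in between (host firewall, an intermediate router with no return route), not in the Edge's routing table.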