Lync external client to internal client not connecting for audio

Posted on 2013-06-03
Medium Priority
Last Modified: 2014-01-06

I have set up a demo Lync environment including an edge server.
I have tested all my configurations (i.e. edge ports, SRV records, certs, etc.) and all comes back positive.

My external client (test.user@contoso.com) can connect through edge and can IM internal and other external Lync clients; however, when I try to add audio, I get "Call could not complete due to network issues".

For the sake of testing I have turned off all firewall aspects to my network to confirm that the firewall is not the culprit.

Attached are the logs from the external Lync client (Test User). I was hoping someone would be able to spot the problem.

Question by:SxS777
LVL 35

Expert Comment

ID: 39226544
Nothing attached here, but...
First make sure all services are running on Lync Edge...
If this is OK, it may depend on how you set up your Lync Edge and published it to the internet.
I observed such issues if you use different ports instead of different IPs. As all the services usually try to connect to port 443, this may fail for clients which expect the traffic on this port.

Author Comment

ID: 39227018
Thanks for responding.

Please see re-attached.

Lync services are all running on the edge and remote clients are able to log on and IM. Only audio is not working. I can also telnet to said ports.

The strange thing is that I do not see relay candidates on the front end for such calls, even though all call scenarios in an edge-enabled Lync environment should have at least one media relay candidate.

I'm concerned that this is the cause, which could be a deeper problem.

Look forward to your response.
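
The check described in the comment above (looking for relay candidates in a call's SDP) can be scripted as follows. This is an added example, not part of the original thread or of any Lync tooling; it assumes the SDP in the client log uses RFC 5245-style `a=candidate` lines, and the sample SDP and its addresses are constructed.

```python
import re

# RFC 5245-style line: a=candidate:<foundation> <component> <transport>
#                      <priority> <address> <port> typ <host|srflx|prflx|relay> ...
CANDIDATE = re.compile(
    r"^a=candidate:\S+ \d+ (\S+) \d+ (\S+) (\d+) typ (\w+)", re.IGNORECASE)

# Constructed SDP body (not taken from the poster's log); documentation addresses.
SAMPLE_SDP = """\
v=0
o=- 0 0 IN IP4 192.0.2.20
s=session
c=IN IP4 192.0.2.20
t=0 0
m=audio 20010 RTP/SAVP 0 8 101
a=candidate:1 1 UDP 2130706431 192.0.2.20 20010 typ host
a=candidate:2 1 UDP 1694234623 198.51.100.7 20010 typ srflx raddr 192.0.2.20 rport 20010
m=video 20030 RTP/SAVP 122
a=candidate:1 1 UDP 2130706431 192.0.2.20 20030 typ host
a=candidate:3 1 UDP 16648703 203.0.113.10 52000 typ relay raddr 198.51.100.7 rport 20030
"""

def candidates_by_stream(sdp):
    """Return [(media, {cand_type: [(transport, addr, port), ...]}), ...] in SDP order."""
    streams = []
    for raw in sdp.splitlines():
        line = raw.strip()                      # tolerate CRLF and log indentation
        if line.startswith("m="):
            streams.append(((line[2:].split() or ["?"])[0], {}))
            continue
        match = CANDIDATE.match(line)
        if match and streams:                   # ignore session-level candidates
            transport, addr, port, ctype = match.groups()
            streams[-1][1].setdefault(ctype.lower(), []).append(
                (transport.upper(), addr, int(port)))
    return streams

def streams_missing_relay(sdp):
    """Names of media streams that advertise no 'relay' candidate."""
    return [media for media, cands in candidates_by_stream(sdp) if "relay" not in cands]

if __name__ == "__main__":
    for media, cands in candidates_by_stream(SAMPLE_SDP):
        print(media, {t: len(v) for t, v in cands.items()})
    print("no relay candidate:", streams_missing_relay(SAMPLE_SDP))
```

A stream listed by `streams_missing_relay` offered only host or server-reflexive candidates, which is the symptom the author reports for the failing audio calls.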


Author Comment

ID: 39227021
Not sure why not attaching. Trying again here.

LVL 24

Expert Comment

by:Mohammed Hamada
ID: 39228175
A few questions to begin with.

1- Do you have a public certificate assigned to the external network on the Edge server?
2- Have you created routing for the internal NIC to the subnet which the Front End is on?
3- Have you opened the port range for AV for both protocols, TCP and UDP (50000-59999)?
4- Have you created a static NAT rule (1:1) on your firewall allowing traffic to come from outside, hit your public IP and then be NATted to the DMZ IP assigned to the AV on your Lync topology?

If you can get a snapshot of your Edge configuration from your Lync topology, that would be a good step to start with.

Another thing: go to http://testexchangeconnectivity.com/ and test Lync remote connectivity, make sure you tick the option "Perform Audio/Video Server Connectivity Test", run the test and post your result here.
LVL 24

Accepted Solution

Mohammed Hamada earned 2000 total points
ID: 39228247
Looking at the file you have attached, it seems that it takes a while for you to log in to the Lync client? How are you logged in remotely? From your own network or from a different network?

I can see you're getting an unauthorized message in the beginning, but then you get the 200 OK after a couple of login attempts.

"SIP/2.0 401 Unauthorized
ms-user-logon-data: RemoteUser
Date: Mon, 03 Jun 2013 20:52:04 GMT
WWW-Authenticate: NTLM realm="SIP Communications Service", targetname="W15-LYNC-SE1.Contoso.com", version=4
WWW-Authenticate: TLS-DSK realm="SIP Communications Service", targetname="W15-LYNC-SE1.Contoso.com", version=4, sts-uri="https://sip.majuda.co:4443/CertProv/CertProvisioningService.svc"
From: <sip:test.user@contoso.com>;tag=ed22608227;epid=319917a2c5
To: <sip:test.user@contoso.com>;tag=BBEC516A5687A462823EF734F546884A
Call-ID: d1698293b8c9460784cae432c92ec961
CSeq: 1 REGISTER
Via: SIP/2.0/TLS;received=X.X.X.43;ms-received-port=38370;ms-received-cid=1300
Server: RTC/5.0
Content-Length: 0
ms-diagnostics-public: 1033;reason="Previous hop server component did not report diagnostic information";Domain="contoso.com";PeerServer="W15-LYNC-SE1.Contoso.com""

Checking your access edge FQDN, it also appears that you have no SSL certificate bound to the external network, or it is not installed on the firewall; port 443 is not open as well.

The public certificate for Edge needs to be installed on the firewall so the endpoint party can see that you have a certificate.

Type in the public access edge FQDN, e.g. (sip.domain.com), and test if this website can read your SSL certificate details.


Author Comment

ID: 39230017
Hi guys,

thanks for the good info.

It is surprising you picked up on a cert error, as the certs have been loaded. The edge service did not want to load correctly until the certs were installed.

This is a test environment, so I have all firewall aspects disabled and am running the entire Lync infrastructure on the same subnet to reduce configuration problems.

I was hoping to get it stable and then start tightening security.

I don't leave the system running when we are not working, so that is probably why you could not hit port 443.

Question - I am not running an Exchange server in this configuration. Is it required?

Below are the failed results from testexchangeconnectivity. It seems to say SSL is OK, but SSL checker says SSL is not OK. Any ideas on this?

Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
Tell me more about this issue and how to resolve it
Additional Details
Couldn't sign in. Error: Error Message: The endpoint was unable to register. See the ErrorCode for specific reason..
Error Type: RegisterException.
Deregister Reason: None.
Response Code: 504.
Response Text: Server time-out.


Author Comment

ID: 39230100
Update to last post.

testexchangeconnectivity is returning OK for all tests including AV; however, adding audio to sessions is still failing "due to network connectivity".

LVL 24

Expert Comment

by:Mohammed Hamada
ID: 39230641
The AV part is a bit tricky because it involves so many configurations on Edge/Firewall and FE side.

How are you configuring your Edge server, 2 NICs or one? And could you please describe the IP addresses on each NIC? For instance, is the internal NIC in the subnet of the Front End? And the external NIC or DMZ, how is it configured?

How is your Edge configured on the topology?
If the IPs on the topology are not configured properly, there's a possibility you will always face an issue.

The firewall needs to have static NAT configuration on each IP for AV.
You will need the STUN port enabled for UDP/TCP as well, port number 3478.
LVL 24

Expert Comment

by:Mohammed Hamada
ID: 39230647
Oh and you don't really need Exchange Server, Lync doesn't need Exchange server to run..but if it happens that you have Exchange then you can enable Unified Messaging integration with Lync.
LVL 35

Expert Comment

ID: 39230686
Just another tool to check what the client can see.
You should try it from outside your network.

I have seen the same error as moh10ly. What I'm wondering about is port 4443, which is usually used internally.

I would be interested to see something like a network diagram which shows which IP addresses (at least the end number) and ports you use from edge to firewall and from the firewall to the outside world.

As I said before, I have seen this in situations where the external IP was shared with different ports. After changing the configuration to three different IPs all listening on port 443, the problems went away.

Obviously, each IP which is published to the internet needs to present a cert containing the name of the corresponding edge leg. Also, the other side has to trust the root cert which issued your external edge certs. For public certs this is usually the case.

Author Comment

ID: 39245952
Still working. Will update shortly

Expert Comment

ID: 39550526
We faced the same problem after a migration from Lync 2010 to Lync 2013 with the new Edge Server for 2013.
The solution was, as moh10ly already pointed out, to set a persistent route on the Edge server to find the way to the Front End server:
route add xx.xx.0.0 mask xx.xx.xx.xx if xx metric 1 -p

To get the interface (if) you have to use route print.
