Cannot connect to edge through port 5061

    Question

  • Doing the autodiscover check through Microsoft connectivity web tool, it works great going through port 443.  But this is what I get going through port 5061 on the manual check:

    Attempting to Resolve the host name sip.domain.com in DNS.
    Host successfully Resolved
    Additional Details
    IP(s) returned: (correct IP)
    Testing TCP Port 5061 on host sip.domain.com to ensure it is listening/open.
    The port was opened successfully.
    Testing SSLCertificate for validity.
    The SSLCertificate failed one or more certificate

    Also, this is the message from the sametime gateway that is trying to connect to our edge server:

    [9/21/12 11:44:07:578 EDT] 00000016 SipProxyConne W CWSPX0030W: Unable to connect to client: address = sip.domain.com:5061.

    Any help would be great.

    Thanks

    Jason


    Jason Hopp

    Tuesday, September 25, 2012 12:33 PM

All replies

  • Hi

    I'd start with the certificate.

    1. Is it valid, i.e. does the service start on the edge?

    2. Is the certificate public or internal?

    If you run an nslookup towards the sipfederation record, do you get a hit on that one?


    /Tim

    Tuesday, September 25, 2012 12:40 PM
  • I am kind of new at this, so as far as I know the cert is valid.  It is up to date and public.  It does not expire until next year.

    The cert prop service is started.

    And the _sipfederationtls._tcp SRV record returns port 5061, the svr hostname is sip.domain.com, and the IP it returns is the internet address that we are using.

    Hope that helps.


    Jason Hopp

    Tuesday, September 25, 2012 1:17 PM
  • OK, then we start with the configuration.

    Your edge server configuration: 2 NICs, one going towards your FE Lync server on the inside and one published to the Internet.

    Two certificates deployed to the different NICs. The one facing the Internet should be the one saying sip.domain.com and the one on the internal NIC should say the name of the edge server.

    Also add the FQDN on the edge server.

    Disable IPv6 on the edge server.

    Ports opened on the fw for communication, both to the Internet and facing the internal Lync server.


    /Tim

    Tuesday, September 25, 2012 1:34 PM
  • Edge Server config:

    Internal NIC on the internal DMZ with a route to FE network.  Internal cert set on internal NIC.

    External NIC on the external DMZ, NAT'd to outside address.  Public cert, named sip.domain.com, on external NIC.

    IPv6 is disabled on edge.

    Confirmed that all ports are open.

    Can you clarify a little bit on the FQDN on the edge server?  I believe I have that done as well, just want to make sure.

    Thanks.


    Jason Hopp

    Tuesday, September 25, 2012 1:42 PM
  • Tim,

    Can you verify that Federation was enabled in Topology Builder, Site level?

    Drago


    http://www.lynclog.com

    Tuesday, September 25, 2012 1:45 PM
  • Yes, Federation is enabled in Topology Builder.

    Jason Hopp

    Tuesday, September 25, 2012 2:03 PM
  • OK, let's go back to basics. On the edge server, in Lync Management Shell, run Stop-CsWindowsService. Once completed, open Event Viewer, navigate to Application and Service Logs, Lync Server, and clean all events. Run Start-CsWindowsService in Lync shell, make sure all services have started (or failed to start), go back to Event Viewer and examine the startup events. Look for obvious errors, especially ones related to Access Edge service. Look for proper binding on IPs, ports and certificates.

    Drago


    http://www.lynclog.com

    Tuesday, September 25, 2012 5:53 PM
  • Hi Jason,

    Would you please check the port you specified for the SRV record sip.domain.com? I supposed it was 443; if so, when you perform the remote connectivity test manually you should change the default port 5061 to 443 in "Specify Lync Access Edge Server Port Number". Also you can verify the Access Edge port you defined in the topology.

    Regards,

    Sharon


    Sharon Shen

    TechNet Community Support

    Wednesday, September 26, 2012 6:48 AM
  • Got on with MS, and our port 5061 was fine.  They did not have a public cert on their end.  Once they got that, it started working.

    Jason Hopp

    • Marked as answer by Jason Hopp Thursday, October 04, 2012 5:53 PM
    Thursday, October 04, 2012 5:53 PM
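
Added example, not part of the original thread: a PowerShell check for the situation resolved above, reporting whether the certificate presented on port 5061 chains to a root trusted by the machine running the check and matches the host name. The function name `Test-EdgeCertificate` and its output property names are made up for this example; sip.domain.com is the thread's placeholder host.

```powershell
# Added example: connect to an Access Edge port and report how its TLS certificate validates.
function Test-EdgeCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,   # e.g. sip.domain.com
        [int] $Port = 5061
    )
    # Filled in by the validation callback during the handshake.
    $seen = @{ Errors = $null; Subject = $null; Issuer = $null
               NotAfter = $null; Chain = @(); HandshakeError = $null }

    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($s, $certificate, $chain, $policyErrors)
        $seen.Errors = $policyErrors
        if ($certificate) {
            $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certificate
            $seen.Subject  = $c.Subject
            $seen.Issuer   = $c.Issuer
            $seen.NotAfter = $c.NotAfter
        }
        if ($chain) {
            # e.g. UntrustedRoot for an internal CA, NotTimeValid for an expired certificate
            $seen.Chain = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        }
        # Accept only a certificate with no policy errors, as a strict peer would.
        return ($policyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
    }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        try     { $ssl.AuthenticateAsClient($HostName) }
        catch   { $seen.HandshakeError = $_.Exception.Message }
        finally { $ssl.Dispose() }
    }
    finally { $client.Close() }

    New-Object psobject -Property @{
        Host           = "${HostName}:$Port"
        PolicyErrors   = $seen.Errors      # None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors, ...
        ChainStatus    = ($seen.Chain -join ', ')
        Subject        = $seen.Subject
        Issuer         = $seen.Issuer
        NotAfter       = $seen.NotAfter
        HandshakeError = $seen.HandshakeError
    }
}

# Test-EdgeCertificate -HostName sip.domain.com -Port 5061
```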
  • What do you mean by 'They did not have a public cert on their end'?

    We have a wildcard Thawte certificate for more than 10 years now. I cannot believe that MS can't check that...

    Also: why is it working with the test on 443 and not 5061?

    I have the same problem over here....


    Kind regards / Met vriendelijke groet, IS Group Rob Mulder Kantoorautomatiseerder Wielingenstraat 8 T 0299 476 185 1441 ZR Purmerend F 0299 476 288 www.is.nl / www.isenterprise.com KvK Hoorn 36049256

    Friday, May 09, 2014 12:10 PM