Desktop Sharing fails when connecting to federated site

    Question

  • IM connectivity between the local site and external federated sites is working fine.  Internal desktop sharing is also working fine.  However, attempts to share the desktop with an external federated site fail the same way whether the request is made from the local or external client.

    The client reports, "Sharing failed to connect due to network issues. Try again...".

    Logging shows the following error:

    ms-client-diagnostics: 25; reason="A federated call failed to establish due to a media connectivity failure where both endpoints are internal";CallerMediaDebug="application-sharing:ICEWarn=0x4000220,LocalSite=10.12.2.6:13768,LocalMR=12.222.165.163:56562,RemoteSite=10.8.4.151:21252,RemoteMR=205.140.233.120:58123,PortRange=1025:65000,LocalMRTCPPort=56562,RemoteMRTCPPort=58123,LocalLocation=2,RemoteLocation=2,FederationType=1"

    It appears that Lync is sending the internal IP address of the other client to the federated site, and obviously that client can't connect to the internal address.

    So it appears to me that NAT isn't working properly.  I am advised by the firewall guy that NAT is configured, but I still suspect that something is missing, such as outbound NAT mapping.

    Based on another link with a somewhat similar problem, I made sure that hostname av.company.com resolved to the external IP address, but that didn't fix anything.

    I've scoured over the Lync Edge settings.  The NAT address is the external address of the AV port, and the three external ports are properly configured with their DMZ IP addresses.

    Any ideas, especially what I might tell the firewall guy to configure?


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Friday, June 1, 2012 17:07
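
Added example, not part of the original thread: a Python parser for the diagnostic header quoted in the question, listing each address it carries and marking the RFC 1918 (private) ones so it is easy to see which addresses were exchanged. Function names are hypothetical, the meaning of the individual fields is not documented on this page, and IPv4 `address:port` values are assumed.

```python
import ipaddress
import re

# Diagnostic header exactly as quoted in the question above.
SAMPLE = (
    'ms-client-diagnostics: 25; reason="A federated call failed to establish '
    'due to a media connectivity failure where both endpoints are internal";'
    'CallerMediaDebug="application-sharing:ICEWarn=0x4000220,'
    'LocalSite=10.12.2.6:13768,LocalMR=12.222.165.163:56562,'
    'RemoteSite=10.8.4.151:21252,RemoteMR=205.140.233.120:58123,'
    'PortRange=1025:65000,LocalMRTCPPort=56562,RemoteMRTCPPort=58123,'
    'LocalLocation=2,RemoteLocation=2,FederationType=1"'
)

# Fields in the sample that hold an address:port pair.
ADDRESS_FIELDS = ("LocalSite", "LocalMR", "RemoteSite", "RemoteMR")


def parse_diagnostics(header):
    """Split the header into code, reason, modality and key=value fields."""
    m = re.match(r'\s*ms-client-diagnostics:\s*(\d+)\s*;', header)
    if not m:
        raise ValueError("not an ms-client-diagnostics header")
    params = dict(re.findall(r'(\w+)="([^"]*)"', header))
    modality, _, rest = params.get("CallerMediaDebug", "").partition(":")
    fields = dict(kv.split("=", 1) for kv in rest.split(",") if "=" in kv)
    return {"code": int(m.group(1)), "reason": params.get("reason", ""),
            "modality": modality, "fields": fields}


def classify_candidates(fields):
    """Map each address field to (ip, port, 'private' or 'public')."""
    result = {}
    for name in ADDRESS_FIELDS:
        if name not in fields:
            continue  # header variants may omit a field
        host, _, port = fields[name].rpartition(":")
        ip = ipaddress.ip_address(host)
        scope = "private" if ip.is_private else "public"
        result[name] = (str(ip), int(port), scope)
    return result


def private_addresses(header):
    """Names of the address fields that carry an RFC 1918 address."""
    found = classify_candidates(parse_diagnostics(header)["fields"])
    return [n for n, (_, _, scope) in found.items() if scope == "private"]


if __name__ == "__main__":
    for name, info in classify_candidates(parse_diagnostics(SAMPLE)["fields"]).items():
        print(name, *info)
```
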

Answers

  • In my case, I did have a misconfiguration.  If you have an edge with three IP addresses on the external side, make sure that in your topology the NAT address is set to the address of the AV port.  This is something that just isn't well documented.  But fixing that didn't do anything until we rebooted all the Lync servers.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    • Marked as answer by Ed Crowley MVP, Thursday, August 2, 2012 14:32
    Thursday, August 2, 2012 14:32

All replies

  • Hi, Ed,

    What do you mean by federated sites? Are they in separate forests and federated with the local site by enabling federation on the Lync Edge server, or are they branch sites?

    Would you please verify whether A/V conferencing works well between the federated sites' users and internal users? And make sure you have configured the correct Public A/V Edge IP addresses in the NAT enabled public IP address used sites in Topology Builder and published it.

    Anyway, please make sure STUN/UDP/3478 and STUN/TCP/443 inbound and outbound traffic are not blocked by the firewall, and also TCP 50000-59999. Besides, you can use Wireshark or Netmon to trace the network traffic to find out what blocks the traffic.

    Here are some similar cases for your reference.

    http://social.technet.microsoft.com/Forums/en-US/ocsconferencing/thread/898d047b-0771-4360-bdef-aebbd3845ac1 

    http://social.technet.microsoft.com/Forums/en-US/ocsedge/thread/a694cce2-cc18-43bf-a99c-af1b60328862 

    Hope these are helpful!

    B/R

    Sharon

     


    Sharon Shen

    TechNet Community Support

    Monday, June 4, 2012 08:36
  • Hi, again,

    Some more useful information just for your reference.

    Lync workload poster http://blogs.technet.com/b/drrez/p/lync_2010_workloads.aspx 

    http://www.shudnow.net/2012/04/25/lync-2010-edge-servers-and-ip-requirements-nat-vs-public-ip/ 

    B/R

    Sharon


    Sharon Shen

    TechNet Community Support

    Monday, June 4, 2012 08:46
  • Thank you, I am familiar with both of those references.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Monday, June 4, 2012 15:34
  • Thank you for your response.

    By federated sites, I mean two completely separate Lync organizations.  For the purpose of our testing, the two organizations are my own consulting firm's Lync 2010 server, and my customer's, who's having the problems.  The customer has identical problems trying to do desktop sharing with another business partner, who also has Lync Server 2010.  All sites are configured for dynamic federation, i.e., partner domain federation and anonymous user access to conferences, and all users are configured with a policy that allows communication with federated, public and outside users.

    A/V conferencing works fine internally.  In the published topology, NAT is properly configured with the address of the external AV port address.

    The firewall guy tells us that STUN/UDP/3478, STUN/TCP/443 and TCP ports 50000-59999 are open between the Edge and the Internet.

    I have seen those cases and they don't seem to be the same as mine.  The message being reported doesn't seem to indicate a blocked port, does it?  It's indicating that "both endpoints are internal".  I can't find anything on the Internet about that particular error.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."


    Monday, June 4, 2012 15:46
  • We do have similar problems, and so far can't resolve 'em. I've posted my case here - maybe it'll push you forward.

    http://social.technet.microsoft.com/Forums/en-US/ocsedge/thread/4b6b75c6-9451-4cd9-83de-875d2f6de384

    Thursday, August 2, 2012 07:50