Problem external access and proxy RRS feed

  • Question

  • I have an Enterprise Edition Pool (only one frontend) and an Edge Server. We use Forefront TMG as Reverse Proxy. All clients also use the Forefront TMG as proxy for access to the internet.
    I am now experiencing problems with A/V from remote users and federated contacts. All calls are failing, showing only

    "Callee media connectivity diagnosis info";CalleeMediaDebug="application-sharing:ICEWarn=0x9,LocalSite=172.17.CC.CC:22730,LocalMR=172.17.YYY.YY:3478,RemoteSite=62.47.XX.XX:7597"

    I checked the communication with Wireshark and I found out that SIP signaling is correct, but the internal client is routing the traffic not through the AV Edge Server but over the web proxy (e.g. the TMG), and TMG is blocking the ports (I added a TMG rule for UDP/TCP 50000-59999, but it seems lower and higher ports were used too).

    I guess the internal client wants to build up a direct connection for the A/V traffic with the external client. If the internal client would route A/V traffic through the Access Edge it would work...

    Is there any documentation on what must be considered when using a proxy for the clients?

    Friday, May 18, 2012 10:36 AM

Answers

  • We added a permanent route on the Edge to the client subnet. For now it seems that this has fixed the problem...

    I will keep you updated!


    • Edited by Ewald Murgg Wednesday, May 30, 2012 2:00 PM
    • Proposed as answer by Kent-Huang Thursday, May 31, 2012 2:53 AM
    • Marked as answer by Kent-Huang Thursday, May 31, 2012 10:26 AM
    Wednesday, May 30, 2012 2:00 PM

All replies

  • Hi,

    1. Is there an issue when doing a call between one external user and one internal user?

    2. When these two users are external, they will attempt peer to peer. Because they can successfully connect to each other, they utilize peer-to-peer media. The ports utilized here are TCP/UDP 1024-65535. Because these users connect directly to each other for media, they have no need to connect to the Edge for Audio/Video. In this case, the users are still connected to the Access Edge over port 443 and/or 5061. Thus, please make sure that the port ranges are allowed on both endpoints. Make sure there is no outgoing traffic blocked by router filters on the home network where remote users sign on.

    3. The ports on the Reverse Proxy are mainly used for address book, meeting content, group expansion etc. For A/V traffic, please make sure 5000-59999, UDP 3478, TCP 443 and 5062 are allowed on the Edge Server.

    http://technet.microsoft.com/en-us/library/gg425891.aspx

    4. In addition, please check whether you have the necessary firewall ports open at your Access Edge: http://technet.microsoft.com/en-us/library/gg425882.aspx

    5. Turn on logging on both of the Lync clients. After reproducing the problem, try to collect the logs.

    Regards,

    Kent

    • Edited by Kent-Huang Monday, May 21, 2012 6:33 AM
    Monday, May 21, 2012 6:16 AM
  • Hello,

    ad 1. Yes, the problem occurs with one external user trying to reach an internal user. If both users are external it is working (meaning the peer-to-peer media is working).

    As I mentioned above, all internal users can only reach the internet over a web proxy (a TMG). When an internal user tries to make a call to an external user I can see the web proxy blocking ports (high ports) for that conversation.

    Monday, May 21, 2012 11:03 PM
  • emu78,

    Your post shows

    "Callee media connectivity diagnosis info";CalleeMediaDebug="application-sharing:ICEWarn=0x9,LocalSite=172.17.CC.CC:22730,LocalMR=172.17.YYY.YY:3478,RemoteSite=62.47.XX.XX:7597"

    172.17.cc.cc I'm assuming is a FE or internal client

    172.17.yyy.yy should be your Edge server

    and 62.47.xx.xx the public IP of your remote user or the external IP of their AV Edge server

    Can you post what the TMG says for the reason it blocks the high ports?


    BBB

    Monday, May 21, 2012 11:57 PM
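The reasoning in the reply above (private 172.17.x.x addresses are the internal client and the Edge media relay, the 62.47.x.x address is the remote side) can be automated when triaging many failed calls. The following parser is an added example, not code from the thread or from Microsoft: it extracts the fields of a CalleeMediaDebug line, classifies each address as private (RFC 1918) or public, and flags whether the media relay (LocalMR) is listening on 3478, the STUN/TURN port named earlier in the thread. The sample line is constructed from the quoted diagnostic with the masked octets replaced by made-up values; the ICEWarn code is reported as a number only, since the thread does not document its bit meanings.

```python
import ipaddress
import re

# Constructed sample modelled on the diagnostic line quoted in the thread.
# The masked octets (CC.CC, YYY.YY, XX.XX) are replaced with made-up values.
SAMPLE = ('"Callee media connectivity diagnosis info";'
          'CalleeMediaDebug="application-sharing:ICEWarn=0x9,'
          'LocalSite=172.17.10.20:22730,LocalMR=172.17.200.30:3478,'
          'RemoteSite=62.47.100.5:7597"')

# Port the thread names for the Edge media relay (UDP 3478, STUN/TURN).
MEDIA_RELAY_PORT = 3478


def parse_media_debug(line):
    """Return a dict of the CalleeMediaDebug fields found in a SIP diagnostic line.

    Address fields (LocalSite, LocalMR, RemoteSite) become (host, port) tuples;
    ICEWarn is converted from its hex representation to an int.
    """
    match = re.search(r'CalleeMediaDebug="([^"]*)"', line)
    if not match:
        raise ValueError("no CalleeMediaDebug field in line")
    body = match.group(1)
    modality, _, fields = body.partition(":")
    result = {"modality": modality}
    for item in fields.split(","):
        key, _, value = item.partition("=")
        if key == "ICEWarn":
            result[key] = int(value, 16)
        elif key.endswith("Site") or key.endswith("MR"):
            host, _, port = value.rpartition(":")
            result[key] = (host, int(port))
        else:
            result[key] = value
    return result


def classify(host):
    """'private' for RFC 1918 / non-routable addresses, 'public' otherwise."""
    return "private" if ipaddress.ip_address(host).is_private else "public"


def summarize(line):
    """Describe the media path implied by a diagnostic line.

    Returns a dict with the address classes and two observations a defender
    cares about: whether the media relay is on the expected port, and whether
    the local endpoint is private while the remote one is public (a path that
    must cross the Edge rather than a direct or proxied connection).
    """
    d = parse_media_debug(line)
    local_class = classify(d["LocalSite"][0])
    remote_class = classify(d["RemoteSite"][0])
    return {
        "modality": d["modality"],
        "ice_warn": d["ICEWarn"],
        "local_site": local_class,
        "media_relay": classify(d["LocalMR"][0]),
        "remote_site": remote_class,
        "relay_on_stun_port": d["LocalMR"][1] == MEDIA_RELAY_PORT,
        "private_to_public": local_class == "private" and remote_class == "public",
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Running the block on the constructed sample reports a private local site, a private media relay on the STUN port, and a public remote site, which is exactly the "internal client talking to an external peer" pattern the thread is troubleshooting; feeding it real client log lines lets you spot calls whose media relay is missing or on an unexpected port.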
  • hello

    I had the same problem, and after disabling the local antivirus the problem was solved. Try the connection without antivirus;

    in my case the antivirus was Kaspersky.

    Sunday, May 27, 2012 8:13 AM
  • Hi emu78,
    Is there any update on the issue? If you have fixed the issue, please kindly share the solution with us.

    Regards,
    Kent

    Tuesday, May 29, 2012 8:36 AM