setting up mediation server with separate, public ip address

  • Question

  • We have a mediation server that currently has two IP addresses configured on one NIC. Each IP address has a mapped IP (NAT) from the outside world, with a SIP trunk from Intelepeer set for each IP. Everything works great, except that sporadically we have short periods of time where no new incoming calls can be established. Intelepeer sends the call to us, but the mediation server is not logging any traffic. Our Juniper SSG firewall is currently the suspect.

    To test, we plan to set up the mediation server outside the firewall and see if it alleviates the problem. What steps should I follow to do this? Initially I will add a new NIC to the system, and assign two of our public IP addresses to it. I will alter Topology Builder to reflect separate IP addresses for the mediation server (currently it's set to use all). I will put the default gateway on one of the external IP addresses, and configure static routes for the internal NIC to get to the other servers - where does it need to route to? Obviously to our front end and AV server, and I assume our edge and domain controllers. Will the internal mediation interface ever need to talk to the external public edge interfaces? If so, the routing might get complicated. Would it be simpler to have the default gateway on the internal NIC and just set up a route for each external mediation IP to route to the Intelepeer SIP trunk/PSTN gateway IP address?

    thanks,

    Wes

    Thursday, March 10, 2011 8:31 PM

Answers

  • A topology that will work and allow you to test bypassing the firewall is to assign two NICs to the Mediation server. Set one to an internal IP address so it can communicate with the front end server etc. However, leave the gateway blank, as you do not want to route external traffic from this NIC. The other NIC should be set as an external IP address with the gateway enabled (as it is an external address it will need to be the external gateway address).

    This will ensure all traffic runs straight out bypassing your firewalls.

    (You should not need to set up static routes for the internal nic in this topology)

    • Proposed as answer by Robin.Lester Thursday, March 24, 2011 1:29 PM
    • Marked as answer by Wes Wes Wes Tuesday, April 12, 2011 2:59 PM
    Tuesday, March 22, 2011 5:40 PM
  • Thanks Robin, I actually went this direction last week.  Only thing in our case I did need a couple static routes as our domain controllers are in a different subnet than the Lync servers.  It fixed the problem - beware Juniper SSG boxes + NAT when it comes to Lync mediation traffic!
    • Marked as answer by Wes Wes Wes Tuesday, April 12, 2011 2:58 PM
    Thursday, March 24, 2011 1:55 AM
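
The routing point raised in these two answers, as an added example that is not part of the original posts: with the only default gateway on the external NIC, any internal subnet that is not on-link (here, the domain controllers) follows the default route out of the Internet-facing interface until a static route is added. All addresses and interface names are constructed for illustration, and route metrics are ignored.

```python
import ipaddress

def pick_route(routes, dest):
    """Longest-prefix match; returns (interface, next_hop) or None."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    return None if best is None else (best[1], best[2])

def leaks(routes, internal_hosts, internal_iface="internal"):
    """Names of internal hosts whose traffic would not leave via the internal NIC."""
    out = []
    for name, ip in internal_hosts.items():
        route = pick_route(routes, ip)
        if route is None or route[0] != internal_iface:
            out.append(name)
    return sorted(out)

# Constructed addressing (not taken from the thread).
BASE_ROUTES = [
    ("10.0.1.0/24", "internal", None),          # on-link Lync subnet, no gateway on this NIC
    ("203.0.113.0/28", "external", None),       # on-link public subnet
    ("0.0.0.0/0", "external", "203.0.113.1"),   # the only default gateway
]
INTERNAL_HOSTS = {
    "front-end": "10.0.1.10",
    "av-server": "10.0.1.11",
    "domain-controller": "10.0.2.5",            # different subnet from the Lync servers
}
SIP_TRUNK_PEER = "198.51.100.20"

# Persistent static route for the domain controller subnet via the internal router.
FIXED_ROUTES = BASE_ROUTES + [("10.0.2.0/24", "internal", "10.0.1.1")]

def report():
    return {
        "leaking_before": leaks(BASE_ROUTES, INTERNAL_HOSTS),
        "leaking_after": leaks(FIXED_ROUTES, INTERNAL_HOSTS),
        "trunk_path": pick_route(FIXED_ROUTES, SIP_TRUNK_PEER),
    }

if __name__ == "__main__":
    print(report())
```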

All replies

  • Fire up OCS Logger on the Mediation and the Front End and take a trace for the following components:

    S4, SIPSTACK and Mediation.

    You can then open the log files in Snooper.

    Thanks

    ------Exchange, OCS------
    Tuesday, March 22, 2011 9:45 PM
  • Hey Pesospesos,

     

    I am facing the same issue: I am able to make outside calls, but no luck with incoming calls. My mediation server is collocated with the front end server. I have a mediation server that currently has two IP addresses configured. Each IP address has a mapped IP (NAT) from the outside world, with a SIP trunk from Interoute set for each IP. I am getting a "404 MIssing SIP Header" error in the S4 & SIPStack logs...

    NIC1 - 192.168.100.1 - NATed to 56.X.X.12

    NIC2 - 172.16.4.1 - NATed to 56.X.X.22 - no gateway configured on this NIC

    Pesospesos, could you please suggest the solution for incoming calls to work, as I am stuck. I am using a Cisco ASA firewall.

     

    Thanks in advance..

    _Real

     



    Tuesday, April 12, 2011 10:01 AM
  • Hi Real, hmm, it sounds like you may actually have a different problem. We did not have trouble receiving incoming calls - except every once in a while the firewall would stop accepting them or break them via NAT...
    Tuesday, April 12, 2011 2:58 PM