Lync Client Behind A Proxy


  • Can anyone confirm if the Lync client can be configured to route traffic via a proxy, or to use the proxy settings defined in IE?

    I have the following scenario...

    The environment is heavily locked down, and PCs only have access to the Internet via a defined IE proxy.  Internal IM, presence and communication all work fine.  We have configured federation with some remote organizations.  IM and presence work fine to these orgs, but when any A/V or application sharing is attempted, the media fails.  I can see from traces this is when the client tries (and fails) to access the A/V edge of the remote federated party's edge server.

    I've looked at the Lync settings, reg settings, group policy ADM and documentation, and can't find anything to a) confirm if this behavior is correct or b) any way to work around it.

    There must be other Lync implementations in hardened environments like this.  Opening up outbound ports is out of the question, so what other options do I have?


    Monday, June 18, 2012 10:55 AM

All replies

  • Do your clients have access to your edge server's internal interface?

    SIP/TLS 443 IN

    DNS 53 OUT

    HTTP 80 OUT

    SIP/MTLS 5061 IN/OUT

    PSOM/TLS 443 IN

    RTP/TCP 50000-59999 IN/OUT

    RTP/UDP 5000-59999 IN/OUT

    STUN/TCP 3478 IN/OUT

    STUN/UDP 3478 IN/OUT

    Please remember to click “Mark as Answer” if this resolved the issue.

    Monday, June 18, 2012 4:36 PM
  • These ports should be open from clients to the internal edge interface, and all DNS entries are in place for clients to resolve the edge pool name and individual edge server names.  However, I've read some other forum posts indicating that SIP./AV./WEBCON. DNS entries also need to exist internally.  Could this be the issue and why the client is trying to communicate directly out?

    • Edited by Dave Simm Wednesday, June 20, 2012 8:14 AM
    Tuesday, June 19, 2012 10:44 AM
  • You need to have DNS records that match the names listed in the edge.  Go into topology builder and look at the edge pools.  You should see something about external settings.  Make sure that the listed name can be resolved publicly.  If there is a NAT in front of the server you will need to fill out the "NAT enabled public IP address used" with the public IP being used for AV.

    Please remember to click “Mark as Answer” if this resolved the issue.

    Wednesday, June 20, 2012 5:06 AM
  • Jay, you missed the key word in my last post: "internally".  Functionally, everything about the edge server is working fine.  Clients can log in internally and externally.  Media flow from internal to external clients is fine.  All SIP/AV/WEBCON DNS entries are fine in public DNS along with supporting SRV records.  These interfaces are NAT'd and the AV address is correctly assigned.

    My problem only occurs when an AV session is attempted with a federated partner...

    When any AV or sharing is attempted, from the internal network, to the federated partner, I can see the Lync client attempting to make connections out to the remote federated partner's AV edge (something which it will never be able to do as it's behind a proxy with no direct Internet access).  This is what I'm trying to address.

    Should the SIP/AV/WEBCON address exist INTERNALLY on the corporate DNS servers for internal clients to resolve?  Is this what I have missed?

    Is there any way to instruct the Lync client to route traffic bound for the Internet via a proxy?

    Surely there must be someone else with this scenario in a locked down environment?

    Wednesday, June 20, 2012 8:19 AM
  • Hi,

    There was never a need from Microsoft to create webconf or AV records in your internal DNS; there is not even a document which mentions that these records should be created.

    Have you allowed your users to resolve external domain names through the proxy or not? Are your internal and external domain names the same?

    Have you enabled the required ports between the client and the Edge internal interface?

    If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | MCITP Microsoft Lync

    Friday, June 22, 2012 11:19 PM
  • I think it is not a problem with the proxy.

    Do you have external users? Does it work between external and internal users?

    I think it wouldn't, because I think you don't have routes on the edge server.

    Make sure that you have correct routes on your edge server.

    In every normal organization users are behind a proxy, but they don't have the same problem. My users are also behind a proxy, but they have full functionality with federated users, so think about your edge configuration.

    Thursday, July 5, 2012 9:58 PM
  • Hi Dave,

    No need for the SIP/AV/WEBCON DNS address internally, but you do need the "internal" DNS name of the edge to be resolved.  Do you have a monitoring server deployed? If yes, and you find a failed call, I'm going to have a guess and say that it's failing with an error something like "failed to establish media when one client is internal and the other remote".

    Things to check:

    1. DNS entry for the "internal" edge server name

    2. That UDP 3478 is open to the edge server internal IP from ALL Lync clients

    3. Make sure that "register this entry in DNS" is not ticked on the Internet NICs on the edge server (I have seen this when the Lync client is trying to use the MRAS service on the wrong IP address)



    My UC Thoughts

    Thursday, July 5, 2012 10:38 PM
  • BTW: The proxy in Internet Explorer leverages only web traffic like RGS, DLX, ABS, MEX and so on. If your proxy doesn't know the URL like or the simple URL, your Lync can't reach the FE/web server and they do not have all the functions based on IIS; it does not affect the audio/video media path!

    The media path between an internal user and a federated user traverses the internal NIC Edge interface, proxy component, external NIC to the federated org's external Edge, proxy and so on, depending on the workload. In your position I would troubleshoot on the Edge Server (OCSlogger) and search for ICE errors.

    Go take a look in there.

    Friday, July 6, 2012 12:24 PM
  • Does your internal client have a route to your Edge server?

    Is there no issue with ICE/TURN?

    If you have a monitoring server, you can easily see that by looking at the user report details.



    Thursday, August 2, 2012 12:32 PM
  • Hi Dave.

    I think I am in a similar situation. Have you found a solution? The suggestions here seem to be for federated users.

    Will the meeting request work if I do not have an edge server, just through the corporate proxy? If so, what ports need to be opened? How will the client pass the requests through the corporate proxy?


    Saturday, April 20, 2013 11:17 AM
  • Jay, did you ever get this figured out?  I have a similar type of issue.  We do not do any federation, but when getting invites to meetings from remote companies our thick Lync client launches and tries to go directly out through the firewall on port 443 (blocked on the firewall) versus going out through the proxy correctly.
    Wednesday, August 6, 2014 8:05 PM
  • Hi,

    I have a similar issue right now: our internal clients try to connect directly to the partner federation webconf edge and are blocked by our internal firewall. Is this the right way? Why doesn't the client use our Edge Server?



    Thursday, November 19, 2015 9:24 AM