SfB 2015 Edge Server - SIP/2.0 504 Server time-out

  • Question

  • I have this deployment topology:

    SfB 2015 Server Standard (on Windows Server 2012R2), previously updated from Lync 2013 Server by another administrator.
    SfB 2015 Edge server (on Windows Server 2016); a new clean installation was performed. As far as I can see, certificates and network routes are fine.

    The SfB Edge server uses an internal DNS server, which resolves internal network names and the public Internet. External users can access our public DNS located in the DMZ.

    I created only A records in our public DNS: sip.domain.com, sipexternal.domain.com, lyncdiscover.domain.com, lyncdiscoverexternal.domain.com, which resolve to the external IP address of the SfB Edge server (a single IP with different ports for access, A/V and web conferencing was used).

    Internal users are located in the SIP domain "domain.local". We are planning to allow external access to the SfB infrastructure and move users to the SIP domain "domain.com". So on our internal DNS servers I created a new zone DOMAIN.COM and added sipinternal.domain.com and lyncdiscoverinternal.domain.com, which all resolve to the IP address of the SfB FE server. I also added an A record for the internal IP address of the SfB Edge server.

    An external user gets this error:

    1 Login: FAIL (hr = 0x80ef01f8) 

     VerifyOnEnableEvent result return 10
         ONENABLE_FAIL_SERVER_NOT_REACHABLE
       status=0x80ef01f8
        ACTION: SERVER NOT REACHABLE
            NO MORE SERVER TO TRY
        ACTION : PERMANENT ERROR
    1.1 Lync-autodiscovery: FAIL (hr = 0x80004005) 
    Lync autodiscovery completed with hr: 0X80004005 sipint:  sipext:  authint:  authext:  ucwaint:  ucwaext:  wts:  ucwaurl:  telemetryurl:  isServiceInRefresh: 0 isTempError: 0Lync autodiscovery completed with hr: 0X80004005 sipint:  sipext:  authint:  authext:  ucwaint:  ucwaext:  wts:  ucwaurl:  telemetryurl:  isServiceInRefresh: 0 isTempError: 0
    1.2 DNSAutoDiscovery: PASS



    I do not want to use Lync autodiscovery, just DNS autodiscovery using A records.

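     # $output_file must already hold the path of the file to write.
     # The -CallId line is switched off: the space in "<## >" turns the whole line into a block comment.
     Search-CsClsLogging `
        <##> -OutputFilePath $output_file <##> `
        <##> -StartTime "2020-06-04 17:35:00" <##> `
        <##> -EndTime "2020-06-04 17:37:00" <##> `
        <##> -Uri "sip:test_skype@domain.com" <##> `
        <## > -CallId c95767865bf3488ab91fbf04ab2a2ec1 <##> `
        <##> -Computers skypeedge.domain.com,lync.domain.local <##>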

    TL_INFO(TF_PROTOCOL) [skypeedge\skypeedge]160C.16A8::06/04/2020-14:35:07.657.0000344E (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(261)) [3741166560] 
    Trace-Correlation-Id: 3741166560
    Instance-Id: A7
    Direction: incoming;source="external edge";destination="internal edge"
    Peer: 46.56.113.137:32890
    Message-Type: request
    Start-Line: REGISTER sip:domain.com SIP/2.0
    From: <sip:test_skype@domain.com>;tag=25c247b99d;epid=650755d4b5
    To: <sip:test_skype@domain.com>
    Call-ID: 1310cb27f0cd491ab38646b0d57be95b
    CSeq: 1 REGISTER
    Contact: <sip:192.168.8.100:52156;transport=tls;ms-opaque=9d8a2ccb65>;methods="INVITE, MESSAGE, INFO, OPTIONS, BYE, CANCEL, NOTIFY, ACK, REFER, BENOTIFY";proxy=replace;+sip.instance="<urn:uuid:F9A4F2F4-87EF-597A-98D8-D890BDF7D446>"
    Via:  SIP/2.0/TLS 192.168.8.100:52156
    Max-Forwards: 70
    Content-Length: 0

    TL_INFO(TF_DIAG) [skypeedge\skypeedge]160C.16A8::06/04/2020-14:35:07.657.0000344F (SIPStack,SIPAdminLog::WriteDiagnosticEvent:SIPAdminLog.cpp(827)) [3741166560] $$begin_record
    Severity: information
    Text: The message has a locally hosted domain
    SIP-Start-Line: REGISTER sip:domain.com SIP/2.0
    SIP-Call-ID: 1310cb27f0cd491ab38646b0d57be95b
    SIP-CSeq: 1 REGISTER
    Peer: 46.56.113.137:32890
    Data: domain="domain.com"
    $$end_record

    TL_ERROR(TF_DIAG) [skypeedge\skypeedge]160C.165C::06/04/2020-14:35:19.903.0000348A (SIPStack,SIPAdminLog::WriteDiagnosticEvent:SIPAdminLog.cpp(833)) [3741166560] $$begin_record
    Severity: error
    Text: Message was not sent because the connection was closed
    SIP-Start-Line: REGISTER sip:domain.com SIP/2.0
    SIP-Call-ID: 1310cb27f0cd491ab38646b0d57be95b
    SIP-CSeq: 1 REGISTER
    Peer: lync01.domain.local:5061
    $$end_record

    TL_INFO(TF_DIAG) [skypeedge\skypeedge]160C.165C::06/04/2020-14:35:19.903.0000348B (SIPStack,SIPAdminLog::WriteDiagnosticEvent:SIPAdminLog.cpp(827)) [3741166560] $$begin_record
    Severity: information
    Text: Routed a locally generated response
    SIP-Start-Line: SIP/2.0 504 Server time-out
    SIP-Call-ID: 1310cb27f0cd491ab38646b0d57be95b
    SIP-CSeq: 1 REGISTER
    Peer: 46.56.113.137:32890
    $$end_record

    TL_INFO(TF_PROTOCOL) [skypeedge\skypeedge]160C.165C::06/04/2020-14:35:19.903.0000348D (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(261)) [3741166560] 
    Trace-Correlation-Id: 3741166560
    Instance-Id: A9
    Direction: outgoing;source="local";destination="external edge"
    Peer: 46.56.113.137:32890
    Message-Type: response
    Start-Line: SIP/2.0 504 Server time-out
    From: <sip:test_skype@domain.com>;tag=25c247b99d;epid=650755d4b5
    To: <sip:test_skype@domain.com>;tag=E51FA8F4899DF00301FA45B9D41BC326
    Call-ID: 1310cb27f0cd491ab38646b0d57be95b
    CSeq: 1 REGISTER
    Via: SIP/2.0/TLS 192.168.8.100:52156;received=46.56.113.137;ms-received-port=32890;ms-received-cid=4300
    Content-Length: 0

    TL_WARN(TF_DIAG) [skypeedge\skypeedge]160C.165C::06/04/2020-14:35:19.904.0000348F (SIPStack,SIPAdminLog::WriteDiagnosticEvent:SIPAdminLog.cpp(830)) [3741166560] $$begin_record
    Severity: warning
    Text: Routing error occurred; check Result-Code field for more information
    Result-Code: 0xc3e93c7f SIPPROXY_E_ROUTING_MSG_SEND_CLOSED
    SIP-Start-Line: REGISTER sip:domain.com SIP/2.0
    SIP-Call-ID: 1310cb27f0cd491ab38646b0d57be95b
    SIP-CSeq: 1 REGISTER
    Peer: lync01.domain.local:5061
    $$end_record

    TL_INFO(TF_PROTOCOL) [skypeedge\skypeedge]160C.1660::06/04/2020-14:35:21.377.000034A1 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(261)) [222625767] 
    Trace-Correlation-Id: 222625767
    Instance-Id: AC
    Direction: incoming;source="external edge";destination="internal edge"
    Peer: 46.56.113.137:32888
    Message-Type: request
    Start-Line: REGISTER sip:domain.com SIP/2.0
    From: <sip:test_skype@domain.com>;tag=338bc65581;epid=650755d4b5
    To: <sip:test_skype@domain.com>
    Call-ID: 15298e8f9f9340eb94dbde4be0afd75d
    CSeq: 1 REGISTER
    Contact: <sip:192.168.8.100:52158;transport=tls;ms-opaque=38683b3d28>;methods="INVITE, MESSAGE, INFO, OPTIONS, BYE, CANCEL, NOTIFY, ACK, REFER, BENOTIFY";proxy=replace;+sip.instance="<urn:uuid:F9A4F2F4-87EF-597A-98D8-D890BDF7D446>"
    Via:  SIP/2.0/TLS 192.168.8.100:52158
    Max-Forwards: 70
    Content-Length: 0

    TL_INFO(TF_DIAG) [skypeedge\skypeedge]160C.1660::06/04/2020-14:35:21.377.000034A2 (SIPStack,SIPAdminLog::WriteDiagnosticEvent:SIPAdminLog.cpp(827)) [222625767] $$begin_record
    Severity: information
    Text: The message has a locally hosted domain
    SIP-Start-Line: REGISTER sip:domain.com SIP/2.0
    SIP-Call-ID: 15298e8f9f9340eb94dbde4be0afd75d
    SIP-CSeq: 1 REGISTER
    Peer: 46.56.113.137:32888
    Data: domain="domain.com"
    $$end_record

    TL_ERROR(TF_DIAG) [skypeedge\skypeedge]160C.1660::06/04/2020-14:35:35.903.000034B4 (SIPStack,SIPAdminLog::WriteDiagnosticEvent:SIPAdminLog.cpp(833)) [222625767] $$begin_record
    Severity: error
    Text: Message was not sent because the connection was closed
    SIP-Start-Line: REGISTER sip:domain.com SIP/2.0
    SIP-Call-ID: 15298e8f9f9340eb94dbde4be0afd75d
    SIP-CSeq: 1 REGISTER
    Peer: lync01.domain.local:5061
    $$end_record

    TL_INFO(TF_DIAG) [skypeedge\skypeedge]160C.1660::06/04/2020-14:35:35.904.000034B5 (SIPStack,SIPAdminLog::WriteDiagnosticEvent:SIPAdminLog.cpp(827)) [222625767] $$begin_record
    Severity: information
    Text: Routed a locally generated response
    SIP-Start-Line: SIP/2.0 504 Server time-out
    SIP-Call-ID: 15298e8f9f9340eb94dbde4be0afd75d
    SIP-CSeq: 1 REGISTER
    Peer: 46.56.113.137:32888
    $$end_record

    TL_INFO(TF_PROTOCOL) [skypeedge\skypeedge]160C.1660::06/04/2020-14:35:35.904.000034B7 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(261)) [222625767] 
    Trace-Correlation-Id: 222625767
    Instance-Id: AE
    Direction: outgoing;source="local";destination="external edge"
    Peer: 46.56.113.137:32888
    Message-Type: response
    Start-Line: SIP/2.0 504 Server time-out
    From: <sip:test_skype@domain.com>;tag=338bc65581;epid=650755d4b5
    To: <sip:test_skype@domain.com>;tag=E51FA8F4899DF00301FA45B9D41BC326
    Call-ID: 15298e8f9f9340eb94dbde4be0afd75d
    CSeq: 1 REGISTER
    Via: SIP/2.0/TLS 192.168.8.100:52158;received=46.56.113.137;ms-received-port=32888;ms-received-cid=4500
    Content-Length: 0

    TL_WARN(TF_DIAG) [skypeedge\skypeedge]160C.1660::06/04/2020-14:35:35.904.000034B9 (SIPStack,SIPAdminLog::WriteDiagnosticEvent:SIPAdminLog.cpp(830)) [222625767] $$begin_record
    Severity: warning
    Text: Routing error occurred; check Result-Code field for more information
    Result-Code: 0xc3e93c7f SIPPROXY_E_ROUTING_MSG_SEND_CLOSED
    SIP-Start-Line: REGISTER sip:domain.com SIP/2.0
    SIP-Call-ID: 15298e8f9f9340eb94dbde4be0afd75d
    SIP-CSeq: 1 REGISTER
    Peer: lync01.domain.local:5061
    $$end_record

    TL_INFO(TF_PROTOCOL) [skypeedge\skypeedge]160C.1660::06/04/2020-14:35:37.551.000034C4 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(261)) [4215924845] 
    Trace-Correlation-Id: 4215924845
    Instance-Id: B1
    Direction: incoming;source="external edge";destination="internal edge"
    Peer: 46.56.113.137:32864
    Message-Type: request
    Start-Line: REGISTER sip:domain.com SIP/2.0
    From: <sip:test_skype@domain.com>;tag=c96cef4f36;epid=650755d4b5
    To: <sip:test_skype@domain.com>
    Call-ID: 72e82f26f75b4611afcda707c05130eb
    CSeq: 1 REGISTER
    Contact: <sip:192.168.8.100:52160;transport=tls;ms-opaque=28bd3f1085>;methods="INVITE, MESSAGE, INFO, OPTIONS, BYE, CANCEL, NOTIFY, ACK, REFER, BENOTIFY";proxy=replace;+sip.instance="<urn:uuid:F9A4F2F4-87EF-597A-98D8-D890BDF7D446>"
    Via:  SIP/2.0/TLS 192.168.8.100:52160
    Max-Forwards: 70
    Content-Length: 0

    TL_INFO(TF_DIAG) [skypeedge\skypeedge]160C.1660::06/04/2020-14:35:37.552.000034C5 (SIPStack,SIPAdminLog::WriteDiagnosticEvent:SIPAdminLog.cpp(827)) [4215924845] $$begin_record
    Severity: information
    Text: The message has a locally hosted domain
    SIP-Start-Line: REGISTER sip:domain.com SIP/2.0
    SIP-Call-ID: 72e82f26f75b4611afcda707c05130eb
    SIP-CSeq: 1 REGISTER
    Peer: 46.56.113.137:32864
    Data: domain="domain.com"
    $$end_record

    TL_ERROR(TF_DIAG) [skypeedge\skypeedge]160C.1660::06/04/2020-14:35:51.903.000034D1 (SIPStack,SIPAdminLog::WriteDiagnosticEvent:SIPAdminLog.cpp(833)) [4215924845] $$begin_record
    Severity: error
    Text: Message was not sent because the connection was closed
    SIP-Start-Line: REGISTER sip:domain.com SIP/2.0
    SIP-Call-ID: 72e82f26f75b4611afcda707c05130eb
    SIP-CSeq: 1 REGISTER
    Peer: lync01.domain.local:5061
    $$end_record

    TL_INFO(TF_DIAG) [skypeedge\skypeedge]160C.1660::06/04/2020-14:35:51.904.000034D2 (SIPStack,SIPAdminLog::WriteDiagnosticEvent:SIPAdminLog.cpp(827)) [4215924845] $$begin_record
    Severity: information
    Text: Routed a locally generated response
    SIP-Start-Line: SIP/2.0 504 Server time-out
    SIP-Call-ID: 72e82f26f75b4611afcda707c05130eb
    SIP-CSeq: 1 REGISTER
    Peer: 46.56.113.137:32864
    $$end_record

    TL_INFO(TF_PROTOCOL) [skypeedge\skypeedge]160C.1660::06/04/2020-14:35:51.904.000034D4 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(261)) [4215924845] 
    Trace-Correlation-Id: 4215924845
    Instance-Id: B3
    Direction: outgoing;source="local";destination="external edge"
    Peer: 46.56.113.137:32864
    Message-Type: response
    Start-Line: SIP/2.0 504 Server time-out
    From: <sip:test_skype@domain.com>;tag=c96cef4f36;epid=650755d4b5
    To: <sip:test_skype@domain.com>;tag=E51FA8F4899DF00301FA45B9D41BC326
    Call-ID: 72e82f26f75b4611afcda707c05130eb
    CSeq: 1 REGISTER
    Via: SIP/2.0/TLS 192.168.8.100:52160;received=46.56.113.137;ms-received-port=32864;ms-received-cid=4700
    Content-Length: 0

    TL_WARN(TF_DIAG) [skypeedge\skypeedge]160C.1660::06/04/2020-14:35:51.904.000034D6 (SIPStack,SIPAdminLog::WriteDiagnosticEvent:SIPAdminLog.cpp(830)) [4215924845] $$begin_record
    Severity: warning
    Text: Routing error occurred; check Result-Code field for more information
    Result-Code: 0xc3e93c7f SIPPROXY_E_ROUTING_MSG_SEND_CLOSED
    SIP-Start-Line: REGISTER sip:domain.com SIP/2.0
    SIP-Call-ID: 72e82f26f75b4611afcda707c05130eb
    SIP-CSeq: 1 REGISTER
    Peer: lync01.domain.local:5061
    $$end_record

    So it seems like the SfB Edge could not connect to the internal SfB server, but the firewall does not drop anything between the edge and internal servers in either direction.

    From the internal network I can successfully sign in as test_skype@domain.com or any other user from both SIP domains on a non-domain computer. When I try to log in with the SfB Client installed on the SfB Edge server, I am also unable to log in as ANY user, even using internal DNS with configured A records in the DOMAIN.COM and DOMAIN.LOCAL zones. I receive a password prompt, and then "Contacting server and signing in..." indefinitely.

    When signing in to the SfB Client from an external computer I get "The server is temporarily unavailable". The log I provided earlier shows just this situation.

    Please excuse me for my English )) Need help to solve my problem.


    Thursday, June 4, 2020 3:37 PM
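
The trace in this post repeats the same pattern for every sign-in attempt. As an added example (not part of the original post), the Python below groups CLS text records by Call-ID and reports, per attempt, the client, the next hop that failed, the result code, the elapsed time, and whether the 504 was generated by the Edge itself. `parse_records`, `summarize` and the abridged `SAMPLE` are names made up for this example; the field names are the ones visible in the trace.

```python
import re
from collections import defaultdict
from datetime import datetime

# Abridged from the first REGISTER attempt in the trace above (most headers trimmed).
SAMPLE = r"""
TL_INFO(TF_PROTOCOL) [skypeedge\skypeedge]160C.16A8::06/04/2020-14:35:07.657.0000344E (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(261)) [3741166560]
Direction: incoming;source="external edge";destination="internal edge"
Peer: 46.56.113.137:32890
Message-Type: request
Start-Line: REGISTER sip:domain.com SIP/2.0
Call-ID: 1310cb27f0cd491ab38646b0d57be95b

TL_ERROR(TF_DIAG) [skypeedge\skypeedge]160C.165C::06/04/2020-14:35:19.903.0000348A (SIPStack,SIPAdminLog::WriteDiagnosticEvent:SIPAdminLog.cpp(833)) [3741166560] $$begin_record
Text: Message was not sent because the connection was closed
SIP-Call-ID: 1310cb27f0cd491ab38646b0d57be95b
Peer: lync01.domain.local:5061
$$end_record

TL_INFO(TF_PROTOCOL) [skypeedge\skypeedge]160C.165C::06/04/2020-14:35:19.903.0000348D (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(261)) [3741166560]
Direction: outgoing;source="local";destination="external edge"
Peer: 46.56.113.137:32890
Message-Type: response
Start-Line: SIP/2.0 504 Server time-out
Call-ID: 1310cb27f0cd491ab38646b0d57be95b

TL_WARN(TF_DIAG) [skypeedge\skypeedge]160C.165C::06/04/2020-14:35:19.904.0000348F (SIPStack,SIPAdminLog::WriteDiagnosticEvent:SIPAdminLog.cpp(830)) [3741166560] $$begin_record
Text: Routing error occurred; check Result-Code field for more information
Result-Code: 0xc3e93c7f SIPPROXY_E_ROUTING_MSG_SEND_CLOSED
SIP-Call-ID: 1310cb27f0cd491ab38646b0d57be95b
Peer: lync01.domain.local:5061
$$end_record
"""

# Record header: level, timestamp (milliseconds kept), trailing [correlation id].
HEADER = re.compile(r"^TL_(\w+)\(\w+\) \S+::(\d\d/\d\d/\d{4}-\d\d:\d\d:\d\d\.\d{3})\.\w+ .*\[(\d+)\]")

def parse_records(text):
    """Split CLS text output into records with their 'Key: value' fields."""
    records, current = [], None
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:
            when = datetime.strptime(m.group(2), "%m/%d/%Y-%H:%M:%S.%f")
            current = {"level": m.group(1), "time": when, "corr": m.group(3), "fields": {}}
            records.append(current)
        elif current and ": " in line:
            key, value = line.split(": ", 1)
            current["fields"][key] = value
    return records

def summarize(records):
    """Per Call-ID: who sent the request, which hop failed, what was answered."""
    calls = defaultdict(dict)
    for rec in records:
        f = rec["fields"]
        call = calls[f.get("Call-ID") or f.get("SIP-Call-ID") or "unknown"]
        if f.get("Message-Type") == "request":
            call.update(client=f["Peer"], request=f["Start-Line"], started=rec["time"])
        elif f.get("Message-Type") == "response":
            call.update(response=f["Start-Line"], ended=rec["time"],
                        generated_by_edge='source="local"' in f.get("Direction", ""))
        elif "Result-Code" in f:
            call.update(result=f["Result-Code"].split()[-1], failed_hop=f["Peer"])
    for call in calls.values():
        if "started" in call and "ended" in call:
            call["seconds"] = (call["ended"] - call["started"]).total_seconds()
    return dict(calls)

if __name__ == "__main__":
    for call_id, info in summarize(parse_records(SAMPLE)).items():
        print(call_id, info)
```

Run against the full output file, each Call-ID with `generated_by_edge` set and a `failed_hop` entry is an attempt where the Edge answered on its own after the leg to the listed next hop failed.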

All replies

  • Hi Александр Николаевич Егоров,

    What is your environment, on-premises or hybrid?

    Can a user with domain.local sign in to the client from the Internet?

    About the issue, you can add the following CNAME record to your domain:

    • DNS record type: CNAME
    • Name: sip
    • Value/Destination: sipdir.online.lync.com

    If you want to configure hybrid connectivity, please read this article: https://docs.microsoft.com/en-us/SkypeForBusiness/hybrid/plan-hybrid-connectivity?toc=/SkypeForBusiness/sfbhybridtoc/toc.json.

    Please note that all users should be created in the on-premises Active Directory first, and then synchronized to Azure AD.


    Best Regards,
    Sharon Zhao


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Friday, June 5, 2020 5:34 AM
  • Thanks for reply!

    We use on-premise deployment only.
    No user can sign in from internet using DOMAIN.LOCAL or DOMAIN.COM SIP-domain.

    For now I am willing to install a new SFB Front End pool in my organization, migrate all users to it and then try to configure external access again. After that I will add the same services as in the old pool.

    Friday, June 5, 2020 6:57 AM
  • Hi Александр Николаевич Егоров,

    The cause of this issue seems related to the configuration of Edge server. You can refer to the following article to check the settings: http://blog.schertz.name/2016/03/skype-for-business-2015-edge-server-deployment/.

    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.


    Best Regards,
    Sharon Zhao



    Friday, June 5, 2020 9:43 AM
  • I have read this article, as well as many others ))

    Let's start again.

    Certificates are fine, I have no doubts about them, otherwise I could see SCHANNEL errors in event logs on internal frontend servers and external clients. Internal cert was taken from internal CA with default parameters plus added external SIP domain. External cert was also taken from internal CA, Subject Name was set to FQDN of edge server, Subject Alternative Name was set to SIP, SIPEXTERNAL, LYNCDISCOVER, LYNCDISCOVEREXTERNAL with domain.local and domain.com suffixes. Root CA cert of course was installed to external client.

    Network routes are also fine; I can ping and open via telnet all necessary ports from the internal network to the edge and from the edge to the internal frontend servers.

    The internal adapter has no default gateway; the route was configured by hand. Internal DNS servers were configured.

    The external adapter has a default gateway and I can access the Internet, but no external DNS servers were configured; internal servers are used instead (configured on the internal adapter). The internal DNS servers have our external domain zone with sip, sipinternal, lyncdiscover, lyncdiscoverinternal A records. I also added SRV records _SIP._TLS and _SIPINTERNAL._TLS pointing to the internal front-end server. I think I can remove the SIP and SIPINTERNAL A records and _sip._tls also.

    External access was configured in SfB Control Panel - added policy with necessary settings, granted test user this external access policy, allowed external access in edge server configuration.

    For now I am migrating all users and services to another frontend pool, after that I will reconfigure topology to use edge server by new frontend pool. Not finished yet, and I hope after moving Central Management Store I will be able to log in from external clients.

    Sunday, June 7, 2020 1:34 AM
  • Installed a new SfB Front End pool using Standard Edition. The new OS is Windows Server 2016. All SFB servers in the topology were updated to CU 11. I have an additional SQL server with archiving and monitoring databases.

    Yesterday I successfully migrated CMS to new SFB pool, replication is going fine, several tests also show no problems. It must be I do not know yet which tests should be run to find my problem.

    Edge server was reassigned to use new next-hop pool in topology, and this pool was also associated to Edge server. All is fine, as I can see.

    One error is in Event Log on old SFB pool server, but it must not interfere with external access for users. Error is as follows:
    "LS Centralized Logging Agent"
    C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Tracing\CLS_WPP_06-04-2020-09-21-09.cache
    Exception: NetworkCacheDirForAgent  not set in Cls Configuration.

    And other files mentioned same way. This is not a problem for me.

    Monday, June 8, 2020 4:55 PM
  • Hi Александр Николаевич Егоров,

    Now, can user connect front-end server from Internet normally?


    Best Regards,
    Sharon Zhao



    Wednesday, June 10, 2020 9:05 AM
  • No. If anyone could, I would have mentioned that ))

    Still working on it. I don't know what exactly goes wrong in my environment, it must be something I missed. That is why I asked help here.

    Wednesday, June 10, 2020 8:29 PM
  • So, if you have nothing to ask me to help you to help me, I will again describe my situation on edge server. 

    Double-checked the configuration on the edge. Network adapters are fine, just as I mentioned in the first post of this thread. The internal adapter has no default gateway, it was manually added with ROUTE ADD. Internal DNS works fine. Telnet opens all necessary ports - 5061, 4443, 443, 80 on the internal SFB Front End server. Oh, replication goes fine! This is enough to say whether the internal network is routable!

    The external adapter has a default gateway, no DNS configured. I can telnet to some external web servers, microsoft.com for example.

    So network is absolutely no doubt fine.

    Certificates. All have private key. 
    Internal cert has Subject CN=servername.domain.com, issued by internal CA using deployment wizard. No errors about it on edge or Front End servers. Replication goes fine, again.

    External cert has Subject CN=servername.domain.com,
    Subject Alternative Name:
    DNS Name=sip.domain.com
    DNS Name=sip.domain.local
    DNS Name=sipexternal.domain.com
    DNS Name=lyncdiscover.domain.com
    DNS Name=lyncdiscoverexternal.domain.com
    DNS Name=domain.com
    DNS Name=domain.local
    DNS Name=edgeserver.domain.com

    We use NAT. For testing purposes I disabled NAT in the edge configuration, created a client machine in the DMZ, and configured it to find our external DNS and edge server. So this client should behave as an external computer on the Internet, but without corporate firewall interference. MS Network Monitor shows that it successfully communicates with our public DNS servers, requests DNS records and uses them to locate the SFB edge server. Then it communicates with it and sends packets, so all works fine on this side. But the log is quite the same as in the first post - timeout, Routing error occurred (what does it mean?), etc.

    I have a new question. Could I use my client machine in DMZ without turning off NAT in edge configuration? Not sure about it, simply I do not have working environment to test it ))


    Wednesday, June 10, 2020 11:38 PM
  • Found a warning in the Event Log a couple of minutes ago - the system cannot download the latest CRL for the internal and external certificates. Downloaded the CRL manually and installed it on the edge server, but it did not help. Again ))
    Wednesday, June 10, 2020 11:47 PM
  • Made a testlab environment. Added NAT support to edge server configuration in topology builder, gave some time to let replication complete, and successfully connected to skype for business from DMZ network. I mean this configuration:

    Edge server external IP - 172.1.1.128 (DMZ network), NAT address is 2.2.2.2 (who cares?)

    External DNS IP - 172.1.1.130

    Client computer in DMZ - 172.1.1.129

    And connection goes fine even before NAT. So I can use it for testing.

    Thursday, June 11, 2020 8:19 AM
  • Hi Александр Николаевич Егоров,

    Thanks for your update.

    So, now the client in the DMZ can sign in without problem.

    Due to resource limitation, we have no condition to test your scenario. Thanks for your understanding.


    Best Regards,
    Sharon Zhao



    Friday, June 12, 2020 9:50 AM
  • You did not understand. It seems you read inattentively.

    I just made test environment in my testlab, successfully deployed SFB edge server in virtual DMZ with NAT and connected to SFB from DMZ network using regular client, before NAT starts working.

    But I still can NOT login in my production environment.

    Couldn't you say "I do NOT know anything about testing and verifying configuration"? Please. The Internet is full of the same advice - here is some article, read it please and be happy. You gave me the same advice. Thanks a lot, but it did not help me.

    Recently I attended the course "20334 Core Solutions of Skype for Business 2015" where the trainer said that sometimes he cannot start the SFB Edge server even using the copy-paste method while installing and configuring external access. It just won't start working without any visible reason. Is this a common situation? Maybe some skilled admin has an answer.

    Saturday, June 13, 2020 8:49 AM
  • Hi Александр Николаевич Егоров,

    Sorry for misunderstanding your words.

    I only deployed the test environment. About the actual production environment, I don’t know much.

    It’s a pity that I cannot provide useful support for your situation.


    Best Regards,
    Sharon Zhao



    Wednesday, June 17, 2020 8:11 AM
  • Finally found our problem. It's firewall.

    It is too smart; it can monitor and protect traffic not only by IP address or port number, but also by traffic signatures. It seems it somehow interferes with SIP traffic, which ruins the logon process, but at the same time replication goes fine. When I connect the test server directly to the Internet and directly to the internal LAN, all works fine.

    We are investigating what we can do with our firewall; if we find out something interesting, I will post it here.

    Wednesday, June 24, 2020 7:53 PM
  • Hi Александр Николаевич Егоров,

    Thanks for kindly sharing.


    Best Regards,
    Sharon Zhao



    Thursday, June 25, 2020 7:21 AM
  • Update.

    Discovered that firewall works fine. Actually I can not place internal FE and Edge server in different subnets. For example internal FE has IP 192.168.1.15/24 and Edge server has 192.168.90.15/24, logon process fails. Wireshark shows only replication traffic on port 4443, but there is no 5061 port. As usual I checked ping, telnet, DNS-records and nslookup with name and FQDN - all is fine. Access service on Edge server simply refuses to send authentication requests to FE on 5061 port.

    If I place Edge server in same subnet with IP 192.168.1.115/24 (i.e.) I can log in from outside network, all works fine. I asked colleagues from some other organizations, they do not know why is that happening. It was not supposed to happen.

    PS.
    Mrs. sharon_zhao, do NOT mark any post as answer. It is MY duty (not yours) to say who was my savior and how he helped me.

    Wednesday, July 1, 2020 4:24 PM
  • Hi Александр Николаевич Егоров,

    Sure, it is your right. 


    Best Regards,
    Sharon Zhao




    Thursday, July 2, 2020 6:24 AM
  • Didn't find a solution and finally declined to move on.

    I deployed a reverse proxy for WEB-service publication and am now able to create web conferences with external users and log in with the mobile SfB client; that's quite enough for our users. Unfortunately I still need the Edge Server running for sound and video to function correctly, for Address Book search, for mobile access.

    The Windows desktop client is still unable to log on.

    Wednesday, August 12, 2020 9:07 AM