Tuesday, July 01, 2008 7:43 AM
For our customer we built a test lab to do some testing around their potential OCS EE (Expanded Edition) topology with remote access.
We built the whole internal infrastructure and a simulated remote access scenario, which consists of an edge infrastructure (one A/V Edge and one consolidated Web Conferencing/Access Edge) and an internet simulation, built by connecting a client to our external ISA interface and simulating the internet with hosts-file entries and static routing. The edge servers are routed (not NATed) on both sides (Private DMZ and Public DMZ).
Edge is implemented with one ISA 2006 which has External/LAN/Private DMZ/Public DMZ Interfaces and is our Reverse Proxy.
Authentication is done via an OCS SE Director. At the moment there are no load balancers implemented.
Everything runs fine. No Validation Wizard failures on any OCS server. Remote access runs without failures if we connect from our "simulated internet client" Client 2 to our LAN Client 3 (same LAN subnet as the OCS infrastructure). The same holds if we connect from a client (Client 1) behind a router, one hop away from the OCS infrastructure's internal LAN (no access lists, just routing), to Client 3 (same LAN as the OCS infrastructure). No problems, including A/V, Live Meeting from remote or internal, IM and so on. The only case which doesn't work is the A/V communication from Client 1 (internet simulation) to Client 2 (subnet behind the OCS LAN). IM runs fine, but A/V always fails with "Media Connectivity failure" after a few seconds. If we do some firewall logging, it seems that both clients try to connect directly to each other, or connection attempts are started from the external interface of the A/V Edge to Client 1, which is naturally forbidden on our ISA.
Are there any known problems in such a scenario with STUN/ICE/TURN? It seems that the SDP candidates are not found correctly.
A/V Connectivity with all clients in a conference is possible because the RTP Streams go centrally to the MCU!
Could it be that STUN/ICE/TURN has a problem if the public interfaces (Edge) and our internet simulation are supplied with private IP ranges (10.x.x.x / 192.168.x.x) just for testing purposes?
Does anybody have an idea?
Thursday, August 07, 2008 5:49 PM
This actually sounds like a routing issue on the A/V Edge. I would need to know more, but it sounds like it is trying to route the internal traffic across the external NIC, which will have a problem. I would see about adding a route entry to point it to the NIC you want it to go through.
Thursday, August 07, 2008 7:43 PM
Have you read this document?
Designing Your Perimeter Network for Office Communications Server 2007 White Paper
Did you open all required ports?
TCP and UDP 50000 - 59999 (that's right, 10000 ports open)