OCS with Multiple Internal Non-Routed Networks, All Can See the Front End and the Internal Side of the Edge Server

  • Question

  • Hello

    We have a bit of a complex network, but the short version is: schools VPN into a central network. Down this VPN they can see the Front End Server and the internal network of the Edge Server. But they cannot route between each other.

    According to this website http://www.shudnow.net/2009/08/29/office-communications-server-2007-r2-audiomedia-negotiation/

    When two internal users cannot negotiate a media link between the two, they should use the internal network card of the Edge Server to route between them. At the moment I can connect Internal to External and External to External, but when it comes to internal to internal it seems to connect for a few seconds but then disconnects before video can be shown.

    Is it correct that they should use the internal network card of the edge server? If so I will look further into the problem, or do I have to look at somehow getting routing working between schools (probably won't be allowed due to the spread of viruses etc.)?

    cheers

    Ian
    Thursday, September 3, 2009 8:26 AM

Answers

  • Jeff, I believe you meant 40, not 30. Check the minimum number of ports section here: http://technet.microsoft.com/en-us/library/dd572230%28office.13%29.aspx. Technically, 30 would work, but 40 is recommended as a minimum because when you escalate a conference from peer to peer to a multiparty conference, double the ports are utilized temporarily.

    And just a side note about 3478 UDP and TCP 443. 3478 UDP will always be attempted first. During ICE negotiation, if it determines that 3478 UDP is unavailable, TCP 443 is then returned to the client during ICE negotiation. I've pretty much tested every connection attempt as I described in my article and validated all of them, as well as using 3478 first and then blocking it, and successfully saw 443 returned as a result in negotiation.

    Btw, if you guys want to learn more about all this stuff, you guys can watch the following webcast.  It goes into some pretty good detail:
    https://www.microsoft.com/events/series/unifiedcommunications.aspx?tab=Webcasts&seriesid=104&webcastid=4636
    Friday, September 4, 2009 12:44 AM

All replies

  • Hi Ian,

    As far as I understand your setup, you have one central OCS Pool and your schools are connected via VPN connections.

    It is important to understand that media connections in peer-to-peer communication are always negotiated and initiated directly between those two peers.
    If you have more than two communication peers, media communication goes via the A/V Conferencing Server (MCU) of your OCS Pool.

    So in your scenario it must be possible to communicate between peers in different locations over all required protocols if you would like to support peer-to-peer A/V communication.

    This scenario doesn't have anything to do with your edge server. The edge server comes into play if you have at least one communication peer outside your network which is connected via the internet, like remote users, federated users or anonymous users.

    Cheers

    Michael
    Thursday, September 3, 2009 9:43 AM
  • Hi Ian

    I have read the article you are referring to, and I find it hard to believe he is wrong; he actually has some really good stuff out there. But it has been my experience that all calls are peer to peer when inside your LAN. Based on that article I am going to review the SIP traces I have taken in the past and see if I can see the internal NIC address being given as part of the negotiation process. I will let you know shortly.


    Mitch Roberson |MCITP:Enterprise Server Admin, Messaging |MCTS:OCS with Voice Achievement |MCT
    Thursday, September 3, 2009 2:04 PM
  • Elan's article is correct. If two internal clients attempt a peer-to-peer media (or Desktop Sharing) session and are unable to connect due to firewalls filtering the required media ports between them, then (if an Edge server is deployed and configured) they will attempt to contact the Internal Edge interface over 443 and 3478. In this case the media port range of 1024-65535 is not required, as the clients will each use only those two ports for media.

    If an Edge server does not exist and internal client networks are filtered, then it's recommended to reduce the media port range down to 30 defined ports and then open only those ports on the firewalls.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Thursday, September 3, 2009 6:02 PM
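    The media-path behaviour described in the answers above (direct peer-to-peer over the media port range, otherwise the internal Edge interface on UDP 3478 first and then TCP 443, plus the 40-port minimum for a reduced range when no Edge exists), modelled as an added Python example. This is not code from the thread or from Microsoft; the zone names and the firewall policy are constructed for illustration.

```python
from dataclasses import dataclass, field

# Default Communicator media range; Edge fallback order follows the answers above.
MEDIA_RANGE = range(1024, 65536)
EDGE_FALLBACK = (("udp", 3478), ("tcp", 443))
MIN_P2P_PORTS = 40  # recommended minimum when the media range is reduced


@dataclass
class Policy:
    """Constructed firewall model: (src_zone, dst_zone) -> set of allowed (proto, port)."""
    rules: dict = field(default_factory=dict)

    def allow(self, src, dst, proto, ports):
        self.rules.setdefault((src, dst), set()).update((proto, p) for p in ports)

    def allows(self, src, dst, proto, port):
        return (proto, port) in self.rules.get((src, dst), set())


def select_media_path(policy, a, b, media_ports=MEDIA_RANGE, edge_zone=None):
    """Return 'direct', 'edge:<proto>/<port>' or 'fail' for peer-to-peer media
    between zones a and b, following the fallback order described in the thread."""
    if all(policy.allows(x, y, "udp", p) for x, y in ((a, b), (b, a)) for p in media_ports):
        return "direct"
    if edge_zone is None:
        return "fail"
    for proto, port in EDGE_FALLBACK:  # both clients must reach the internal Edge interface
        if all(policy.allows(z, edge_zone, proto, port) for z in (a, b)):
            return f"edge:{proto}/{port}"
    return "fail"


def check_media_range(ports, edge_deployed):
    """Without an Edge, a reduced media range should hold at least 40 ports (conference escalation)."""
    if edge_deployed or len(ports) >= MIN_P2P_PORTS:
        return "ok"
    return f"too narrow: {len(ports)} < {MIN_P2P_PORTS}"


def demo():
    """Two constructed school VPN sites that cannot route to each other but both reach the Edge."""
    pol = Policy()
    for site in ("school_a", "school_b"):
        pol.allow(site, "edge_internal", "udp", [3478])
        pol.allow(site, "edge_internal", "tcp", [443])
    first = select_media_path(pol, "school_a", "school_b", edge_zone="edge_internal")
    pol.rules[("school_a", "edge_internal")].discard(("udp", 3478))  # UDP 3478 filtered at one site
    second = select_media_path(pol, "school_a", "school_b", edge_zone="edge_internal")
    narrow = check_media_range(range(50000, 50030), edge_deployed=False)
    return first, second, narrow
```

    Running `demo()` shows the three cases in order: Edge fallback over UDP 3478, fallback to TCP 443 once UDP 3478 is filtered at one site, and a 30-port reduced range flagged as below the recommended 40.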
  • Thanks very much for replying. Didn't mean to question what you/he had put; when we tried it, it didn't work and I wanted to check that bit before diving into fault finding (had limited time/knowledge on the project). We have since tried again and it has worked. Thanks very much for all your replies; if it wasn't for articles and forums like these my job would be a whole lot harder. It's actually turned out better than I thought. The bit about it only using the two ports when communicating with the internal side as well has certainly helped.

    If I ever meet any of you I'll certainly be buying lots of pints :)

    Ian

    Sunday, September 6, 2009 10:21 AM
  • Elan

    Thanks for the good info. I had just never noticed the behaviour before, but when I did a trace sure enough it had the edge in the trace.

    Thanks again. Always good to learn more on the forums.
    Mitch Roberson |MCITP:Enterprise Server Admin, Messaging |MCTS:OCS with Voice Achievement |MCT
    Monday, September 7, 2009 2:41 AM
  • Another tidbit of information is that the Communicator UCCP log in the Tracing directory in the user's Windows profile shows the ICE negotiation. It'll show where the client connects and over what port it uses to establish the A/V session.
    Wednesday, September 9, 2009 9:44 PM