Limited external calling

  • Question

  • We have a small lab deployment with one standard OCS and one Edge server; users in the internal network connect to the OCS without problems. Users outside the firewall can connect via the Edge server public interface, but the Communicator icon displays the warning "Limited external calls".

    The validation of the Edge server runs OK; validation of the A/V Conferencing Server in the internal OCS has an error in the Connectivity check section:

    "This operation has timed out", for the task "Connecting to A/V Authentication Edge Server to get credentials".

    I tried the following configuration:

    - put the FQDN of the Edge server in the forest configuration, as Access Edge and A/V Edge server
    - put the FQDN of the Edge server in "Host Authorization" for the domain in the front end properties
    - selected the Edge Server Authentication service in the properties for A/V conferencing in the domain (port 5062)
    - all certificates seem to be OK
    - firewall configuration seems to be OK

    When I try to start a call between internal and external workstations the called one rings, but the call doesn't connect. Sniffing the traffic, the external Communicator tries to contact the private address directly. I believe this is due to the "limited external calling" issue.

    Any info about which operation is performed by the task? Whose credentials is the OCS trying to get?

    Thanks

    Fabrizio

    Thursday, October 25, 2007 12:09 PM

Answers

  • Hello! After a lot of trouble and configuration changes, I set up 2 virtual machines and installed everything from scratch; since the 2 new servers work correctly, I compared the configurations.

    The only differences are:

    - enforced NTLM security instead of Kerberos
    - Edge server not listed in the authorized hosts

    After I made the changes in the production environment and restarted the service, the problem disappeared. This does not make sense to me; the problem should not be related to the authentication system or the authorized servers, but at least now I have a working environment.

    I hope this could help

    Fabrizio

    Thursday, November 8, 2007 11:32 AM
  • Hello Diego.

    Yes, now the Edge server validation is completed. Note that I have Kerberos configured now. Yes, I mean the Host Authorization tab for the front end.

    Now the internal and external users are able to make audio calls in both directions. As far as I can see from the network sniffer, the external Communicator starts sending TLS packets to the external Edge interface, then the real time traffic in UDP with the same addresses. When I had the error the external Communicator tried to reach the private IP address of the other party, and of course this does not work.

    I did not trace the traffic in the internal network, but I expect that traffic for signaling and real time packets is direct between the Edge private interface and the internal clients. Probably there is some traffic between Edge and OCS while searching for the URI, number normalization etc.

    Friday, November 9, 2007 1:17 PM
  • Yes, the port is 5062.

    Friday, November 9, 2007 1:18 PM

All replies

  • Hello Fabrizio!

    I am experiencing the same issue you are having. Did you find a solution?

    Let me know if you did, please.

    Thanks in advance

    Tuesday, November 6, 2007 5:27 PM
  • Hello Fabrizio!

    Are you now able to validate the A/V Edge Server?

    I enforced NTLM security instead of Kerberos, but I am still having the same issue.

    When you say that your Edge Server is not listed on the Authorized Hosts, are you referring to the Host Authorization tab on the Front End Server Properties?
    I don't have any host specified here and I am still having the same issue.

    I take it that now you are able to have internal users connected to the internal server make audio calls to external users connected to the external server? Do you know what the communication flow is?

    Does the Edge Server communicate directly with the internal clients or does it forward the requests to the Front End Server?

    Thanks

    Thursday, November 8, 2007 3:56 PM
  • What port did you configure OCS to connect to A/V auth on the Edge? Default is 5062, I think... (You can configure it by rerunning setup on the OCS.)

    Friday, November 9, 2007 11:56 AM
  • My problem seems to be that the traffic going out from the Edge server is coming out from the external interface, not the internal, when trying to reach an internal client, so the firewall is blocking it.

    I am using port 5062 for authentication. All my validations complete successfully.

    Please take a look at the link below:

    http://forums.microsoft.com/OCS2007/ShowPost.aspx?PostID=1412736&SiteID=57

    Did you have to implement this group policy/registry on your OC clients?

    If I use the registry key above, I am able to call the external clients; however, the external clients can not call me.

    I also added a manual route to use my internal interface for traffic going to my inside LAN.

    Thanks for your help!

    Friday, November 9, 2007 2:13 PM
  • Hello. I did not implement any specific group policy for the clients but yes, I had to specify a static network route in the Edge server to reach the private subnet where the clients are connected.

    And, of course, the public routable IP address for the external interface of the Edge is a must. No way to have working audio calls without it.

    Hope this helps.

    Fabrizio

    Monday, November 12, 2007 3:27 PM
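The last two posts both come down to routing on the dual-homed Edge server: without a static route for the client LAN, traffic toward an internal client follows the default route out of the public interface and the firewall drops it. The following is an added example, not code from the thread or from Microsoft, that models that longest-prefix-match decision over a constructed route table (all addresses are assumed) so misrouted client subnets can be flagged before the static route is added.

```python
import ipaddress
from typing import NamedTuple, Optional

class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    interface: str             # Edge NIC the packet leaves on
    gateway: Optional[str]     # next hop, None when directly connected

# Constructed route table for a dual-homed Edge server (assumed addresses, not
# from the thread): default route via the public NIC, internal NIC only knows
# its own subnet, and nothing at all for the client LAN.
EDGE_ROUTES_DEFAULT_ONLY = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "External", "203.0.113.1"),
    Route(ipaddress.ip_network("203.0.113.0/24"), "External", None),
    Route(ipaddress.ip_network("10.0.1.0/24"), "Internal", None),
]

# Same table after the static route the thread describes is added on the Edge
# server (e.g. "route -p add" on Windows): client LAN via the internal gateway.
CLIENT_LAN = ipaddress.ip_network("192.168.10.0/24")
EDGE_ROUTES_WITH_STATIC = EDGE_ROUTES_DEFAULT_ONLY + [
    Route(CLIENT_LAN, "Internal", "10.0.1.1"),
]

def select_route(table, dst):
    """Longest-prefix match, the way the host IP stack picks a route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for r in table:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best

def egress_interface(table, dst):
    r = select_route(table, dst)
    return r.interface if r else None

def audit_client_reachability(table, client_subnets):
    """Return the client subnets whose traffic would leave via the external NIC.

    Each entry reproduces the symptom in the thread: the Edge server sends
    toward an internal client out of the public interface, and the firewall
    between the Edge and the LAN drops it.
    """
    bad = []
    for net in map(ipaddress.ip_network, client_subnets):
        probe = next(net.hosts())  # first usable host of the subnet
        if egress_interface(table, probe) != "Internal":
            bad.append(str(net))
    return bad
```

Run the audit against the Edge server's real route table (e.g. the output of `route print`) with every subnet that hosts internal Communicator clients; any subnet it returns needs a static route via the internal interface.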