OCS AV edge issue

  • Question

  • I have what appears to be a firewall configuration issue in my OCS Test deployment. My server with the edge role running on it has a public IP (**.***.170.59) assigned to a dedicated NIC and is sitting in front of a firewall configured as follows:

    Outbound Rules:

    #        Service Name   Action         LAN Users       WAN Servers   Log
    1        RTP/UDP        ALLOW always   **.***.170.59   Any           Always
    2        RTP/TCP        ALLOW always   **.***.170.59   Any           Always
    3        Any(ALL)       BLOCK always   **.***.170.59   Any           Always
    Default  Any            ALLOW always   Any             Any           Never

    Inbound Rules:

    #        Service Name   Action         LAN Server IP address   WAN Users   Log
    1        HTTPS          ALLOW always   **.***.170.59           Any         Always
    2        RTP/UDP        ALLOW always   **.***.170.59           Any         Always
    3        RTP/TCP        ALLOW always   **.***.170.59           Any         Always
    4        STUN           ALLOW always   **.***.170.59           Any         Always
    5        Any(ALL)       ALLOW always   **.***.170.60           Any         Always
    6        Any(ALL)       ALLOW always   **.***.170.58           Any         Always
    7        Any(ALL)       ALLOW always   **.***.170.57           Any         Always
    Default  Any            BLOCK always   Any                     Any         Never
    Services:

    #  Service Type     Ports
    1  RTP/TCP (TCP)    50000 - 59999
    2  STUN (UDP)       3478
    3  RTP/UDP (UDP)    50000 - 59999

    **.***.170.57, **.***.170.58 and **.***.170.60 terminate on an ISA server which then NATs the relevant other ports to the other roles on the edge server - each role has a separate NIC and is on a separate subnet to the internal network.

    When I try and make a voice call I get a "the call cannot be connected" error - if I take out outbound rule 3 it will allow the call to connect and both audio and video work. If I enable that rule whilst in a call, the call stays connected and I can still hear the other person but they cannot hear (or see) me. Looking at the logs from the firewall whilst in a successful call (rule 3 unticked) it looks like the source port is within the 50,000 - 59,999 range but the destination port isn't - is this correct?

    2008-10-12 12:11:34.070                UDP Packet - Source:**.***.170.59,57976 Destination:**.***.180.57,22016 - [Any(ALL) rule match]

    2008-10-12 12:11:34.133                UDP Packet - Source:**.***.170.59,59256 Destination:**.***.180.57,11520 - [Any(ALL) rule match]

    Please let me know if you have any suggestions or if any more details are required - surely someone has come across this before?

    Sunday, October 12, 2008 10:41 PM
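The behaviour the poster sees can be reproduced by evaluating the outbound rule table top-down against the two logged packets. This is an added example, not something from the thread; it assumes the appliance matches a service definition on the destination port (the usual behaviour), and it also evaluates the same rules as if matching on the source port so the difference is visible.

```python
import re

# Log lines copied from the post (IPs masked as they appear there).
LOG_LINES = [
    "2008-10-12 12:11:34.070 UDP Packet - Source:**.***.170.59,57976 "
    "Destination:**.***.180.57,22016 - [Any(ALL) rule match]",
    "2008-10-12 12:11:34.133 UDP Packet - Source:**.***.170.59,59256 "
    "Destination:**.***.180.57,11520 - [Any(ALL) rule match]",
]

# Service definitions from the Services table: (protocol, low port, high port).
SERVICES = {
    "RTP/UDP":  ("UDP", 50000, 59999),
    "RTP/TCP":  ("TCP", 50000, 59999),
    "STUN":     ("UDP", 3478, 3478),
    "Any(ALL)": (None, 1, 65535),
}

EDGE_IP = "**.***.170.59"

# Outbound rules as listed in the post; evaluated top-down, first match wins.
OUTBOUND = [
    (1, "RTP/UDP", "ALLOW", EDGE_IP),
    (2, "RTP/TCP", "ALLOW", EDGE_IP),
    (3, "Any(ALL)", "BLOCK", EDGE_IP),
    ("Default", "Any(ALL)", "ALLOW", "Any"),
]

LOG_RE = re.compile(r"(UDP|TCP) Packet - Source:(\S+),(\d+) Destination:(\S+),(\d+)")

def parse_packet(line):
    proto, src, sport, dst, dport = LOG_RE.search(line).groups()
    return {"proto": proto, "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}

def service_matches(name, pkt, match_on):
    # Assumption: match_on="dport" models an appliance that keys services on
    # the destination port; "sport" models one that keys on the source port.
    proto, lo, hi = SERVICES[name]
    return (proto is None or proto == pkt["proto"]) and lo <= pkt[match_on] <= hi

def evaluate(rules, pkt, match_on="dport"):
    for num, service, action, lan_user in rules:
        if lan_user in ("Any", pkt["src"]) and service_matches(service, pkt, match_on):
            return num, action
    return None, "BLOCK"  # no rule matched: treat as an implicit drop

def verdicts(rules, match_on="dport"):
    return [evaluate(rules, parse_packet(line), match_on) for line in LOG_LINES]

if __name__ == "__main__":
    print("rule 3 present, dst-port match:", verdicts(OUTBOUND))
    print("rule 3 removed, dst-port match:", verdicts([r for r in OUTBOUND if r[0] != 3]))
    print("rule 3 present, src-port match:", verdicts(OUTBOUND, "sport"))
```

With destination-port matching, both media packets fall through rules 1 and 2 (destination ports 22016 and 11520 are outside 50000-59999) and hit rule 3, which is exactly the one-way audio the poster describes; removing rule 3 lets them reach the Default ALLOW, matching the "[Any(ALL) rule match]" in the log.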

All replies

  • James, I'm not sure what firewall appliance you have, but what exactly is the purpose of that Outbound Rule #3?  Some devices I've used in the past would treat that rule as overriding even in a top-down application since it's a specific BLOCK.  Since most devices inherently drop all connections EXCEPT for what is configured, I wouldn't think you'd need to include that rule.  Since it works correctly without that rule I'd think that you shouldn't be adding it back in.

    Wednesday, October 15, 2008 7:44 PM
    Moderator