CWA R2 Desktop Sharing Doesn't Work If Client is NAT'ng

  • Question

  • hi all, this one makes me want to pull out my hair (sorry don't have any hair left:)

    1. if a client is using a publicly available ip address (i.e., NOT behind a firewall or AP) sharing desktop works like a charm.
    2. however, if a client is behind a firewall or AP (i.e., ip address NAT'ng is happening) sharing desktop gives the error "Cannot start desktop sharing session currently".

    we thought that it's the Linksys firewall/AP but we tried it at a different place (Internet Cafe) and it's the same thing. we looked at the logs on our Symantec FW and both connections are using the same rule that we created.

    all DNS info (CNAME) have been done, i.e., as and download and all certs (Public or 3rd party) have been done too. right now, i am lost why this is happening. perhaps CWA gurus will be able to lighten this situation up.

    kind regards,
    dmc
    Wednesday, September 30, 2009 3:30 PM

All replies

  • Desktop Sharing is actually media traversal and the CWA server requires access over the media port range to the Edge Server. Can you verify that range (50,000-59,000) is open between CWA and Edge Internal?


    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Wednesday, September 30, 2009 4:15 PM
    Moderator
  • i am assuming yes since they are both on the same subnet. CWA is 192.168.2.75 and Edge (inside address) is 192.168.2.73. there is no firewall running on the CWA or the Edge box. from your professional experience what is the best way for me to test whether i can talk from the CWA to Edge's ports 50K - 59K? can i just telnet to these ports? if yes, what would i see?

    BTW - here is some additional info: the CWA box is also our FE OCS R2 server. local IP for OCS is 192.168.2.74 and on the same NIC we just added another IP for CWA 192.168.2.75.

    many thanks.

    Wednesday, September 30, 2009 7:06 PM
  • Do you have the checkbox selected on the A/V Edge properties indicating that the A/V Edge is behind a NAT?  Do you have the same problem with audio and video?  If audio and video work but desktop sharing does not then the problem is likely that you have the 50000-59999 port range open for UDP only.  Audio and video will work with UDP but desktop sharing will not.

    If none of them work then you probably have a STUN problem.  Make sure that the external A/V Edge FQDN is resolvable and connectable from inside your network.

    As for your port question, unfortunately there's no easy way to test.  Those ports are only opened after the endpoints have negotiated the media ports.
    Mike Stacy | Evangelyze Communications | http://www.evangelyze.net/cs/blogs/mike
    Thursday, October 1, 2009 11:32 PM
    Moderator
  • Are you publishing CWA with ISA?  Is this common to Windows 7 machines or also on XP?

    There are several threads on this in which we are still trying to find a common theme.

    http://social.microsoft.com/Forums/en-US/communicationsserversetup/thread/7ead1073-b701-4d76-8651-2b66df92a143/

    and

    http://social.microsoft.com/Forums/en-US/communicationsserversetup/thread/5d57afaa-645a-4a5f-b2f0-c1de6d6ba38e


    I have deployed this in several environments successfully using XP, Vista, 7.  ISA 2006 SP1 is a requirement if you are publishing with ISA.
    Mark King | C/D/H | MCTS:OCS | MCSE: Messaging | MCITP:Enterprise Administrator | CCNA
    Thursday, October 1, 2009 11:56 PM
  • hi mark, no we are not using ISA, it's going via our Symantec firewall. do we need to use ISA for this to work properly? is ISA a must? and going back to the original question, why would desktop sharing work if the client is not NAT'ng? this is the part that confuses me. thanks again.
    Friday, October 2, 2009 2:49 PM
  • just an FYI - we are not using ISA. where would i find this checkbox re: A/V indicating that it's behind a NAT? thank you.
    Friday, October 2, 2009 8:31 PM
  • It's on the A/V Edge Server properties window.  Take a look at this article for a screenshot highlighting the location:
    http://blogs.technet.com/ucedsg/archive/2009/02/06/we-have-the-edge.aspx


    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Friday, October 2, 2009 9:00 PM
    Moderator
  • ok, don't laugh at me... i found the issue and it was so stupid of me to not see it. anyways the problem is because there is no DNS resolving for the A/V on the edge server. what makes me wonder is why would it work on a client that doesn't do any NAT'ng at all?

    hmmm, anyways... mystery resolved. thank you for all your input.

    • Marked as answer by golfer_kuno Thursday, October 8, 2009 2:57 PM
    Thursday, October 8, 2009 2:57 PM
  • Ah, yes; that'll do it. 

    When not using NAT on the A/V Edge roles the service will pass its associated IP address as a destination for the client to connect to.  But when you enable the option on the A/V Edge properties to use a NAT'd address, then the A/V Edge resolves the A/V Edge FQDN and passes that address to the remote client.  If the Edge server is unable to resolve that address or incorrectly resolves the non-routable address then it will pass the client the unreachable internal IP instead of the reachable external IP.

    See this article for more details: http://blogs.pointbridge.com/Blogs/mcgillen_matt/Pages/Post.aspx?_ID=61

    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Thursday, October 8, 2009 4:10 PM
    Moderator
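
The lookup described in the reply above, and the earlier advice to make sure the external A/V Edge FQDN is resolvable, can be checked from the Edge server itself. The PowerShell below is an added example, not part of the thread or of OCS: the function names are hypothetical, `av.example.com` is a placeholder for the external A/V Edge FQDN, and `203.0.113.10` is a documentation address standing in for a public IP.

```powershell
# Added example. Run on the A/V Edge server, since that is the host that
# resolves the A/V Edge FQDN and hands the result to remote clients.

function Get-AddressClass {
    param([System.Net.IPAddress]$Address)
    # Only IPv4 is classified; anything else is reported as-is.
    if ($Address.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        return 'non-ipv4'
    }
    $b = $Address.GetAddressBytes()
    if ($b[0] -eq 10)                                      { return 'private' }    # 10.0.0.0/8
    if ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) { return 'private' }    # 172.16.0.0/12
    if ($b[0] -eq 192 -and $b[1] -eq 168)                  { return 'private' }    # 192.168.0.0/16
    if ($b[0] -eq 127)                                     { return 'loopback' }   # 127.0.0.0/8
    if ($b[0] -eq 169 -and $b[1] -eq 254)                  { return 'link-local' } # 169.254.0.0/16
    return 'public'
}

function Test-AvEdgeFqdn {
    param([string]$Fqdn)
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($Fqdn)
    } catch {
        # The case reported in this thread: no DNS answer on the Edge server.
        Write-Output "FAIL  $Fqdn does not resolve from this host: $($_.Exception.Message)"
        return
    }
    foreach ($a in $addresses) {
        $class = Get-AddressClass $a
        if ($class -eq 'public') {
            Write-Output "OK    $Fqdn -> $a (public)"
        } else {
            # The other case: the name resolves to a non-routable address.
            Write-Output "FAIL  $Fqdn -> $a ($class): remote clients cannot reach this address"
        }
    }
}

# Constructed sample input: 192.168.2.73 is the Edge internal address quoted
# in the thread; 203.0.113.10 is a placeholder for the external address.
foreach ($ip in '192.168.2.73', '203.0.113.10') {
    "{0,-15} {1}" -f $ip, (Get-AddressClass ([System.Net.IPAddress]::Parse($ip)))
}

# Live check against the resolver this server actually uses.
Test-AvEdgeFqdn 'av.example.com'
```

A `FAIL` line from the live check corresponds to one of the two conditions named in the reply: the name does not resolve on the Edge server, or it resolves to an internal address that a NAT'd client cannot reach.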
  • Hi,

    Where can I find the A/V Edge properties box?
    Is it in the Office Communications Server 2007 R2 mmc or the CWA one?


    Thank you very much in advance,
    @ndyP
    Tuesday, October 20, 2009 10:46 PM