A\V edge server Firewall Rules & Voice Flow

Question

    1. If you have two external clients making a voice call with the MOC client, does the RTC stream go point to point or does it go via the A\V edge server?

    2. If an internal MOC client makes a voice call to an external MOC client, is the traffic stream

       a. MOC Internal => A\V Edge => MOC external

       or

       b. MOC Internal => Front End => A\V Edge => MOC external

    3. The key reason for asking question 2 relates to what firewall rules are needed between the A\V Edge server and the internal network, i.e. does the firewall need to allow A\V Edge to any IP or A\V Edge to Front End only.

    Thanks for any help.

    Wednesday, August 22, 2007 3:06 PM

Answers

  • Hi,

    According to the OCS Technical Overview doc,

     

    "Communicator clients continue to support peer-to-peer A/V communication for users both inside and outside the corporate firewall."

     

    It seems like the A/V is required only for A/V conferences. And in the case of conferences, the "OCS Edge Server Deploy" doc shows the following chart (which looks like the ports need to be opened to any IP, not just the Front-End)

    Regards,

    Matt

    Firewall Policy Rules (figure mapping number in brackets)

    Internal interface:

    [12] Local Port: 443 TCP (STUN/TCP) | Direction: Outbound (for internal users to send media to external users) | Remote Port: Any | Local IP: the internal IP address of the A/V Edge Server | Remote IP: Any IP address

    [13] Local Port: 5062 TCP (SIP/MTLS) | Direction: Outbound (for authentication of A/V users) | Remote Port: Any | Local IP: the internal IP address of the A/V Edge Server | Remote IP: Any IP address

    [14] Local Port: 3478 UDP (STUN/UDP) | Direction: Outbound (for internal users to send media to external users) | Remote Port: Any | Local IP: the internal IP address of the A/V Edge Server | Remote IP: Any IP address
         Note: If you are using ISA Server as your firewall, you must configure the rule for send/receive.

    External interface:

    [8] Local Port: 443 TCP (STUN/TCP) | Direction: Inbound (for external users' access to media and A/V sessions) | Remote Port: Any | Local IP: the external IP address of the A/V Edge Server | Remote IP: Any IP address

    [9] Local Port Range: 50,000-52,999 TCP (RTP/TCP) | Direction: Inbound/Outbound (for media transfer) | Remote Port: Any | Local IP: the external IP address of the A/V Edge Server (this IP address must be a publicly routable IP address) | Remote IP: Any IP address

    [10] Local Port: 3478 UDP (STUN/UDP) | Direction: Inbound (for external users connecting to media or A/V sessions) | Remote Port: Any | Local IP: the external IP address of the A/V Edge Server | Remote IP: Any IP address
         Note: If you are using ISA Server as your firewall, you must configure the rule for send/receive.

    [11] Local Port Range: 50,000-52,999 UDP (RTP/UDP) | Direction: Inbound/Outbound (for media transfer) | Remote Port: Any | Local IP: the external IP address of the A/V Edge Server (this IP address must be a publicly routable IP address) | Remote IP: Any IP address

    Thursday, August 23, 2007 4:28 PM
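The rule table quoted above, transcribed as data with a small checker for the flow question in item 3 of the original post. This is an added example written for this page, not code from the OCS documentation or from Matt's post. Direction values are taken exactly as the table states them, the Remote IP column is "Any" in every row as quoted, and the addresses in the sample flows (10.0.0.25 as an internal client, 10.0.0.5 as the Front End, 203.0.113.9 as an external client) are constructed.

```python
"""OCS 2007 A/V Edge Server firewall rules from the quoted table, as data.

Added example, not code from the OCS documentation or from the original post.
RULES transcribes the seven rows of the "Figure Mapping" table, with Direction
taken as the table states it; matching_rules() reports which documented rule,
if any, covers a candidate flow. Sample addresses are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    figure: int                   # "Figure Mapping" number in the table
    interface: str                # "internal" or "external" NIC of the A/V Edge Server
    proto: str                    # "TCP" or "UDP"
    local_ports: Tuple[int, int]  # inclusive port range on the edge server itself
    direction: str                # "inbound", "outbound" or "both" (Inbound/Outbound)
    remote_ip: Optional[str]      # None means "Any IP address", as in every table row
    purpose: str                  # the table's parenthetical


RULES: List[Rule] = [
    Rule(12, "internal", "TCP", (443, 443), "outbound", None,
         "STUN/TCP: internal users send media to external users"),
    Rule(13, "internal", "TCP", (5062, 5062), "outbound", None,
         "SIP/MTLS: authentication of A/V users"),
    Rule(14, "internal", "UDP", (3478, 3478), "outbound", None,
         "STUN/UDP: internal users send media to external users"),
    Rule(8, "external", "TCP", (443, 443), "inbound", None,
         "STUN/TCP: external users access media and A/V sessions"),
    Rule(9, "external", "TCP", (50000, 52999), "both", None,
         "RTP/TCP: media transfer"),
    Rule(10, "external", "UDP", (3478, 3478), "inbound", None,
         "STUN/UDP: external users connect to media or A/V sessions"),
    Rule(11, "external", "UDP", (50000, 52999), "both", None,
         "RTP/UDP: media transfer"),
]


def matching_rules(interface: str, proto: str, local_port: int,
                   direction: str, remote_ip: str) -> List[int]:
    """Figure numbers of the documented rules that cover this flow.

    A rule whose Remote IP is "Any" (None) matches every remote address; a
    rule with direction "both" matches inbound and outbound flows.
    """
    hits = []
    for r in RULES:
        if r.interface != interface.lower() or r.proto != proto.upper():
            continue
        lo, hi = r.local_ports
        if not lo <= local_port <= hi:
            continue
        if r.direction != "both" and r.direction != direction.lower():
            continue
        if r.remote_ip is not None and r.remote_ip != remote_ip:
            continue
        hits.append(r.figure)
    return hits


def flow_allowed(interface: str, proto: str, local_port: int,
                 direction: str, remote_ip: str) -> bool:
    """True when at least one documented rule covers the flow."""
    return bool(matching_rules(interface, proto, local_port, direction, remote_ip))


def front_end_only_rules() -> List[int]:
    """Rules whose Remote IP the table restricts to a specific host.

    Question 3 asks whether the internal-side rules can be limited to the
    Front End. Every quoted row says "Any IP address", so this is empty.
    """
    return [r.figure for r in RULES if r.remote_ip is not None]


if __name__ == "__main__":
    # Constructed flows: 10.0.0.25 internal client, 10.0.0.5 Front End,
    # 203.0.113.9 an external client's public address.
    for flow in [("internal", "UDP", 3478, "outbound", "10.0.0.25"),
                 ("internal", "TCP", 5062, "outbound", "10.0.0.5"),
                 ("internal", "UDP", 50000, "outbound", "10.0.0.25"),
                 ("external", "UDP", 51000, "inbound", "203.0.113.9"),
                 ("external", "TCP", 443, "outbound", "203.0.113.9")]:
        print(flow, "->", matching_rules(*flow) or "no documented rule")
    print("front-end-only rules:", front_end_only_rules())
```

Two things the checker makes visible that the flat table hides: the RTP port range (50,000-52,999) appears only on the external interface, so a media flow on those ports at the internal NIC matches no documented rule, and rule 8 is inbound only, so an outbound 443/TCP flow on the external side is likewise uncovered.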
  • BTW, I just tested this and peer-to-peer voice calls with one on the inside and one on the outside don't work without the edge server set up properly.

     

    I had a voice client on the inside network and one on the outside and tried to initiate a voice call. I didn't have the A/V edge server configured and no voice calls were possible. The signalling worked fine - both clients could see that a voice call was being initiated, but the actual voice traffic (UDP) never made it.

     

    I looked at a network capture on the inside client and it showed that it was trying to send UDP packets to the remote client over the internet, but it was sending them to a 192.168.x.x address! That was the private IP of the remote client at the far side over the internet... very strange that it wouldn't be using the NATed IP.

     

    So I checked the Edge server deploy docs a little more and I found this:

     

    When You Need an Audio/Video Edge Server

    Add an A/V Edge Server if you want to make it possible to share audio and video with external users, such as vendors or employees who are working from home. With an A/V Edge Server, users can:

    ·         Add audio and video data to meetings with external participants.

    ·         Share audio and video directly with an external user (point-to-point).

     

    OK - so that contradicts the other statement a little bit. But I can verify that this is definitely the case; you do need the Edge A/V if you want to do an internal-external voice call, even if it is peer-to-peer.

     

     

    Regards,

    Matt

     

    Thursday, August 30, 2007 2:39 PM
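A check for the capture symptom Matt describes above: an internal client sending its UDP media to the far-side client's private 192.168.x.x address instead of a reachable one. This is an added example, not code from the post. The one-line-per-packet summary format ("src -> dst PROTO sport dport"), the site's internal prefix (10.0.0.0/8) and the packets themselves are constructed; the port numbers come from the rule table quoted earlier in the thread.

```python
"""Flag UDP media an internal client sends to RFC 1918 addresses outside the
site, the failure Matt saw in his capture (RTP to a 192.168.x.x peer address).

Added example, not code from the original post. Input is a constructed,
hypothetical summary format, not real tshark output.
"""
import ipaddress
from typing import Dict, Iterable, Tuple

STUN_PORT = 3478
RTP_PORTS = range(50000, 53000)   # 50,000-52,999, the RTP range from the table

# RFC 1918 is checked explicitly: ipaddress's is_private also treats the
# documentation ranges (e.g. 203.0.113.0/24) as private, which would
# misclassify the constructed external peer below.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SITE_PREFIXES = ["10.0.0.0/8"]   # constructed: this site's own internal space

# Constructed capture: signalling to the Front End (10.0.0.5) on 5061/TCP is
# fine, but RTP goes to 192.168.1.40, the remote client's private address.
CAPTURE = """\
10.0.0.25 -> 10.0.0.5 TCP 49732 5061
10.0.0.25 -> 192.168.1.40 UDP 50214 50120
10.0.0.25 -> 192.168.1.40 UDP 50214 50120
10.0.0.25 -> 203.0.113.9 UDP 50214 3478
10.0.0.25 -> 10.0.0.30 UDP 50216 50400
"""


def parse_line(line: str) -> Tuple[str, str, str, int, int]:
    """Split one summary line into (src, dst, proto, sport, dport)."""
    src, arrow, dst, proto, sport, dport = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected line: {line!r}")
    return src, dst, proto.upper(), int(sport), int(dport)


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def in_site(addr: str, site_prefixes: Iterable[str]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in site_prefixes)


def is_media_port(port: int) -> bool:
    return port == STUN_PORT or port in RTP_PORTS


def unreachable_private_media(capture: str,
                              site_prefixes: Iterable[str]) -> Dict[Tuple[str, int], int]:
    """Map (destination, port) -> packet count for UDP media sent to RFC 1918
    addresses that are not part of this site's internal prefixes."""
    prefixes = list(site_prefixes)
    counts: Dict[Tuple[str, int], int] = {}
    for line in capture.splitlines():
        if not line.strip():
            continue
        _src, dst, proto, _sport, dport = parse_line(line)
        if proto != "UDP" or not is_media_port(dport):
            continue
        if is_rfc1918(dst) and not in_site(dst, prefixes):
            counts[(dst, dport)] = counts.get((dst, dport), 0) + 1
    return counts


if __name__ == "__main__":
    for (dst, port), n in unreachable_private_media(CAPTURE, SITE_PREFIXES).items():
        print(f"{n} UDP media packet(s) to private address {dst}:{port} outside this site")
```

Media to 10.0.0.30 is not reported because it lies inside the site's own prefix, and the STUN packet to 203.0.113.9 is not reported because that address is not RFC 1918 space; only the two RTP packets to 192.168.1.40 match the symptom in the post.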

All replies

  • Thanks for your input.

    I have been told, but have yet to confirm, that two-party MOC to MOC communication is point to point except when a firewall blocks the flow of traffic, in which case the A\V edge is involved.

    For example, two external MOC clients will try to make a point to point connection, but if this is blocked they will involve the A\V edge.

    Thursday, August 30, 2007 2:48 PM
  • Were you able to get your Internal and External Clients making Audio Calls ?

     

    Were you able to verify what the communication flow is ?

     

    I have my Edge Server trying to contact my internal client but through the external interface, not the internal.

     

    thanks

    Thursday, November 8, 2007 4:24 PM
    Hi mmcgille,
    Maybe you can answer this from your research?
    When an external MOC client and an internal MOC client make an audio call, does the internal client connect to the inside card of the A/V edge server?
    I had a problem today: when a call was trying to be connected between an external client and an internal client, the internal client's MOC would ring, but when answered the call failed to connect. It wasn't until I added a route on the client to allow access to the DMZ, where the internal card of the edge was, that the calls would work.
    So it looks like once the call setup has been done, a peer to peer connection is set up between the OCS internal client and the OCS external client through the edge server. Is this true?

    Thanks
    P

    Celtic
    Wednesday, March 11, 2009 12:13 AM