Problems with starting A/V for external users

  • Question

  • Hi I hope someone can help.

    We have a fairly standard OCS 2007 R1 setup with one internal server hosting internal roles and one consolidated Edge hosting all the edge roles.

    When we start a meeting, that works fine, and a chat session is also OK with internal or external users; however, A/V will not connect, so we get no video to the external users.

    We do have the edge with two NICs; the external NIC has two publicly addressable IPs with different external FQDNs of sip.company.com (201.x.x.69) and av.company.com (201.x.x.70). We have external certificates on the public interfaces and internal certificates on the internal interfaces.

    The specific config is:
    Internal Interface: 192.168.0.5
    Edge Access: Federation external : 201.x.x.70 5061
    Edge Access: Remote access ext: 201.x.x.70 5061
    Edge Access: Internal IP: 192.168.0.5 5061
    Web Conference: External IP : 201.x.x.70 : 443
    Web Conference: Internal IP : 192.168.0.5 : 8057
    A/V Edge : External IP / Port (TCP) : 201.x.x.69 : 443
    A/V Edge : External Port Range : 50000-59999
    A/V Edge : Internal IP/Port (TCP) : 192.168.0.5 : 443
    A/V Edge : A/V Authentication Port : 192.168.0.5 : 5062 (Not sure if this should have a certificate for the internal or the external FQDN, I think internal, but I have tried it with both and it does not work on either)

    For some of the common gotchas I have 'verified' the internal A/V server and it is all OK including the internal to external A/V authentication.  On the internal server the internal A/V auth is set correctly in both the global config and the Pool A/V config.

    There is an external firewall, but it does have holes for all the external ports required (I have even tried turning it off).

    Symptoms:
    External client (client is a live meeting client behind a generic NAT firewall, internal IP of client is 172.16.0.155, external interface of client router is 145.x.x.32)
    Client connects to a meeting but does not get video or audio :  "The video connection was lost, try to reconnect"
    The log pwconsole-debug30.txt shows nothing really useful, just:
         DOAVConferenceB: generating event of type = kDisconnectedFromAVMCUByStack with message: kDisconnectedFromAVMCU

    A wireshark trace run on the external NIC of the Edge server reveals:
    Incoming STUN binding requests from the 145.x.x.32 to 201.x.x.69 (All good)
    The Edge responds with a
    Outgoing STUN binding request from 201.x.x.70 to 172.16.0.155 (Impossible!)

    The edge never sends any packets back to the 145.x.x.32 address so it will never connect.

    I have tried this from several different clients in different locations with different network configurations, always with the same response: the edge server will only ever try to connect to the internal IPs of the external clients and never sends any packets to the router where the client is located.

    I have tried everything that I can and cannot figure it out.

    Help please, pretty please.

    Richard
    Wednesday, March 18, 2009 12:39 PM
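As an added check (example code, not from this thread), the trace described above can be modelled and audited: the script flags an Edge that never answers a STUN binding request on the client's reflexive (public) address, answers from a public IP other than the A/V Edge IP, or sends towards the client's private address. The IPs are constructed placeholders for the masked ones in the post.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class Pkt:
    src: str   # source IP as seen on the Edge's external NIC
    dst: str   # destination IP
    kind: str  # "stun_request" or "stun_response"

# Constructed sample addresses standing in for the masked ones in the post.
AV_EDGE_IP = "201.0.0.69"      # placeholder for 201.x.x.69 (A/V Edge)
ACCESS_EDGE_IP = "201.0.0.70"  # placeholder for 201.x.x.70 (Access Edge)
CLIENT_PUBLIC = "145.0.0.32"   # placeholder for the client's NAT router
CLIENT_PRIVATE = "172.16.0.155"

# Constructed trace reproducing the symptom in the post: the Edge replies from
# the wrong public IP and towards the client's private address.
BROKEN_TRACE = [
    Pkt(CLIENT_PUBLIC, AV_EDGE_IP, "stun_request"),
    Pkt(ACCESS_EDGE_IP, CLIENT_PRIVATE, "stun_request"),
]
# Constructed trace of the expected exchange once the Edge behaves.
HEALTHY_TRACE = [
    Pkt(CLIENT_PUBLIC, AV_EDGE_IP, "stun_request"),
    Pkt(AV_EDGE_IP, CLIENT_PUBLIC, "stun_response"),
]

def audit_stun(trace, av_edge_ip, edge_ips):
    """Return a list of (code, detail) findings for STUN traffic on the Edge.

    Codes: no_reply (request never answered on the reflexive address),
    private_destination (Edge sends to an RFC 1918 address on the Internet side),
    wrong_source (Edge answers from an IP other than the A/V Edge IP).
    """
    findings = []
    for p in trace:
        if p.kind == "stun_request" and p.dst == av_edge_ip:
            answered = any(q.src == av_edge_ip and q.dst == p.src for q in trace)
            if not answered:
                findings.append(("no_reply", f"{av_edge_ip} never answered {p.src}"))
        if p.src in edge_ips:  # packet leaving the Edge
            if ip_address(p.dst).is_private:
                findings.append(("private_destination", f"{p.src} -> {p.dst}"))
            if p.src != av_edge_ip:
                findings.append(("wrong_source", f"sent from {p.src}, expected {av_edge_ip}"))
    return findings

def audit_sample(trace):
    return audit_stun(trace, AV_EDGE_IP, {AV_EDGE_IP, ACCESS_EDGE_IP})
```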

Answers

  • We worked on this for a while and eventually found that it is an incompatibility with OCS Edge and RRAS on the same server.  This installation is in an isolated environment for security reasons and we only had a limited number of servers, so the OCS Edge is also the RRAS server for the workstations.

    This is a new incompatibility for MS (we are in the process of getting them to change the documentation), but it is as follows.  If RRAS is on the same server as the OCS Edge and the edge server has two external IPs and NAT is enabled in RRAS, then the NAT in RRAS interferes with the external IP for the A/V edge and stops it from responding to STUN requests properly.

    This only happens if the first IP declared on the external NIC is NOT the one used for the A/V Edge.  There is therefore a relatively simple workaround of changing the order of the IP addresses on the external NIC so that the first IP (the one shown in the normal panel, not the advanced view) is the one that is used for the A/V Edge.  If this is done then everything works.

    Hope this may help someone else eventually ;o)

    Richard
    Tuesday, March 24, 2009 9:50 AM

All replies

  • You should use the External FQDN for AV Authentication Cert
    Make sure that you do not use a UCC cert (no SANs) because I had a support request to Microsoft and apparently if a UCC cert is used then only the last entry in the SAN is used!
    - Belgian Unified Communications Community : http://www.pro-exchange.be -
    Sunday, March 22, 2009 10:25 PM