Audio and video calls not working

  • Question

  • I'm in the process of trying to set up an OCS testbed prior to deployment.  As I was having a lot of problems with the Enterprise expanded topology, I started over using the Enterprise consolidated topology.  For the most part, everything is now working... with one exception.

     

    As long as all the clients and OCS Server are on the same LAN (either direct or VPN) audio and video conferencing (two party or multiparty) works fine.  However, as soon as one person tries starting up a (two party) call, on different LANs, the failures start.  It appears to be related to the firewall NAT handling.  In other words, if the firewall has NAT enabled, IM works, but audio and video calls fail.

     

    In other words, if Client A, Client B, and the OCS Server are on the same LAN, everything is fine.  However, if Client A and the OCS Server are on the same LAN and Client B is on a different LAN behind a NATting firewall (e.g., a person trying to connect from their home network) all attempts to establish an audio or video call between Client A and B will fail.

     

    The Enterprise Consolidated OCS Server system is connected directly to the Internet with a static IP address.  The firewall is configured to allow traffic on ports 443, 444, 3478, 5060, 5061, and 5062.  As this is a consolidated topology, there are no (explicit) edge servers involved.  This OCS Server is part of a domain containing separate AD and SQL Server machines.

     

    Does anyone have any idea what configuration changes need to be made to the firewall to allow this configuration to work?

     

    Thanks in advance.

     

    - Mark

     

    Friday, September 26, 2008 8:06 PM

All replies

  • You will need to add the OCS Edge (A/V MCU).  Without it, audio will be treated like a peer to peer call was handled in Netmeeting for example.  In that configuration, no external or NAT type of connections are supported.

     

    Saturday, September 27, 2008 12:39 AM
  • > You will need to add the OCS Edge (A/V MCU).

     

    I tried to do this, and when I tried to add an A/V Edge server to the Enterprise Consolidated configuration, the installation wizard indicated it was not supported ("Edge Server cannot coexist with Enterprise Edition Server.")  I did this by going to the OCS 2007 setup, choosing the Enterprise Consolidated Topology (the first choice) to set up the OCS Server.  After that, I tried to use the "Deploy Other Server Roles" to set up an A/V Edge server (the third choice) and then choosing Deploy Edge Server.

     

    Did I miss something?

     

    - Mark

     

    Saturday, September 27, 2008 2:44 AM
  • Ahh, I see the issue.  The Edge server is a physically separate server from the pool.  It should not be a member of the domain; it is located in the DMZ.

     

    So you will need to setup an OCS2007 Std Edition Edge Server in the DMZ.

     

    Please review the planning guide (just glance over it) I think it will become very clear by the diagrams there.

     

    Saturday, September 27, 2008 3:12 AM
  • > Ahh, I see the issue.  The Edge server is a physically separate server from the pool.

     

    Yep.  This I understand.

     

    > So you will need to setup an OCS2007 Std Edition Edge Server in the DMZ.

     

    So, are you saying I need to deploy a Std Edition Edge Server with an Enterprise Consolidated topology?

     

    > Please review the planning guide (just glance over it) I think it will become very clear by the diagrams there.

     

    I have looked at this, and other documents (Edge Server Deployment, Enterprise Edition Deployment, Security Guide, etc., as well as the OCS 2007 Resource Kit book) over many times.  I must say it is not clear at all.

     

    BTW, my first attempt at doing an Enterprise Expanded topology resulted in pretty much the same problem.  Here is a pointer to the forum entry:

     

        http://forums.microsoft.com/unifiedcommunications/ShowPost.aspx?PostID=3918474&SiteID=57

     

    With all the problems I was having getting the expanded topology to work, I figured I'd step back to a "simpler" configuration to try and get things all sorted out.  Unfortunately, I seem to have arrived at the same set of issues in either topology.

     

    Still scratching my head trying to puzzle things out.  It seems the basic problem is related to having the OCS Server directly on the Internet (via static IP) and two clients behind NATting firewalls.

     

    - Mark

     

    Saturday, September 27, 2008 2:31 PM
  • Direct NAT'ing from external direct to the pool is not supported.  Totally hoses you on all aspects of security.

     

    A single Std Edition server in the DMZ as an edge will work.. it does not matter at all what the internal server(s) consist of.

    Sunday, September 28, 2008 1:41 AM
  • > Direct NAT'ing from external direct to the pool is not supported.  Totally hoses you on all aspects of security.

     

    OK.  From what I know about VoIP and other Telco stuff, this is not a surprise.  Although the documentation is really confusing in this area.

     

    > A single Std Edition server in the DMZ as an edge will work.. it does not matter at all what the internal server(s) consist of.

     

    Just to make sure I understand... are you suggesting a dual homed machine as an Edge server, one side to the Internet and the other to the DMZ?  I'll give this a try.  Although I am not hopeful, as my post to the other thread indicated, I was using an AV Edge server (direct to the Internet on one side and the DMZ with the OCS Servers on the other) and was still running into this same problem when I attempted (at least) a multiparty audio conference call.

     

    I guess this really boils down to: does OCS support clients for A/V conferencing behind a NATting firewall?  Assuming there is an A/V edge server direct to the Internet?

     

    Thank you for your comments and suggestions.

     

    - Mark

     

    Sunday, September 28, 2008 6:18 PM
  • More info.

     

    I've tried to configure an OCS 2007 STD Edition A/V Edge Server and cannot get it to assign the created certificate.  I have tried several times, and even tried to assign a certificate which worked with the test OCS 2007 Enhanced Server deployment I tried earlier, and they all fail with "Certificate wizard failed to save the supplied settings.  Please retry the operation."  Unfortunately, there is no other information (in particular, nothing in the event log) so this is pretty useless.

     

    Any ideas?

     

    - Mark

    Monday, September 29, 2008 4:06 PM
  • I have had ZERO success after spending the past day and a half trying to get the certificate recommendations in the Edge Server Deployment documentation to work.  All I get are failures trying to assign the created certificates with NO indication as to what is wrong.

     

    This, combined with all of the failures and problems I have had with the installations and testing I have done with OCS 2007 (enhanced and consolidated topologies) over the past two weeks, leads me to conclude that OCS 2007 deployed with the servers and clients on different networks behind NATting firewalls (a very common configuration) simply DOES NOT work.  The only configuration I was able to get to work was where all the clients and servers were on the same network (either directly or via VPN).

     

    And this was only with simple A/V calls & conferencing.  I hate to think what I would run into trying to deploy the rest of OCS.

     

    I would love to be proved wrong... but I am not hopeful.

     

    - Mark the frustrated.

     

    Tuesday, September 30, 2008 2:51 PM
  • Okay, take a breath :)

     

    First, to make life easy, you need to run the Edge Planning Tool - 

     http://www.microsoft.com/downloads/details.aspx?FamilyID=149e5dd5-eaae-46b6-afba-01c31e88a275&displaylang=en

     

    This will tell you exactly what the cert should look like.

     

    Second, if you are trying to run the tool from the Edge Server: remember the edge server is NOT a part of the domain, so if you are pointing to an internal PKI cert server, chances are it will fail, as the outside edge is normally deployed with a public CA, but if you know what you are doing, you can get past it.

     

    You need to run the cert tool on the OCS server, download or export the cert, then install it on the edge server.  Make sure the edge server TRUSTS the CA.

     

    The tool will output everything you need to know, as well as a custom doc section that will look like the following:

    ----

    The Office Communications Server Administrator Report is a report that has all of the configuration information that an Office Communications Server Administrator would need to set up the edge servers.

    The report has five sections:

    • Edge Report
    • Reverse Proxy Report
    • Next Hop Report
    • Edge Server Configuration Documentation
    • Internal Director / Pool Configuration Documentation

    The first three reports are broken down into sections, each displaying information about the settings needed to be configured.

    The final two reports contain customized documentation that you can use to set up the edge servers.

    Note: The settings provided by this tool are based on available best practices and the information you provide. You bear the risk of using the settings. Microsoft gives no express warranties, guarantees or conditions.

    -----

     

    You will need to deploy edge, activate edge, configure edge, configure certs (which is where you are stuck).

     

    When you run the wizard, make sure you select "Mark as exportable".  The external-facing cert will be sip.company.com (SN and SAN).

    Private or internal edge cert will be access edge FQDN or accessedgeservername.company.com.

     

    All you should have to do after is assign the cert from the AE deploy page.

    Wednesday, October 1, 2008 4:04 AM
  • Visiting my happy place to reduce stress

     

    OK.  I actually did download the Edge Planning tool about a week ago, but never ran it because, from the documentation, it did not appear it was really needed.

     

    Yesterday, I did run it to see what differences would show up between what it suggested and what I had actually configured.  Probably the major differences were related to servers I had not configured because, from the documentation, they were not needed because I wasn't going to be implementing the functionality they were documented to support.

     

    I was actually about to get all the certs configured on my previous test by doing a consolidated Edge Server configuration instead of just the A/V server.

     

    Anyway, I've torn that all down and have started up building a full Enterprise Enhanced topology configuration.  One thing I learned from the recent "exercises" is I will have to configure *everything* not just the pieces I think I need (from the documentation).  This, combined with the Edge Planning tool should get me a lot further.

     

    I'll let you know.

     

    - Mark

     

    Thursday, October 2, 2008 4:03 PM
  • OK.  I've finally managed to get everything reconfigured, using the information from the Edge Server Planning tool and the various other documents.  The result is I have several machines on the DMZ LAN (FES, A/V Server, etc.) and several machines dual-homed to the DMZ LAN and the Internet (e.g., the edge servers).

     

    The only machine I have not yet configured is the HTTP reverse proxy server, as I'm not trying to do any web stuff; just IM, audio, and video.

     

    I'm still having problems getting the OCS Client to connect from the Internet.

     

    The sign-in address is correct, and in the advanced options I have it set for a manual configuration with the Access Edge Server's name as the "External server" using TLS.  It isn't clear what, if anything, I should have for the "Internal server".

     

    If I leave the internal server name blank, I get an error (in the event log) indicating the client could not connect to the access edge server on port 5061.  Which is up and running and listening on the port.

     

    If I use the (DMZ) name of the FES, I get an error indicating the client could not connect because it could not resolve the name, followed by the port 5061 error.  The same thing occurs if I use the pool name.

     

    If I try an OCS client on the DMZ, and set the "Internal server" name to be the FES things work a whole lot better.  Although there is a problem where once I establish a two party video call, the video works fine for about a minute, after which the remote video in the OCS client (on both ends) freezes and a little bit later (about 15 seconds or so) the connection is dropped/ended.

     

    So, at this point, using the Edge Server Planning tool and the available documentation, setting up all the required certificates (as recommended by the planning tool), etc., it STILL isn't working.

     

    - Mark

    Thursday, October 9, 2008 3:25 PM
  • Mark;

     

    Can you please confirm, you have Front-End Servers & A/V Servers in the DMZ as well as Edge Servers?

     

     

    Rob

    Thursday, October 9, 2008 4:21 PM
  • The DMZ contains the FES, Web Conf Server, A/V Server, and Archiving & CDR Server.  (Along with the AD and SQL Servers.)

     

    The three edge servers (Access, A/V, and Web) are dual homed to the DMZ and directly to the Internet.  They use Windows firewall to allow the necessary port access on both NICs.

     

    - Mark

     

     

    Thursday, October 9, 2008 4:26 PM
  • Thanks for the clarification.

     

    The only servers that should be in your DMZ are the Edge Server(s) & ISA server(s)...assuming you are using ISA to publish ABS, etc.  The rest of the infrastructure should be on your internal network.  The Edge Server supports NAT on the Access Edge & Web Conferencing roles, but the A/V Edge role requires a publicly routable IP.  The Edge Server also provides an additional layer of security...so no need to expose your internal infrastructure directly to the Internet (not supported either).

     

    Are your Edge Servers a consolidated Edge design, or have you split the A/V Edge role off to another box?  Do you have all the required DNS records in your public and private DNS zones?  And, depending on your setup, do your certificates contain the necessary SANs?

     

    Sorry if I'm repeating questions that were already asked...just trying to get a picture of your setup.

     

    Rob

    Thursday, October 9, 2008 5:50 PM
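    The certificate guidance in the October 1 reply (external cert with sip.company.com as subject and SAN, a CA the edge trusts) and Rob's questions above (DNS records present, ports reachable, SANs correct) are all things that can be checked from the outside rather than inferred from a silent client failure.  The following PowerShell is an added example, not code from this thread or from Microsoft.  The names `contoso.com`, `sip.contoso.com` and `av.contoso.com`, the port lists, and the `_sip._tls` SRV record are placeholders; take the real values from your own Edge Planning Tool report.  Run it from a machine on the Internet, not on the internal LAN.

```powershell
# Added example (not from the thread): probe an OCS 2007 Edge from outside and
# report what it actually presents. All names/ports below are placeholders
# (assumptions) and must be replaced with the values from your planning report.

function Test-OcsEdgePort {
    # TCP-only reachability check. UDP 3478 (A/V Edge STUN) cannot be tested this way.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, $Port, $null, $null)
        $open = $handle.AsyncWaitHandle.WaitOne($TimeoutMs)
        if ($open) { $client.EndConnect($handle) }   # throws if the port actively refused
        [pscustomobject]@{ Target = "${ComputerName}:${Port}"; TcpOpen = [bool]$open }
    } catch {
        [pscustomobject]@{ Target = "${ComputerName}:${Port}"; TcpOpen = $false }
    } finally {
        $client.Close()
    }
}

function Get-OcsEdgeCertificateNames {
    # Complete a TLS handshake and return the subject, SAN DNS names and chain
    # status of the certificate the edge presents on that port.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 5061
    )
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    # Accept any certificate for the handshake: the goal is to inspect it, not to trust it.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $sans = @()
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($sanExt) {
            # Format($true) yields one "DNS Name=host" entry per line on Windows
            $sans = @($sanExt.Format($true) -split "`r?`n" |
                Where-Object { $_ -match '^DNS Name=' } |
                ForEach-Object { ($_ -split '=', 2)[1].Trim() })
        }
        [pscustomobject]@{
            Subject      = $cert.GetNameInfo('SimpleName', $false)
            SanDnsNames  = $sans
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            ChainTrusted = $cert.Verify()   # $false when this host does not trust the issuing CA
        }
    } finally {
        $ssl.Close()
        $client.Close()
    }
}

function Test-OcsExternalSrvRecord {
    # External automatic sign-in looks up the _sip._tls.<sipdomain> SRV record and
    # expects it to point at the Access Edge external name (assumed here; confirm
    # the exact record and port against your planning report). Needs Resolve-DnsName.
    param(
        [Parameter(Mandatory)][string]$SipDomain,
        [Parameter(Mandatory)][string]$ExpectedTarget,
        [int]$ExpectedPort = 443
    )
    $records = @(Resolve-DnsName -Name "_sip._tls.$SipDomain" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' })
    $match = $records | Where-Object {
        $_.NameTarget.TrimEnd('.') -ieq $ExpectedTarget.TrimEnd('.') -and $_.Port -eq $ExpectedPort
    }
    [pscustomobject]@{
        Record  = "_sip._tls.$SipDomain"
        Found   = $records.Count -gt 0
        Correct = [bool]$match
        Targets = @($records | ForEach-Object { "$($_.NameTarget):$($_.Port)" })
    }
}

# --- Example run with placeholder names (substitute your planning-tool values) ---
$sipDomain  = 'contoso.com'
$accessEdge = "sip.$sipDomain"   # external Access Edge FQDN; must be SN and SAN of its cert
$avEdge     = "av.$sipDomain"    # external A/V Edge FQDN; needs a public, non-NATed IP

Test-OcsExternalSrvRecord -SipDomain $sipDomain -ExpectedTarget $accessEdge
foreach ($p in 443, 5061) { Test-OcsEdgePort -ComputerName $accessEdge -Port $p }
Test-OcsEdgePort -ComputerName $avEdge -Port 443

$names = Get-OcsEdgeCertificateNames -ComputerName $accessEdge -Port 5061
$names
if ($names.Subject -ne $accessEdge -and $names.SanDnsNames -notcontains $accessEdge) {
    Write-Warning "Certificate on $accessEdge does not carry that name; clients will drop the TLS session."
}
```

    A `TcpOpen = False` on 5061 from outside points at the firewall or at a service that is not actually listening on the external NIC; a name mismatch or `ChainTrusted = False` reproduces, from the client's point of view, the silent sign-in failure described above without having to stare at an empty event log.  On current Windows builds the default `AuthenticateAsClient` call may refuse to negotiate the TLS 1.0 that OCS 2007 speaks; if the handshake fails for that reason, use the overload that takes an explicit `SslProtocols` value.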
  • Hi Rob.

     

    > The only servers that should be in your DMZ are the Edge Server(s) & ISA server(s)...assuming you are using ISA to publish ABS, etc.  The rest of the infrastructure should be on your internal network.  The Edge Server supports NAT on the Access Edge & Web Conferencing roles but the A/V Edge role requires a Publically routable IP.  The Edge Server also provides an additional layer of security...so no need to expose your internal infrastructure directly to the Internet (not supported either).

     

    There may be a bit of confusion about the term "DMZ", so let me describe the physical configuration.  The FES & other servers are on a separate (internal) LAN behind a firewall.  The edge servers have one connection directly to the Internet, and the other connection to this (internal) LAN.  All of the edge server ports (Internet and internal LAN) are behind the Windows firewall on each server.  The firewall protecting the internal LAN can/does do NATting.  The external NIC connections on each edge server are all static IP addresses.

     

    > Are you Edge Servers a consolidated Edge design or have you split the A/V Edge role off to another box?

     

    Each edge server is on a separate box (enhanced configuration).  Although I did try a configuration with all the edge servers on a single box (consolidated configuration) with equally poor results.

     

    > Do you have all the required DNS records in your public and private DNS zones?

     

    I have everything the Edge Server Planning tool said I needed to have in place.  In other words, as far as I know, everything is correct.

     

    > And, depending on your setup, do your certificates contain the necesarry SANs?

     

    I just went through another CA exercise with our resident SharePoint/Exchange guru and verified everything to be as we believe it should be, given the information in the planning report and all of the pain he went through getting SP and Exchange to work correctly.

     

    > Sorry if I'm repeating questions that were already asked...just trying to get a picture of your setup.

     

    No problem.  This is just getting real frustrating because as far as I can tell I am doing everything the documentation says I should be doing, but OCS still doesn't work.  This is coupled with the fact I can get it to "sort of" work on the internal LAN, but very poorly.

     

    The one nagging thought I have is whether or not the reverse proxy server is needed for something else.  I currently do not have one configured because I'm only trying to get IM and AV calls and conferencing working.  In other words, is it necessary to deploy all the components because there is functionality required from a particular component even though it is not documented.

     

    - Mark

     

    Thursday, October 9, 2008 6:41 PM
  • Well, it has been more than FIVE WEEKS since I tried to deploy OCS, and IT IS STILL BROKEN.

     

    Is there anyone reading that can help?

     

    I find it hard to believe MS would release a product as broken as this appears to be... but one never knows.

     

    Probably the biggest problem is the lack of diagnostic tools.  The problems I have been having mostly relate to OCS quietly "failing" with no ability to diagnose the root problem.  Nothing in any of the logs, Event Viewer, etc.

     

     

    BTW, I have read most of the available documentation and white papers, and bought a couple of Microsoft Press OCS books.  It is all very confusing and disjointed.  This is saying something, since I have been in the industry for over 35 years with most of that in O/S development.

     

    - Mark

     

    Thursday, October 16, 2008 7:44 PM
  • Mark,

     

    I read through this thread and, from the different topics to the bouncing between Standard and Enterprise, it's hard to follow what does and doesn't work at this point.

     

    I'd suggest creating a new post with a short summary of (a) what you have deployed, (b) what you really want to do with OCS, and (c) what does and does not work at the moment.  At this point things appear over-complicated and it might make sense to start from the beginning and retrace your steps, or at least put together a basic design.

     

    There is no reason that a single Standard Edition Stand-Alone server shouldn't be able to get all internal clients working with IM, Audio/Video, LM, and all other OCS features.  You don't need to run an Expanded Enterprise to get the basic functionality working, and I wouldn't even roll an Edge server into the mix until you have everything working internally first.

     

    Thursday, October 16, 2008 8:18 PM
    Moderator
  • > I'd suggest creating a new post with a short summary of (a) what you have deployed, (b) what you really want to do with OCS, and (c) what does and does not work at the moment.  At this point things appear over-complicated and it might make sense to start from the beginning and retrace your steps, or at least put together a basic design.

     

    Done: http://forums.microsoft.com/unifiedcommunications/ShowPost.aspx?PostID=4014871&SiteID=57

     

    > There is no reason that a single Standard Edition Stand-Alone server shouldn't be able to get all internal clients working with IM, Audio/Video, LM, and all other OCS features.  You don't need to run an Expanded Enterprise to get the basic functionality working, and I wouldn't even roll an Edge server into the mix until you have everything working internally first.

     

    That is what I would have expected as well, but my experience shows quite the opposite.

     

    - Mark

    Friday, October 17, 2008 2:05 PM