OCS 2007 R2 introduced support for configuring a firewall to perform Network Address Translation (NAT) for the A/V Edge external interface. This option is available only with the Single Consolidated Topology, as shown in Figure 1.0.
When configuring the A/V Edge for NAT it’s possible that remote users (both employees and federated) will be able to establish IM connectivity and view presence data but not escalate the conversation to an audio session. The call will typically appear to connect but then drop within about 5 seconds with the error message: “The call was disconnected because you stopped receiving audio from firstName lastName. Please try the call again.”
Figure 1.0 – Typical AV Edge Configured for NAT
The error only occurs when remote users are trying to establish a MOC to MOC audio conference with an internal user (with 2 remote MOC clients, the audio stream is point to point between them via the Internet).
The error is caused by a change in R2 A/V Edge service behavior. When the “External IP address is translated by NAT” checkbox is checked, it signals the A/V Edge service to provide the Pool front end server with the IP address associated with the A/V Edge’s external FQDN. That IP address is then returned to the remote client via in-band provisioning, and if it happens to be the NAT’d (private) IP address of the A/V Edge service instead of the public IP address, the remote MOC client will not be able to connect.
A Snooper trace of the Communicator-uccapi-0.uccapilog will look something like this:
Figure 1.1 – Snooper trace showing sample A/V Conference Initiation
Trace of Failed Connection:
200 OK from Address Exchange (16:18:07.558) – the a=candidate: list indicates which IP addresses are available to the remote endpoint. Note that all candidates are non-routable in this trace.
200 OK from Candidate Promotion (16:18:13.246) – the a=candidate: list indicates which IP addresses the remote endpoint will attempt to connect to. The remote endpoint will fail when trying to connect to 10.45.16.5.
For comparison, the trace from a successful connection below shows that the remote endpoint will attempt to connect to a publicly routable IP address (which will NAT to the A/V Edge service’s private IP address) and the audio conferencing session will be established.
Trace of Successful Connection:
200 OK from Address Exchange (16:18:07.558) – the a=candidate: list indicates which IP addresses are available to the remote endpoint. Note that 4 of the candidates are publicly addressable in this trace.
200 OK from Candidate Promotion (16:18:13.246) – the a=candidate: list indicates which IP addresses the remote endpoint will attempt to connect to. The remote endpoint will succeed when trying to connect to 126.96.36.199.
To avoid this issue, perform the following four steps as part of the A/V Edge service configuration. Keep in mind that they apply only to the Single Consolidated Edge topology.
Step 1 – Configure the firewall to perform DNAT inbound and SNAT outbound for the A/V Edge external interface
In any location with multiple Edge Servers deployed behind a load balancer, the external firewall cannot function as a network address translation (NAT) device. However, in a site with only a single Edge Server deployed, the external firewall can be configured as a NAT.
If you do so, configure the NAT as a destination network address translation (DNAT) for inbound traffic—in other words, configure any firewall filter used for traffic from the Internet to the Edge Server with DNAT, and configure any firewall filter for traffic going from the Edge Server to the Internet (outbound traffic) as a source network address translation (SNAT). The A/V Edge server external interface will have a private IP address, as shown in Figure 1.2.
Figure 1.2 Sample AV Edge configuration for NAT
Step 2 – Configure the Edge server to resolve the FQDN associated with the public A/V Edge service to the public IP address, not the NAT’d IP address. Using Figure 1.0 for reference, assume your A/V Edge service has a public IP address of 188.8.131.52 and a NAT’d IP address of 10.45.16.5; if you run CMD.exe from the Edge server and type ping av.contoso.com, it must return 184.108.40.206.
Step 3 – Configure the A/V Edge service to support NAT by checking the “External IP address is translated by NAT” checkbox
Step 4 – Restart the Edge server (or at least the A/V Edge service) to force the changes to take effect
Remember, if the A/V Edge external interface is not publicly addressable, federated A/V conferencing with OCS 2007 R1 clients is not an option.
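As an added illustration (not part of Rick's post and not an OCS tool), the following Python script reproduces the comparison the two Snooper traces above make and the Step 2 check: it parses a=candidate: lines out of an SDP body, classifies each candidate's address as publicly routable or not, and reports whether what the Edge server resolves the A/V Edge FQDN to is the public address or the NAT'd one. The SDP fragments are constructed; the candidate line layout is a generic ICE-style format and the foundations, priorities, ports and the internal client's 192.168.1.20 address are made up. The only values taken from the post are 10.45.16.5 (the NAT'd A/V Edge interface) and 126.96.36.199 (the public address the successful trace connects to).

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed SDP fragments modelled on the two Snooper traces in the post.
# Host candidates belong to the internal user's client (made-up 192.168.1.20);
# the relay/srflx candidates are the A/V Edge service.
FAILED_200OK = """\
a=candidate:1 1 UDP 2130706431 192.168.1.20 50000 typ host
a=candidate:1 2 UDP 2130705918 192.168.1.20 50001 typ host
a=candidate:2 1 UDP 16777215 10.45.16.5 59010 typ relay raddr 192.168.1.20 rport 50000
a=candidate:2 2 UDP 16776702 10.45.16.5 59011 typ relay raddr 192.168.1.20 rport 50001
"""

SUCCESSFUL_200OK = """\
a=candidate:1 1 UDP 2130706431 192.168.1.20 50000 typ host
a=candidate:1 2 UDP 2130705918 192.168.1.20 50001 typ host
a=candidate:3 1 UDP 1694498815 126.96.36.199 52010 typ srflx raddr 192.168.1.20 rport 50000
a=candidate:3 2 UDP 1694498302 126.96.36.199 52011 typ srflx raddr 192.168.1.20 rport 50001
a=candidate:2 1 UDP 16777215 126.96.36.199 59010 typ relay raddr 192.168.1.20 rport 50000
a=candidate:2 2 UDP 16776702 126.96.36.199 59011 typ relay raddr 192.168.1.20 rport 50001
"""


@dataclass
class Candidate:
    foundation: str
    component: int      # 1 = RTP, 2 = RTCP
    transport: str
    priority: int
    address: str
    port: int
    kind: str           # host / srflx / relay, or "unknown" when no "typ" field is present


# foundation component transport priority address port [typ <kind>] ...
CANDIDATE_RE = re.compile(
    r"^a=candidate:(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)(?:\s+typ\s+(\S+))?",
    re.MULTILINE,
)


def parse_candidates(sdp):
    """Return every a=candidate: line in an SDP body as a Candidate."""
    return [
        Candidate(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)),
                  m.group(5), int(m.group(6)), m.group(7) or "unknown")
        for m in CANDIDATE_RE.finditer(sdp)
    ]


def is_routable(address):
    """True when an address is one a client on the Internet could reach (not RFC 1918,
    loopback, link-local, multicast, reserved or unspecified)."""
    ip = ipaddress.ip_address(address)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def routable_candidates(sdp):
    return [c for c in parse_candidates(sdp) if is_routable(c.address)]


def diagnose(sdp):
    """Summarise a 200 OK candidate list the way the post reads the two traces."""
    cands = parse_candidates(sdp)
    if not cands:
        return "no a=candidate lines found"
    public = [c for c in cands if is_routable(c.address)]
    if not public:
        return ("all %d candidates are non-routable; the remote client cannot reach the "
                "A/V Edge (check that the Edge server resolves the A/V Edge FQDN to the "
                "public IP, Step 2)" % len(cands))
    return "%d of %d candidates are publicly addressable" % (len(public), len(cands))


def check_edge_resolution(resolved_ip, expected_public_ip):
    """Step 2 check: the address 'ping av.contoso.com' returns on the Edge server
    must be the public A/V Edge address, never the NAT'd one."""
    if not is_routable(resolved_ip):
        return "BAD: FQDN resolves to the NAT'd/private address %s" % resolved_ip
    if ipaddress.ip_address(resolved_ip) != ipaddress.ip_address(expected_public_ip):
        return "BAD: FQDN resolves to %s, expected %s" % (resolved_ip, expected_public_ip)
    return "OK: FQDN resolves to the public address %s" % resolved_ip


if __name__ == "__main__":
    print("Failed trace:    ", diagnose(FAILED_200OK))
    print("Successful trace:", diagnose(SUCCESSFUL_200OK))
    print(check_edge_resolution("10.45.16.5", "126.96.36.199"))
    print(check_edge_resolution("126.96.36.199", "126.96.36.199"))
```

To use it on a real capture, paste the SDP body of the 200 OK from the uccapilog into one of the string constants; the regex only needs the first six fields of each candidate line, so it tolerates the extra relay/srflx attributes that follow.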
From OCS Team blog: Rick Varvel, a Microsoft Principal Consultant has just started his blog and his first
You wrote: if you run CMD.exe from the Edge server and type ping av.contoso.com it must return 220.127.116.11
But did not say how I get that external IP that is on the firewall in there - do I add it in the host file, put the IP address on the nic?
Hi Mark, 18.104.22.168 is only published in your external DNS. The 3 IP addresses bound to the external NIC in the Single Consolidated Edge server will be:
10.45.16.3, 10.45.16.4, and 10.45.16.5
You'd then configure your firewall to NAT 22.214.171.124 to 10.45.16.5
The key is that when you're on your Edge server and ping av.contoso.com it returns the public IP Address for av.contoso.com so that the remote client will be provided that IP address instead of the NAT'd IP address which it can't reach.
I guess from your info, you have configured your public 126.96.36.199 address on your AVEdge server as you have configured this IP for use in figure 1.2 above.
However, is this right? You have later stated that only your private addresses are configured on the edge server which is as I would expect. How else did you make the public IP available as a valid IP to choose from in the AVEdge properties dialog? I have only got my private addresses to choose from in here.
Thanks for the article; hits the nail on the head!
I guess I'm getting confused by the fact that your figure 1.2 has a public IP in it. Can you help explain?
I have the same question as BrianCain. I have our consolidated edge set up with three private IPs and our firewall set up to NAT a public IP to the private. I went into the hosts file on the edge server and made an entry for our ocs AV FQDN with the public IP so that when I ping it from the edge, I get the public IP returned. I do not understand why you show a public IP in the figure 1.2 above.
Did anyone find a solution as to why the Public IP appeared in the diagram?
As Rick's great blog described, in a Consolidated Edge deployment when using NAT the actual External NIC on the Edge Server will have a non-routable IP address. In Rick's example he said it was 10.45.16.5.
Clearly, no external clients can connect to that IP address.
Rick said next to configure "your firewall to NAT 188.8.131.52 to 10.45.16.5".
A server behind a NAT firewall doesn't know it's behind a NAT firewall. In the case of the OCS Edge we explicitly tell it about the NAT (using the check box), and about its external IP address.
That way, when returning candidates during the discovery process of call setup, it will return its external IP address instead of the IP address bound to its physical NIC (which is a private IP address).
It's also important that any DNS record for the AV Edge points to the external public IP address.
Hopefully that clarifies the points Rick made earlier.
We are very confused with figure 1.2. I can select the public IP address from the list, because the list is about the nic ip of the av edge server.
Please please help.............
Sorry, there is a typo in the previous post.
We are very confused with figure 1.2. I CAN NOT select the public IP address from the list, because the list is about the nic ip of the av edge server.
Just got things to work!!!
Here are my settings.
*** I have no DNS access from the DMZ where the consolidated edge server is placed ****
1. I use the private ip of av edge external nic in figure 1.2 instead of the public ip.........
2. In the av edge server hosts file, add an entry to resolve the av edge external FQDN to the public IP of the av edge. In Rick's example, it should be <av.contoso.com 184.108.40.206>.
3. Most important.......... Add an A record in the inside DNS server to resolve the internal FQDN of the av edge server to the "av edge internal nic ip". In Rick's example, it should be <ocsedge.contoso.net 172.25.33.20>.
A very obvious symptom is that before I made the change in Point 3, any audio or video call took a few seconds before the pop-up appeared on the callee side, no matter whether the caller was inside or outside.
After Point 3, all calls appear at once on the callee side.
Hope this helps all other brothers.....
Is there any doc describing the A/V call flow between an External User and an (External or Internal) user in OCS 2007 R2?
I've got exactly the same problem as the one described here.
But in my case, I only have a single test server (with just 1 NIC) that handles all the roles, so there is no edge server.
The problem is that when I go to the A/V Conferencing server properties, I have fewer options: I do not have the "External IP address is translated by NAT" checkbox and there is no place for Media port range for example.
How can I figure this out?
I have the same problem but I cannot find the configuration dialog that you show in figure 1.2. I have been through all the administration and config screens I can find but cannot find the option "External IP Address is translated by NAT". Any pointers in the right direction would be much appreciated!