Today's post comes courtesy of Wes Glockzin, Support Escalation Engineer in Texas, wesglock at microsoft dot com.
The following is a synopsis of an issue I had, and things I learned, with a customer that is using three OCS 2007 R2 Edge servers, load balanced and NAT/firewalled both internally and externally.
At first, all the edges' external interfaces were non-routable IPs, with only the external VIP being a real, routable IP. SIP traces indicated internet clients were never reaching the AVMCU. We discovered that if a single edge was used, the external IP could be 10.x.x.x, but when we threw in the other two, for a total of three, it wouldn't work. At this point, the customer decided to make all external edge interfaces real, routable IPs. With their particular network, having the WebConf and Access IPs be 10.x.x.x would have been extremely difficult; I had to agree, and it kind of made no sense at the time. However, we did see the client hit the VIP once with STUN and TURN, but after that it hit the individual real IPs. This makes sense: if userA is connected to edge1 and another user, userB, is connected to edge2, then whoever generates the call, the other user will start talking to the generator's real IP, so the traffic moves over. We assumed that a true NAT can only be in effect with a single-edge topology.
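The behaviour above, where the client touches the VIP once for STUN/TURN and then talks to an individual edge's address, shows up in the SDP the client offers: the relay candidate carries the address of the A/V Edge interface that allocated it, not the VIP. The following is an added example, not code from the original post or from Microsoft, that parses ICE-style `a=candidate:` lines out of a constructed SDP body and flags relay candidates that an internet peer could never reach because they sit in RFC 1918 space. The addresses (VIP 203.0.113.10, edge interfaces 10.20.30.41 and 203.0.113.41, client 192.168.1.20 behind 198.51.100.7) and the candidate syntax are assumptions; the exact attribute format in an OCS 2007 R2 trace may differ.

```python
import ipaddress
import re

# RFC 1918 ranges. An internet client cannot route to these, so a relay
# candidate carrying one of them is exactly the symptom described in the post.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# ICE-style candidate attribute. Assumption: the trace shows standard
# "a=candidate:" lines; the exact syntax in an OCS 2007 R2 trace may differ.
CANDIDATE_RE = re.compile(
    r"^a=candidate:(?P<foundation>\S+)\s+(?P<component>\d+)\s+(?P<transport>\S+)\s+"
    r"(?P<priority>\d+)\s+(?P<addr>\S+)\s+(?P<port>\d+)\s+typ\s+(?P<type>\S+)"
)


def sample_sdp(relay_addr):
    """Constructed SDP offer from a home client (192.168.1.20 behind NAT 198.51.100.7).

    Only the relay candidate lines differ between the two scenarios: the relay
    address is whatever the A/V Edge that allocated it advertises (assumed values).
    """
    return "\n".join([
        "v=0",
        "o=- 0 0 IN IP4 192.168.1.20",
        "s=edge-test",
        "c=IN IP4 192.168.1.20",
        "m=audio 50000 RTP/AVP 0",
        "a=candidate:1 1 UDP 2130706431 192.168.1.20 50000 typ host",
        "a=candidate:1 2 UDP 2130706430 192.168.1.20 50001 typ host",
        "a=candidate:2 1 UDP 1694498815 198.51.100.7 62000 typ srflx raddr 192.168.1.20 rport 50000",
        "a=candidate:2 2 UDP 1694498814 198.51.100.7 62001 typ srflx raddr 192.168.1.20 rport 50001",
        f"a=candidate:3 1 UDP 16777215 {relay_addr} 50010 typ relay raddr 198.51.100.7 rport 62000",
        f"a=candidate:3 2 UDP 16777214 {relay_addr} 50011 typ relay raddr 198.51.100.7 rport 62001",
    ])


VIP = "203.0.113.10"                            # assumed external VIP on the load balancer
SDP_PRIVATE_EDGE = sample_sdp("10.20.30.41")    # edge external interface is 10.x (the original setup)
SDP_PUBLIC_EDGE = sample_sdp("203.0.113.41")    # edge external interface is routable (the fix)


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_candidates(sdp):
    """Return every a=candidate line as a dict; non-candidate lines are ignored."""
    cands = []
    for line in sdp.splitlines():
        m = CANDIDATE_RE.match(line.strip())
        if m:
            c = m.groupdict()
            c["component"] = int(c["component"])
            c["port"] = int(c["port"])
            c["priority"] = int(c["priority"])
            cands.append(c)
    return cands


def classify_relay_candidates(sdp, vip=None):
    """Label each relay candidate as 'private' (unreachable from the internet),
    'vip' (the load balancer address) or 'per-edge' (one edge's own routable IP,
    which is where the post saw media go after the initial STUN/TURN hit on the VIP)."""
    out = []
    for c in parse_candidates(sdp):
        if c["type"] != "relay":
            continue
        if is_rfc1918(c["addr"]):
            label = "private"
        elif vip is not None and c["addr"] == vip:
            label = "vip"
        else:
            label = "per-edge"
        out.append((c["addr"], c["port"], label))
    return out


def unreachable_relays(sdp):
    """Distinct relay addresses in the offer that an internet peer cannot route to."""
    return sorted({addr for addr, _, label in classify_relay_candidates(sdp) if label == "private"})


if __name__ == "__main__":
    for name, sdp in (("private edge", SDP_PRIVATE_EDGE), ("public edge", SDP_PUBLIC_EDGE)):
        print(name, classify_relay_candidates(sdp, VIP))
        print("  unreachable relay addresses:", unreachable_relays(sdp))
```

Run it against the candidate lines copied out of a real SIP trace instead of `sample_sdp`: any relay candidate that comes back `private` is an edge whose external A/V interface is not routable, and a remote party will never complete a check against it no matter what the VIP is.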
The following are key gotchas to keep in mind when deploying multiple load-balanced edges that are NAT/firewalled both internally and externally.