OCS 2007 R2 introduced support for configuring a firewall to perform Network Address Translation (NAT) for the A/V Edge external interface. This option is available only with the Single Consolidated Topology as shown in figure 1.0.
When configuring the A/V Edge for NAT it’s possible that remote users (both employees and federated) will be able to establish IM connectivity and view presence data but not escalate the conversation to an audio session. The call will typically appear to connect but then drop within about 5 seconds with the error message: “The call was disconnected because you stopped receiving audio from firstName lastName. Please try the call again.”
Figure 1.0 – Typical AV Edge Configured for NAT
The error only occurs when remote users are trying to establish a MOC to MOC audio conference with an internal user (with 2 remote MOC clients, the audio stream is point to point between them via the Internet).
The error is caused by a change in R2 A/V Edge service behavior. When the “External IP address is translated by NAT” checkbox is checked, it signals the A/V Edge service to provide the Pool front end server with the IP address associated with A/V Edge’s external FQDN. That IP address is then returned to the remote client via in-band provisioning and if it happens to be the NAT’d IP address of the A/V Edge service instead of the Public IP address, the remote MOC client will not be able to connect.
A Snooper trace of the Communicator-uccapi-0.uccapilog will look something like this:
Figure 1.1 – Snooper trace showing sample A/V Conference Initiation
Trace of Failed Connection:
200OK from Address Exchange (16:18:07.558) – a=candidate: list indicates which IP Addresses are available to the remote endpoint. Note that all candidates are non-routable in this trace.
200OK from Candidate Promotion (16:18:13.246) – a=candidate: list indicates which IP Addresses the remote endpoint will attempt to connect to. The remote endpoint will fail when trying to connect to 10.45.16.5
For comparison, the trace from a successful connection below shows that the remote endpoint will attempt to connect to a publicly routable IP address (which will NAT to the A/V Edge service’s private IP address) and the audio conferencing session will be established.
Trace of Successful Connection:
200OK from Address Exchange (16:18:07.558) – a=candidate: list indicates which IP Addresses are available to the remote endpoint. Note that 4 of the candidates are publicly addressable in this trace.
200OK from Candidate Promotion (16:18:13.246) – a=candidate: list indicates which IP Addresses the remote endpoint will attempt to connect to. The remote endpoint will succeed when trying to connect to 220.127.116.11
To avoid this issue perform the following 4 steps as part of the A/V Edge service configuration. And keep in mind they are unique to the single consolidated Edge topology.
Step 1 – Configure the firewall to perform DNAT inbound and SNAT outbound for the A/V Edge external interface
In any location with multiple Edge Servers deployed behind a load balancer, the external firewall cannot function as a network address translation (NAT) device. However, in a site with only a single Edge Server deployed, the external firewall can be configured as a NAT.
If you do so, configure the NAT as a destination network address translation (DNAT) for inbound traffic—in other words, configure any firewall filter used for traffic from the Internet to the Edge Server with DNAT, and configure any firewall filter for traffic going from the Edge Server to the Internet (outbound traffic) as a source network address translation (SNAT). The A/V Edge server external interface will have a private IP address, as shown in Figure 1.2.
Figure 1.2 Sample AV Edge configuration for NAT
Step 2 – Configure the Edge server to resolve the FQDN associated with public A/V Edge service to the public IP Address, not the NAT’d IP address. Using Figure 1.0 for reference; assume your A/V Edge service has a public IP address of 18.104.22.168 and a NAT’d IP address of 10.45.16.5; if you run CMD.exe from the Edge server and type ping av.contoso.com it must return 22.214.171.124
Step 3 – Configure the A/V Edge service to support NAT by checking the “External IP address is translated by NAT” checkbox
Step 4 – Restart the Edge server (or at least the A/V Edge service) to force the changes to take effect
Remember, if the A/V Edge external interface is not publicly addressable, federated A/V conferencing with OCS 2007 R1 clients is not an option.