Configuring R2 A/V Edge Service for NAT


OCS 2007 R2 introduced support for configuring a firewall to perform Network Address Translation (NAT) for the A/V Edge external interface. This option is available only with the Single Consolidated Edge topology, as shown in Figure 1.0.


When the A/V Edge is configured for NAT, it is possible that remote users (both employees and federated users) will be able to establish IM connectivity and view presence data but not escalate the conversation to an audio session. The call typically appears to connect but then drops within about 5 seconds with the error message: “The call was disconnected because you stopped receiving audio from firstName lastName. Please try the call again.”


Figure 1.0 – Typical AV Edge Configured for NAT





Cause:


The error occurs only when a remote user tries to establish a MOC-to-MOC audio call with an internal user. With two remote MOC clients the audio stream is point to point between them across the Internet, so the A/V Edge external address is not in the media path and the problem does not appear.


The error is caused by a change in R2 A/V Edge service behavior. When the “External IP address is translated by NAT” checkbox is checked, the A/V Edge service provides the pool Front End server with the IP address that the A/V Edge’s external FQDN resolves to. That IP address is then handed to the remote client via in-band provisioning. If the FQDN resolves (from the Edge server’s point of view) to the NAT’d private IP address of the A/V Edge service instead of the public IP address, the remote MOC client is given an address it cannot reach and the audio session fails.


Detection:



A Snooper trace of the Communicator-uccapi-0.uccapilog will look something like this:


Figure 1.1 – Snooper trace showing sample A/V Conference Initiation





Trace of Failed Connection:


200 OK from Address Exchange (16:18:07.558): the a=candidate: list indicates which IP addresses are available to the remote endpoint. Note that all candidates are non-routable in this trace.




200 OK from Candidate Promotion (16:18:13.246): the a=candidate: list indicates which IP addresses the remote endpoint will attempt to connect to. The remote endpoint will fail when trying to connect to 10.45.16.5.




For comparison, the trace from a successful connection below shows that the remote endpoint will attempt to connect to a publicly routable IP address (which the firewall NATs to the A/V Edge service’s private IP address), and the audio conferencing session is established.


Trace of Successful Connection:


200 OK from Address Exchange (16:18:07.558): the a=candidate: list indicates which IP addresses are available to the remote endpoint. Note that 4 of the candidates are publicly addressable in this trace.




200 OK from Candidate Promotion (16:18:13.246): the a=candidate: list indicates which IP addresses the remote endpoint will attempt to connect to. The remote endpoint will succeed when trying to connect to 63.123.155.5.


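The comparison above comes down to one question: does the a=candidate: list handed to the remote endpoint contain at least one publicly routable address? The following PowerShell script is an added example (not part of the original post and not Microsoft code) that applies that check to candidate lines copied out of a Snooper or uccapilog trace. The trace lines it contains are constructed for illustration using the article's addresses (10.45.16.5 private, 63.123.155.5 public); the exact candidate syntax in a real R2 trace may differ, so the parser keys only on the first dotted-quad token of each candidate line (the connection address), not on the field layout. It assumes PowerShell 2.0 or later.

```powershell
# Added example: classify the connection addresses in a=candidate: lines so the failing
# pattern (every candidate non-routable) is spotted without reading the SDP by hand.
# Sample trace lines below are CONSTRUCTED, not taken from a real uccapilog.

function Test-Rfc1918Address {
    param([Parameter(Mandatory = $true)][string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    # 10/8, 172.16/12 and 192.168/16: none of these is reachable from a client on the Internet
    return (($b[0] -eq 10) -or
            ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
            ($b[0] -eq 192 -and $b[1] -eq 168))
}

function Get-CandidateAddresses {
    # Returns the distinct connection addresses offered in a=candidate: lines, in order of appearance
    param([string[]]$TraceLines)
    $found = @()
    foreach ($line in $TraceLines) {
        if ($line -notmatch 'a=candidate:') { continue }
        $m = [regex]::Match($line, '\b(\d{1,3}\.){3}\d{1,3}\b')
        if ($m.Success -and ($found -notcontains $m.Value)) { $found += $m.Value }
    }
    return $found
}

function Test-CandidateTrace {
    # Verdict matches the two cases in the article: all private = failing call, any public = reachable
    param([string[]]$TraceLines)
    $addrs   = @(Get-CandidateAddresses $TraceLines)
    $public  = @($addrs | Where-Object { -not (Test-Rfc1918Address $_) })
    $private = @($addrs | Where-Object { Test-Rfc1918Address $_ })
    $verdict = if ($addrs.Count -eq 0) { 'NO CANDIDATES FOUND' }
               elseif ($public.Count -eq 0) { 'FAIL: every candidate is non-routable; the remote endpoint cannot connect' }
               else { 'OK: a publicly routable candidate was offered' }
    New-Object PSObject -Property @{
        Verdict = $verdict
        Public  = ($public -join ', ')
        Private = ($private -join ', ')
    }
}

# Constructed sample: what a remote client sees when the Edge hands out its NAT'd address
$badTrace = @(
    'a=candidate:1 1 UDP 2130706431 10.45.16.5 50004 typ host',
    'a=candidate:2 1 TCP 1694498815 10.45.16.5 50005 typ host'
)
# Constructed sample: the same exchange once the Edge resolves its FQDN to the public address
$goodTrace = @(
    'a=candidate:1 1 UDP 2130706431 10.45.16.5 50004 typ host',
    'a=candidate:3 1 UDP 1694498815 63.123.155.5 50004 typ relay raddr 10.45.16.5 rport 50004'
)

Test-CandidateTrace $badTrace  | Format-List Verdict, Public, Private
Test-CandidateTrace $goodTrace | Format-List Verdict, Public, Private
```

To run it against a real capture, paste the body of the 200 OK from Candidate Promotion into a text file and call `Test-CandidateTrace (Get-Content .\candidates.txt)`. Feed it one SIP message at a time rather than the whole uccapilog, otherwise candidates from every call in the log are pooled into a single verdict.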



Prevention:



To avoid this issue, perform the following four steps as part of the A/V Edge service configuration. Keep in mind that they apply only to the Single Consolidated Edge topology.


Step 1 Configure the firewall to perform DNAT inbound and SNAT outbound for the A/V Edge external interface


In any location with multiple Edge Servers deployed behind a load balancer, the external firewall cannot function as a network address translation (NAT) device. However, in a site with only a single Edge Server deployed, the external firewall can be configured as a NAT.


If you do so, configure the NAT as a destination network address translation (DNAT) for inbound traffic—in other words, configure any firewall filter used for traffic from the Internet to the Edge Server with DNAT, and configure any firewall filter for traffic going from the Edge Server to the Internet (outbound traffic) as a source network address translation (SNAT). The A/V Edge server external interface will have a private IP address, as shown in Figure 1.2.


Figure 1.2 Sample AV Edge configuration for NAT




 


Step 2  Configure the Edge server to resolve the FQDN of the public A/V Edge service to the public IP address, not the NAT’d IP address (an entry in the Edge server’s hosts file is one way to do this if the server in the DMZ cannot query external DNS). Using Figure 1.0 for reference, assume the A/V Edge service has a public IP address of 63.123.155.5 and a NAT’d IP address of 10.45.16.5. If you open CMD.exe on the Edge server and type ping av.contoso.com, it must return 63.123.155.5. The public address is never bound to the Edge server’s external NIC; only the private addresses are.


Step 3 Configure the A/V Edge service to support NAT by checking the “External IP address is translated by NAT” checkbox



Step 4 Restart the Edge server (or at least the A/V Edge service) to force the changes to take effect
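The following PowerShell script is an added example (not part of the original post and not Microsoft code) that checks the Step 2 prerequisite on the Edge server and performs Step 4. Everything it hard-codes is an assumption taken from the article's example: FQDN av.contoso.com, public IP 63.123.155.5, private A/V Edge IP 10.45.16.5, and the Windows service name RtcMediaRelay for the A/V Edge service, which you should confirm against the services list on your own server. It resolves the name the same way ping does (including the hosts file), adds a hosts entry only when resolution is wrong, and restarts the service. Step 3 (the NAT checkbox) is set in the MMC and is not scripted here. Run it from an elevated PowerShell 2.0 or later prompt on the Edge server.

```powershell
# Added example: verify Step 2 (FQDN -> public IP from the Edge server's point of view),
# fix it with a hosts entry if needed, then perform Step 4 (restart the A/V Edge service).
# All addresses, the FQDN and the service name below are ASSUMED values from the article's example.

$AvEdgeFqdn    = 'av.contoso.com'
$PublicIp      = '63.123.155.5'
$PrivateIp     = '10.45.16.5'
$AvEdgeService = 'RtcMediaRelay'   # assumed service name; confirm with: Get-Service | Where-Object { $_.DisplayName -match 'Edge' }
$HostsFile     = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-ResolvedIPv4 {
    # Same resolver path that ping uses: hosts file first, then DNS
    param([string]$Fqdn)
    try {
        return [System.Net.Dns]::GetHostAddresses($Fqdn) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.ToString() }
    } catch {
        return @()
    }
}

function Test-AvEdgeResolution {
    # $true only if the FQDN resolves to the public address and NOT to the NAT'd private one
    param([string]$Fqdn, [string]$Expected, [string]$Forbidden)
    $resolved = @(Get-ResolvedIPv4 $Fqdn)
    Write-Host ("{0} resolves to [{1}]" -f $Fqdn, ($resolved -join ', '))
    return (($resolved -contains $Expected) -and -not ($resolved -contains $Forbidden))
}

# Step 2 check
if (-not (Test-AvEdgeResolution -Fqdn $AvEdgeFqdn -Expected $PublicIp -Forbidden $PrivateIp)) {
    Write-Warning "Expected $PublicIp; remote clients would be handed an address they cannot reach."
    # Hosts-file override: only add the line if this FQDN is not already present
    if (-not (Select-String -Path $HostsFile -Pattern ([regex]::Escape($AvEdgeFqdn)) -Quiet)) {
        $entry = "$PublicIp`t$AvEdgeFqdn"
        Add-Content -Path $HostsFile -Value $entry
        ipconfig /flushdns | Out-Null      # drop any cached answer so the new mapping takes effect
        Write-Host "Added '$entry' to $HostsFile"
    } else {
        Write-Warning "$HostsFile already contains an entry for $AvEdgeFqdn; check that it points to $PublicIp"
    }
    if (-not (Test-AvEdgeResolution -Fqdn $AvEdgeFqdn -Expected $PublicIp -Forbidden $PrivateIp)) {
        throw "Resolution still wrong after hosts-file update; fix it before restarting the service"
    }
}

# Step 4: restart the A/V Edge service so it re-reads the NAT setting and the FQDN mapping
$svc = Get-Service -Name $AvEdgeService -ErrorAction SilentlyContinue
if ($svc) {
    Restart-Service -Name $AvEdgeService -Force
    Write-Host "$AvEdgeService restarted; re-test an external-to-internal audio call"
} else {
    Write-Warning "Service '$AvEdgeService' not found; adjust `$AvEdgeService to the A/V Edge service name on this server"
}
```

If the script reports the private address even after the hosts entry exists, check for an internal DNS zone that also answers for the external FQDN; the Edge server must never see 10.45.16.5 for av.contoso.com, whichever resolver answers first.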


Remember, if the A/V Edge external interface is not publicly addressable, federated A/V conferencing with OCS 2007 R1 clients is not an option.


Comments (17)

  1. Anonymous says:

    From OCS Team blog: Rick Varvel, a Microsoft Principal Consultant has just started his blog and his first

  2. Anonymous says:

    You wrote: if you run CMD.exe from the Edge server and type ping av.contoso.com it must return 63.123.155.5

    But did not say how I get that external IP that is on the firewall in there – do I add it in the host file, put the IP address on the nic?

    Thanks,

  3. Anonymous says:

I have the same problem but I cannot find the configuration dialog that you show in figure 1.2. I have been through all the administration and config screens I can find but cannot find the option "External IP Address is translated by NAT". Any pointers in the right direction would be much appreciated!

  4. Anonymous says:

    Hi Mark, 63.123.155.5 is only published in your external DNS. The 3 IP addresses bound to the external NIC in the Single Consolidated Edge server will be:

    10.45.16.3, 10.45.16.4, and 10.45.16.5

    You’d then configure your firewall to NAT 63.123.155.5 to 10.45.16.5

    The key is that when you’re on your Edge server and ping av.contoso.com it returns the public IP Address for av.contoso.com so that the remote client will be provided that IP address instead of the NAT’d IP address which it can’t reach.

  5. Anonymous says:

    All,

    As Rick’s great blog described, in a Consolidated Edge deployment when using NAT the actual External NIC on the Edge Server will have a non-routable IP address.  In Rick’s example he said it was 10.45.16.5.  

    Clearly, no external clients can connect to that IP address.    

    Rick said next to configure "your firewall to NAT 63.123.155.5 to 10.45.16.5".  

    A server behind a NAT firewall doesn’t know it’s behind a NAT firewall.  In the case of the OCS Edge we explicitly tell it about the NAT (using the check box), and about its external IP address.  

    That way, when returning candidates during the discovery process of call setup, it will return its external IP address, instead of the IP address bound to its physical NIC (which is a private IP address).  

    It’s also important, that any DNS record for the AV Edge, point to the External Public IP address.

    Hopefully that clarifies the points Rick made earlier.  

    Cheers,

    Craig

  6. Anonymous says:

    Hi Rick,

    I guess from your info, you have configured your public 63.123.155.5 address on your AVEdge server as you have configured this IP for use in figure 1.2 above.

    However, is this right? You have later stated that only your private addresses are configured on the edge server which is as I would expect. How else did you make the public IP available as a valid IP to choose from in the AVEdge properties dialog? I have only got my private addresses to choose from in here.

    Thanks for the article; hits the nail on the head!

    Brian.

  7. Anonymous says:

    I have the same question as BrianCain.  I have our consolidated edge set up with three private IPs and our firewall set up to NAT a public IP to the private.  I went into the hosts file on the edge server and made an entry for our ocs AV FQDN with the public IP so that when I ping it from the edge, I get the public IP returned.  I do not understand why you show a public IP in the figure 1.2 above.

  8. Anonymous says:

    Hi Rick,

    Sorry, there is a typo in the previous post.

    We are very confused with figure 1.2. I CANNOT select the public IP address from the list, because the list is about the NIC IPs of the A/V Edge server.

    Please please help………….

    Notmen

  9. Anonymous says:

    I guess I’m getting confused by the fact that your figure 1.2 has a public IP in it. Can you help explain?

    Many thanks,

    Brian

  10. Anonymous says:

    Hi All,

    Just got things to work!!!

    Here is my settings.

    *** I have no DNS access from the DMZ where the consolidated edge server is placed ****

    1. I use the private IP of the A/V Edge external NIC in figure 1.2 instead of the public IP………

    2. In the A/V Edge server hosts file, add an entry to resolve the A/V Edge external FQDN to the public IP of the A/V Edge. In Rick’s example, it should be <av.contoso.com 63.123.155.5>.

    3. Most important………. Add an A record in the inside DNS server to resolve the internal FQDN of the A/V Edge server to the "A/V Edge internal NIC IP". In Rick’s example, it should be <ocsedge.contoso.net 172.25.33.20>.

    A very obvious symptom: before I made the change in Point 3, any audio or video call took a few seconds before the pop-up appeared on the callee side, no matter whether the caller was inside or outside.

    After Point 3, all calls appear at once on the callee side.

    Hope this helps all other brothers…..

    Notmen.

  11. Anonymous says:

    Hi Rick,

    We are very confused with figure 1.2. I can select the public IP address from the list, because the list is about the NIC IPs of the A/V Edge server.

    Please please help………….

    Notmen

  12. Anonymous says:

    Ok – I answered my own question!

    For others struggling to find the dialog box shown in fig. 1.2:

    On your edge server go to: start->run-> type in compmgmt.msc

    At the bottom of the left-hand pane you should notice a new entry – Office Communications Server. Right-click it, choose Properties, Edge Interfaces, then click Configure next to the A/V Edge Server section.

    Sounds really obvious now, but I completely missed this simple step for days because I kept going to server manager instead!

    Sam

  13. Anonymous says:

    Chances are that, if you live in one of the green countries from the picture below (courtesy of Wikipedia

  14. Anonymous says:

    Is there any doc describe A/V call flow between External User and (External or Internal) user in OCS 2007 R2?

  15. Anonymous says:

    Hi,

    Did anyone find a solution as to why the Public IP appeared in the diagram?

    Matt

  16. Anonymous says:

    Hi all,

    I’ve got exactly the same problem as the one described here.

    But in my case, I only have a single test server (with just 1 NIC) that handles all the roles, so there is no edge server.

    The problem is that when I go to the A/V Conferencing server properties, I have fewer options: I do not have the "External IP address is translated by NAT" checkbox and there is no place for Media port range for example.

    How can I figure this out?

  17. K Mortazavi says:

    Hi

    I have OCS 2007 R2 Enterprise Edition

    configuration is OK and all validation is OK

    my problem is when an external user wants to communicate with an internal user (audio call), communication is not OK

    I captured packets and found the problem is when the call is answered, the external user sends a "STUN2 protocol packet" from a private IP address to the private IP address of the internal user's computer.

    but when the external user wants to talk with PSTN or … the call is answered successfully

    I want a good solution for my problem.

    PLEASE HELP ME and mail me a solution .. mortazavi.kazem@gmail.com

    thanks