Today's post comes courtesy of Wes Glockzin, Support Escalation Engineer in Texas, wesglock at microsoft dot com.
The following is a synopsis of an issue I had and things I learned with customer that is using three OCS 2007 R2 Edge servers load balanced and NAT/firewalled both internally and externally.
At first, all the edges external interfaces were non-routable IP’s with only the external VIP being a real, routable IP. SIP traces indicated internet clients were never reaching the AVMCU. We discovered that if a single edge was used the external IP could be 10.x.x.x but when we threw in the other two, for a total of three it wouldn’t work. At this point, the customer decided to make all external edge interfaces real, routable IP’s. With their particular network, having the WebConf and Access IP 10.x.x.x would have been extremely difficult and I had to agree and kind of made no sense at the time. However, we did see the client hit the VIP once with STUN and TURN but after that it hit the individual real IP’s. This makes sense because if userA is connected to edge1 and another user, userB is connected to edge2, who ever generates the call, the other user will start talking to the generators real IP thus it moves over. We assumed that a true NAT can only be in effect with a single edge topology.
The following are key gotchas to keep in mind when deploying multiple edges load balanced and NAT/firewalled internally and externally.
Ensure sticky is set properly for all three external VIPs as well as the internal VIP.
Verify timeouts for the sticky settings.
Ensure you are SNAT on the WebConf, Access for external…and that's SNAT defined as the client NEVER sees the "real" IP always going through the VIP for Webconf and access.
It appears that the AV Edge external interface can be either SNAT or DNAT, the application doesn't really care through normal operation. Through SIP signaling, you will be pointed (as a client from the internet) directly to the REAL IP of the edge server that is hosting the conference so from a networking perspective, as long as a client from the internet can talk to both the AV Edge external interface VIP as well as all the AV Edge external interface real IPs, all should be good.
The Edge internal interface VIP is required to be pure SNAT.
Ensure that the "3way" handshake on 443 as a keep alive, with a 30 second dead timer, and everything fails over to the next server flawlessly.