Unable to resolve DNS SRV Record – 404 Not Found and 504 Server time-out

This issue might happen with Skype federation (PIC) or OCS/Lync federation. It’s a simple issue, but directly related to an incorrect configuration that we saw some customers doing.

Don’t forget that Lync Server has port requirements that must be met for federation to work correctly. We can check these requirements in the following TechNet article:

Port summary – Single consolidated edge with private IP addresses using NAT in Lync Server 2013
http://technet.microsoft.com/en-us/library/gg425891.aspx

This is just a reference for one possible topology on Lync Server. If you access this article, you will be able to find links for other topologies and their port requirements.

We should use these articles when asking our Security team to open the ports – otherwise we end up with Federation and External Access issues because the firewall is blocking the necessary ports.

While troubleshooting an issue related to federation, we identified that users couldn’t communicate with PIC or federated users due to a failure in DNS resolution. In the Skype federation, the Skype user will be able to find the Lync user and add them. Skype will understand the federation with your Lync environment, but it will see the user with Presence Unknown.

On Lync Server, the Lync user will also see the Skype (or federated) user, although with Presence Unknown, and when trying to send messages, they will receive an error message with ID 404. Checking the UCCAPI logs of the user, we are going to find something like this:

[Image: 404edge, the UCCAPI log entry showing the 404 error]

In this case, the main problem was that the Edge External NIC was configured with the IP address of a public DNS server, but the firewall was blocking the 53/TCP and 53/UDP ports. These ports are used for DNS queries, so the Edge Server was unable to resolve names and communicate with domains that were unknown to it.

The table below, taken from the TechNet article, contains the necessary ports for DNS queries:

Role/Protocol/TCP or UDP/Port   Source IP address                Destination IP address   Notes
Access/DNS/TCP/53               Edge Server Access Edge service  Any                      DNS query over TCP
Access/DNS/UDP/53               Edge Server Access Edge service  Any                      DNS query over UDP

After resolving this issue with DNS queries, the Edge was able to resolve names correctly, but even so we were still having issues communicating with partners. When sending IMs, the error we got this time was ID 504. The user was receiving IMs, but was unable to send them:

[Image: 504edge, the UCCAPI log entry showing the 504 error]

This time, the issue was related to port 5061. Due to a misconfiguration in the firewall rule, it was blocking Outbound traffic. Port 5061 is essential for federation and it needs to be open in both directions, Inbound and Outbound.

Role/Protocol/TCP or UDP/Port   Source IP address                Destination IP address           Notes
Access/SIP(MTLS)/TCP/5061       Any                              Edge Server Access Edge service  For federated and public IM connectivity using SIP
Access/SIP(MTLS)/TCP/5061       Edge Server Access Edge service  Any                              For federated and public IM connectivity using SIP
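Both failures above (DNS blocked on 53/UDP and 53/TCP, then 5061/TCP blocked outbound) can be checked from the Edge Server itself before opening a case with the Security team. The script below is an added example written for this post; it is not code from the original article or from Microsoft. It uses the built-in Resolve-DnsName and Test-NetConnection cmdlets (Windows Server 2012 and later). The partner domain and the DNS server address are placeholders that you replace with your own values; the SRV record name _sipfederationtls._tcp is the one Lync uses to find a partner's Access Edge.

```powershell
# Added example, not from the original post. Run on the Edge Server (external side).
# Checks the two prerequisites described in the post:
#   1. DNS queries from the Access Edge over 53/UDP and 53/TCP
#   2. Outbound SIP/MTLS on 5061/TCP to the partner's Access Edge
param(
    [string]$PartnerDomain = 'partner.example',   # placeholder: federated partner domain
    [string]$DnsServer     = '203.0.113.53'       # placeholder: public DNS configured on the External NIC
)

$srvName = "_sipfederationtls._tcp.$PartnerDomain"
$udp = $null
$tcp = $null

# 1a. DNS over UDP (53/UDP). -DnsOnly skips LLMNR/NetBIOS so only the DNS path is exercised.
try {
    $udp = Resolve-DnsName -Name $srvName -Type SRV -Server $DnsServer -DnsOnly -ErrorAction Stop
    Write-Host "53/UDP  OK     : SRV answer received for $srvName"
} catch {
    Write-Host "53/UDP  FAILED : $($_.Exception.Message)"
    Write-Host "                 check the firewall rule for UDP 53 outbound from the Access Edge"
}

# 1b. DNS over TCP (53/TCP). Large answers fall back to TCP, so this port must be open as well.
try {
    $tcp = Resolve-DnsName -Name $srvName -Type SRV -Server $DnsServer -TcpOnly -ErrorAction Stop
    Write-Host "53/TCP  OK     : SRV answer received for $srvName"
} catch {
    Write-Host "53/TCP  FAILED : $($_.Exception.Message)"
    Write-Host "                 check the firewall rule for TCP 53 outbound from the Access Edge"
}

# 2. Pick the preferred SRV target (lowest priority, then highest weight) and test 5061/TCP outbound.
$answer = @($udp) + @($tcp) |
    Where-Object { $_ -and $_.Type -eq 'SRV' } |
    Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
    Select-Object -First 1

if (-not $answer) {
    Write-Host "No SRV record resolved; cannot test 5061/TCP until DNS works."
    return
}

$target = $answer.NameTarget
$port   = $answer.Port        # federation SRV records normally point at 5061
$probe  = Test-NetConnection -ComputerName $target -Port $port -WarningAction SilentlyContinue

if ($probe.TcpTestSucceeded) {
    Write-Host "$port/TCP OK     : outbound connection to $target succeeded"
} else {
    Write-Host "$port/TCP FAILED : outbound connection to $target blocked or refused"
    Write-Host "                   this is the 504 case from the post: verify the outbound 5061 rule"
}
```

Test-NetConnection only proves the Outbound direction (Edge to partner). The Inbound row of the table (Any to Edge Server Access Edge service on 5061) cannot be verified from the Edge itself; it has to be tested from outside the network, or by asking the partner to send an IM and checking whether it arrives while your own IMs fail, which is exactly the asymmetric symptom described above.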

When deploying the Edge Server, please check all the requirements. The ports mentioned in this post are only part of it – in order to have Voice and Video working correctly, additional ports are used. Pay special attention to the traffic direction, as sometimes your firewall will only be configured to allow traffic in one direction.