No Audio and Video with external clients when OCS R2 EDGE is behind NAT

I had a mind-boggling troubleshooting session the other day where the problem was audio and video through a consolidated OCS EDGE server with NAT'ed interfaces. After running Network Monitor and analyzing the SIP logs on all involved machines:

  • Inside Client
  • Customer OCS Front End
  • Customer OCS EDGE
  • Outside Federated Client
  • Firewall

The Symptoms

  • SIP, presence and IM working fine
  • The call gets connected but fails after just a few seconds with no media connectivity
  • No RTP traffic on any machine in Network Monitor
  • In the SIP log we could see that the client used the NAT'ed A/V EDGE IP, not the public IP
    • Therefore no media connectivity, because the external client and the external EDGE can't reach that IP
    • When the internal client and the federated client were on the same subnet, audio and video worked fine

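The symptom above is visible in the SDP body of the INVITE/200 OK: the relay (A/V Edge) candidates carry the NAT'ed interface address rather than the public one. The following is an added example of how to spot that in a captured SDP body; it is not the author's tooling and not an OCS artefact. The SDP sample, the FQDN-free addresses (203.0.113.10 as the public A/V Edge IP, 192.168.50.10 as its NAT'ed interface) and the candidate line layout (the RFC 5245 style `a=candidate` syntax) are constructed for the example.

```python
"""Flag media addresses in an SDP body that an external peer cannot reach.

Added example for this post (not the author's script, not an OCS tool).
Checks the ICE candidate lines: every 'relay' candidate must advertise the
A/V Edge *public* IP, and the default c= address must not be the NAT'ed
A/V Edge interface address.  All addresses below are constructed.
"""
import ipaddress
import re

# a=candidate:<foundation> <component> <transport> <priority> <ip> <port> typ <type> ...
CANDIDATE_RE = re.compile(
    r"^a=candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) "
    r"(?P<priority>\d+) (?P<ip>\S+) (?P<port>\d+) typ (?P<type>\S+)"
)
CONNECTION_RE = re.compile(r"^c=IN IP4 (?P<ip>\S+)")

# Constructed SDP as seen in the failing case: relay candidates and the default
# c= line carry the NAT'ed Edge address 192.168.50.10.
SAMPLE_SDP_BROKEN = """v=0
o=- 0 0 IN IP4 10.0.0.25
s=session
c=IN IP4 192.168.50.10
t=0 0
m=audio 50004 RTP/AVP 114 9 112 13 97 0 8 101
a=candidate:1 1 UDP 2130706431 10.0.0.25 50004 typ host
a=candidate:1 2 UDP 2130706430 10.0.0.25 50005 typ host
a=candidate:2 1 UDP 16777215 192.168.50.10 50010 typ relay raddr 10.0.0.25 rport 50004
a=candidate:2 2 UDP 16777214 192.168.50.10 50011 typ relay raddr 10.0.0.25 rport 50005
"""

# Same offer after the fix: relay candidates advertise the public IP 203.0.113.10.
SAMPLE_SDP_FIXED = SAMPLE_SDP_BROKEN.replace("192.168.50.10", "203.0.113.10")


def find_unreachable_media_addresses(sdp, av_edge_public_ip, av_edge_nat_ip=None):
    """Return [(line, reason), ...] for SDP lines an external peer cannot use.

    av_edge_public_ip: the address the A/V Edge should advertise after NAT.
    av_edge_nat_ip:    the NAT'ed external-interface address (optional); if the
                       default c= line carries it, the call has no usable media path.
    """
    public = ipaddress.ip_address(av_edge_public_ip)
    nat = ipaddress.ip_address(av_edge_nat_ip) if av_edge_nat_ip else None
    problems = []
    for raw in sdp.splitlines():
        line = raw.strip()
        m = CANDIDATE_RE.match(line)
        if m:
            addr = ipaddress.ip_address(m.group("ip"))
            # Host candidates with private IPs are normal for an internal client;
            # a relay candidate that is not the public Edge IP is the bug.
            if m.group("type") == "relay" and addr != public:
                kind = "NAT'ed/private" if addr.is_private else "unexpected"
                problems.append((line, "relay candidate uses %s address %s, expected %s"
                                 % (kind, addr, public)))
            continue
        m = CONNECTION_RE.match(line)
        if m and nat is not None and ipaddress.ip_address(m.group("ip")) == nat:
            problems.append((line, "default c= address is the NAT'ed A/V Edge IP %s" % nat))
    return problems


if __name__ == "__main__":
    for line, why in find_unreachable_media_addresses(SAMPLE_SDP_BROKEN, "203.0.113.10", "192.168.50.10"):
        print("%-80s %s" % (line, why))
    print("fixed SDP problems:", find_unreachable_media_addresses(SAMPLE_SDP_FIXED, "203.0.113.10", "192.168.50.10"))
```

Run it against the SDP pulled from the client's SIP log (Communicator tracing or the Front End's SIPStack log); any relay candidate pointing at an RFC 1918 address is exactly the "client used NAT A/V EDGE IP" symptom.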
The Solution

I read Rick Varvel's blog post up and down, studied all the fine print and found that the internal client has to be able to resolve the public IP of the A/V EDGE server. This is an issue when the internal DNS is authoritative for the external domain (split-brain DNS) but does not carry all the external entries, so internal clients cannot look up the public address.

Below are the complete steps to set up OCS 2007 R2 EDGE when behind NAT

  1. Implement OCS 2007 R2 EDGE with at least two NICs
    • One internal
    • One or more external
    • When you have more than one external NIC, beware of the strong host model in Server 2008: each NIC only sends and receives traffic for its own IP address and the NICs don't share a default gateway, so media flow behaves differently
  2. Configure the firewall to perform DNAT inbound and SNAT outbound for the A/V EDGE external interface
  3. Configure the internal NIC with an IP address and FQDN that are resolvable from your internal subnets
  4. Configure the external NICs with the NAT'ed (private) IP addresses, not the public ones, because you are behind NAT
  5. Make sure that the OCS 2007 R2 EDGE server can resolve all the external FQDNs to their public IP addresses
    • Add them in the external DNS
    • Or add them in the local hosts file
  6. Make sure that the A/V EDGE public IP and FQDN are resolvable from the internal client subnets
  7. Make sure that the OCS 2007 R2 EDGE server knows it is behind NAT
    • On your EDGE server go to Start -> Run and type compmgmt.msc
    • Expand Services and Applications
    • Expand Office Communications Server
    • Right-click the OCS EDGE entry and choose Properties
    • Under A/V Edge Server make sure that the "External IP address is translated by NAT" check box is checked
    • Press Apply and exit
    • Restart the OCS EDGE services

Resources

Rick Varvel: http://blogs.technet.com/rickva/archive/2009/04/03/Configuring-A_2F00_V-Edge-Service-for-NAT.aspx
Mino – The UC Guy: http://theucguy.wordpress.com/2009/03/04/the-ocs-2007-r2-edge-and-nat/
Elan Shudnow – Audio/Media Negotiation: https://msunified.net/2009/08/30/office-communications-server-2007-r2-audiomedia-negotiation/
Inside OCS – Ports required for OCS 2007 R2 EDGE: http://blog.insideocs.com/2008/08/20/what-ports-do-i-need-to-open-on-my-firewall/
msunified.net – Single consolidated EDGE server clarified: https://msunified.net/2009/07/01/single-consolidated-edge-server-clarified/
