No access to Edge server but all services are Up

Good day!

I am stuck with a Skype for Business Edge deployment.

We use a topology with 3 separate IP addresses behind NAT.

So we have 3 external IPs on the Edge: 10.1.1.10, .11, .12 and one internal, 10.1.20.10.

So, 10.1.1.10 is the Access Edge (SIP) address.

Route added, certificates assigned, services started, no errors in the log.

If I check edge locally with netstat I see:

netstat -a -b | findstr "10:443"
TCP    10.1.1.10:443        MyEdgeHostName:0            LISTENING

All Skype for business services are started.

Problem is when I try to check 443 port with

C:\Users\Admin>telnet 10.1.1.10 443
Connecting To 10.1.1.10...Could not open connection to the host, on port 443:
Connect failed

So the Lync client cannot connect from outside, with the error "server unavailable".

And I checked with the MS Remote Connectivity Analyzer - the same error: that host sip.contoso.com (the Edge external DNS name) isn't listening on port 443.

I also checked telnet 10.1.1.10 5061 and 4443 - they work.

The Windows Server firewall is disabled.

Could you help me with this, please?

Thanks.


  • Edited by skywww Friday, July 24, 2015 6:47 PM
July 24th, 2015 6:43pm

Hi

Have any changes been made to your external firewall (not the Windows firewall)? Or perhaps your public IP may have changed? Is the external DNS zone set up correctly? Is sip.domain.com still pointing to the correct IP?

Any changes to your SfB topology? Download the latest one from AD and ensure the bindings are still as you'd expect on the edge server.

Check your external firewall NAT rules haven't changed.

Check also that the static routes haven't changed between your edge internal IP and the LAN.

Sounds like networking is the issue. If there was a problem with SfB then the services wouldn't have started.

thanks

July 24th, 2015 7:47pm

Hi Mark, thanks for your reply.

That's a new installation - the rules on the FW were just created. I checked them with Wireshark (sniffer) - I see that requests come from outside - it means that the FW rules work correctly.

External DNS and topology are correct.

The issue is with the Edge, because telnet 10.1.1.10 443 doesn't work even when run locally on the Edge.

One more thing I found now (I rebooted the server - it appears at startup) - a message in the Windows Lync Server log (not an error/warning) - an info message:

Event ID 14348
Event source LS Protocol Stack
Text:
A configured transport was successfully started.
Transport:TLS, IP address:10.1.1.10, Port:5061, with special options enabled:
Authenticate remote servers (TLS Mutual)
Allow client connections (without certificate)

I am not sure that "without certificate" is correct, but I don't know exactly.

July 24th, 2015 8:12pm

Have you configured the external interface on the edge server with 3 IP addresses (multi-homed) or have you created 3 individual interfaces on the external side?
July 25th, 2015 10:02am

Good day!

I configured 3 IP addresses (multi-homed) - the Access IP is the main one, and Web Conf and A/V are additional IPs.

July 25th, 2015 10:09am

Hi

Actually, re-reading your original post, you say you can telnet to 10.1.1.10 on port 4443? Port 4443 is not used on the edge server sourcing from the internet to the access edge service, but is required outbound to the internet for Skype directory search.

4443 is used on the internal edge IP address for replication. 443 and 5061 are used on the inside address for SIP. These should be going to 10.1.20.10.

On your edge server I assume you have configured your default gateway on the external interface and not on the internal one? And you have added in your static routes on the edge server to route to your internal LAN subnets?

route -p add <LAN Subnet> mask X.X.X.X 10.0.20.254 metric 1

assuming 10.0.20.254 is your internal DMZ gateway?

Also, have you added the domain name of your AD to the name suffix on the edge server?

Can the edge server reach the internal CA to check for CRLs for the certificate?

Can the edge server reach external CRLs from your public CA on http? Have you installed the trusted root and intermediate certificates to the server as well as the public cert issued to it?

If all of the above does not work,

try re-exporting the configuration from Lync with Export-CsConfiguration -FileName c:\edge.zip

and run the deployment wizard on the edge again, steps 1 to 4,

reboot and try again. Also try updating to the latest CU on the FE and Edge.

thanks

July 25th, 2015 10:52am
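An added PowerShell check, not from any post in this thread, that puts the two observations the thread keeps coming back to side by side for each endpoint: whether a socket is bound in LISTEN state on the exact address and port, and whether a local TCP connect to it actually completes. The address-to-role mapping is an assumption built from the replies above; a "LISTENING but connect FAILED" verdict is the symptom the original poster describes and points at a host-level filter or binding problem rather than at the Lync services themselves.

```powershell
# Added example (not from the thread). Requires the NetTCPIP module
# (Windows Server 2012+). Addresses and ports are those quoted in the thread;
# the role labels are an assumption for illustration.
$expected = @(
    @{ Ip = '10.1.1.10';  Port = 443;  Role = 'Access Edge (external)' },
    @{ Ip = '10.1.1.10';  Port = 5061; Role = 'Access Edge (external)' },
    @{ Ip = '10.1.20.10'; Port = 4443; Role = 'Edge internal replication' },
    @{ Ip = '10.1.20.10'; Port = 5061; Role = 'Edge internal SIP' }
)

foreach ($e in $expected) {
    # Is anything bound to this exact address:port in LISTEN state?
    # (A service bound to 0.0.0.0 would not show up here, which is itself
    # a finding: the Edge is expected to bind each role to its own address.)
    $listener = Get-NetTCPConnection -LocalAddress $e.Ip -LocalPort $e.Port `
                    -State Listen -ErrorAction SilentlyContinue | Select-Object -First 1
    $owner = if ($listener) {
        (Get-Process -Id $listener.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    } else { '-' }

    # Does a TCP handshake to it complete from this host? -InformationLevel Quiet
    # makes Test-NetConnection return a plain boolean.
    $probe = Test-NetConnection -ComputerName $e.Ip -Port $e.Port `
                 -WarningAction SilentlyContinue -InformationLevel Quiet

    $verdict = if ($listener -and $probe) { 'OK' }
               elseif ($listener -and -not $probe) {
                   'LISTENING but connect FAILED: check WFP/IPsec filters, third-party firewall, address binding'
               }
               elseif (-not $listener -and $probe) {
                   'connect OK but no local listener: answered by NAT or another host?'
               }
               else { 'no listener, connect failed: service not bound to this address' }

    [pscustomobject]@{
        Role     = $e.Role
        Endpoint = "$($e.Ip):$($e.Port)"
        Listener = [bool]$listener
        Owner    = $owner
        Connect  = [bool]$probe
        Verdict  = $verdict
    }
}
```

Run it in an elevated PowerShell session on the Edge itself so the owning process of each listener can be resolved.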

Hi,

Agree with Mark Vale.

As these ports can't be telnetted on the local computer, please rerun step 2 on the Edge Server and then test again.

Best Regards,

Eason Huang

July 27th, 2015 3:13am
