Strange AV issues, one-way speech and forced to open TCP50k range incoming for external users

Ok guys I have a very strange Lync problem and I was hoping that you can help.

Infrastructure overview:

  • Cisco ASA Firewall, 3 Leg (DMZ, Internal, WAN) in routed mode
  • 1 Lync 2013 Edge Server, 1 Interface with 3 public IPs in DMZ segment, 1 Interface in Internal segment.  Gateway/DNS info set on public interface. No route to internal network because it is directly connected so not required.  Added Lync FE internal IP to hosts file.
  • 1 Lync 2013 Standard Edition, in same internal segment as the Edge internal interface
  • Also have TMG for web services, but this is a bit out of scope
  • All servers are virtualized on Hyper-V server on Win2k12
  • All servers have Win2k12 OS

What are the problems:

  • For our own Lync users who work externally, voice only works if TCP/UDP ports 50000-59999 are opened incoming on the public AV Edge IP.
  • Calls between 2 external users have one-way speech or fail, even with above ports opened
  • I see the Edge server sending TCP RSTs to some incoming connections, even for calls that succeed. It is not the ASA firewall, it's the Edge server itself.

What are my findings:

  • The Technet documentation clearly states that TCP 50000-59999 should only be opened for federation with OCS 2007, which is not the case.
  • Media connections should be multiplexed using UDP port 3478 and TCP 443, shouldn't they? That doesn't seem to work.
  • I tried disabling the Windows firewall on the Edge server
  • Already deactivated TCP autotuning on the Edge server (Hyper-V guest machine). I had similar issues on a different installation and this was the solution there.
  • When I close the incoming UDP/TCP ports on the public Edge IP, I get an A/V Authentication 504 error on the internal Lync Mediation server, which leads me to conclude that the Lync FE tries to talk to the Edge PUBLIC interface??? When I ping both servers from each other, I get replies with the internal IPs.
  • The firewall works in routed mode, so both DMZ and inside are directly connected networks and routable, but I created firewall rules that block connections between the Lync FE and the public Edge IPs.
  • On the Edge server, AV.sipdomain.tld, sip.sipdomain.tld, webcon.sipdomain.tld are resolved on their public IPs

ANYONE have an idea what is happening here?


  • Edited by Neburoner Monday, September 09, 2013 9:35 AM
September 9th, 2013 12:11pm
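One way to check what the external clients actually send to the A/V Edge, added here as an example and not part of the original post: a script that tallies inbound ASA connection and deny messages per destination port on the public A/V Edge IP, so hits in 50000-59999 can be compared with hits on the documented relay ports UDP 3478 and TCP 443. The log lines and the addresses 203.0.113.10 (A/V Edge), 203.0.113.20 (another Edge IP) and 198.51.100.x (external clients) are constructed; the message formats are the ASA 302013/302015 (connection built) and 106023 (denied by ACL) syslog formats.

```python
import re
from collections import Counter

# Constructed sample ASA syslog lines (not from the original post). 203.0.113.10
# stands in for the public A/V Edge IP, 198.51.100.x for external Lync clients.
AV_EDGE_PUBLIC_IP = "203.0.113.10"
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 101 for outside:198.51.100.7/51234 (198.51.100.7/51234) to dmz:203.0.113.10/443 (203.0.113.10/443)
%ASA-6-302015: Built inbound UDP connection 102 for outside:198.51.100.7/51235 (198.51.100.7/51235) to dmz:203.0.113.10/3478 (203.0.113.10/3478)
%ASA-4-106023: Deny tcp src outside:198.51.100.7/51236 dst dmz:203.0.113.10/50123 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:198.51.100.8/51237 dst dmz:203.0.113.10/57001 by access-group "outside_access_in" [0x0, 0x0]
%ASA-6-302013: Built inbound TCP connection 103 for outside:198.51.100.9/40001 (198.51.100.9/40001) to dmz:203.0.113.10/50456 (203.0.113.10/50456)
%ASA-6-302013: Built inbound TCP connection 104 for outside:198.51.100.9/40002 (198.51.100.9/40002) to dmz:203.0.113.20/443 (203.0.113.20/443)
"""
# Capture protocol, source IP, destination IP and destination port from built/denied messages.
BUILT_RE = re.compile(r"Built inbound (TCP|UDP) connection \d+ for \S+:(\S+)/\d+ \(\S+\) to \S+:(\S+)/(\d+)")
DENY_RE = re.compile(r"Deny (tcp|udp) src \S+:(\S+)/\d+ dst \S+:(\S+)/(\d+)")

def port_bucket(proto, port):
    """Map a destination port on the A/V Edge to the Lync 2013 media role it plays."""
    if proto == "UDP" and port == 3478:
        return "stun/turn udp 3478"
    if proto == "TCP" and port == 443:
        return "turn tcp 443"
    if 50000 <= port <= 59999:
        return "media range 50000-59999"
    return "other"

def summarize_media_ports(log_text, edge_ip):
    """Count inbound hits on edge_ip keyed by (protocol, port bucket, built|denied)."""
    summary = Counter()
    for line in log_text.splitlines():
        m, action = BUILT_RE.search(line), "built"
        if not m:
            m, action = DENY_RE.search(line), "denied"
        if not m:
            continue
        proto, _src, dst, port = m.groups()
        if dst != edge_ip:
            continue  # traffic to the Access or Web Conferencing Edge IPs is out of scope
        summary[(proto.upper(), port_bucket(proto.upper(), int(port)), action)] += 1
    return summary

def media_range_hits(summary):
    """Inbound attempts (built or denied) landing in 50000-59999; non-zero while 3478/443
    are reachable means clients are not staying on the multiplexed relay ports."""
    return sum(n for (_p, bucket, _a), n in summary.items() if bucket.startswith("media range"))
```

Feed it the real ASA log for the A/V Edge IP: a large count in the 50000-59999 bucket alongside successful 3478/443 connections points at the relay allocation on the multiplexed ports failing rather than at a missing firewall rule.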

Someone must have had this before, please advise.
September 23rd, 2013 7:21am
