Upload: mariano-salyer

Post on 16-Dec-2015


Thomas Binder, UC Voice Architect, Microsoft

ICE – Edge Media Connectivity in Lync 2013

NETW401

Session Objectives And Takeaways

What is the A/V Edge Server actually doing?
How do we find the optimal media path?
How do I read client logs?

It's interesting!
Understand call flows
It will help you troubleshoot!

Agenda
The challenge
The solution
The usage
Call flows

About me
Vienna, Austria
Field hockey
Communications CoE
UC Voice Architect, MCM
Since 2007
[email protected]

What you should already know
Scope: 400 level, limited to media scenarios

Assumptions
Basic understanding of SIP and RTP
Basic understanding of the Lync server roles
Basic understanding of a typical Lync topology

Terms & Acronyms
Candidate: a possible combination of IP address and port for a media channel
ICE: Interactive Connectivity Establishment
STUN: Simple Traversal of UDP through NAT, later renamed Session Traversal Utilities for NAT
TURN: Traversal Using Relay NAT

The Challenge

[Figure: Alice, Bob and Charlie, each behind a NAT and a corporate firewall; SIP Proxy and Registrar on the Internet; signaling and media paths drawn separately]

Challenge 1: NAT (Network Address Translation)

Function
Translates one or more internal addresses to one external address
Allows connections from the private network
Blocks connections from public networks

Tradeoff
Security vs. usability
Blocks unwanted traffic
Might also block wanted traffic

[Figure: Alice behind a NAT]

Challenge 2: Corporate Firewalls
Though more scrutinized, the goals are similar:
Sharing of IP addresses
Controlling data traffic from the Internet
Two firewalls isolate via a perimeter network

[Figure: internal network, Inner Firewall, perimeter network, Outer Firewall, external network]

Signaling Solution: SIP Proxy
Reachable on the Internet
Proxies all SIP traffic

[Figure: Alice, SIP Proxy, Registrar]

Putting it together
Signaling uses the SIP Proxy
Media flows over a separate channel
Pre-ICE endpoints use local IPs & ports
No media can be sent between (a) and (w)

[Figure: external endpoint (a) behind NAT and Outer Firewall, SIP Proxy in the perimeter network, internal endpoint (w) behind the Inner Firewall]

Solution: ICE, STUN, TURN

[Figure: external endpoint (a) behind NAT and Outer Firewall, STUN/TURN Server and SIP Proxy in the perimeter network, internal endpoint (w) behind the Inner Firewall; candidates b, c, d, e, x, y]

Add an AV Edge Server
STUN reflects NAT addresses (b) and (e)
TURN relays media packets (c) (d) (x) (y)
ICE exchanges candidates and determines the optimal media path
All three protocols are based on IETF standards/drafts

Ice Ice Baby

[Figure: Lync topology. Internet: Public Providers, Federated Network, External Users. Perimeter network: Reverse proxy, Edge server. Internal: UC end points, EE pool (Front-end, Back-end), Mediation Server (optional), IP-PSTN gateway, PBX, PSTN]

ICE endpoints: clients and servers
Terminate media: Audio, Video, Desktop/Application Sharing, 1:1 File Transfer (not PowerPoint sharing)

Edge Server
Provides STUN and TURN
Does not terminate any media
Is not an ICE endpoint

[Figure: ICE endpoints shown include clients, SBA/SBS and Exchange UM]

Five phases of ICE
During sign-in: requesting a token from the Media Relay Authentication Service (MRAS)
When establishing a call: Candidate Discovery, Candidate Exchange, Connectivity Checks, Candidate Promotion

Credentials for Remote Client

[Figure: Endpoint, Outer Firewall, AV Edge / Access Edge, Inner Firewall, Front End Server, MRAS]

SIP Register (Endpoint -> Front End Server)
200 OK with in-band provisioning: ms-user-logon-data: RemoteUser, <mrasUri>sip:Mras.contoso.com
SIP Service (Endpoint -> MRAS, via the Front End Server) with <location>internet</location>; Service / 200 OK between Front End Server and MRAS
200 OK with credentials: <hostName>edge.contoso.com <udpPort>3478 <tcpPort>443 <username>77qq8yXccBc2lwOmFy <password>Wnujl0eo00YkV/5dg= <duration>480

Credentials for anonymous user

[Figure: Endpoint, Outer Firewall, AV Edge / Access Edge, Inner Firewall, Front End Server, MRAS]

SIP Invite (Endpoint -> Front End Server); Service / 200 OK between Front End Server and MRAS
200 OK with credentials: <hostName>94.245.124.238 <udpPort>3478 <tcpPort>443 <username>77qq8yXccBc2lwOF <password>Wnujl0eo00YkV/5g= <duration>480

Demo: Log Analysis - acquiring MRAS credentials

Address Discovery: Audio/Video

[Figure: Endpoint behind NAT/Firewall allocates UDP and then TCP on the AV Edge using the MRAS credentials; candidates a to e from NIC 1 (UDP and TCP); local and remote candidate tables, default candidate c]

Address Discovery: Application Sharing/File Transfer

[Figure: Endpoint allocates TCP only on the AV Edge; candidates a, b, c from NIC 1; default candidate c]

Address Discovery: Other sources

[Figure: as Audio/Video, but with NIC 1 and NIC 2; candidates a to f; default candidate c]

Address Exchange

[Figure: two endpoints, each behind a NAT/Firewall with its own AV Edge; caller candidates a to e (default c), callee candidates v to z (default y); local and remote candidate tables on both sides]

SIP INVITE: c :: a, b, c, d, e
183 Session progress: y :: v, w, x, y, z
200 OK: y :: v, w, x, y, z

Demo: Log Analysis - Candidates

Connectivity Checks
Determine all possible UDP and TCP port pairings
Edge Server can bridge between IPv4 and IPv6
STUN packets are sent between port pairs in order
A STUN packet response indicates connectivity
Stop checks when a candidate pair has bi-directional connectivity

Candidate Promotion
Select the highest-order candidate pair with validated connectivity:
IPv4 before IPv6
Direct before relay
UDP before TCP
SIP INVITE with the final candidate pair in SDP
200 OK with the final candidate pair in SDP
Media is on the optimal, validated path
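The pairing and promotion rules above, worked through as an added Python example (not code from the session or from Lync). The candidate lists, their letters and the STUN check outcomes are constructed; the cross-family rule (only a pair with a relay on one side may mix IPv4 and IPv6) is this example's reading of the Edge-bridging bullet.

```python
import ipaddress
from itertools import product
from typing import Dict, List, Optional, Tuple

# (label, ip, port, transport, kind): kind is "host", "srflx" (STUN-reflected) or "relay" (TURN on the AV Edge)
Candidate = Tuple[str, str, int, str, str]
# Constructed sample: caller behind NAT (a..d), callee internal and dual-stack (v..y)
LOCAL: List[Candidate] = [
    ("a", "192.168.1.10", 50002, "UDP", "host"),
    ("b", "203.0.113.7", 50002, "UDP", "srflx"),
    ("c", "198.51.100.20", 50300, "UDP", "relay"),
    ("d", "198.51.100.20", 50301, "TCP", "relay"),
]
REMOTE: List[Candidate] = [
    ("v", "10.20.0.5", 50010, "UDP", "host"),
    ("w", "2001:db8::5", 50010, "UDP", "host"),
    ("x", "198.51.100.20", 52000, "UDP", "relay"),
    ("y", "198.51.100.20", 52001, "TCP", "relay"),
]

def family(c: Candidate) -> int:
    return ipaddress.ip_address(c[1]).version

def pair_rank(local: Candidate, remote: Candidate) -> Tuple[int, int, int]:
    """Smaller sorts first: IPv4 before IPv6, direct before relay, UDP before TCP."""
    uses_v6 = 6 in (family(local), family(remote))
    relayed = "relay" in (local[4], remote[4])
    return (int(uses_v6), int(relayed), int(local[3] == "TCP"))

def candidate_pairs(local: List[Candidate], remote: List[Candidate]) -> List[Tuple[Candidate, Candidate]]:
    """All transport-matched pairings, ordered as the connectivity checks are sent."""
    pairs = []
    for l, r in product(local, remote):
        if l[3] != r[3]:
            continue  # UDP pairs only with UDP, TCP only with TCP
        if family(l) != family(r) and "relay" not in (l[4], r[4]):
            continue  # only the Edge relay bridges IPv4 and IPv6
        pairs.append((l, r))
    return sorted(pairs, key=lambda p: pair_rank(*p))  # stable: discovery order within a rank

def promote(local: List[Candidate], remote: List[Candidate],
            checks: Dict[Tuple[str, str], bool]) -> Optional[Tuple[str, str]]:
    """Walk the pairs in order; the first with a bi-directional STUN response is promoted."""
    for l, r in candidate_pairs(local, remote):
        if checks.get((l[0], r[0]), False):
            return (l[0], r[0])
    return None

# Constructed check outcomes: host and reflexive paths fail across the NAT, relay paths succeed
CHECKS = {("c", "v"): True, ("c", "x"): True, ("d", "y"): True}
```

With these outcomes the direct pairs are tried first and fail, so the promoted pair is the caller's UDP relay candidate to the callee's host candidate, ahead of relay-to-relay and any TCP pair.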

Demo: Log Analysis - Final Candidates

Topology

[Figure: Home 1 (Lync) and Home 2 (Lync) behind NAT; Outer Firewall, AV Edge, Inner Firewall; Work 1 (Lync), Work 2, AV MCU, Exchange UM, Mediation Server. AV Edge ports: UDP/TCP 50,000-59,999, UDP 3478, TCP 443]

Inside/Inside

[Figure: media path between Work 1 (w1) and Work 2 (w2); both allocate on the AV Edge, media stays inside]

Inside/Outside

[Figure: media path between Home 1 (h1) and Work 1 (w1) through the AV Edge]

Inside/Outside

[Figure: media path between Home 1 (h1) and Home 2 (h2), both behind NAT, through the AV Edge]

AV Edge: 2007 to 2007

[Figure: two organizations, each with an AV Edge 2007 behind its Outer and Inner Firewalls; Home 1 (Lync), Work 2 (w2, Lync) and AV MCU on one side, Work 1 (w1, Lync) and AV MCU on the other; each AV Edge uses UDP/TCP 50,000-59,999, UDP 3478 and TCP 443]

AV Edge: Tunnel Mode

[Figure: same layout with an AV Edge OCS R2/Lync on each side; Home 1 (Lync), Work 2 (w2, Lync), Work 1 (w1, Lync), AV MCUs; each AV Edge uses UDP/TCP 50,000-59,999, UDP 3478 and TCP 443]

AV Edge: Interop

[Figure: same layout with an AV Edge OCS 2007 on one side and an AV Edge OCS R2/Lync on the other; Home 1 (Lync), Work 2 (w2, Lync), Work 1 (w1, Lync), AV MCUs; each AV Edge uses UDP/TCP 50,000-59,999, UDP 3478 and TCP 443]

A/V Edge firewall rules (reconstructed from the slide table):

Source IP                    Source Port            Destination IP               Destination Port
A/V Edge service interface   TCP 50,000-59,999      Any                          TCP 443
A/V Edge service interface   UDP 3478               Any                          UDP 3478
Any                          Any                    A/V Edge service interface   TCP 443
Any                          Any                    A/V Edge service interface   UDP 3478

50,000 requirements - Minimum
OCS 2007: requires 50,000-59,999 TCP/UDP outbound and inbound
OCS 2007 R2, Lync 2010, Lync 2013: for compatibility with OCS 2007, 50,000-59,999 TCP/UDP outbound and inbound; otherwise requires "50,000-59,999 TCP outbound"

50,000 requirements - Optimal

[Figure: media paths with the 50,000 port range open vs. closed; each AV Edge shown with 443 TCP, 3478 UDP and the 50,000 port range]

Edge Pool with DNS LB and NAT

[Figure: Edge Pool behind an Outer Firewall with NAT and an Inner Firewall; each Edge shown with 443 TCP, 3478 UDP and the 50,000 port range]

External user might be behind a firewall outside your control
Firewall MUST allow hairpin: public IP to public IP

Certificate within Edge Pool

[Figure: Endpoint, Outer Firewall, AV Edge / Access Edge, Inner Firewall, Front End Server, MRAS; SIP Register, SIP Service to MRAS, then allocate UDP and allocate TCP on the AV Edge; SIP, UDP and TCP legs shown]

Troubleshoot?

In-band provisioning without "MRAS"
Cause: AV Edge Server is not configured at the pool

"MRAS" credentials not provided
Cause: no connectivity between the Front End Server and the AV Edge Server internal interface
Wrong AV Edge Server FQDN? Firewall? Port 5062 TCP from FE to Edge is required

No STUN/TURN candidates
Cause: no connectivity between client and AV Edge Server on port 443 TCP and 3478 UDP
Wrong AV Edge Server FQDN? Firewall? Port 443 TCP and 3478 UDP from endpoint to Edge are required. Hardware Load Balancer dropping/corrupting packets?

TURN candidates show an internal NATed IP address
Cause: AV Edge Server is not aware of its external IP address

Where are the logs?
Lync 2013: activate "Turn on logging in Lync"; logs in %localappdata%\Microsoft\Office\15.0\Lync\Tracing
Lync 2010 and earlier: activate "Turn on logging in Lync"; logs in "%userprofile%\tracing"
Live Meeting: set HKEY_CURRENT_USER\Software\Microsoft\Tracing\uccp\LiveMeeting "EnableFileTracing" = DWORD:00000001; logs in "%userprofile%\tracing"

UccApilog.log search tips
MRAS: finds in-band provisioning, the MRAS request and MRAS provisioning
a=candidate: finds the candidate exchange
a=remote-candidate: finds the promoted candidates that were used for the call
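The three search strings above and the causes from the Troubleshoot? slide, combined into an added Python example (not the deck's tooling). The log excerpt is constructed and does not reproduce the real UccApilog.log layout; it only reuses the MRAS element names shown in the deck and standard ICE SDP candidate lines.

```python
import ipaddress
import re
from typing import Any, Dict, List

# Constructed log excerpt (not real UccApilog.log layout): the MRAS line reuses the
# element names shown in the deck, the candidate lines use ICE SDP syntax.
LOG = """\
SIP/2.0 200 OK MRAS <hostName>edge.contoso.com<udpPort>3478<tcpPort>443<duration>480
a=candidate:1 1 UDP 2130706431 192.168.1.10 50002 typ host
a=candidate:2 1 UDP 1694498815 203.0.113.7 50002 typ srflx raddr 192.168.1.10 rport 50002
a=candidate:3 1 UDP 16777215 10.0.0.50 50300 typ relay raddr 203.0.113.7 rport 50002
a=candidate:4 1 TCP 16777214 10.0.0.50 50301 typ relay raddr 203.0.113.7 rport 50002
a=remote-candidates:1 198.51.100.20 52000
"""

MRAS_RE = re.compile(r"<hostName>(?P<host>[^<]+)<udpPort>(?P<udp>\d+)<tcpPort>(?P<tcp>\d+)")
CAND_RE = re.compile(r"a=candidate:\S+ \d+ (?P<proto>UDP|TCP) \d+ (?P<ip>\S+) (?P<port>\d+) typ (?P<typ>\w+)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    """True for a private (NATed) IPv4 address, which should never show up as a relay candidate."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)

def parse_log(text: str) -> Dict[str, Any]:
    """Apply the deck's three search strings: MRAS, a=candidate, a=remote-candidate."""
    mras = MRAS_RE.search(text)
    return {
        "mras": mras.groupdict() if mras else None,
        "candidates": [m.groupdict() for m in CAND_RE.finditer(text)],
        "promoted": [ln for ln in text.splitlines() if ln.startswith("a=remote-candidate")],
    }

def triage(parsed: Dict[str, Any]) -> List[str]:
    """Map what is missing or wrong in the log to the deck's troubleshooting causes."""
    findings: List[str] = []
    if parsed["mras"] is None:
        return ["no MRAS provisioning: AV Edge not configured at the pool, or FE cannot reach Edge on 5062/TCP"]
    edge_cands = [c for c in parsed["candidates"] if c["typ"] in ("srflx", "relay")]
    if not edge_cands:
        findings.append("no STUN/TURN candidates: check 443/TCP and 3478/UDP from endpoint to Edge, and the HLB")
    for ip in sorted({c["ip"] for c in edge_cands if c["typ"] == "relay" and is_internal(c["ip"])}):
        findings.append(f"relay candidate {ip} is an internal NATed address: Edge not aware of its external IP")
    if not parsed["promoted"]:
        findings.append("no a=remote-candidate: the call never reached candidate promotion")
    return findings
```

On the constructed excerpt the only finding is the private relay address, which is the deck's "AV Edge Server not aware of external IP address" case.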

More tools
Synthetic transaction: Test-CsAVEdgeConnectivity http://technet.microsoft.com/en-us/library/jj205138.aspx
Pre-Call Diagnostics http://technet.microsoft.com/en-us/library/dn451255.aspx
PortQry http://www.microsoft.com/en-us/download/details.aspx?id=17148
Telnet:
telnet <AV Edge internal FQDN> 5062 from the Front End
telnet <AV Edge internal FQDN> 443 from an internal client
telnet <AV Edge external FQDN> 443 from an external client

Resources
Office Protocols http://msdn.microsoft.com/en-us/library/cc307432(v=office.12).aspx
Lync 2013 Debugging Tool (includes Snooper) http://www.microsoft.com/en-us/download/details.aspx?id=35453


Edge is awesome!

Related Content
CLNT402 Understanding Lync 2013 Mobile Media Flows - James Ooi Shyh Wei, Kaushal Mehta
CLNT300 Securing external and mobile access in Lync 2013 - Francois Doremieux, Rui Maximo
MEET402 Technical deep-dive into Lync-Skype Video - William Looney, Senthil Velayutham, Carl Olivier (Wednesday, 8.30am)
MEET303 Lync Meetings and Edge? Why does it matter? Why do I need it? - John Weber (Wednesday, 4pm)
MEET400 Meetings and Media - the detailed view - Johan Delimon, Tommy Clarke (Thursday, 10.45am)


#LyncConf14


© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.