Hi,
So this is one of those kinda detailed problems that will come down to a slight oversight on my config, so just so it's clear I'm going to spell out our network configuration first:
- Lync Enterprise Front End Pool - Lync-EFE.ewx.local - Pool IP 192.168.70.26
- Single Lync Enterprise Front End Machine (so far) - Lync-EFE1.ewx.local
- Lync Edge Pool - lyncedge.ewx.dmz
- Single Lync Edge Machine - edge1.ewx.dmz
  - Internal NIC
    - 192.168.70.16
    - No gateway configured
    - No DNS configured - hosts file entries for the front end pool.
  - External NIC
    - 10.20.1.11 - Access Edge Service
    - 10.20.1.12 - Web Conf Edge Service
    - 10.20.1.13 - A/V Edge Service - NAT enabled on 41.160.87.46
    - Default gateway configured
    - DNS lookups from DMZ server (with no knowledge of internal machines)
  - Public IPs
    - 41.160.87.44 - webconf.ewx.co.za - firewall routes to 10.20.1.12
    - 41.160.87.43 - av.ewx.co.za - firewall routes to 10.20.1.13
    - 41.160.87.46 - access.awx.co.za - firewall routes to 10.20.1.11
So I think that's everything. Yes, unfortunately we do not have a second firewall for our DMZ. However, we do have the traffic physically separated on a different interface, and there is no rule that allows traffic from the DMZ onto the local network. I know this isn't absolutely correct, but I'm working with what we've got for now.
Everything appears to work fine - we have internal and external clients, desktop lync, polycom phones, and mobile apps, and everything signs in, makes calls and appears to operate correctly.
The only problem we have is with federation. If I add a federated contact we get the dead-end presence unknown message. However if I look at the trace logs for the edge server, first I saw this message:
TL_WARN(TF_DIAG) [lyncedge\edge1]130C.28E4::11/23/2013-10:23:42.768.00000007 (SIPStack,SIPAdminLog::WriteDiagnosticEvent:SIPAdminLog.cpp(805)) [3549713091] $$begin_record
Severity: warning
Text: Host name resolution failure
Result-Code: 0xc3e93c82 SIPPROXY_E_DNS_HOST_NAME_QUERY_FAIL
SIP-Start-Line: SUBSCRIBEsip:x@y.com SIP/2.0
SIP-Call-ID: 0e50809a6020906e4b3313f074820817
SIP-CSeq: 1 SUBSCRIBE
Source: lync-efe.domain.local:50478
Data: fqdn="lyncedge.ewx.dmz"
$$end_record
So it appears that the edge server is trying to resolve its own host name for some reason. When I added a hosts entry to point to itself on 192.168.70.16, I started to get this message:
TL_INFO(TF_PROTOCOL) [lyncedge\edge1]22C4.0FA4::11/23/2013-22:34:03.105.000003F9 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265)) [3437591884]
Trace-Correlation-Id: 3437591884
Instance-Id: 126
Direction: outgoing;source="local";destination="internal edge"
Peer: lync-efe.domain.local:60367
Message-Type: response
Start-Line: SIP/2.0 504 Server time-out
From: "Adam Pawsey" <sip:adam.pawsey@ewx.co.za>;tag=49050841-E5074EEA;epid=0004f2820817
To: <x@y.com>;tag=AA0F8B96EA03894CB0F713FC64412B6A
Call-ID: d4849628de6469f2d10c176809820817
CSeq: 1 SUBSCRIBE
Via: SIP/2.0/TLS 192.168.70.26:60367;branch=z9hG4bK04BF2F5B.04CC0888594F780E;branched=FALSE;ms-received-port=60367;ms-received-cid=600
Via: SIP/2.0/TLS 192.168.70.202:53765;branch=z9hG4bK1083881357A5F3BC;ms-received-port=53765;ms-received-cid=1700
Content-Length: 0
ms-diagnostics: 1046;reason="Failed to connect to a federated peer server";fqdn="lyncedge.ewx.dmz:5061";ip-address="192.168.70.16";peer-type="FederatedPartner";winsock-code="10061";winsock-info="The peer actively refused the connection attempt";source="access.ewx.co.za"
ms-edge-proxy-message-trust: ms-source-type=EdgeProxyGenerated;ms-ep-fqdn=lyncedge.ewx.dmz;ms-source-verified-user=verified
$$end_record
So basically I don't understand why it is trying to route traffic from the external interface to the internal interface. Anyone got any ideas what obvious mistake I've made?
Thanks,
Adam.