After a successful VCS Lync Gateway B2BUA with Microsoft FEP deployment for Cisco video to MS Lync 2013 client interoperability I am experiencing the following problem / lack of information in the deployment guide.
I want to enable MS Lync clients on the Internet to be able to call Cisco TP endpoints and Jabber clients on the internal network through MS Lync Edge.
The guide details this implementation with VCS Expressway TURN services/capabilities, but my goal is not to use VCS Expressway in the media path, but only to use Microsoft Lync Edge server.
The guide states:
"To enable call connectivity with Lync clients calling via an Edge server, the B2BUA needs to have TURN services properly configured to point to a VCS Expressway with TURN enabled."
Is this mandatory?
In the media path diagrams, two options are given for a media path of a Lync client calling via a MS Lync Edge server:
My goal is to only enable and use one path - through the MS Edge Server.
What I am missing in the guide is precise information on how the VCS Lync Gateway B2BUA communicates with the MS Lync Edge server.
In the VCS IP Port Usage for Firewall Traversal Deployment document, it only states that port 3478 UDP outbound needs to be open from the Lync gateway VCS to the MS Lync Edge. Is this true? Is it only one TURN UDP port?
The MS Edge server has two interfaces, internal facing and Internet facing.
On the internal-facing interface MS Lync Edge has 1 IP address; on the external, Internet-facing interface it has 3 public IP addresses.
To which of these IPs is the VCS Lync gateway trying to establish a session?
What are the source ports on the VCS Lync gateway for this session?
Is UDP 3478 the only destination port towards MS Lync Edge?
Are connections established only in the direction VCS Lync gateway to MS Edge?
How does media flow through these ports, and on which ports?
Can I NAT/PAT the VCS Lync Gateway source IP address and port when establishing a connection to the MS Lync Edge from the VCS Lync Gateway?
Can I NAT/PAT the MS Lync Edge destination IP address when establishing a connection to the MS Lync Edge from the VCS Lync Gateway?
Thank you and best regards,
Can you point us toward the pages within the Deployment guide where you refer to "In the media path diagrams, two options are given for a media path of a Lync client calling via a MS Lync Edge server"? I'm not entirely sure, but I think you might be getting the wrong end of the stick with the way the B2BUA operates in conjunction with Lync. If it's the diagram I think you are looking at (page 13), it's not particularly clear what is going on.
Are you saying that you want clients in the Lync domain to call out via the edge to the standards world? I believe that the Edge in this example is used for external Lync clients to route media into the Lync domain, then across to the VCS via the B2BUA.
I think that if you are after calling standards-based endpoints directly via the Lync Edge, then you actually want another type of solution, more akin to a bridge. Perhaps something like that offered by PEXIP (surprisingly from the team that was the old Tandberg!). This should allow you to properly bridge the worlds (I haven't quite tested this as yet, as I am still in the process of getting the requirements together to test).
IMHO, there are some drawbacks with the Cisco way of doing things:
For us, this is a costly and broken implementation.
The PEXIP solution essentially (as I understand it) allows you to federate with your Lync Deployment on one side, and accept a standards based call from the other, then truly convert this to a Lync call with RDP sharing (non interactive). As I have said, we are still in the planning to test stage.
Of course, you could also wait for Microsoft to release a solution - the rumour is that they are working on it and it will be released next year.
Anyhow let us know a bit more detail.
My intention is very simple - I just want to achieve, for Lync 2013 clients in the lync.example.com domain, registered on the Internet to be able to call Cisco Telepresence endpoints in the internal network on the vcs.example.com domain.
I am not considering any additional third party solution for now, although I am aware of the limitations and caveats.
Did you look over Appendix 1, page 59 and on, in the "Microsoft Lync and Cisco VCS Deployment Guide (X8.1)"? Maybe this helps answer your question?
Whilst we don't employ this solution per se, we do have a test area; however, the vast majority of our devices are assigned a publicly routable IP address, whether they are internal or external. I have a feeling that we wouldn't need TURN in our environment. A basic test did seem to connect without TURN, but I will need to double-check this when I'm back in.
From our point of view we did resolve this, but not through the use of the VCS. We did deploy Pexip, and it just worked.
The only solution is to use the Expressway Edge or VCS Expressway and utilize its TURN capabilities.
Tested and works.
I am just working on this solution.
Can you please confirm the firewall rules needed for TURN & B2BUA?
TURN Server VCSE:
- Outbound: VCSE_TURN_IP/60000-61200 UDP > Internet/any
- Inbound: Internet/any > VCSE_TURN_IP/60000-61200 UDP
- Inbound: Internet/any > VCSE_TURN_IP/3478 UDP/TCP
B2BUA_VCS to TURN_VCSE:
- Outbound: B2BUA_VCS_IP/56000-57000 > VCSE_TURN_IP/3478 UDP
Is anything more needed? Or have I understood it wrongly?
Thanks for help
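One thing a practitioner would want alongside the rule list above is a way to confirm from the B2BUA VCS side that UDP 3478 on the TURN VCSE is actually reachable through the firewall, without waiting for a Lync call to fail. The following is an added example, not code from the original thread, from Cisco or from the deployment guide. It builds RFC 5389 STUN Binding and RFC 5766 TURN Allocate requests, parses the reply (XOR-MAPPED-ADDRESS and ERROR-CODE), and classifies what answered. A TURN server that receives an Allocate request with no credentials must answer 401 Unauthorized, so a 401 is a positive reachability result. The host name, the port range and the two sample replies embedded for offline use are constructed assumptions.

```python
"""Minimal STUN/TURN probe for checking that UDP 3478 on a TURN server answers.

Added example (not from the thread, Cisco or the deployment guide).
Host names, ports and the SAMPLE_* byte strings are constructed assumptions.
"""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ALLOCATE_REQUEST = 0x0003
ALLOCATE_ERROR = 0x0113          # Allocate (0x003) with the error class bits (0x110) set
ATTR_ERROR_CODE = 0x0009
ATTR_REQUESTED_TRANSPORT = 0x0019
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_message(msg_type, txid, attrs=()):
    """Encode a STUN message: 20-byte header followed by TLV attributes padded to 32 bits."""
    body = b""
    for atype, value in attrs:
        body += struct.pack("!HH", atype, len(value)) + value
        body += b"\x00" * (-len(value) % 4)      # padding is not counted in the length field
    return struct.pack("!HHI", msg_type, len(body), MAGIC_COOKIE) + txid + body


def build_binding_request(txid):
    return build_message(BINDING_REQUEST, txid)


def build_allocate_request(txid):
    # REQUESTED-TRANSPORT: protocol number 17 (UDP) followed by three reserved bytes
    return build_message(ALLOCATE_REQUEST, txid, [(ATTR_REQUESTED_TRANSPORT, b"\x11\x00\x00\x00")])


def decode_xor_mapped_address(value):
    """XOR-MAPPED-ADDRESS (IPv4 only): port and address are XORed with the magic cookie."""
    if value[1] != 0x01:
        raise ValueError("only IPv4 handled in this example")
    xport, xaddr = struct.unpack("!HI", value[2:8])
    port = xport ^ (MAGIC_COOKIE >> 16)
    addr = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
    return addr, port


def decode_error_code(value):
    """ERROR-CODE: two reserved bytes, class (3 bits), number, then a UTF-8 reason phrase."""
    code = (value[2] & 0x07) * 100 + value[3]
    return code, value[4:].decode("utf-8", "replace")


def parse_message(data):
    """Parse a STUN/TURN message; reject anything that is not RFC 5389 framed."""
    if len(data) < 20:
        raise ValueError("short STUN header")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE:
        raise ValueError("not an RFC 5389 STUN message")
    if len(data) < 20 + length:
        raise ValueError("truncated STUN body")
    result = {"type": msg_type, "txid": data[8:20]}
    pos, end = 20, 20 + length
    while pos + 4 <= end:
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            result["mapped"] = decode_xor_mapped_address(value)
        elif atype == ATTR_ERROR_CODE:
            result["error"] = decode_error_code(value)
        pos += 4 + alen + (-alen % 4)
    return result


def classify(reply, txid):
    """Turn a parsed reply to an Allocate request into a verdict about what is listening."""
    if reply["txid"] != txid:
        return "mismatched transaction id (stale or spoofed reply)"
    if reply["type"] == ALLOCATE_ERROR and reply.get("error", (0,))[0] == 401:
        return "TURN service reachable (401 challenge as expected without credentials)"
    if reply["type"] == BINDING_SUCCESS:
        return "STUN binding answered, TURN allocation not offered"
    return "unexpected reply type 0x%04x" % reply["type"]


def probe(host, port=3478, timeout=2.0):
    """Send one unauthenticated Allocate over UDP and classify the answer (needs network)."""
    txid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_allocate_request(txid), (host, port))
        try:
            data, _ = s.recvfrom(2048)
        except socket.timeout:
            return "no reply within %.1fs (blocked, or no TURN service on %s:%d)" % (timeout, host, port)
    return classify(parse_message(data), txid)


# Constructed sample replies for offline use (assumptions, not captured traffic).
SAMPLE_TXID = bytes(range(1, 13))
# Binding success carrying XOR-MAPPED-ADDRESS 203.0.113.10:56000
SAMPLE_BINDING_SUCCESS = (bytes.fromhex("0101000c2112a442") + SAMPLE_TXID
                          + bytes.fromhex("002000080001fbd2ea12d548"))
# Allocate error response carrying ERROR-CODE 401 "Unauthorized"
SAMPLE_ALLOCATE_401 = (bytes.fromhex("011300142112a442") + SAMPLE_TXID
                       + bytes.fromhex("0009001000000401") + b"Unauthorized")

if __name__ == "__main__":
    print(classify(parse_message(SAMPLE_ALLOCATE_401), SAMPLE_TXID))
    # print(probe("vcse-turn.example.net"))   # assumed host name; uncomment on a live network
```

The probe only tells you that the UDP 3478 control port is open; the 60000-61200 relay range still has to be verified with real media, since TURN relays are only allocated after authentication.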
Thanks for the reply. Just want to confirm my post.
Our Environment is a little different. We have double DMZ Zones.
I am trying to figure out the right firewall rules with your picture. Our network team told me that direct access from VCS LAN to VCSE PUBDMZ isn't possible.
So we are thinking about using our VCSE PRIVDMZ as a gateway in the middle, but there is no TURN licence on it.
So can you please help me again? Are the rules correct now?
What do you think about the VCSE in the middle? Do we need it as next hop, or can we connect the VCS Lync GW directly to the Lync Edge?
What about rules 4 and 5? Are they not the same?
Thanks for the reply.
Your diagram is correct.
The question is - are VCE and VCSE two different devices, or a VCS Expressway with the Advanced Networking license and two interfaces, LAN 1 and LAN 2?
The Lync Gateway VCS has to point to the VCS Expressway with TURN capabilities enabled, hence you cannot use the VCE device in the PRIV DMZ.
You need to connect your VCS Lync Gateway directly to the Lync Edge.
Yes, that's the point of my problem.
VCE is a VCSE in privDMZ. VCSE is a VCSE in pubDMZ with TURN capabilities and just one public IP.
At the moment our LAN device VCS Lync GW doesn't have access to pubDMZ because of security. So it's normal that LAN doesn't have access to pubDMZ; therefore we have privDMZ.
But for TURN usage we have to allow access from LAN to pubDMZ? This doesn't work because of security. Is there no way to establish the connection over the VCE (VCSE in privDMZ)? The VCE doesn't have TURN capabilities and has just one IP.
Thanks for support. Regards,
That is a tough challenge, and I do not think it is possible to somehow proxy the TURN relay capabilities.
The only viable solution might be to use your VCE in your private DMZ as a Lync Gateway VCS, or put the dedicated Lync Gateway in the same security segment where the VCE is on the firewall, hence avoiding all the hassle and possible issues.
It would be a question to the guys who designed the network why the GW VCS-C cannot talk to the VCS-E (Expressway/"Edge") component when the Lync setup can, ...
Looks a bit strange to me that on one hand you are super strict and on the other not.
As this seems to be a more complex setup with some additional security demands I would recommend that you find a Cisco partner / consultant who can help you with the deployment.
I'm not sure what you are talking about, that our Lync setup can.
We follow one line. No system has access from LAN directly to PubDMZ. All services have a gateway/proxy in the PrivDMZ.
Do you mean the Lync FE has access to the VCSE in PubDMZ?
All Lync FEs just communicate with the VCS in the LAN.
I just want to understand you right, maybe to solve my problem.
Thanks a lot for your answer. I think there is no way to put the services outside our LAN because of Client access rights.
I thought there would be a way to proxy the TURN connection.
So I try to talk with the network team or a partner.
Thank you so much for great help.
You have added to your diagram additional connectivity between VCS Expressway and Lync Edge Server compared to the picture from Marco.
Why is it needed, and how does the media flow for a call from a Lync client registered to the Edge Server to a Cisco endpoint registered to the Cisco VCS?
Marco also has 3478 as the outgoing port from VCS GW to Edge Server, but in your diagram you have used the media range from VCS GW to Edge Server.
What configuration has to be done on the VCS Expressway and the Edge Server, please?
Thanks a lot,