
Cisco VCS Lync gateway communication with Microsoft Lync 2013 Edge - Lync clients calling via an Edge server

Dear community, 


After a successful VCS Lync Gateway B2BUA with Microsoft FEP deployment for Cisco video to MS Lync 2013 client interoperability I am experiencing the following problem / lack of information in the deployment guide. 

I want to enable MS Lync clients on the Internet to be able to call Cisco TP endpoints and Jabber clients on the internal network through MS Lync Edge. 

The guide details this implementation with VCS Expressway TURN services/capabilities, but my goal is not to use VCS Expressway in the media path, but only to use Microsoft Lync Edge server. 

The guide states:

"To enable call connectivity with Lync clients calling via an Edge server, the B2BUA needs to have TURN services properly configured to point to a VCS Expressway with TURN enabled."

Is this mandatory ? 

In the media path diagrams, two options are given for a media path of a Lync client calling via a MS Lync Edge server:

  • One media path is through the MS Edge server
  • Another media path is through the VCS Expressway

My goal is to only enable and use one path - through the MS Edge Server. 

What I am missing in the guide is the precise information, how the VCS Lync Gateway B2BUA communicates with the MS Lync Edge server ? 

In the VCS IP Port Usage for Firewall Traversal Deployment document, it only states that port 3478 UDP outbound needs to be open from the Lync gateway VCS to the MS Lync Edge. Is this true, is it only one TURN UDP port ?

The MS Edge server has two interfaces, internal facing and Internet facing.

On the internal facing interface MS Lync Edge has 1 IP address; on the external Internet facing interface it has 3 public IP addresses.

For example:

  • .34 for Access
  • .35 for Web Conferencing and 
  • .36 for A/V

To which of these IPs, is the VCS Lync gateway trying to establish a session ?

What are the source ports on the VCS Lync gateway for this session ? 

Is UDP 3478 the only destination port towards MS Lync Edge ?

Are connections established only in the direction VCS Lync gateway to MS Edge ?

How does media flow through these ports and on which ports ?

Can I NAT/PAT the VCS Lync Gateway source IP address and port when establishing a connection to the MS Lync Edge from the VCS Lync Gateway ?

Can I NAT/PAT the MS Lync Edge destination IP address when establishing a connection to the MS Lync Edge from the VCS Lync Gateway ?


Thank you and best regards,



Hi Mihail,

Can you point us toward the pages within the Deployment guide where you refer to "In the media path diagrams, two options are given for a media path of a Lync client calling via a MS Lync Edge server:"? I'm not entirely sure, but I think you might be getting the wrong end of the stick with the way the B2BUA operates in conjunction with Lync. (If it's the diagram I think you are looking at (page 13), it's not particularly clear what is going on.)

Are you saying that you want clients in the Lync domain to call out via the edge to the standards world? I believe that the Edge in this example is used for external Lync clients to route media into the Lync domain, then across to the VCS via the B2BUA.

I think that if you are after calling standards-based endpoints directly via the Lync Edge, then you actually want another type of solution more akin to a bridge. Perhaps something like that offered by PEXIP (surprisingly from the team that was the old Tandberg!). This should allow you to properly bridge the worlds (I haven't quite tested this as yet, as I am still in the process of getting the requirements together to test).

IMHO, there are some drawbacks with the Cisco way of doing things:

  1. With Lync 2013, you are now required to have Microsoft Interoperability Licence on the VCS (or cluster) that has the B2BUA, and if you follow the suggested deployment guide you will have a separate VCS running the B2BUA. Think $$$$$. For us with 50 separate organisations to manage, this would cost literally millions.
  2. You don't get decent content sharing. When sharing content from Standards world to Lync world, the content stream is shown to the Lync client as a single video stream - you lose the secondary stream. When going from Lync to the Standards world, you are completely stuffed as this doesn't work period.

For us, this is a costly and broken implementation.

The PEXIP solution essentially (as I understand it) allows you to federate with your Lync Deployment on one side, and accept a standards based call from the other, then truly convert this to a Lync call with RDP sharing (non interactive). As I have said, we are still in the planning to test stage.

Of course, you could also wait for Microsoft to release a solution - the rumour is that they are working on it and it will be released next year.

Anyhow let us know a bit more detail.




Hi Chris, 


My intention is very simple - I just want to achieve, for Lync 2013 clients in the domain, registered on the Internet to be able to call Cisco Telepresence endpoints in the internal network on the domain. 

I am not considering any additional third party solution for now, although I am aware of the limitations and caveats.



Hi Mihail,

Did you look over Appendix 1, Page 59 and on in the "Microsoft Lync and Cisco VCS Deployment Guide (X8.1)"? Maybe this helps answer your question?

Whilst we don't employ this solution per se, we do have a test area; however, the vast majority of our devices are assigned a public IP routable address, whether they are internal or external. I have a feeling that we wouldn't need TURN in our environment. A basic test did seem to connect without TURN, but I will need to double check this when I am back in.



Hi Mihail,

I am also dealing with the same issue. Were you able to find a solution to this ?


Thank you,


Hi fusionxtra,

From our point of view we did resolve this, but not through the use of the VCS. We did deploy Pexip, and it just worked.


Hi,

The only solution is to use the Expressway Edge or VCS Expressway and utilize its TURN capabilities.

Tested and works. 


Best regards,



Hello Mihail,

I am just working on this solution.

Can you please confirm the firewall rules needed for TURN & B2BUA?



- Outbound: VCSE_TURN_IP/60000-61200 UDP > Internet/any

- Inbound: Internet/any > VCSE_TURN_IP/60000-61200 UDP

- Inbound: Internet/any > VCSE_TURN_IP/3478 UDP/TCP



- Outbound: B2BUA_VCS_IP/56000-57000 > VCSE_TURN_IP/3478 UDP


Is anything more needed? Or do I understand it wrong?




Thanks for help


Hello Marco, 


There is an updated diagram:


Yes, that is enough, for the Lync client on the Edge to utilize the Expressway-E/VCS-Expressway as a TURN server.
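
The four rules listed and confirmed above can be written as a default-deny allow-list and checked against expected flows. This is an added example, not part of the original posts or of any Cisco tooling; the endpoint labels are the poster's own, and the rule names and sample flows are constructed for illustration.

```python
# Added example: the firewall rules quoted in the thread as a default-deny allow-list.
# Rule names and the sample flows are constructed; endpoint labels come from the post.
ANY_PORT = (0, 65535)

# (name, source, source ports, destination, destination ports, protocols)
RULES = [
    ("turn-relay-out", "VCSE_TURN_IP", (60000, 61200), "Internet/any", ANY_PORT, {"udp"}),
    ("turn-relay-in", "Internet/any", ANY_PORT, "VCSE_TURN_IP", (60000, 61200), {"udp"}),
    ("turn-listen-in", "Internet/any", ANY_PORT, "VCSE_TURN_IP", (3478, 3478), {"udp", "tcp"}),
    # The post names the protocol once for this rule (UDP); it is applied to the whole flow.
    ("b2bua-to-turn", "B2BUA_VCS_IP", (56000, 57000), "VCSE_TURN_IP", (3478, 3478), {"udp"}),
]


def in_range(port, bounds):
    low, high = bounds
    return low <= port <= high


def first_match(flow):
    """Return the name of the first rule permitting the flow, or None (default deny)."""
    src, sport, dst, dport, proto = flow
    for name, r_src, r_sports, r_dst, r_dports, r_protos in RULES:
        if (src == r_src and dst == r_dst and proto in r_protos
                and in_range(sport, r_sports) and in_range(dport, r_dports)):
            return name
    return None


def audit(flows):
    """Map each flow description to the permitting rule name, or 'DENY'."""
    return {desc: first_match(flow) or "DENY" for desc, flow in flows.items()}


# Constructed sample flows: (source, source port, destination, destination port, protocol)
SAMPLE_FLOWS = {
    "external client TURN request": ("Internet/any", 50123, "VCSE_TURN_IP", 3478, "udp"),
    "relayed media to external client": ("VCSE_TURN_IP", 60050, "Internet/any", 50124, "udp"),
    "B2BUA TURN request": ("B2BUA_VCS_IP", 56010, "VCSE_TURN_IP", 3478, "udp"),
    "B2BUA TURN request over TCP": ("B2BUA_VCS_IP", 56010, "VCSE_TURN_IP", 3478, "tcp"),
    "B2BUA from port outside 56000-57000": ("B2BUA_VCS_IP", 40000, "VCSE_TURN_IP", 3478, "udp"),
    "SIP from Internet to TURN address": ("Internet/any", 50125, "VCSE_TURN_IP", 5060, "tcp"),
}

if __name__ == "__main__":
    for desc, verdict in audit(SAMPLE_FLOWS).items():
        print(f"{verdict:15} {desc}")
```

Flows reported as DENY show where the rule set as written is narrower than a loosely described requirement, such as the B2BUA rule covering UDP only and only the 56000-57000 source range.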

Hello Mihail,


Thanks for the reply. Just want to confirm my post.

Our environment is a little different. We have double DMZ zones.

I am trying to figure out the right FW rules with your picture. Our network team told me that direct access from VCS LAN to VCSE PUBDMZ isn't possible.

So we are thinking about using our VCSE PRIVDMZ as a gateway in the middle, but there is no TURN licence.

So can you please help me again? Are the rules correct now?

What do you think about the VCSE in the middle? Do we need it as a next hop, or can we connect the VCS Lync GW directly to Lync Edge?

What about rules 4 and 5? Are they not the same?


Thanks for reply

Hello Marco, 


Your diagram is correct. 

The question is - are VCE and VCSE two different devices or a VCS Expressway with the Advanced Networking license and two interfaces LAN 1 and LAN 2 ?

The Lync Gateway VCS has to point to the VCS Expressway with TURN capabilities enabled, hence you cannot use the VCE device in the PRIV DMZ.

You need to connect your VCS Lync Gateway directly to Lync Edge.



Hello Mihail,

Yes, that's the point of my problem.

VCE is a VCSE in privDMZ. VCSE is a VCSE in pubDMZ with TURN capabilities and just one pubIP.

At the moment our LAN device VCS Lync GW doesn't have access to pubDMZ because of security. So it's normal that LAN doesn't have access to pubDMZ; therefore we have privDMZ.

But for TURN usage we have to get access from LAN to pubDMZ? This doesn't work because of security. Is there no way to establish the connection over the VCE (VCSE in privDMZ)? The VCE doesn't have TURN capabilities and has just one IP.


Thanks for support. Regards,



Hello Marco, 


That is a tough challenge, and I do not think it is possible to somehow proxy the TURN relay capabilities. 

The only viable solution might be to use your VCE in your private DMZ as a Lync Gateway VCS, or put the dedicated Lync Gateway in the same security segment where the VCE is on the firewall, hence avoiding all the hassle and possible issues. 

Best regards,



It would be a question to the guys who designed the network why the GW VCS-C cannot talk to the VCS-E (Expressway/"Edge") component where the Lync setup can, ...

Looks a bit strange to me that on one hand you are super strict and on the other not.


As this seems to be a more complex setup with some additional security demands I would recommend that you find a Cisco partner / consultant who can help you with the deployment.


Hi Martin,


I'm not sure what you are talking about, that our Lync setup can.

We go one line. No system has access from LAN directly to PubDMZ. All services have a Gateway/Proxy in the PrivDMZ.

Do you mean Lync FE has access to VCSE in PubDMZ?

So all Lync FEs just communicate with VCS in LAN.


I just want to understand you right, maybe to solve my problem.

Thanks a lot for your answer. I think there is no way to put the services outside our LAN because of Client access rights.

I thought there would be a way to proxy the turn connection.

So I try to talk with the network team or a partner.


Thank you so much for great help.

Hello Mihail,

You have added to your diagram additional connectivity between VCS Expressway and Lync Edge Server compared to the picture from Marco.

Why is it needed, and how is the media flow for a call from a Lync client registered to the Edge Server to a Cisco endpoint registered to Cisco VCS?

Marco also has 3478 as outgoing port from VCS GW to Edge Server, but in your diagram you have used the media range from VCS GW to Edge Server.

What configuration has to be done on VCS Expressway and EDGE Server please?

Thanks a lot,

