Page 1:

Page 2:

Thomas Binder, UC Voice Architect, Microsoft

ICE – Edge Media Connectivity in Lync 2013

NETW401

Page 3:

Session Objectives And Takeaways

What is A/V Edge Server actually doing?
How do we find the optimal media path?
How do I read client logs?

It’s interesting!
Understand call flows
It will help you troubleshoot!

Page 4:

Agenda
The challenge
The solution
The usage
Call flows

Page 5:

About me

Austria, Vienna

Field hockey
Communications CoE
UC Voice Architect, MCM
Since 2007


Page 6:

What you should already know

Scope
400 level
Limited to media scenarios

Assumptions
Basic understanding of SIP and RTP
Basic understanding of the Lync server roles
Basic understanding of a typical Lync topology

Page 7:

Terms & Acronyms

Candidate: possible combination of IP address and port for a media channel

ICE: Interactive Connectivity Establishment

STUN: Simple Traversal of UDP through NAT / Session Traversal Utilities for NAT

TURN: Traversal Using Relay NAT

Page 8:

The Challenge

[Diagram: Alice, Bob and Charlie, each behind a NAT and a corporate firewall; SIP Proxy and Registrar on the Internet; signaling and media shown as separate paths]

Page 9:

Challenge 1: NAT (Network Address Translation)

Function
Translates one or more internal addresses to one external address
Allows connections from the private network
Blocks connections from public networks

Tradeoff
Security vs. usability
Blocks unwanted traffic
Might also block wanted traffic

[Diagram: Alice behind a NAT]

Page 10:

Challenge 2: Corporate Firewalls
Though more scrutinized, goals are similar
Sharing of IP addresses
Controlling data traffic from the Internet

Two firewalls isolate via a perimeter network

[Diagram: internal network, Inner Firewall, perimeter network, Outer Firewall, external network]

Page 11:

Signaling Solution: SIP Proxy
Reachable: on the Internet
Proxies all SIP traffic

[Diagram: Alice, SIP Proxy, Registrar]

Page 12:

Putting it together
Signaling uses the SIP Proxy
Media flows over a separate channel
Pre-ICE endpoints use local IPs & ports
No media can be sent between (a) and (w)

[Diagram: external and internal networks; NAT, Outer Firewall, SIP Proxy, Inner Firewall; endpoint (a) outside and endpoint (w) inside]

Page 13:

Solution: ICE, STUN, TURN

[Diagram: external and internal networks; NAT, Outer Firewall, STUN/TURN Server, SIP Proxy, Inner Firewall; endpoints (a) and (w) with additional candidates (b), (c), (d), (e), (x), (y)]

Add an AV Edge Server
STUN reflects NAT addresses (b) and (e)
TURN relays media packets (c), (d), (x), (y)

ICE exchanges candidates and determines the optimal media path
All three protocols are based on IETF standards/drafts

Page 14:

Ice Ice Baby

[Diagram: Lync topology. External: Public Providers, Federated Network, External Users. Perimeter network: Reverse proxy, Edge server. Internal: UC end points, EE pool (Front-end, Back-end), Mediation Server (optional), IP-PSTN gateway, PBX, PSTN, SBA/SBS, Exchange UM]

ICE endpoints: clients and server
Terminates media
Audio
Video
Desktop/Application Sharing
1:1 File Transfer
(Not: PowerPoint sharing)

Edge Server
Provides STUN and TURN
Does not terminate any media
Is not an ICE endpoint

Page 15:

Five phases of ICE

During sign-in
Requesting a token from the Media Relay Authentication Service (MRAS)

When establishing a call
Candidate Discovery
Candidate Exchange
Connectivity Checks
Candidate Promotion

Page 16:

Credentials for Remote Client

[Sequence diagram: Endpoint, Outer Firewall, Access Edge, Inner Firewall, Front End Server, MRAS, AV Edge]

SIP Register
200 OK with in-band provisioning: ms-user-logon-data: RemoteUser, <mrasUri>sip:Mras.contoso.com
SIP Service with <location>internet</location>
Service, 200 OK
200 OK with <hostName>edge.contoso.com <udpPort>3478 <tcpPort>443 <username>77qq8yXccBc2lwOmFy <password>Wnujl0eo00YkV/5dg= <duration>480

Page 17:

Credentials for anonymous user

[Sequence diagram: Endpoint, Outer Firewall, Access Edge, Inner Firewall, Front End Server, MRAS, AV Edge]

SIP Invite
Service, 200 OK
200 OK with <hostName>94.245.124.238 <udpPort>3478 <tcpPort>443 <username>77qq8yXccBc2lwOF <password>Wnujl0eo00YkV/5g= <duration>480

Page 18:

Demo

Log Analysis: acquiring MRAS credentials

Page 19:

Address Discovery: Audio/Video

[Diagram: the endpoint (NIC 1, UDP and TCP) sends "allocate UDP" and "allocate TCP" through the NAT/Firewall to the AV Edge, using the credentials obtained from MRAS; the resulting local candidates are a, b, c, d, e, with c as the default candidate; the remote candidate list is still empty]

Page 20:

Address Discovery: Application Sharing/File Transfer

[Diagram: the endpoint (NIC 1) sends only "allocate TCP" through the NAT/Firewall to the AV Edge, using the credentials obtained from MRAS; the resulting local candidates are a, b, c, with c as the default candidate]

Page 21:

Address Discovery: Other sources

[Diagram: the endpoint has two interfaces, NIC 1 and NIC 2 (UDP and TCP); candidates a, b, c, d, e come from NIC 1 via the NAT/Firewall and the AV Edge (credentials from MRAS), candidate f from NIC 2; c remains the default candidate]

Page 22:

Address Exchange

[Diagram: two endpoints, each behind its own NAT/Firewall and using its own AV Edge, exchange candidate lists over SIP. The caller has local candidates a, b, c, d, e (default c); the callee has local candidates v, w, x, y, z (default y). After the exchange each side holds the other's list as its remote candidates]

SIP INVITE: c :: a, b, c, d, e
183 Session Progress: y :: v, w, x, y, z
200 OK: y :: v, w, x, y, z

(Notation: default candidate :: full candidate list)

Page 23:

Demo

Log Analysis: Candidates

Page 24:

Connectivity Checks
Determine all possible UDP and TCP port pairings
Edge Server can bridge between IPv4 and IPv6
STUN packets sent between port pairs in order
STUN packet response indicates connectivity
Stop checks when a candidate pair has bi-directional connectivity

Page 25:

Candidate Promotion
Select the highest-order candidate with validated connectivity
IPv4 before IPv6
Direct before relay
UDP before TCP

SIP INVITE with the final candidate pair in SDP
200 OK with the final candidate pair in SDP
Media is on the optimal, validated path

Page 26:

Demo

Log Analysis: Final Candidates

Page 27:

Topology

[Diagram: Home 1 (Lync) and Home 2 (Lync) behind NATs on the Internet; Outer Firewall, AV Edge, Inner Firewall; inside: Work 1 (Lync), Work 2, AV MCU, Exchange UM, Mediation Server. AV Edge ports: UDP/TCP 50,000–59,999, UDP 3478, TCP 443]

Page 28:

Inside/Inside

[Diagram: Work 1 (w1) and Work 2 (w2) both inside the corporate network, with AV MCU, Exchange UM and Mediation Server; candidates w1 and w2 are exchanged and media flows inside. AV Edge ports shown: UDP/TCP 50,000–59,999, UDP 3478, TCP 443]

Page 29:

Inside/Outside

[Diagram: Home 1 (h1) on the Internet and Work 1 (w1) inside, with AV MCU, Exchange UM and Mediation Server; candidates h1 and w1 exchanged; media traverses the Outer Firewall, AV Edge (UDP/TCP 50,000–59,999, UDP 3478, TCP 443) and Inner Firewall]

Page 30:

Inside/Outside

[Diagram: Home 1 (h1) and Home 2 (h2), each behind a NAT on the Internet; candidates h1 and h2 exchanged; media traverses the Outer Firewall and AV Edge (UDP/TCP 50,000–59,999, UDP 3478, TCP 443)]

Page 31:

AV Edge: 2007 to 2007

[Diagram: two organizations, each with Outer Firewall, AV Edge 2007 (UDP/TCP 50,000–59,999, UDP 3478, TCP 443) and Inner Firewall; Home 1 (Lync) outside; Work 1 (w1) with AV MCU on one side, Work 2 (w2) with AV MCU on the other; media between w1 and w2 flows edge to edge over the 50,000–59,999 port range]

Page 32:

AV Edge: Tunnel Mode

[Diagram: two organizations, each with Outer Firewall, AV Edge OCS R2/Lync (UDP/TCP 50,000–59,999, UDP 3478, TCP 443) and Inner Firewall; Home 1 (Lync) outside; Work 1 (w1) with AV MCU on one side, Work 2 (w2) with AV MCU on the other; media between w1 and w2 flows edge to edge]

Page 33:

AV Edge: Interop

[Diagram: two organizations, one with AV Edge OCS 2007 and one with AV Edge OCS R2/Lync, each behind Outer and Inner Firewalls (UDP/TCP 50,000–59,999, UDP 3478, TCP 443); Home 1 (Lync) outside; Work 1 (w1) with AV MCU on one side, Work 2 (w2) with AV MCU on the other; media between w1 and w2 flows edge to edge]

Page 34:

50,000 requirements - Minimum

Source IP                   Source Port         Destination IP              Destination Port
A/V Edge service interface  TCP 50,000-59,999   Any                         TCP 443
A/V Edge service interface  UDP 3478            Any                         UDP 3478
Any                         Any                 A/V Edge service interface  TCP 443
Any                         Any                 A/V Edge service interface  UDP 3478

OCS 2007
Requires 50,000-59,999 TCP/UDP outbound and inbound

OCS 2007 R2, Lync 2010, Lync 2013
For compatibility with OCS 2007: 50,000-59,999 TCP/UDP outbound and inbound
Requires “50,000-59,999 TCP outbound”

Page 35:

50,000 requirements - Optimal

[Diagram: two cases side by side, "Port range open" and "Port range closed"; in each, two AV Edge servers expose 443 TCP, 3478 UDP and the 50,000 port range]

Page 36:

Edge Pool with DNS LB and NAT

[Diagram: two Edge servers in a pool behind the Outer Firewall, each exposing 443 TCP, 3478 UDP and the 50,000 port range; Inner Firewall behind them]

External user might be behind a firewall outside your control

Firewall MUST allow hairpin: public IP to public IP

Page 37:

Certificate within Edge Pool

[Sequence diagram: Endpoint, Outer Firewall, Access Edge, Inner Firewall, Front End Server, and two pool members each with MRAS and AV Edge; SIP Register, SIP Service and Service messages are followed by "allocate UDP" and "allocate TCP" (SIP, UDP and TCP legs)]

Page 38:

Troubleshoot?

Inbound provisioning without “MRAS”
AV Edge Server is not configured at the pool

“MRAS” credentials not provided
No connectivity between Front End Server and AV Edge Server internal interface
Wrong AV Edge Server FQDN? Firewall? Port 5062 TCP from FE to Edge is required

No STUN/TURN candidates
No connectivity between client and AV Edge Server on port 443 TCP and 3478 UDP
Wrong AV Edge Server FQDN? Firewall? Port 443 TCP and 3478 UDP from endpoint to Edge are required
Hardware Load Balancer dropping/corrupting packets?

TURN candidates show an internal NATed IP address
AV Edge Server not aware of its external IP address

Page 39:

Where are the logs?

Lync 2013
Activate “Turn on logging in Lync”
Logs in %localappdata%\Microsoft\Office\15.0\Lync\Tracing

Lync 2010 and earlier
Activate “Turn on logging in Lync”
Logs in “%userprofile%\tracing”

Live Meeting
HKEY_CURRENT_USER\Software\Microsoft\Tracing\uccp\LiveMeeting "EnableFileTracing" = DWORD:00000001
Logs in “%userprofile%\tracing”

Page 40:

UccApilog.log search tips

MRAS
Finds in-band provisioning, MRAS request, MRAS provisioning

a=candidate
Finds the candidate exchange

a=remote-candidate
Finds the promoted candidates that were used for the call
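The two search hits above can be parsed instead of read by hand. The following is an added example, not code from the session or from Microsoft: it parses constructed a=candidate and a=remote-candidates lines written in the style of a UccApilog.log SDP body, ranks the local candidates in the promotion order from the Candidate Promotion slide (IPv4 before IPv6, direct before relay, UDP before TCP), and picks the first one whose connectivity check succeeded. All addresses, ports, priorities and the "validated" set are made up.

```python
import re
from ipaddress import ip_address

# Constructed excerpt in the style of a UccApilog.log SDP body (not a real capture).
# Addresses are documentation ranges; TCP-ACT is the active-TCP transport label in Lync SDP.
SAMPLE_LOG = """\
a=candidate:1 1 UDP 2130706431 10.1.2.30 50004 typ host
a=candidate:1 2 UDP 2130705918 10.1.2.30 50005 typ host
a=candidate:2 1 TCP-ACT 1684798975 10.1.2.30 50010 typ host
a=candidate:3 1 UDP 184548863 203.0.113.20 50012 typ relay raddr 10.1.2.30 rport 50004
a=candidate:4 1 TCP-ACT 167772671 203.0.113.20 443 typ relay raddr 10.1.2.30 rport 50010
a=candidate:5 1 UDP 2130706175 2001:db8::30 50006 typ host
a=remote-candidates:1 198.51.100.7 50020 2 198.51.100.7 50021
"""

CAND_RE = re.compile(r"a=candidate:(?P<found>\S+) (?P<comp>\d) (?P<transport>[\w-]+) "
                     r"(?P<prio>\d+) (?P<ip>\S+) (?P<port>\d+) typ (?P<typ>\w+)")
REMOTE_RE = re.compile(r"a=remote-candidates?:(.*)")

def parse_candidates(log_text):
    """Every a=candidate line (what the 'a=candidate' search finds) as a dict."""
    cands = []
    for m in CAND_RE.finditer(log_text):
        d = m.groupdict()
        cands.append({"foundation": d["found"], "component": int(d["comp"]),
                      "transport": d["transport"].upper(), "ip": d["ip"],
                      "port": int(d["port"]), "typ": d["typ"]})
    return cands

def promotion_rank(c):
    """Sort key for the slide's order: IPv4 before IPv6, direct before relay, UDP before TCP."""
    return (ip_address(c["ip"]).version == 6, c["typ"] == "relay", c["transport"].startswith("TCP"))

def select_candidate(cands, validated, component=1):
    """Highest-order candidate of one component whose (ip, port) passed connectivity checks."""
    for c in sorted((c for c in cands if c["component"] == component), key=promotion_rank):
        if (c["ip"], c["port"]) in validated:
            return c
    return None  # nothing validated: no media path for this component

def parse_remote_candidates(log_text):
    """The a=remote-candidates line (what 'a=remote-candidate' finds) as {component: (ip, port)}."""
    m = REMOTE_RE.search(log_text)
    if not m:
        return {}
    toks = m.group(1).split()
    return {int(toks[i]): (toks[i + 1], int(toks[i + 2])) for i in range(0, len(toks) - 2, 3)}
```

When only the relay check succeeds, `select_candidate` skips the direct host candidate and returns the UDP relay on the Edge, which is the TURN path a reader would expect to see in the promoted a=remote-candidates line of a real log.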

Page 41:

More tools

Synthetic transaction: Test-CsAVEdgeConnectivity
http://technet.microsoft.com/en-us/library/jj205138.aspx

Pre-Call Diagnostics
http://technet.microsoft.com/en-us/library/dn451255.aspx

PortQry
http://www.microsoft.com/en-us/download/details.aspx?id=17148

Telnet
telnet <AV Edge internal FQDN> 5062 from Front End
telnet <AV Edge internal FQDN> 443 from internal client
telnet <AV Edge external FQDN> 443 from external client

Page 42:

Resources

Office Protocols
http://msdn.microsoft.com/en-us/library/cc307432(v=office.12).aspx

Lync 2013 Debugging Tool (includes Snooper)
http://www.microsoft.com/en-us/download/details.aspx?id=35453

Page 43:

Session Objectives And Takeaways

What is A/V Edge Server actually doing?
How do we find the optimal media path?
How do I read client logs?

It’s interesting!
Understand call flows
It will help you troubleshoot!

Edge is awesome!

Page 44:

Related Content

CLNT402 Understanding Lync 2013 Mobile Media Flows (James Ooi Shyh Wei, Kaushal Mehta)

CLNT300 Securing external and mobile access in Lync 2013 (Francois Doremieux, Rui Maximo)

MEET402 Technical deep-dive into Lync-Skype Video (William Looney, Senthil Velayutham, Carl Olivier), Wednesday, 8.30am

MEET303 Lync Meetings and Edge? Why does it matter? Why do I need it? (John Weber), Wednesday, 4pm

MEET400 Meetings and Media - the detailed view (Johan Delimon, Tommy Clarke), Thursday, 10.45am

Page 45:

Page 46:

Monday, February 17th
Exhibit Hall Hours 6:00pm – 8:00pm
6:00pm – 8:00pm Welcome Reception

Tuesday, February 18th
Exhibit Hall Hours 8:00am – 9:00am (Breakfast), 10:30am – 5:00pm
8:00am – 9:00am Breakfast (Exhibit Hall)
9:00am – 10:30am General Session
10:30am – 5:00pm Expo Hall Hours
11:00am – 12:15pm Sessions & Hands-on Labs
12:15pm – 2:00pm Lunch
2:00pm – 5:00pm Sessions & Hands-on Labs
5:00pm – 7:00pm Ask the Experts

Wednesday, February 19th
Exhibit Hall Hours 10:30am – 4:30pm
7:30am – 8:30am Breakfast
8:30am – 11:30am Sessions & Hands-on Labs
10:30am – 4:30pm Expo Hall Hours
11:30am – 1:00pm Lunch
1:00pm – 5:45pm Sessions & Hands-on Labs
6:30pm – 9:30pm Attendee Party

Thursday, February 20th
Exhibit Hall Hours 9:00am – 12:00pm
8:00am – 9:00am Breakfast
9:00am – 12:00pm Expo Hall Hours
9:00am – 12:15pm Sessions & Hands-on Labs
12:15pm – 1:30pm Lunch and Departures

Page 47:

Ask the Experts
Location: Meal Hall located on Level 1 in Pinyon Ballroom 4-8, Tuesday, February 18

TABLE TOPICS: Best Practices, Business Value, Clients & Mobility, Lync Meetings and Video, Lync Online, Networking, Platform, Server & Manageability, Voice, Lync Feedback Sessions

Meet face-to-face with the foremost experts in the Lync field and ask them the questions that have you stumped.

Page 48:

Lync Feedback
Location: Breakout rooms located on Level 1, 5:00pm-7:00pm

GROUPS INCLUDE:
Manageability – Pinyon 2
Meetings & Web Experiences – Bluethorn 4-6
Mobility – Bluethorn 7-9
Presence & Chat – Pinyon 1
Voice & Video – Bluethorn 1-3

Come participate in targeted Feedback Sessions to hear about the high-priority feature asks and help us improve the next release!

These sessions are meant to be informational, providing an understanding of the workload, and conversational, to discuss your user scenarios and desired improvements.

Page 49:

Birds of a Feather
Birds of a Feather flock together! Join daily breakfast discussions of relevant topics by sitting in the separately designated areas of the Meal Hall. Seating will be sorted in a different way for each Birds of a Feather breakfast:

Wednesday, February 19: Where are you from? Asia/Pacific, Eastern & Central Europe, Latin America, Middle East & Africa, US (West, Central & East) and Canada, Western Europe

Thursday, February 20: What is your interest? Best Practices, Business Value, Clients & Mobility, Lync Meetings and Video, Lync Online, Networking, Platform, Server & Manageability, Voice

Page 50:

#LyncConf14
/msftLYNC
/microsoft-lync
/MSFTLync

Page 51:

Lync Launch Pad
You’ve launched Lync. Now launch this.
MS Pavilion – Expo Hall

Page 52:

Fill out evaluations to win prizes
Fill out evaluations on MyLync or MyLync Mobile.
Prizes awarded daily.

Page 53:

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.