Slide 1-2: Title
ICE – Edge Media Connectivity in Lync 2013
NETW401
Thomas Binder, UC Voice Architect, Microsoft
Slide 3: Session Objectives and Takeaways
What is A/V Edge Server actually doing?
How do we find the optimal media path?
How do I read client logs?
It’s interesting!
Understand call flows
It will help you troubleshoot!
Slide 4: Agenda
The challenge
The solution
The usage
Call flows
Slide 5: About me
Austria, Vienna
Field hockey
Communications CoE
UC Voice Architect
MCM
Since 2007
tbinder@microsoft.com
Slide 6: What you should already know
Scope
400 level
Limited to media scenarios
Assumptions
Basic understanding of SIP and RTP
Basic understanding of the Lync server roles
Basic understanding of a typical Lync topology
Slide 7: Terms & Acronyms
Candidate: possible combination of IP address and port for a media channel
ICE: Interactive Connectivity Establishment
STUN: Simple Traversal of UDP through NAT (older name); Session Traversal Utilities for NAT (current name)
TURN: Traversal Using Relay NAT
Slide 8: The Challenge
[Diagram: Alice, Bob and Charlie, each behind NAT and a corporate firewall; SIP Proxy and Registrar; separate signaling and media paths]
Slide 9: Challenge 1: NAT
Network Address Translation
Function
Translates one or more internal addresses to one external address
Allows connections from private network
Blocks connection from public networks
Tradeoff
Security vs. usability
Blocks unwanted traffic
Might also block wanted traffic
[Diagram: Alice behind NAT]
Slide 10: Challenge 2: Corporate Firewalls
Though more scrutinized, goals are similar
Sharing of IP addresses
Controlling data traffic from the internet
Two firewalls isolate via perimeter network
[Diagram: internal network, Inner Firewall, perimeter network, Outer Firewall, external network]
Slide 11: Signaling Solution
SIP Proxy
Reachable: on the Internet
Proxies all SIP traffic
[Diagram: Alice, SIP Proxy, Registrar]
Slide 12: Putting it together
Signaling uses SIP Proxy
Media flows over separate channel
Pre-ICE endpoints use local IPs & ports
No media can be sent between (a) and (w)
[Diagram: external endpoint (a) behind NAT, Outer Firewall, SIP Proxy in the perimeter network, Inner Firewall, internal endpoint (w)]
Slide 13: Solution: ICE, STUN, TURN
Add an AV Edge Server
STUN reflects NAT addresses (b) and (e)
TURN relays media packets (c) (d) (x) (y)
ICE exchanges candidates and determines optimal media path
All three protocols are based on IETF standards/drafts
[Diagram: external endpoint (a) behind NAT, Outer Firewall, STUN/TURN Server and SIP Proxy in the perimeter network, Inner Firewall, internal endpoint (w); address labels b, c, d, e, x, y as referenced above]
Slide 14
[Diagram: Internet side with Public Providers ("Ice Ice Baby"), Federated Network and External Users; perimeter network with Reverse proxy and External Edge server; internal side with UC end points, EE pool (Front-end, Back-end), SBA/SBS, Exchange UM, Mediation Server (optional), IP-PSTN gateway, PBX, PSTN]
ICE endpoints
Clients and server
Terminates media: Audio, Video, Desktop/Application Sharing, 1:1 File Transfer (Not: PowerPoint sharing)
Edge Server
Provides STUN and TURN
Does not terminate any media
Is not an ICE endpoint
Slide 15: Five phases of ICE
During sign-in
Requesting token from Media Relay Authentication Service (MRAS)
When establishing a call
Candidate Discovery
Candidate Exchange
Connectivity Checks
Candidate Promotion
Slide 16: Credentials for Remote Client
[Sequence diagram: Endpoint, Outer Firewall, AV Edge, Inner Firewall, Access Edge, Front End Server, MRAS]
SIP REGISTER (Endpoint to Front End Server)
200 OK with in-band provisioning: ms-user-logon-data: RemoteUser, <mrasUri>sip:Mras.contoso.com
SIP SERVICE (Endpoint to MRAS): <location>internet</location>
200 OK (MRAS to Endpoint): <hostName>edge.contoso.com <udpPort>3478 <tcpPort>443 <username>77qq8yXccBc2lwOmFy <password>Wnujl0eo00YkV/5dg= <duration>480
Slide 17: Credentials for anonymous user
[Sequence diagram: Endpoint, Outer Firewall, AV Edge, Inner Firewall, Access Edge, Front End Server, MRAS]
SIP INVITE (Endpoint to Front End Server)
200 OK
SIP SERVICE (Endpoint to MRAS)
200 OK (MRAS to Endpoint): <hostName>94.245.124.238 <udpPort>3478 <tcpPort>443 <username>77qq8yXccBc2lwOF <password>Wnujl0eo00YkV/5g= <duration>480
Slide 18: Demo
Log Analysis: acquiring MRAS credentials
Slide 19: Address Discovery: Audio/Video
[Diagram: Endpoint (NIC 1) behind NAT/Firewall, AV Edge, MRAS; the endpoint sends "allocate UDP" and "allocate TCP" to the AV Edge; resulting candidates a, b, c, d, e are grouped as local, remote and default (default: c)]
Slide 20: Address Discovery: Application Sharing/File Transfer
[Diagram: Endpoint (NIC 1) behind NAT/Firewall, AV Edge, MRAS; only "allocate TCP" is sent; candidates a, b, c are grouped as local, remote and default (default: c)]
Slide 21: Address Discovery: Other sources
[Diagram: Endpoint with NIC 1 and NIC 2 behind NAT/Firewall, AV Edge, MRAS; candidates a, b, c, d, e plus f from the second NIC, grouped as local, remote and default (default: c)]
Slide 22: Address Exchange
[Diagram: two Endpoints, each behind NAT/Firewall, exchanging candidate lists over SIP via the AV Edge; caller candidates a, b, c, d, e (default c), callee candidates v, w, x, y, z (default y)]
SIP INVITE: c :: a, b, c, d, e
183 Session progress: y :: v, w, x, y, z
200 OK: y :: v, w, x, y, z
Slide 23: Demo
Log Analysis: Candidates
Slide 24: Connectivity Checks
Determine all possible UDP and TCP port pairings
Edge Server can bridge between IPv4 and IPv6
STUN packets sent between port pairs in order
STUN packet response indicates connectivity
Stop checks when candidate pair has bi-directional connectivity
Slide 25: Candidate Promotion
Select highest order candidate with validated connectivity
IPv4 before IPv6
Direct before relay
UDP before TCP
SIP INVITE with final candidate pair in SDP
200 OK with final candidate pair in SDP
Media is on optimal, validated path
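The pairing, ordered checking and promotion described on the Connectivity Checks and Candidate Promotion slides, as an added Python example that is not part of this deck: it parses RFC 5245-style a=candidate lines, forms same-transport pairs, sorts them by the slide's preference (IPv4 before IPv6, direct before relay, UDP before TCP) and stops at the first pair whose simulated STUN check succeeds. The candidate lists and addresses, the rule that mixed address-family pairs need a relay, and both stun_check_* outcome functions are constructed assumptions standing in for real connectivity checks; Lync's own promotion works from numeric candidate priorities rather than this three-key sort.

```python
import ipaddress
import re
from dataclasses import dataclass
from itertools import product

# SDP candidate attribute, RFC 5245 syntax. Lync also uses transport names such
# as TCP-ACT / TCP-PASS; the regex accepts them and they are folded to "TCP".
CANDIDATE_RE = re.compile(
    r"a=candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>[A-Za-z-]+) "
    r"(?P<priority>\d+) (?P<ip>\S+) (?P<port>\d+) typ (?P<typ>\w+)"
)

# Constructed candidate lists for a caller (local) and callee (remote); the
# addresses are documentation ranges, not a real deployment.
LOCAL_SDP = [
    "a=candidate:1 1 UDP 2130706431 10.0.0.5 50012 typ host",
    "a=candidate:1 2 UDP 2130706430 10.0.0.5 50013 typ host",  # RTCP component, skipped
    "a=candidate:2 1 TCP-ACT 1694498815 10.0.0.5 50014 typ host",
    "a=candidate:3 1 UDP 1694498815 203.0.113.10 53144 typ srflx raddr 10.0.0.5 rport 50012",
    "a=candidate:4 1 UDP 16648703 198.51.100.20 53144 typ relay raddr 10.0.0.5 rport 50012",
    "a=candidate:5 1 TCP-PASS 16648703 198.51.100.20 53145 typ relay raddr 10.0.0.5 rport 50014",
]
REMOTE_SDP = [
    "a=candidate:1 1 UDP 2130706431 192.168.1.7 50020 typ host",
    "a=candidate:2 1 UDP 1694498815 203.0.113.44 40020 typ srflx raddr 192.168.1.7 rport 50020",
    "a=candidate:3 1 UDP 16648703 198.51.100.20 54000 typ relay raddr 192.168.1.7 rport 50020",
    "a=candidate:4 1 TCP-PASS 16648703 198.51.100.20 54001 typ relay raddr 192.168.1.7 rport 50021",
]


@dataclass(frozen=True)
class Candidate:
    ip: str
    port: int
    transport: str  # "UDP" or "TCP"
    typ: str        # host, srflx (STUN reflexive) or relay (TURN)

    @property
    def is_ipv6(self) -> bool:
        return ipaddress.ip_address(self.ip).version == 6

    @property
    def is_relay(self) -> bool:
        return self.typ == "relay"

    @property
    def is_tcp(self) -> bool:
        return self.transport == "TCP"


def parse_candidates(sdp_lines):
    """Keep component 1 (RTP) candidates only; RTCP follows the same path."""
    found = []
    for line in sdp_lines:
        m = CANDIDATE_RE.match(line.strip())
        if m and m["component"] == "1":
            transport = "TCP" if m["transport"].upper().startswith("TCP") else "UDP"
            found.append(Candidate(m["ip"], int(m["port"]), transport, m["typ"]))
    return found


def candidate_pairs(local, remote):
    """All local/remote pairings with the same transport. Mixed IPv4/IPv6 pairs
    are kept only when a relay is involved (the Edge bridges address families);
    that pairing rule is an assumption of this example."""
    return [
        (l, r) for l, r in product(local, remote)
        if l.transport == r.transport
        and (l.is_ipv6 == r.is_ipv6 or l.is_relay or r.is_relay)
    ]


def pair_rank(pair):
    """Sort key for the slide's promotion order: IPv4 before IPv6, direct before
    relay, UDP before TCP. False sorts before True, so preferred pairs come first."""
    l, r = pair
    return (l.is_ipv6 or r.is_ipv6, l.is_relay or r.is_relay, l.is_tcp)


def promote(local, remote, stun_check):
    """Run connectivity checks in rank order and stop at the first pair that
    answers. stun_check(local, remote) -> bool stands in for the STUN exchange."""
    for pair in sorted(candidate_pairs(local, remote), key=pair_rank):
        if stun_check(*pair):
            return pair
    return None


def stun_check_udp_open(l, r):
    """Constructed outcome: host-to-host fails (both sides behind NAT), reflexive
    to reflexive works over UDP, and anything through the relay works."""
    if l.is_relay or r.is_relay:
        return True
    return l.typ == "srflx" and r.typ == "srflx" and not l.is_tcp


def stun_check_udp_blocked(l, r):
    """Constructed outcome: the remote site drops all UDP, so only TCP 443 to
    the Edge relay gets through."""
    return l.is_tcp and (l.is_relay or r.is_relay)


if __name__ == "__main__":
    local, remote = parse_candidates(LOCAL_SDP), parse_candidates(REMOTE_SDP)
    for name, check in (("UDP open", stun_check_udp_open), ("UDP blocked", stun_check_udp_blocked)):
        l, r = promote(local, remote, check)
        print(f"{name}: {l.typ}/{l.transport} {l.ip}:{l.port} <-> {r.typ}/{r.transport} {r.ip}:{r.port}")
```

With UDP open the promoted pair is the direct reflexive-to-reflexive UDP pair even though relay pairs would also have answered; with UDP blocked the checks fall through to a TCP pair via the Edge relay, which is exactly the path a firewall that only permits TCP 443 leaves open.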
Slide 26: Demo
Log Analysis: Final Candidates
Slide 27: Topology
[Diagram: Home 1 (Lync) and Home 2 (Lync) behind NAT on the Internet; Outer Firewall, AV Edge, Inner Firewall; internal: Work 1 (Lync), Work 2, AV MCU, Exchange UM, Mediation Server; AV Edge ports: UDP 3478, TCP 443, UDP/TCP 50,000-59,999]
Slide 28: Inside/Inside
[Diagram: same topology; media path between the internal endpoints Work 1 (w1) and Work 2 (w2), with AV Edge ports UDP 3478, TCP 443, UDP/TCP 50,000-59,999 shown]
Slide 29: Inside/Outside
[Diagram: same topology; media path between Home 1 (h1) on the Internet and Work 1 (w1) inside, with AV Edge ports UDP 3478, TCP 443, UDP/TCP 50,000-59,999 shown]
Slide 30: Inside/Outside
[Diagram: same topology; media path between Home 1 (h1) and Home 2 (h2), both behind NAT on the Internet, with AV Edge ports UDP 3478, TCP 443, UDP/TCP 50,000-59,999 shown]
Slide 31: AV Edge: 2007 to 2007
[Diagram: two organizations, each with Outer Firewall, AV Edge 2007 and Inner Firewall; Home 1 (Lync), Work 1 (Lync), Work 2 (Lync) and AV MCUs; each AV Edge with UDP 3478, TCP 443, UDP/TCP 50,000-59,999; media labels w1, w2]
Slide 32: AV Edge: Tunnel Mode
[Diagram: two organizations, each with Outer Firewall, AV Edge OCS R2/Lync and Inner Firewall; Home 1 (Lync), Work 1 (Lync), Work 2 (Lync) and AV MCUs; each AV Edge with UDP 3478, TCP 443, UDP/TCP 50,000-59,999; media labels w1, w2]
Slide 33: AV Edge: Interop
[Diagram: two organizations, one with AV Edge OCS 2007 and one with AV Edge OCS R2/Lync, each between Outer Firewall and Inner Firewall; Home 1 (Lync), Work 1 (Lync), Work 2 (Lync) and AV MCUs; each AV Edge with UDP 3478, TCP 443, UDP/TCP 50,000-59,999; media labels w1, w2]
Slide 34: 50,000 requirements - Minimum
Source IP                   Source Port         Destination IP              Destination Port
A/V Edge service interface  TCP 50,000-59,999   Any                         TCP 443
A/V Edge service interface  UDP 3478            Any                         UDP 3478
Any                         Any                 A/V Edge service interface  TCP 443
Any                         Any                 A/V Edge service interface  UDP 3478
OCS 2007: requires 50,000-59,999 TCP/UDP outbound and inbound
OCS 2007 R2, Lync 2010, Lync 2013: requires “50,000-59,999 TCP outbound”; for compatibility with OCS 2007, 50,000-59,999 TCP/UDP outbound and inbound
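The four rows of the minimum table turned into a rule set that sample flows can be checked against, as an added Python example that is not from this deck. It makes the direction semantics of the table explicit (in Lync 2013 the 50,000-59,999 range is a source port range on the Edge for outbound TCP, not a range external endpoints connect to) and shows which flows only an OCS 2007 compatibility rule set permits. All addresses are constructed documentation-range values, and the exact peer ports in the OCS 2007 compatibility rows are an assumption, since the slide states only the direction.

```python
from dataclasses import dataclass

# Role names as used in the slide's table.
EDGE_IF = "A/V Edge service interface"
ANY = "Any"
ANY_PORTS = range(1, 65536)


@dataclass(frozen=True)
class Rule:
    src_ip: str       # EDGE_IF or ANY
    src_ports: range
    dst_ip: str       # EDGE_IF or ANY
    dst_ports: range
    proto: str        # "TCP" or "UDP"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


# The four rows of the "minimum" table (OCS 2007 R2 / Lync 2010 / Lync 2013).
LYNC_2013_MINIMUM = (
    Rule(EDGE_IF, range(50000, 60000), ANY, range(443, 444), "TCP"),  # TCP 50,000-59,999 outbound to 443
    Rule(EDGE_IF, range(3478, 3479), ANY, range(3478, 3479), "UDP"),   # UDP 3478 outbound
    Rule(ANY, ANY_PORTS, EDGE_IF, range(443, 444), "TCP"),             # TCP 443 inbound
    Rule(ANY, ANY_PORTS, EDGE_IF, range(3478, 3479), "UDP"),           # UDP 3478 inbound
)

# Extra rows needed only for OCS 2007 compatibility: the range inbound and
# outbound on both transports. Peer ports here are an assumption of this example.
OCS_2007_COMPAT = LYNC_2013_MINIMUM + tuple(
    Rule(src, sp, dst, dp, proto)
    for proto in ("TCP", "UDP")
    for src, sp, dst, dp in (
        (ANY, ANY_PORTS, EDGE_IF, range(50000, 60000)),
        (EDGE_IF, range(50000, 60000), ANY, ANY_PORTS),
    )
)


def _ip_matches(role, ip, edge_ip):
    return role == ANY or ip == edge_ip


def is_permitted(flow, rules, edge_ip):
    """True if some rule covers the flow in the direction it is initiated."""
    return any(
        r.proto == flow.proto
        and _ip_matches(r.src_ip, flow.src_ip, edge_ip)
        and _ip_matches(r.dst_ip, flow.dst_ip, edge_ip)
        and flow.src_port in r.src_ports
        and flow.dst_port in r.dst_ports
        for r in rules
    )


def denied(flows, rules, edge_ip):
    """Flows the rule set would drop; useful when auditing a firewall change."""
    return [f for f in flows if not is_permitted(f, rules, edge_ip)]


# Constructed addresses: our Edge, an external client, a federated partner's Edge.
EDGE_IP, CLIENT_IP, PEER_EDGE_IP = "198.51.100.20", "203.0.113.10", "192.0.2.5"
SAMPLE_FLOWS = [
    Flow(CLIENT_IP, 51000, EDGE_IP, 443, "TCP"),        # client STUN/TURN over TCP
    Flow(CLIENT_IP, 51000, EDGE_IP, 3478, "UDP"),       # client STUN/TURN over UDP
    Flow(EDGE_IP, 50005, PEER_EDGE_IP, 443, "TCP"),     # Edge to federated Edge, TCP
    Flow(EDGE_IP, 3478, PEER_EDGE_IP, 3478, "UDP"),     # Edge to federated Edge, UDP
    Flow(CLIENT_IP, 51000, EDGE_IP, 50005, "TCP"),      # legacy OCS 2007 endpoint into the range
    Flow(EDGE_IP, 50005, PEER_EDGE_IP, 50010, "UDP"),   # legacy OCS 2007 Edge-to-Edge UDP
]

if __name__ == "__main__":
    for label, rules in (("Lync 2013 minimum", LYNC_2013_MINIMUM), ("OCS 2007 compat", OCS_2007_COMPAT)):
        print(label, "denies", len(denied(SAMPLE_FLOWS, rules, EDGE_IP)), "of", len(SAMPLE_FLOWS))
```

Under the Lync 2013 minimum set only the two legacy flows are dropped; everything a 2013 endpoint or a federated Edge needs rides on TCP 443 and UDP 3478 inbound plus the Edge-sourced outbound rows, which is why the range can stay closed inbound unless OCS 2007 peers exist.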
Slide 35: 50,000 requirements - Optimal
[Diagram: two topologies compared, "Port range open" and "Port range closed", each showing AV Edge servers with 443 TCP, 3478 UDP and the 50,000 port range]
Slide 36: Edge Pool with DNS LB and NAT
[Diagram: two Edge servers, each with 443 TCP, 3478 UDP and the 50,000 port range, between Outer Firewall and Inner Firewall]
External user might be behind firewall outside your control
Firewall MUST allow hairpin: public IP to public IP
Slide 37: Certificate within Edge Pool
[Sequence diagram: Endpoint, Outer Firewall, two AV Edge servers, Inner Firewall, Access Edge, Front End Server, MRAS; SIP REGISTER, SIP SERVICE to MRAS, then "allocate UDP" and "allocate TCP" to the AV Edge]
Slide 38: Troubleshoot?
Inbound provisioning without “MRAS”
AV Edge Server is not configured at pool
“MRAS” credentials not provided
No connectivity between Front End Server and AV Edge Server internal interface
Wrong AV Edge Server FQDN? Firewall? Port 5062 TCP from FE to Edge required
No STUN/TURN candidates
No connectivity between client and AV Edge Server on port 443 TCP and 3478 UDP
Wrong AV Edge Server FQDN? Firewall? Port 443 TCP and 3478 UDP from endpoint to Edge required
Hardware Load Balancer dropping/corrupting packets?
TURN candidates carry internal NATed IP address
AV Edge Server not aware of external IP address
Slide 39: Where are the logs?
Lync 2013
Activate “Turn on logging in Lync”
%localappdata%\Microsoft\Office\15.0\Lync\Tracing
Lync 2010 and earlier
Activate “Turn on logging in Lync”
Logs in “%userprofile%\tracing”
Live Meeting
HKEY_CURRENT_USER\Software\Microsoft\Tracing\uccp\LiveMeeting "EnableFileTracing"=DWORD:00000001
Logs in “%userprofile%\tracing”
Slide 40: UccApilog.log search tips
"MRAS": finds inband provisioning, MRAS request, MRAS provisioning
"a=candidate": finds candidate exchange
"a=remote-candidate": finds promoted candidates that were used for the call
Slide 41: More tools
Synthetic transaction: Test-CsAVEdgeConnectivity
http://technet.microsoft.com/en-us/library/jj205138.aspx
Pre-Call Diagnostics
http://technet.microsoft.com/en-us/library/dn451255.aspx
PortQry
http://www.microsoft.com/en-us/download/details.aspx?id=17148
Telnet
telnet <AV Edge internal FQDN> 5062 from Front End
telnet <AV Edge internal FQDN> 443 from internal client
telnet <AV Edge external FQDN> 443 from external client
Slide 42: Resources
Office Protocols
http://msdn.microsoft.com/en-us/library/cc307432(v=office.12).aspx
Lync 2013 Debugging Tool (includes Snooper)
http://www.microsoft.com/en-us/download/details.aspx?id=35453
Slide 43: Session Objectives and Takeaways
What is A/V Edge Server actually doing?
How do we find the optimal media path?
How do I read client logs?
It’s interesting!
Understand call flows
It will help you troubleshoot!
Edge is awesome!
Slide 44: Related Content
CLNT402 Understanding Lync 2013 Mobile Media Flows (James Ooi, Shyh Wei, Kaushal Mehta)
CLNT300 Securing external and mobile access in Lync 2013 (Francois Doremieux, Rui Maximo)
MEET402 Technical deep-dive into Lync-Skype Video (William Looney, Senthil Velayutham, Carl Olivier), Wednesday, 8.30am
MEET303 Lync Meetings and Edge? Why does it matter? Why do I need it? (John Weber), Wednesday, 4pm
MEET400 Meetings and Media - the detailed view (Johan Delimon, Tommy Clarke), Thursday, 10.45am
Slide 46
Monday, February 17th
Exhibit Hall Hours 6:00pm – 8:00pm
6:00pm – 8:00pm Welcome Reception
Tuesday, February 18th
Exhibit Hall Hours 8:00am – 9:00am (Breakfast), 10:30am – 5:00pm
8:00am – 9:00am Breakfast (Exhibit Hall)
9:00am – 10:30am General Session
10:30am – 5:00pm Expo Hall Hours
11:00am – 12:15pm Sessions & Hands-on Labs
12:15pm – 2:00pm Lunch
2:00pm – 5:00pm Sessions & Hands-on Labs
5:00pm – 7:00pm Ask the Experts
Wednesday, February 19th
Exhibit Hall Hours 10:30am – 4:30pm
7:30am – 8:30am Breakfast
8:30am – 11:30am Sessions & Hands-on Labs
10:30am – 4:30pm Expo Hall Hours
11:30am – 1:00pm Lunch
1:00pm – 5:45pm Sessions & Hands-on Labs
6:30pm – 9:30pm Attendee Party
Thursday, February 20th
Exhibit Hall Hours 9:00am – 12:00pm
8:00am – 9:00am Breakfast
9:00am – 12:00pm Expo Hall Hours
9:00am – 12:15pm Sessions & Hands-on Labs
12:15pm – 1:30pm Lunch and Departures
Slide 47: Ask the Experts
Location: Meal Hall located on Level 1 in Pinyon Ballroom 4-8
Tuesday, February 18
TABLE TOPICS: Best Practices, Business Value, Clients & Mobility, Lync Meetings and Video, Lync Online, Networking, Platform, Server & Manageability, Voice, Lync Feedback Sessions
Meet face-to-face with the foremost experts in the Lync field and ask them the questions that have you stumped.
Slide 48: Lync Feedback
Location: Breakout rooms located on Level 1
5:00pm-7:00pm
GROUPS INCLUDE:
Manageability – Pinyon 2
Meetings & Web Experiences – Bluethorn 4-6
Mobility – Bluethorn 7-9
Presence & Chat – Pinyon 1
Voice & Video – Bluethorn 1-3
Come participate in targeted Feedback Sessions to hear about the high-priority feature asks and help us improve the next release!
These sessions are meant to be informational, providing an understanding of the workload, and conversational, to discuss your user scenarios and desired improvements.
Slide 49: Birds of a Feather
Birds of a Feather flock together! Join daily breakfast discussions of relevant topics by sitting in the separately designated areas of the Meal Hall.
Seating will be sorted in a different way for each Birds of a Feather breakfast:
Wednesday, February 19: Where are you from?
Asia/Pacific, Eastern & Central Europe, Latin America, Middle East & Africa, US (West, Central & East) and Canada, Western Europe
Thursday, February 20: What is your interest?
Best Practices, Business Value, Clients & Mobility, Lync Meetings and Video, Lync Online, Networking, Platform, Server & Manageability, Voice
Slide 50
#LyncConf14
/msftLYNC
/microsoft-lync
/MSFTLync
Slide 51: Lync Launch Pad
You’ve launched Lync. Now launch this.
MS Pavilion – Expo Hall
Slide 52: Fill out evaluations to win prizes
Fill out evaluations on MyLync or MyLync Mobile.
Prizes awarded daily.
Slide 53
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.