
Lync Deep Dive: Edge Media Connectivity with ICE

EXL412. Lync Deep Dive: Edge Media Connectivity with ICE. Thomas Binder UC Voice Architect – MCS Voice Center of Excellence Microsoft Corporation. Session Objectives and Takeaways. What is A/V Edge Server actually doing? How do we find the optimal media path? How do I read client logs?


Presentation Transcript


  1. EXL412 Lync Deep Dive: Edge Media Connectivity with ICE. Thomas Binder, UC Voice Architect – MCS Voice Center of Excellence, Microsoft Corporation

  2. Session Objectives and Takeaways • What is A/V Edge Server actually doing? • How do we find the optimal media path? • How do I read client logs? • It’s interesting! • Understand call flows • It will help you troubleshoot!

  3. Agenda: Media connectivity through Edge (ICE) • Problems for media connectivity • Protocols for establishing media • Establishing a media session • Call flows • Q&A

  4. Thomas Binder • Austria, Vienna • Working on OCS/Lync since 2007 • MCS Voice Center of Excellence • tbinder@microsoft.com

  5. What you should already know • Scope • 400 level • Limited to media scenarios • Assumptions • Basic understanding of SIP and RTP • Basic understanding of the Lync server roles • Basic understanding of a typical Lync topology

  6. Terms & Acronyms • Candidate • Possible combination of IP address and port for a media channel • ICE • Interactive Connectivity Establishment • TURN • Traversal Using Relay NAT • STUN • Simple Traversal of UDP through NAT • Session Traversal Utilities for NAT

  7. NAT • Network Address Translation • Translates one or more internal addresses to one external address • General NAT/Firewall behavior • Allows connections from the private network • Blocks connections from the Internet • Security/usability tradeoff • Blocks attackers from harming your system • PROBLEM: Also blocks incoming signaling and media [Diagram: Home network behind Home NAT, Internet]

  8. Corporate Firewalls • Though more scrutinized, goals are similar • Sharing of IP addresses • Controlling data traffic from the Internet • Two firewalls isolate via perimeter network [Diagram: Work network, Inner FW, Perimeter Network, Outer FW, Internet]

  9. Signaling Solution • SIP Proxy resides outside NAT/FW • On the Internet, so always reachable • Access Edge is found using SRV lookup [Diagram: Private Computer on the Private Network behind NAT/Firewall, Access Edge, Internet Computer]

  10. Why is NAT Traversal a problem? • SIP signaling over TCP uses Access Edge • UDP media flows over a separate channel • Pre-ICE endpoints use local IPs & ports • No media can be sent between (a) and (w) [Diagram: INVITE m/c = a and 200 OK m/c = w exchanged via Access Edge; Home endpoint (a) behind Home NAT, Work endpoint (w) behind Outer FW and Inner FW]

  11. Solution – STUN, TURN, ICE • Add a Media Relay (aka A/V Edge Server) • STUN reflects NAT addresses (b) and (e) • TURN relays media packets (c) (d) (x) (y) • ICE exchanges candidates (cand) and determines optimal media path • All three protocols are based on IETF standards [Diagram: INVITE m/c = a with cand=a,b,c,d,e and 200 OK m/c = w with cand=w,x,y exchanged via Access Proxy; Home endpoint (a) behind Home NAT, Work endpoint (w) behind Outer FW and Inner FW; STUN/TURN Server (A/V Edge) reached over UDP and TCP]

  12. ICE [Diagram: Lync topology with Reverse Proxy, Edge Server, Director, Front End, Back End, SBA, Monitoring, Archiving, Mediation Server, PSTN SBC, Exchange UM, A/V Conferencing, Gateway; remote, federated and anonymous users on the Internet]

  13. ICE Details • There are five phases for establishing a media path • During login • TURN Provisioning and Credentials (MRAS) • When establishing a call • Address Discovery (Allocation) • Address Exchange (SIP Invite/200OK) • Connectivity Checks • Candidate Promotion

  14. Credentials for Remote Client [Diagram: Endpoint → Access Edge → Lync FE Server: SIP Register (ms-user-logon-data: RemoteUser), answered with 200 OK; Lync FE Server → MRAS service on the A/V Edge over MTLS (<mrasUri>sip:Mras.contoso.com, <location>internet</location>), answered with 200 OK; Outer Firewall, Inner Firewall] MRAS credentials returned to the client: <hostName>edge.contoso.com <udpPort>3478 <tcpPort>443 <username>77qq8yXccBc2lwOmFy <password>Wnujl0eo00YkV/5dg= <duration>480

  15. Credentials for Conferencing [Diagram: Endpoint → Access Edge → Lync FE Server: SIP Invite, answered with 200 OK; Lync FE Server → MRAS service on the A/V Edge over MTLS, answered with 200 OK; Outer Firewall, Inner Firewall] MRAS credentials returned to the client: <hostName>avedge.contoso.com <udpPort>3478 <tcpPort>443 <username>77qq8yXccBc2lwOF <password>Wnujl0eo00YkV/5g= <duration>480

  16. Demo Log Analysis: MRAS

  17. Address Discovery (AV) [Diagram: Endpoint behind NAT/Firewall sends Allocate UDP and Allocate TCP to the Media Relay using the MRAS credentials; candidates a (nic, default), b, c, d, e are gathered into the candidate list, labelled local/remote and UDP/TCP]

  18. Address Discovery: Desktop Sharing, File Transfer [Diagram: Endpoint behind NAT/Firewall sends Allocate TCP only to the Media Relay; candidates a (nic, default), b, c are gathered into the candidate list, labelled local/remote and UDP/TCP]

  19. Other Address Discovery [Diagram: Endpoint with two NICs (nic, nic2) behind NAT/Firewall; UPnP: Add Port Map; candidates a–g from the local interfaces, the UPnP port mapping and the Media Relay are gathered into the candidate list, labelled local/remote and UDP/TCP]

  20. Address Exchange [Diagram: SIP INVITE carries the caller's candidates c :: a,b,c,d; 183 Session Progress and 200 OK carry the callee's candidates y :: w,x,y,z; each Endpoint sits behind its NAT/Firewall and Edge; after the exchange each endpoint's candidate list holds its own local candidates (default c and y respectively) and the remote ones]

  21. Demo Log Analysis: Candidates

  22. Lync Candidates
  [---------]:1 2 [---3--] [----4---] [------5-----] [-6-] [---7---------] [-------8---------------]
  a=candidate:1 1 UDP 2130706431 192.168.0.103 50012 typ host
  a=candidate:1 2 UDP 2130705918 192.168.0.103 50013 typ host
  a=candidate:2 1 UDP 2130705919 192.168.0.100 50036 typ host
  a=candidate:2 2 UDP 2130705406 192.168.0.100 50037 typ host
  a=candidate:3 1 TCP-PASS 6556159 94.245.124.238 59782 typ relay raddr 10.166.24.59 rport 50023
  a=candidate:3 2 TCP-PASS 6556158 94.245.124.238 59782 typ relay raddr 10.166.24.59 rport 50023
  a=candidate:4 1 UDP 16648703 94.245.124.238 50570 typ relay raddr 84.112.158.142 rport 50016
  a=candidate:4 2 UDP 16648702 94.245.124.238 56248 typ relay raddr 84.112.158.142 rport 50017
  a=candidate:5 1 TCP-ACT 7076351 94.245.124.238 59782 typ relay raddr 10.166.24.59 rport 50023
  a=candidate:5 2 TCP-ACT 7075838 94.245.124.238 59782 typ relay raddr 10.166.24.59 rport 50023
  a=candidate:6 1 TCP-ACT 1684797439 10.166.24.59 50023 typ srflx raddr 192.168.0.103 rport 50023
  a=candidate:6 2 TCP-ACT 1684796926 10.166.24.59 50023 typ srflx raddr 192.168.0.103 rport 50023
  a=candidate:7 1 UDP 1694234111 84.112.158.142 50016 typ srflx raddr 192.168.0.103 rport 50016
  a=candidate:7 2 UDP 1694233598 84.112.158.142 50017 typ srflx raddr 192.168.0.103 rport 50017

  23. Connectivity Checks • Determine all possible UDP and TCP port pairings • STUN packets sent between port pairs in order • STUN packet response indicates connectivity • Stop checks when a candidate pair has bi-directional connectivity

  24. Candidate Promotion • Select the highest-order candidate with validated connectivity • Direct before relay • UDP before TCP • Send SIP INVITE with only the selected candidate in the SDP • 200 OK also contains only one candidate in SDP • Note there will be two candidates, one RTP and one RTCP • Media is redirected to flow on the optimal, validated path
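As an added example (not code from the presentation), a Python parser for the Lync a=candidate lines of slide 22 that decodes the type preference from the priority and applies the slide-24 promotion rule; the set of foundations that passed connectivity checks is a constructed assumption, as is the sample SDP subset.

```python
import re

# Constructed sample: a subset of the slide-22 candidate lines, with the ICE
# field spacing restored ("typ relay raddr ...", "typ srflx raddr ...").
SAMPLE_SDP = """\
a=candidate:1 1 UDP 2130706431 192.168.0.103 50012 typ host
a=candidate:1 2 UDP 2130705918 192.168.0.103 50013 typ host
a=candidate:3 1 TCP-PASS 6556159 94.245.124.238 59782 typ relay raddr 10.166.24.59 rport 50023
a=candidate:4 1 UDP 16648703 94.245.124.238 50570 typ relay raddr 84.112.158.142 rport 50016
a=candidate:4 2 UDP 16648702 94.245.124.238 56248 typ relay raddr 84.112.158.142 rport 50017
a=candidate:5 1 TCP-ACT 7076351 94.245.124.238 59782 typ relay raddr 10.166.24.59 rport 50023
a=candidate:7 1 UDP 1694234111 84.112.158.142 50016 typ srflx raddr 192.168.0.103 rport 50016
a=candidate:7 2 UDP 1694233598 84.112.158.142 50017 typ srflx raddr 192.168.0.103 rport 50017
"""

# Columns 1-8 of the slide-22 legend: foundation, component (1=RTP, 2=RTCP),
# transport (UDP/TCP-ACT/TCP-PASS), priority, address, port, type
# (host/srflx/relay) and, for srflx/relay only, the related base address/port.
CAND_RE = re.compile(
    r"a=candidate:(?P<foundation>\S+) (?P<component>\d) (?P<transport>[\w-]+) "
    r"(?P<priority>\d+) (?P<addr>\S+) (?P<port>\d+) typ (?P<typ>\w+)"
    r"(?: raddr (?P<raddr>\S+) rport (?P<rport>\d+))?$"
)

def type_preference(priority: int) -> int:
    """RFC 5245: priority = 2^24*type_pref + 2^8*local_pref + (256 - component),
    so the top byte recovers the type preference (126 host, 100 srflx, 0 relay)."""
    return priority >> 24

def parse_candidates(sdp: str) -> list:
    """Parse every a=candidate line of an SDP body; other lines are ignored."""
    cands = []
    for line in sdp.splitlines():
        m = CAND_RE.match(line.strip())
        if m:
            c = m.groupdict()
            for k in ("component", "priority", "port", "rport"):
                c[k] = int(c[k]) if c[k] is not None else None
            cands.append(c)
    return cands

def promote(cands: list, validated: set) -> dict:
    """Per component, the highest-priority candidate whose foundation passed the
    connectivity checks; priority already ranks direct before relay and UDP before TCP."""
    best = {}
    for c in sorted(cands, key=lambda c: c["priority"], reverse=True):
        if c["foundation"] in validated:
            best.setdefault(c["component"], c)
    return best
```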

  25. Demo Log Analysis: Final Candidates

  26. Topology [Diagram: Home1 Lync and Home2 Lync on the Internet behind NAT/FW; Outer FW (no NAT), A/V Edge and Access Edge in the perimeter, Inner FW; Work1 Lync, Work2 Lync, A/V MCU, Mediation and Exchange UM inside. The A/V Edge listens on UDP 3478, TCP 443 and UDP/TCP 50000 to 59999]

  27. Inside / Inside [Diagram: same topology as slide 26; Work1 Lync (w1) and Work2 Lync (w2) both inside the Inner FW, with their candidates shown at the A/V Edge ports UDP 3478, TCP 443 and UDP/TCP 50000 to 59999]

  28. Inside / Outside [Diagram: same topology as slide 26; Home1 Lync (h1) outside and Work1 Lync (w1) inside, with their candidates shown at the A/V Edge ports UDP 3478, TCP 443 and UDP/TCP 50000 to 59999]

  29. Outside / Outside [Diagram: same topology as slide 26; Home1 Lync (h1) and Home2 Lync (h2) both outside, with their candidates shown at the A/V Edge ports UDP 3478, TCP 443 and UDP/TCP 50000 to 59999]

  30. A/V Edge Communication 2007-2007 [Diagram: two organizations, each with Access Proxy, 2007 Edge, A/V MCU and a Work Lync client (w1, w2); Outer FWs (no NAT), Inner FWs; each Edge listens on UDP 3478, TCP 443 and UDP/TCP 50000 to 59999]

  31. A/V Edge Communication Tunnel Mode [Diagram: as slide 30, with an R2/Lync Edge on both sides]

  32. A/V Edge Communication 2007 Interop [Diagram: as slide 30, with an R2/Lync Edge on one side and a 2007 Edge on the other]

  33. 50,000 Port Range Minimum Requirements • OCS 2007 A/V Edge • UDP 3478, TCP 443 inbound • UDP/TCP 50,000-59,999 inbound/outbound • R2/Lync A/V Edge • UDP 3478, TCP 443 inbound • UDP 3478 to UDP 3478 outbound • TCP 50,000-59,999 to TCP 443 • UDP/TCP 50,000-59,999 inbound/outbound for interop with OCS 2007 Edges

  34. 50,000 Port Range Optimal Configuration • Port range open • Port range closed [Diagram: two Edge-to-Edge configurations side by side, each showing 443 TCP, 3478 UDP and the 50,000 port range on both Edges]

  35. Load Balancer Usage [Diagram: Outside Lync client sends SIP Register via the Access Edge to the Lync FE Server (SIP Service), which issues A/V Auth to the A/V Auth Service on the A/V Edge over TLS; the client then sends Allocate UDP and Allocate TCP to the A/V Edge; External Firewall, Load Balancers, Internal Firewall]

  36. Troubleshoot? • Inbound provisioning without “MRAS” • AV Edge Server is not configured at pool • “MRAS” credentials not provided • No connectivity between Front End Server and AV Edge Server internal interface • Wrong AV Edge Server FQDN? • Firewall? • No STUN/TURN candidates • No connectivity between client and AV Edge Server on port 443 TCP and 3478 UDP • Wrong AV Edge Server FQDN? • Firewall? • TURN candidates with internal NATed IP address • AV Edge Server not aware of external IP address

  37. Logs • Where to get logs from • Lync/Office Communicator • Activate “Turn on logging in Lync” • Logs in “%userprofile%/tracing” • Live Meeting • HKEY_CURRENT_USER\Software\Microsoft\Tracing\uccp\LiveMeeting • "EnableFileTracing"=DWORD:00000001 • Logs in “%userprofile%/tracing”

  38. ICE Phases with UCCP Log Tips

  39. In Review: Session Objectives and Takeaways • What is A/V Edge Server actually doing? • How do we find the optimal media path? • How do I read client logs? • Hopefully it was interesting! • Understand call flows • It will help you troubleshoot!

  40. Related Content • EXL411: Best Practices in Securing Your Microsoft Lync Server 2010 Edge Servers • EXL33-HOL: Deploying a Microsoft Lync Server 2010 Architecture • Product Demo Stations: Friday 13:00-15:00 • 70-664: TS: Microsoft Lync Server 2010, Configuring • 70-665: PRO: Microsoft Lync Server 2010, Administrator • Find Me Later At…

  41. Resources • Connect. Share. Discuss. http://europe.msteched.com • Learning: Microsoft Certification & Training Resources www.microsoft.com/learning • TechNet: Resources for IT Professionals http://microsoft.com/technet • Resources for Developers http://microsoft.com/msdn

  42. Evaluations Submit your evals online http://europe.msteched.com/sessions

  43. tbinder@microsoft.com © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
