Daniel (Guest)
Posted: Tue Oct 25, 2005 8:51 am
Post subject: LCS 2005, Communicator and NAT
Hi,

We've got an irritating problem with our Live Communication Server 2005 setup. Just to give you an overview, I'll quickly explain how our service is set up:

We have one Live Communication Server 2005 Standard Edition installed on our backend network (meaning behind a firewall, where all our servers are placed). Also, we have one Access Proxy installed on a machine which is placed in the DMZ. The "backend" LCS and the Access Proxy are connected to each other via a TLS connection which runs on port 5061.

Now we have lots of outside users (mostly sales and consultants) who are on the road and connect their Office Communicator clients to our Access Proxy. All users at the HQ, however, connect to the backend Live Communication Server.

Connections between outside and inside users work just fine. Multiparty application sharing between only outside or only inside users also works. However, multiparty application sharing/file transfer/voice does not work if an outside user tries to connect to an inside user.

The question is: why? My understanding of all this is that the Access Proxy should make it possible to tunnel all traffic through one single port. Completely exposing the Access Proxy to the internet (no firewall) doesn't work either. We always get a warning that our firewall is not correctly configured.

If all this is caused by the fact that people are running NAT, I am wondering what the meaning of an Access Proxy is. In that case we could simply expose the backend machine to the Internet on port 5061 and have the very same result.

Hopefully some of you guys have tips, as we are quickly growing tired of our investment in this product.

Tal (Guest)
Posted: Tue Oct 25, 2005 12:51 pm
Post subject: Re: LCS 2005, Communicator and NAT
What range of ports is needed to enable VoIP for external-to-internal users? We're running LCS 2005 SP1 on the LAN; it has a real IP translated to the real world. Currently forwarded ports: 5060, 5061, 1503, 6891-6900.

IM works fine, desktop sharing isn't, and neither is VoIP. Of course, internal-to-internal connections are working, so it's not a server misconfiguration. (No front end server in our case.)

Herr Lehmann (Guest)
Posted: Tue Oct 25, 2005 12:51 pm
Post subject: Re: LCS 2005, Communicator and NAT
Hi,

File transfer is routed through the LCS. This should work by opening ports 6891-6900/tcp.

Connections from outside to inside fail due to the NAT, which is not happening in the SIP payload. You'll need a VPN or a SIP (and TLS) aware firewall. Ingate and Jasomi provide such solutions.

Best regards

Martin Pichler (Guest)
Posted: Tue Oct 25, 2005 12:51 pm
Post subject: Re: LCS 2005, Communicator and NAT
Hi,

The problem is that only the chat messages run via the AP or the backend server. All communication like voice/video or app sharing is point-to-point communication, which cannot traverse NAT (unless UPnP is enabled).

Unfortunately I have the same problem and no solution apart from VPNs from the outside users...

Martin

Tal (Guest)
Posted: Tue Oct 25, 2005 4:51 pm
Post subject: Re: LCS 2005, Communicator and NAT
Can you guide me where to look for those files? Is there a common range that is used in most cases?

Herr Lehmann (Guest)
Posted: Tue Oct 25, 2005 4:51 pm
Post subject: Re: LCS 2005, Communicator and NAT
Hi,

You'll need to translate the IP addresses of the involved clients. If you are able to do so, you have to open a port range for UDP.

The port range can be chosen if you take a look in the .adm files of OC or Messenger (Group Policy or regedit).

Tal wrote:
> What range of ports is needed to enable VoIP for external-to-internal users? We're running LCS 2005 SP1 on the LAN; it has a real IP translated to the real world. Currently forwarded ports: 5060, 5061, 1503, 6891-6900.
>
> IM works fine, desktop sharing isn't, and neither is VoIP. Of course, internal-to-internal connections are working, so it's not a server misconfiguration. (No front end server in our case.)

Tal (Guest)
Posted: Tue Oct 25, 2005 4:51 pm
Post subject: Re: LCS 2005, Communicator and NAT
Also, what ports need to be enabled for desktop sharing?

Herr Lehmann (Guest)
Posted: Tue Oct 25, 2005 4:51 pm
Post subject: Re: LCS 2005, Communicator and NAT
Tal wrote:
> Also, what ports need to be enabled for desktop sharing?

It's 1503.

You should take a look at your installation files; there you'll find either the file communicator.adm or rtcclient.adm. Or take a look into group policies if there is already something. It should be the same for OC or Messenger except the path.

Here is a little assistance:

    CLASS MACHINE
    POLICY !!PolicyPortRange
        KEYNAME "Software\Policies\Microsoft\Communicator\PortRange"
        VALUENAME "Enabled"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
        EXPLAIN !!ExplainText_PortRange
        PART !!MinSIPDynamicPort_VALUE NUMERIC
            VALUENAME "MinSipDynamicPort"
            DEFAULT 7100
            MIN 1024
            MAX 65535
        END PART
        PART !!MaxSIPDynamicPort_VALUE NUMERIC
            VALUENAME "MaxSipDynamicPort"
            DEFAULT 7103
            MIN 1025
            MAX 65535
        END PART
        PART !!MinMediaPort_VALUE NUMERIC
            VALUENAME "MinMediaPort"
            DEFAULT 5350
            MIN 1024
            MAX 65535
        END PART
        PART !!MaxMediaPort_VALUE NUMERIC
            VALUENAME "MaxMediaPort"
            DEFAULT 5353
            MIN 1024
            MAX 65535
        END PART
    END POLICY
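The values this policy writes to the registry are what the firewall's UDP rule has to match, so it helps to derive the range from the .adm text rather than from memory. As an added example (not from the thread and not Microsoft's own tooling), a small Python parser that reads the NUMERIC PARTs of the fragment, resolves the media port range (defaults or overridden values) and checks it against the MIN/MAX bounds; the embedded ADM text is a constructed copy of the MinMediaPort/MaxMediaPort PARTs.

```python
# Constructed sample: the MinMediaPort/MaxMediaPort PARTs of the Communicator
# PortRange policy posted above; the two SIP dynamic-port PARTs parse the same way.
ADM_FRAGMENT = r"""
CLASS MACHINE
POLICY !!PolicyPortRange
KEYNAME "Software\Policies\Microsoft\Communicator\PortRange"
PART !!MinMediaPort_VALUE NUMERIC
VALUENAME "MinMediaPort"
DEFAULT 5350
MIN 1024
MAX 65535
END PART
PART !!MaxMediaPort_VALUE NUMERIC
VALUENAME "MaxMediaPort"
DEFAULT 5353
MIN 1024
MAX 65535
END PART
END POLICY
"""

def parse_adm_parts(text):
    """Return {VALUENAME: {"default", "min", "max"}} for every NUMERIC PART."""
    parts, current = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        tok = line.split(maxsplit=1)
        kw = tok[0].upper()
        if kw == "PART":
            current = {}                          # start collecting one PART
        elif kw == "END" and tok[1:] == ["PART"]:
            current = None
        elif current is not None and kw == "VALUENAME":
            parts[tok[1].strip('"')] = current    # registry value name
        elif current is not None and kw in ("DEFAULT", "MIN", "MAX"):
            current[kw.lower()] = int(tok[1])
    return parts

def media_port_range(text, min_port=None, max_port=None):
    """UDP media range the policy sets (defaults unless overridden), bounds-checked."""
    p = parse_adm_parts(text)
    lo = p["MinMediaPort"]["default"] if min_port is None else min_port
    hi = p["MaxMediaPort"]["default"] if max_port is None else max_port
    for name, v in (("MinMediaPort", lo), ("MaxMediaPort", hi)):
        if not p[name]["min"] <= v <= p[name]["max"]:
            raise ValueError(f"{name}={v} outside the ADM's MIN/MAX bounds")
    if lo > hi:
        raise ValueError("MinMediaPort must not exceed MaxMediaPort")
    return lo, hi   # the UDP range the firewall must allow for media
```

With the defaults the policy only yields four UDP ports (5350-5353), so a site that wants more concurrent calls has to widen the range here and in the firewall rule together.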

Daniel (Guest)
Posted: Tue Oct 25, 2005 8:51 pm
Post subject: Re: LCS 2005, Communicator and NAT
Our office is currently sporting a firewall by Watchguard. Haven't got a clue whether or not it supports SIP traffic. It should support UPnP though. However, how can we achieve what you are suggesting?

This is an example of the traffic flow when sending a message between Client 1 (at the local office) and Client 2 (sitting at another office with a tiny SOHO firewall) as it looks right now:

Client 1 (inside the corporate firewall) -> Internal LCS (on the backend VLAN) -> Access Proxy (in the DMZ) -> Corporate Firewall -> SOHO Firewall -> Client 2.

As I understand it right now, Client 1 needs to be able to open a direct connection to Client 2, which proves quite difficult since both Client 1 and Client 2 are NATed.

I assume that it would be possible to allow Client 1 to use a port range on the corporate firewall. The same could be configured on the SOHO firewall behind which Client 2 is sitting. However, will this help in any way? My first guess is no, since neither firewall 1 nor firewall 2 will be able to know exactly from/to which internal host the specified traffic should be routed.

Perhaps you guys have any ideas about this too?

"Herr Lehmann" wrote:
> Hi,
>
> File transfer is routed through the LCS. This should work by opening ports 6891-6900/tcp.
>
> Connections from outside to inside fail due to the NAT, which is not happening in the SIP payload. You'll need a VPN or a SIP (and TLS) aware firewall. Ingate and Jasomi provide such solutions.
>
> Best regards

Herr Lehmann (Guest)
Posted: Wed Oct 26, 2005 8:51 am
Post subject: Re: LCS 2005, Communicator and NAT
Hi,

You should ask Watchguard, but I assume your firewall isn't capable. It's SIP and TLS that have to be supported, which I think only a few products can handle - if you use TLS, which is highly recommended. However, you will not use UPnP on a corporate firewall!

> Client 1 (inside the corporate firewall) -> Internal LCS (on the backend VLAN) -> Access Proxy (in the DMZ) -> Corporate Firewall -> SOHO Firewall -> Client 2.

For this, both firewalls have to be SIP-aware, or (and that is probably the best solution) you place a SIP/media relay in the public internet. That is called Far-End NAT. It will solve the NAT for all parties involved. (Jasomi, or Ditech now, and Ingate.)

> I assume that it would be possible to allow Client 1 to use a port range on the corporate firewall. The same could be configured on the SOHO firewall behind which Client 2 is sitting. However, will this help in any way? My first guess is no, since neither firewall 1 nor firewall 2 will be able to know exactly from/to which internal host the specified traffic should be routed.

Honestly I'm not really sure how that happens, but I know a few things, and I would appreciate some explanations from someone who knows about it:

A SIP-aware firewall knows which ports are used for media and opens them dynamically. By using a SIP/media relay, all traffic comes from/goes to one single IP, which may let the traffic reach the endpoints. I think it's a little tricky because of the change from TCP/TLS to UDP...

Best regards
HL
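To make concrete what a SIP-aware firewall and a media relay each do with the offer in the scenario above: an added Python example (not code from the thread or from any of the products named in it) parses a constructed SDP body as a client behind NAT would send it inside its SIP INVITE, reports whether the c= line carries an RFC 1918 address the far end cannot route to, lists the UDP pinholes a SIP-aware firewall would open for the RTP/RTCP pair, and rewrites the c=/m= lines the way a relay advertising its own public address does. The SDP, the addresses and the relay port are all constructed values.

```python
from ipaddress import ip_address, ip_network

# Constructed sample SDP offer from a client behind NAT (RFC 1918 address, MinMediaPort default).
SDP_FROM_NATED_CLIENT = """\
v=0
o=- 1 1 IN IP4 192.168.1.20
s=call
c=IN IP4 192.168.1.20
t=0 0
m=audio 5350 RTP/AVP 0 8
"""
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_sdp_media(sdp):
    """Return (connection address, [(media type, port, transport), ...])."""
    conn, media = None, []
    for line in sdp.splitlines():
        if line.startswith("c="):
            conn = line.split()[2]                       # c=IN IP4 <addr>
        elif line.startswith("m="):
            mtype, port, proto = line[2:].split()[:3]    # m=<type> <port> <proto> ...
            media.append((mtype, int(port), proto))
    return conn, media

def nat_breaks_media(sdp):
    """True when c= carries a private address the far end cannot route to."""
    conn, _ = parse_sdp_media(sdp)
    return any(ip_address(conn) in net for net in RFC1918)

def media_pinholes(sdp):
    """UDP ports a SIP-aware firewall opens on seeing this offer: RTP and RTP+1 (RTCP)."""
    _, media = parse_sdp_media(sdp)
    ports = []
    for _, port, proto in media:
        if port and proto.startswith("RTP/"):      # port 0 means the stream is rejected
            ports += [("udp", port), ("udp", port + 1)]
    return ports

def rewrite_for_relay(sdp, relay_ip, relay_port):
    """Advertise the relay's public address/port in c=/m=, as a media relay does."""
    out = []
    for line in sdp.splitlines():
        f = line.split()
        if line.startswith("c="):
            f[2] = relay_ip
        elif line.startswith("m="):
            f[1] = str(relay_port)
        out.append(" ".join(f))
    return "\n".join(out) + "\n"
```

The relay must of course also forward the RTP it receives on the advertised port to the real endpoint on the other leg, which is why a plain port-forward on either firewall is not enough on its own.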

Daniel (Guest)
Posted: Thu Oct 27, 2005 4:51 pm
Post subject: Re: LCS 2005, Communicator and NAT
Alright, Watchguard just confirmed that both firewalls (SOHO and Corporate) are SIP-aware. So in theory it should be quite simple to make it work... hopefully...

"Herr Lehmann" wrote:
> Hi,
>
> You should ask Watchguard, but I assume your firewall isn't capable. It's SIP and TLS that have to be supported, which I think only a few products can handle - if you use TLS, which is highly recommended. However, you will not use UPnP on a corporate firewall!
>
> Client 1 (inside the corporate firewall) -> Internal LCS (on the backend VLAN) -> Access Proxy (in the DMZ) -> Corporate Firewall -> SOHO Firewall -> Client 2.
>
> For this, both firewalls have to be SIP-aware, or (and that is probably the best solution) you place a SIP/media relay in the public internet. That is called Far-End NAT. It will solve the NAT for all parties involved. (Jasomi, or Ditech now, and Ingate.)
>
> I assume that it would be possible to allow Client 1 to use a port range on the corporate firewall. The same could be configured on the SOHO firewall behind which Client 2 is sitting. However, will this help in any way? My first guess is no, since neither firewall 1 nor firewall 2 will be able to know exactly from/to which internal host the specified traffic should be routed.
>
> Honestly I'm not really sure how that happens, but I know a few things, and I would appreciate some explanations from someone who knows about it:
>
> A SIP-aware firewall knows which ports are used for media and opens them dynamically. By using a SIP/media relay, all traffic comes from/goes to one single IP, which may let the traffic reach the endpoints. I think it's a little tricky because of the change from TCP/TLS to UDP...
>
> Best regards
> HL