Edge NAT External IP

Dear Sir,
I'm trying to understand what the NAT IP & Internal Configuration Replication Port are, which we need to set when I configure the Edge Server in the topology.
I have 2 Enterprise Lync servers (LYNC1 and LYNC2) and 1 Edge Server. I'm using a Fortigate as the UTM machine and installed the Edge in the DMZ.
Internal to DMZ /  Open
DMZ to outside /  Open
Outside to DMZ
SIP:  Real IP / 443, 5061
WC: Real IP / 443, 3478
AV:  Real IP / 443, TCP & UDP 49152-65535
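The firewall matrix above lists the Edge listeners that must be reachable from the outside. The following is an added example, not code from the thread: a small reachability probe for the TCP side of that matrix (UDP 3478 and the UDP media range cannot be verified with a TCP connect and are left out). The service names and ports are the ones from the post; the loopback self-check is a constructed stand-in so the script runs without an Edge server.

```python
import socket
import sys
from typing import Dict, List, Tuple

# Published Edge TCP listeners taken from the firewall matrix above
# (UDP 3478 and the UDP media range cannot be checked with a TCP connect).
EDGE_TCP_PORTS: List[Tuple[str, int]] = [
    ("Access Edge SIP/TLS", 5061),
    ("Access Edge HTTPS", 443),
    ("Web Conferencing Edge (PSOM/TLS)", 443),
    ("A/V Edge STUN/TCP", 443),
]


def check_tcp(host: str, port: int, timeout: float = 3.0) -> bool:
    """True when a TCP handshake to host:port completes within timeout.

    A refused connection, a timeout (typically a firewall drop) and a DNS
    failure all come back as False; the caller only needs reachable/not.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_edge(host: str, ports: List[Tuple[str, int]] = EDGE_TCP_PORTS,
               timeout: float = 3.0) -> Dict[str, bool]:
    """Probe every distinct port once and report the result per service name."""
    by_port: Dict[int, bool] = {}
    results: Dict[str, bool] = {}
    for name, port in ports:
        if port not in by_port:
            by_port[port] = check_tcp(host, port, timeout)
        results[name] = by_port[port]
    return results


def demo_local() -> Dict[str, bool]:
    """Constructed self-check on loopback, no Edge server required.

    A listening socket stands in for a published port; the same port after
    the listener is closed stands in for a blocked one.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))        # the kernel picks a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        while_open = check_tcp("127.0.0.1", port, timeout=1.0)
    finally:
        srv.close()
    after_close = check_tcp("127.0.0.1", port, timeout=1.0)
    return {"open": while_open, "closed": after_close}


if __name__ == "__main__":
    # Usage: python edge_ports.py <external Edge FQDN or public IP>
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target is None:
        print(demo_local())
    else:
        for service, ok in check_edge(target).items():
            print(f"{service:35s} {'reachable' if ok else 'NOT reachable'}")
```

Run it from a host outside the perimeter; a port that times out rather than being refused usually means the "Outside to DMZ" rule or the NAT mapping is missing, while a refused port means the packet reached something that is not listening.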

Hi,
If you use public IP address or private IP address with NAT, you will still use the same number of IP addresses based on your configuration choice in Topology Builder. You can configure the Edge Server to use a single IP address with distinct ports per service,
or use distinct IP addresses per service, but use the same port (by default, TCP 443).
What’s more, you must open the ports in the link Anthony provided above, so that the Lync external users can use Lync with no issue.
Best Regards,
Eason Huang
TechNet Community Support

Similar Messages

  • Edge 2013 External Wildcard Certificate

    Hi,
    I know this has been covered a number of times but I'd like something that's been posted more recently.
    We use Lync 2013 with a wildcard certificate on our edge external interface.  Everything works as expected and that's on version 5.0.8308.556
    I've recently deployed Lync 2013 at a customer site and when applying the certificate I'm unable to sign on externally or contact federated partners.  They're running 5.0.8308.577
    When testing from Lync connectivity tester I get the following:
    Attempting to resolve the host name blah.co.uk in DNS.
    The host name resolved successfully.
    Additional Details
    Testing TCP port 443 on host blah.co.uk to ensure it's listening and open.
    The port was opened successfully.
    Additional Details
    Testing the SSL certificate to make sure it's valid.
    The certificate passed all validation requirements.
    Additional Details
    Elapsed Time: 758 ms.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server blah.co.uk on port 443.
    The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
    Additional Details
    Validating the certificate name.
    The certificate name was validated successfully.
    Additional Details
    Certificate trust is being validated.
    The certificate is trusted and all certificates are present in the chain.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=*.blah.co.uk, OU=Domain Control Validated.
    One or more certificate chains were constructed successfully.
    Additional Details
    Analyzing the certificate chains for compatibility problems with versions of Windows.
    Potential compatibility problems were identified with some versions of Windows.
    Additional Details
    The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
    Elapsed Time: 4 ms.
    Testing the certificate date to confirm the certificate is valid.
    Date validation passed. The certificate hasn't expired.
    Additional Details
    The certificate is valid. NotBefore = 10/25/2013 2:46:03 PM, NotAfter = 10/25/2016 1:42:28 PM
    Elapsed Time: 0 ms.
    Testing remote connectivity for user [email protected] to the Microsoft Lync server.
    Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
    Additional Details
    Couldn't sign in. Error: Error Message: Unknown error (0x80131500).
    Error Type: TlsFailureException.
    Elapsed Time: 1649 ms.
    Any help would be much appreciated!
    Thanks

    Hi,
    Wildcard certificates aren't supported for the Edge Server (both external and internal interface). It is supported to use a public certificate for the Edge external interface; for the Edge internal interface, typically use a private certificate issued by an internal certification
    authority.
    More details about certificate requirements for external user access:
    http://technet.microsoft.com/en-us/library/gg398920.aspx
    You can refer to the link below of “Wildcard Certificate Support”:
    http://technet.microsoft.com/en-us/library/hh202161.aspx
    Here is a similar case that may help you:
    http://social.technet.microsoft.com/Forums/lync/en-US/6bd237eb-2e96-437b-b559-54cf95230417/lync-server-2013-edge-unknown-error-0x80131500-tlsfailureexception?forum=lyncdeploy
    Best Regards,
    Eason Huang
    TechNet Community Support

  • Wildcard Certificate - Edge server/External web

    Hello,
    In our company we have deployed Lync 2013 CU4 with topology,
    Edge server - One for all roles a/v
    Front End - Standard with all roles
    All certs are from our internal CA, and it works for my domain users. But for all external users or Skype we need an external cert. We have one wildcard cert for our domain.
    So the question is: can we use the wildcard cert for our Edge server and the external services of the Front End?
    The Front End, I think, can use it; that is on TechNet: http://technet.microsoft.com/en-us/library/gg398094.aspx

    Good morning,
    Using a wildcard certificate on Lync Edge server is not supported, and indeed will cause you problems.
    It also sounds like you are passing your Lync web services directly to your front end server. This is not recommended, and you should use a reverse proxy for this purpose. You would then place an external (public) certificate on that reverse proxy. So there's
    no need for a public cert on the front end in this scenario.
    You may consolidate the certificate requirements for reverse proxy and Edge onto a single multi-san certificate, and use that same certificate on both servers.
    OR
    If you use two separate certificates then it is supported to use a wildcard public certificate on the reverse proxy (web services), but your Edge certificate must be a separate multi-san certificate.
    Kind regards
    Ben
    Note: If you find a post informative, please mark it so using the arrow to the left. If it answers a question you've asked, please mark the thread as answered to aid others when they're looking for solutions to similar problems or queries.
    For Fun: Gecko-Studio | For Work:
    Nexus Open Systems

  • Edge server external certificate CN

    For certification in edge external, some instructions said that CN is accessedge.contoso.com, and SAN includes accessedge.contoso.com and sip.contoso.com
    But in other instructions, it only needs sip.contoso.com as CN and SAN.
    I am confused, what is the purpose of accessedge.contoso.com ?

    Accessedge.contoso.com represents whatever name you choose for your external access edge role.  Sip.contoso.com will always be present as a SAN in the certificate as well.  So, you can take this route and have those two SANs in the certificate,
    or you can set the access edge FQDN to sip.contoso.com to save a SAN in your certificate.
    Really, the only purpose of having accessedge.contoso.com is to have a better naming convention than just reusing sip.contoso.com, or perhaps if you have multiple pools and want separate access edge names for each.
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
    SWC Unified Communications

  • Targeting Edge from external javascript file

    Is it possible to target adobe edge build from an external Javascript file? For instance, I click a button outside of the edge animate project and javascript tells Edge animate to "play()". What would that syntax be?

    Yes, it is.  Read this post for some background information and a sample.
    http://forums.adobe.com/message/5289458#5289458
    -Elaine

  • NAT external to internal

    I am having trouble with NAT. It is my first try at this and I need some help, please. I have a 2610 with 2 FastEthernet connections. fa1/0 is internal 10.10.10.1/24
    fa0/0 is external 66.73.xx.xx/26
    I can successfully go from internal out to external with the ip nat inside source list 1 int fa0/0 overload command.
    What is the command to allow external to internal? Thanks

    I think these should help depending on your exact scenario.
    Static NAT
    ip nat inside source {static {esp local-ip interface type number | local-ip global-ip}} [extendable | mapping-id map-id | no-alias | no-payload | redundancy group-name | route-map | vrf name]
    no ip nat inside source {static {esp local-ip interface type number | local-ip global-ip}} [extendable | mapping-id map-id | no-alias | no-payload | redundancy group-name | route-map | vrf name]
    Port Static NAT
    ip nat inside source {static {tcp | udp {local-ip local-port global-ip global-port | interface global-port}} [extendable | mapping-id map-id | no-alias | no-payload | redundancy group-name | route-map | vrf name]
    no ip nat inside source {static {tcp | udp {local-ip local-port global-ip global-port | interface global-port}} [extendable | mapping-id map-id | no-alias | no-payload | redundancy group-name | route-map | vrf name]
    Here is the link to the doc for NAT for more details on NAT
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hiad_r/adr_i2h.htm#wp1178184
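    As an added, concrete example (not from the thread), here is how the two syntaxes above fit together on the router the poster describes. The interfaces, the inside network and the existing overload line are the ones from the question; the public addresses are constructed placeholders from the 203.0.113.0/24 documentation range, and the inside hosts 10.10.10.5 and 10.10.10.6 are assumed.

```text
! Interfaces from the question, marked for NAT
interface FastEthernet1/0
 description Inside LAN
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0
 description Outside (/26)
 ip address 203.0.113.10 255.255.255.192
 ip nat outside
!
! Existing outbound PAT from the question: inside hosts share fa0/0's address
access-list 1 permit 10.10.10.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/0 overload
!
! Port static NAT: only TCP 443 arriving on fa0/0's address is sent to 10.10.10.5.
! Prefer this form when a single service is being published.
ip nat inside source static tcp 10.10.10.5 443 interface FastEthernet0/0 443
!
! Full static NAT: every port of the spare public address 203.0.113.20 maps to 10.10.10.6
ip nat inside source static 10.10.10.6 203.0.113.20
```

    Check the result with `show ip nat translations`; the static entries appear immediately, the overload entries only once inside hosts send traffic. Note that a static mapping only translates addresses: every port of 203.0.113.20 is reachable from the outside until an inbound access list on fa0/0 restricts it, so the port-static form exposes far less for a single published service.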

  • Lync Edge Server External Private Certificate

    Hey GURUS!
    Please help me out:
    I'm having issues accessing Lync from external network.
    Mobile clients login fine, but computer clients fail to login.
    My current deployment consists of a single 2013 front-end and a single 2013 edge server.
    All servers have certificates from my internal CA.
    All servers have the root CA certificate installed in the trusted root certificate authority.
    I have 2 sip domains, and the edge certificate has both sip domains.
    However, when I test from testconnectivity.microsoft.com, I get an error regarding the certificate chain.
    I can't understand why Lync requires an intermediate certificate, if I don't have any published in my organisation.
    The certificate path goes: Root CA -> Certificate.
    Also, the lyncdiscover test runs with no errors whatsoever.
    This error on the edge didn't occur when I had Lync 2010 running.
    Does anyone know how to solve this?
    Thanks!
    Andrey Santana
    edit: I forgot to upload the screenshot

    Thiago,
    The certificates from the Front End / Reverse Proxy are also from the internal CA and I don't get the error, it actually runs successfully.
    Andrey
    How did you test the certificates from the Front End and Reverse Proxy Server?
    The public website connectivity.microsoft.com needs a public certificate.
    But if you use private certificate in lab, it could work as long as you install the Root CA certificate on client computer.
    Lisa Zheng
    TechNet Community Support

  • AV Edge NAT Configuration for UDP 3478 with Federated Partners (FTURN)

    For A/V media to be relayed between two (NAT'd) federated partners' Edge servers over UDP 3478 "Tunnel Mode", must the NAT be configured so that the source port is not changed on an inbound packet?
    Conversely:
    If the NAT changes the source port of an inbound packet, will it break/prevent UDP "Tunnel Mode"? (thus forcing media connectivity through other connectivity points)
    Edge Server  Sends  (source) x.x.x.x:3478 (dest) x.x.x.x:3478  ---->  NAT Device ---->
    (source) x.x.x.x:6000 (dest) x.x.x.x:3478 ---> Received at Destination Edge Server.

    Hi MGMNVA,
    I don’t think this can work.
    On the other hand, if the remote Edge server sends the traffic to your Edge server, how does the traffic reach and communicate with your Edge Server?
    Remote Edge Server 
    Sends  (source) x.x.x.x:3478 (dest) x.x.x.x:3478 
    ---------> Your NAT Device (Firewall) ---------> ?? (Where the traffic will be forwarded to ?)
    Best regards,
    Eric
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Loop between animation on edge and external slider

    Hello guys, can anyone share a snippet with me? I have a div where my animation, made in Edge, is. I need, when this animation finishes, to load in the same div a slider gallery made with an external jQuery plugin. I am thinking of lazy load because it is like 120 photos, each one 1920x815 pixels. When the gallery finishes, load my animation again and then the gallery, looping between both. I am more of a designer than a programmer so I need a hand, guys. Thanks for all.
    PS. Sorry for my bad English :)

    Hi,
    I usually just add the Reverse Proxy and Edge SANs to the same public cert, but that's just me. There is no problem using a cert across Edge and a separate cert across RP. If you do, remember to mark the cert as exportable when requesting.
    Edge Public Cert
    The easiest way to do this is to add a multi-server Edge pool in the Topology Builder. Add your Edge servers to this pool. You will find that when running through step 3 of the Deployment Wizard the cert SANs will be populated with the Pool FQDNs for access,
    Web Conf and AV.
    You don't need to add access1 and access2 etc.
    So perhaps your Edge cert will look more like this:-
    Public Edge Cert
    SN
    -access.const.com
    SAN
    -access.const.com
    -sip.const.com
    -conf.const.com
    I would just add the Reverse Proxy SAN's to that as follows:-
    SAN
    webext.const.com
    meet.const.com
    dialin.const.com
    Lyncdiscover.const.com
    You will see that I dropped all the .local entries. This is no longer permitted (.local on a public cert).
    What else is required externally?
    Public DNS; unless your DMZ DNS is resolving queries from the internet, it won't do.
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"
    Lync Sorted blog

  • Control a text field in Edge with external CSS

    I have embedded an edge file in my html page.
    Inside the edge file, a text field with a class name of "text"
    <!doctype html>
    <html>
    <head>
    <meta charset="UTF-8">
    <title>Untitled Document</title>
    <style type="text/css">
    #Stage .text {
              color: #FFFFFF;
              font-family: Impact, Haettenschweiler, "Franklin Gothic Bold", "Arial Black", sans-serif;
              text-align: center;
              font-size: 300px;
    }
    </style>
    </head>
    <body>
    <object id="EdgeID" type="text/html" width="420" height="420" data-dw-widget="Edge" data="Untitled-1/Assets/Untitled-1.html">
    </object>
    </body>
    </html>
    Should this not make my text in Edge appear in white once loaded in the HTML page?
    Any help would be greatly appreciated. I know I have achieved this before but I can't remember how.
    Steve

    Wow! After all my searching and just after posting this I figured out the solution! I originally had { MERGEFIELD Field_Name \# # } But then I just removed everything after the field name, as is normal for any other text field, so not indicating it was
    a number, and now it shows up correctly even if the number (from a Text formatted field in Excel) is longer than 15 digits. Hope this helps anyone else who has a problem. I did not use DDE to solve this problem.

  • Problems with SNOM 7XX phones and presence of Lync Edge server

    Hi to all,
    we have this problem, this is the scenario (two Lync 2013 st ed. servers):
    - Lync 2013 FE server has internal IP address 172.21.212.XXX with internal gateway 172.21.212.254
    - Lync 2013 Edge server has two network interfaces:
    First INTERFACE: 3 IPs in 172.21.30.XXX (Access, web and A/V Edge) for external connection with 172.21.30.254 and internal gateway (IP NAT with public IP)
    Second INTERFACE: IP 172.21.212.XXX for internal connection without gateway
    - snom 7XX (50 phones) are connect to the lync server and all internal call works fine. All phones are in an internal dedicated network 172.21.218.XXX with default gateway 172.21.218.254
    - when making external call with 7XX SNOM phones, the call was routed to Trunk COLT with Lync Mediation server and all works fine.
    - when Lync Mediation server receive a call from our trunk COLT we have this situation:
    All Lync 2013 clients work fine, audio is OK, (network 172.21.216.XXX)
    Polycom CX3000 work fine audio is OK (network 172.21.218.XXX)
    SNOM 710, 720, 760  FW 8.8.2.16 UC series,  phones ring but NO SOUNDS from the phones and after a few seconds "Call failed due to network issues."
    The only way to solve the problem is to disable the connection with Lync Edge server (remove gateway 172.21.30.254)
    BUT this is not the solution because now we have no connection with the INTERNET (Skype and web conferencing don't work without the Edge gateway)
    Why do SNOM phones try to use the EDGE gateway to connect the call? Why don't they use the Lync Mediation server?
    Can you help us to find a solution?
    Thanks
    Aurelio

    Hi,
    Thanks to all for your support.
    Today we have done some tests (no employees in the office today
    :) ) and we have solved the problems.
    The old implementation had this configuration:
    - the phone numbers had a non-E.164-compliant format: for all user numbers, the phone number had this format TEL:012345XYZW ; EXT=XYZW with the normalization
    rules:
    Starting digits: 01234567
    Length: At least 8 digits
    Digit to remove: 0
    Digit to add: nothing
    Pattern to match ^(01234567\d*)$
    All worked fine with this previous configuration:
    Lync 2010 std with only mediation server function + Lync 2013 std front-end with all the others functions and Lync 2013 std Edge server for external connection with
    Lync client Skype world, BUT we have had disabled in SNOM phones ICE function because if ICE was enabled no voice can we hear from the phones.
    After dismissing Lync 2010, with only a Lync 2013 infrastructure, this configuration doesn't permit using the Edge server because, with ICE enabled or disabled, there is no voice from
    SNOM phones.
    Today we have done this operation:
    Setting in Lync 2013 control panel all number for all users, in E.164 format compliant:
    The phone numbers now have this format TEL:+39012345XYZW ; EXT=XYZW and we have deleted the previous normalization rules.
    We have added this rule for the EXT numbers:
    Name: Routing Interno
    Starting Digits: XY
    Length: Exactly 4 (i.e. XYZW)
    Digit to remove 0
    Digit to add: +39012345
    Pattern to match: ^(XY\d{2})$
    Translation rule: +39012345$1
    Internal extension = checked
    And now all work fine.
    We have solved another problem:
    Lync client 2013 can't find new users:
    all new Lync users are not discovered by the Lync 2013 client, probably because this setting is present with Lync 2010:
    PS C:\> Get-CsAddressBookConfiguration
    Identity                   : Global
    RunTimeOfDay               : 1:30 AM
    KeepDuration               : 30
    SynchronizePollingInterval : 00:00:30
    MaxDeltaFileSizePercentage : 20
    UseNormalizationRules      : True
    IgnoreGenericRules         : False
    EnableFileGeneration       : True
    With only Lync 2013 servers we have changed
    IgnoreGenericRules to True
    To set UseNormalizationRules and IgnoreGenericRules to true for a Lync 2013 infrastructure:
    http://technet.microsoft.com/en-us/library/jj205160.aspx
    For us all the problems are SOLVED!
    Aurelio
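    The fix above comes down to a dial plan whose rules turn what a phone dials into an E.164 number. As an added example (not code from the post or from Lync), the following applies Lync-style normalization rules the way the dial plan does: first matching "Pattern to match" wins and its "Translation rule" is expanded. The first rule is the post's "Routing Interno" rule with the placeholder prefix XY taken as 12; the national rule and the dialed numbers are constructed.

```python
import re
from typing import List, NamedTuple, Optional


class NormalizationRule(NamedTuple):
    name: str
    pattern: str                      # "Pattern to match": an anchored regex
    translation: str                  # "Translation rule": $1, $2 ... are capture groups
    internal_extension: bool = False  # the "Internal extension" checkbox


# E.164: a leading +, then 2 to 15 digits with no leading zero.
_E164 = re.compile(r"^\+[1-9]\d{1,14}$")


def is_e164(number: str) -> bool:
    """True when the normalized result is a well-formed E.164 number."""
    return bool(_E164.match(number))


def _to_python_template(translation: str) -> str:
    """Rewrite a Lync translation string ($1 style) into an re template (\\1 style)."""
    escaped = translation.replace("\\", "\\\\")
    return re.sub(r"\$(\d+)", r"\\\1", escaped)


def normalize(dialed: str, rules: List[NormalizationRule]) -> Optional[str]:
    """Apply the first matching rule, as the Lync dial plan does; None if nothing matches."""
    digits = re.sub(r"[\s().-]", "", dialed)   # drop spaces, dashes and parentheses
    for rule in rules:
        match = re.match(rule.pattern, digits)
        if match:
            return match.expand(_to_python_template(rule.translation))
    return None


# Constructed dial plan: the post's rule with XY = 12, plus an assumed national rule
# that keeps the Italian trunk 0 (as +39012345... in the post does).
RULES = [
    NormalizationRule("Routing Interno", r"^(12\d{2})$", "+39012345$1", True),
    NormalizationRule("Italy national", r"^(0\d{6,10})$", "+39$1"),
]


if __name__ == "__main__":
    for dialed in ("1234", "12 34", "0212345678", "99"):
        result = normalize(dialed, RULES)
        status = "E.164" if result and is_e164(result) else "no match"
        print(f"{dialed:>12} -> {result} ({status})")
```

    A number that no rule matches is what the SNOM phones effectively ended up with before the change: the call is placed with a non-E.164 URI and routing decisions downstream go wrong. Running every user's stored number through `is_e164` after the migration is the cheap check that the clean-up described above is complete.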

  • Lync 2013 - Address Book Synchronization Issues for External Users

    I recently deployed Lync Server 2013 in my organization. Everything works fine except for the address book synchronization issues and the mobility access. I would really appreciate it if someone could share their knowledge as I have done a lot of troubleshooting;
    not sure if I have missed something. Please note my setup below for the External Web Services.
    Lync Front End:
    Listening: 8080 4443
    Published: 80 443
    I have published my External Web Services URL and the following ports are open: 4443, 443, 8080
    When I look at the Lync Client Configuration, ABS Server External URL is pointing to https://lyncexternalweb.domain.com:443/abs/handler. However, GAL Status is still pointing to my internal Front End FQDN: https://internal.domain.com:443/abs/handler.  
    For machines that are joined to the domain, the address books synchronize with no issues. For machines that are not joined to the domain and for external users, the GALContacts and GALContacts.DB files are not even generated for the users' profiles.

    Hi Anthony,
    Please note the findings below:
    1. I was checking the Lync Client configuration on one of the PCs that is not joined to the domain, still on the domain network via a site-to-site VPN connection. I noticed that the Connected Lync Server varies: sipinternal.domain.com, sipexternal.domain.com,
    lync.domain.com (pointing to the Edge Server IP).
    2. Edge Server External Settings: Single IP address with the FQDN set to lync.domain.com for all 3 services and the following ports configured. Access Edge Service: 5061, Web Conferencing Edge Service: 444, A/V Edge Service: 443 with NAT enabled public
    IPv4 address. I have checked the replication status between the Front End and Edge Server, it is up to date.
    3. In regard to the https://lyncdiscover.domain.com, I don't have the lyncdiscover.domain.com published, but it is pointing to the NAT enabled public IPv4 address which is assigned for A/V Edge Services.
    4. For the port forwarding, I am using the Cisco Meraki router. 
    Please advise if there is something that I am missing.
    Thanks!

  • LYNC 2010 Edge server deployment issues

    I've been able to install Lync and have the meet and dialin functions working properly internally/externally. I'm attempting to test setting up external access to the client with an Edge server. All seems to install properly etc. with no errors being thrown my
    way. But in the services I have a few that will not start with the errors below. Can anyone point me to a deployment scenario with an Edge server how-to?
    Any help would be greatly appreciated.
    The Lync Server Access Edge service terminated with service-specific error %%-1008124918.
    The Lync Server Web Conferencing Edge service terminated with the following error:
    The requested address is not valid in its context.

    Hi everybody, I am trying to do a
    proof of concept before we buy the public certificate for my Edge server but I have this error..
    I have the same error as you guys (1008124918 )
    Here is my setup
    Active directory with a CA on it. ( I used this CA for my Front-End, and for both Internal/External Edge Certificate )
    FrontEnd ;
    -In the domain
    -192.168.16.55 255.255.255.0
    ==
    Edge:
    Inside NIC : 192.168.16.57 255.255.255.0, no gateway
    Outside NIC (dmz ) : 192.168.18.80 255.255.255.0   . Gateway 192.168.18.0
    The edge is not in the domain.
    ==
    My Public IP : 69.70.xx.xx
    =====================
    In the wizard for the edge pool
    I chose:
    -Single computer pool
    I check :
    - Use a single FQDN & IP
    -Enable federation ( port 5061 )
    -The external IP address of this edge pool is translated by Nat
    external fqdn : sip.OurCie.com / 5061 Port
    Internal IP : 192.168.16.57
    External IP ( for sip access, web conf, A/V Edge services )  : 192.168.18.80
    Public IP used by nat : 69.70.xx.xx
    =====================
    So when I start the service I have this error code: Windows could not start the Lync Server Access Edge....code : 1008124918
    In the eventvwr here is the error that I have:
    Transport TLS has failed to start on local ip : 69.70.xx.xx at port 5061
    cause: config error, low system ressources or another proram is using this port
    can also happen if the ip address has become invalid
    Any idea ?

  • External Drive No Longer Recognized

    I have a DiskGo Edge 500GB external hard drive that will no longer mount on my computer. It was dropped from about two feet, and no longer pops up on my desktop. Originally, when I launched Disk Utility, it would appear on the sidebar, but after about five minutes it failed to show up. I booted into a Leopard Install DVD and ran Disk Utility from there, and it appeared there, but still would not show up when logged in. Running the Data Rescue 3 program was no help, as it didn't even appear as a drive to repair.
    The drive still emits a soft hum when connected, and there are no visible signs of wear. Any ideas?

    All of a sudden it is now being recognized by Disk Utility again. However, if I click on it, I just get the rainbow wheel.
    Terminal displays it through diskutil list, and this is the information when I type diskutil info /dev/disk2:
    Device Identifier: disk2
    Device Node: /dev/disk2
    Part Of Whole: disk2
    Device / Media Name: FUJITSU MJA2500BH G2 Media
    Volume Name:
    Escaped with Unicode:
    Mounted: No
    File System: None
    Partition Type: FDiskpartitionscheme
    Bootable: Not bootable
    Media Type: Generic
    Protocol: USB
    SMART Status: Not Supported
    Total Size: 500.1 GB (500107862016 Bytes) (exactly 976773168 512-Byte-Blocks)
    Volume Free Space: Not Applicable
    Read-Only Media: No
    Read-Only Volume: Not applicable (no filesystem)
    Ejectable: Yes
    Whole: Yes
    Internal: No
    OS 9 Drivers: No

  • Receiving error when signing into Lync 2013 Externally "There was a problem verifying the certificate from the server"

    I have gone through multiple forums and just about everyone states install the Root CA on the machine trying to connect.
    I have installed the Root CA on this machine as it is not on the domain and is not inside the domain. It is installed in the Trusted Root CA folder.
    I run the Microsoft test connectivity tester and this is what I receive:
    Testing remote connectivity to Microsoft Lync server through the Lync Access Edge server sip.netrixit.com on port 5061 to verify user [email protected] can connect remotely.
    Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
    Additional Details
    Couldn't sign in. Error: Error Message: Unknown error (0x80131500).
    Error Type: TlsFailureException
    Any insight would be helpful.

    Here is the certificate you have on your Edge server external interface for sip.netrixit.com:
    Common name: *.netrixit.com
    SANs: *.netrixit.com, netrixit.com
    Valid from January 30, 2014 to January 30, 2015
    Issuer: Go Daddy Secure Certification Authority
    As per Wildcard certificate support in Lync Server 2013
    http://technet.microsoft.com/en-us/library/hh202161.aspx
    Server roles that are not supported for a wildcard certificate:
    Internal server roles (including, but not limited to the Mediation Server, Archiving and Monitoring Server, Survivable Branch Appliance, or Survivable Branch Server)
    External Edge Server interfaces
    Internal Edge Server
    Please change the certificate on edge server external interface 
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer"
    Regards Edwin Anthony Joseph
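    Several threads on this page come down to the same certificate-name rules for the Edge external interface: no wildcard entries (the GoDaddy certificate above, and the TlsFailureException it produces in the Connectivity Analyzer), no .local names on a public certificate, the subject name repeated as a SAN, sip.<domain> present for every SIP domain, and the Access Edge FQDN present (the "Lync Sorted" SAN layout and the accessedge.contoso.com thread). As an added example, not code from any of the posts, here is a checker for those rules that takes the names as the Connectivity Analyzer or a certificate viewer prints them. The two sample certificates are the ones quoted in the threads; the example.com one with a .local entry is constructed.

```python
import re
from typing import Iterable, List

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name: str) -> bool:
    """True for a plain, already lower-cased host name with at least two labels."""
    labels = name.split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def check_edge_cert_names(common_name: str, sans: Iterable[str],
                          sip_domains: Iterable[str],
                          access_edge_fqdn: str) -> List[str]:
    """Return findings for an Edge external certificate; an empty list means it passes.

    Rules applied: no wildcard names, no .local names on a public certificate,
    the subject name also listed as a SAN, sip.<domain> for every SIP domain,
    and the Access Edge FQDN present in the SAN list.
    """
    cn = common_name.strip().lower()
    san_set = {s.strip().lower() for s in sans}
    findings: List[str] = []

    for name in sorted(san_set | {cn}):
        if "*" in name:
            findings.append(f"wildcard name not supported on the Edge external interface: {name}")
        elif name.endswith(".local"):
            findings.append(f".local name is not permitted on a public certificate: {name}")
        elif not is_fqdn(name):
            findings.append(f"malformed DNS name: {name}")

    if cn not in san_set:
        findings.append(f"subject name {cn} is not repeated in the SAN list")

    required = {f"sip.{d.strip().lower()}" for d in sip_domains}
    required.add(access_edge_fqdn.strip().lower())
    for name in sorted(required - san_set):
        findings.append(f"required name missing from SAN list: {name}")
    return findings


# Names as laid out in the "Lync Sorted" reply on this page (Edge plus reverse proxy).
CONST_COM_CERT = dict(
    common_name="access.const.com",
    sans=["access.const.com", "sip.const.com", "conf.const.com",
          "webext.const.com", "meet.const.com", "dialin.const.com",
          "Lyncdiscover.const.com"],
)

# The wildcard certificate quoted in the thread directly above.
NETRIXIT_CERT = dict(
    common_name="*.netrixit.com",
    sans=["*.netrixit.com", "netrixit.com"],
)


if __name__ == "__main__":
    for label, cert, domains, edge in (
        ("const.com", CONST_COM_CERT, ["const.com"], "access.const.com"),
        ("netrixit.com", NETRIXIT_CERT, ["netrixit.com"], "sip.netrixit.com"),
    ):
        findings = check_edge_cert_names(sip_domains=domains, access_edge_fqdn=edge, **cert)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

    The netrixit.com certificate produces two findings, the wildcard itself and the absent sip.netrixit.com entry, even though a wildcard would match that name under ordinary TLS name matching; the check deliberately follows the Lync support statement rather than RFC matching, which is exactly the gap that leaves external sign-in failing while the Analyzer's generic certificate test still passes.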
