I recently ran into a problem with Checkpoint firewalls on a Lync 2010 deployment. The customer already had a single 2010 Front End and wished to enable external sign-in over the internet, as it did not work over their VPN solution (DirectAccess). I installed the Edge server and Reverse Proxy but then encountered a strange issue where I was unable to sign in over the Edge server. Some of the troubleshooting steps I took (thinking it was my fault):
- Verified Reverse Proxy worked correctly
- Verified all Edge services were started
- Verified all URLs and IP addresses in Topology Builder were correct
- Installed latest CU Updates on Edge and FE (including DB updates)
- Verified all root and intermediate certs were on Edge and FE in the correct stores
- Verified all certificates were correct
- Verified all ports were open using MS Port Query Tool and Edge Port Tester (Available here: http://www.mylynclab.com/2014/02/lync-edge-testing-suite-part-1-lync.html)
- Verified that all internal and public DNS entries were correct
- Verified CMS replication was working between FE and Edge
- Verified time and time zone on Edge server
- Verified NIC config and static routes on Edge server
Using OCSLogger and Snooper I was able to verify that the Lync client was reaching the Edge server, but no SIP messages were reaching the Lync Front End. The following error could be seen on the Edge server:
TL_ERROR(TF_DIAG) 2BD8.2798::02/11/2015-16:37:36.771.001d4d31 (SIPStack,SIPAdminLog::TraceDiagRecord:SIPAdminLog.cpp(143))$$begin_record LogType: diagnostic Severity: error Text: Message expired in the outbound queue before it could be sent SIP-Start-Line: SUBSCRIBE sip:user.domain SIP/2.0 SIP-Call-ID: 450156f49d2549ce91da9c1bd1699750 SIP-CSeq: 1 SUBSCRIBE Peer: edge.domain:5061 $$end_record
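The useful signal in that record is the combination of the Text ("Message expired in the outbound queue before it could be sent") and the Peer (a next hop on TCP 5061): the Edge accepted the client's request, queued a message for the next hop, and nothing ever came back, even though a port scanner reported 5061 open. Below is a small parser for this record format, added here as an example and not part of the original post, that pulls the fields out of OCSLogger lines and counts expiries per peer and SIP method, so a run of expiries against one peer:port stands out. The sample input is the record quoted above plus a few constructed lines in the same format; the field names and the regular expressions are my own assumptions about the layout, not a documented API.

```python
import re
from collections import Counter

# Field names found inside a SIPAdminLog diagnostic record (assumed from the
# record quoted in the post). Values run until the next field name, so we
# split on these names rather than on whitespace, because the Text: and
# SIP-Start-Line: values contain spaces.
RECORD_KEYS = ("LogType", "Severity", "Text", "SIP-Start-Line",
               "SIP-Call-ID", "SIP-CSeq", "Peer")
_KEYS = "|".join(re.escape(k) for k in RECORD_KEYS)

_RECORD_RE = re.compile(r"\$\$begin_record\s*(?P<body>.*?)\s*\$\$end_record", re.DOTALL)
_FIELD_RE = re.compile(
    r"\b(?P<key>" + _KEYS + r"):\s*(?P<val>.*?)(?=\s+(?:" + _KEYS + r"):|\s*$)",
    re.DOTALL)
_HEADER_RE = re.compile(
    r"^(?P<level>TL_\w+)\((?P<flag>\w+)\)\s+(?P<tid>[0-9A-Fa-f]+\.[0-9A-Fa-f]+)::(?P<ts>\S+)")

# The diagnostic text from the post: the Edge queued a SIP message for its
# next hop and gave up because the peer never completed the exchange.
EXPIRED_TEXT = "Message expired in the outbound queue before it could be sent"


def parse_record(line):
    """Parse one OCSLogger line into a dict of fields.

    Returns None for lines that carry no $$begin_record ... $$end_record block.
    """
    rec = _RECORD_RE.search(line)
    if rec is None:
        return None
    fields = {}
    hdr = _HEADER_RE.match(line)
    if hdr:
        fields["level"] = hdr.group("level")
        fields["timestamp"] = hdr.group("ts")
    for m in _FIELD_RE.finditer(rec.group("body")):
        fields[m.group("key")] = m.group("val").strip()
    if "SIP-Start-Line" in fields:
        # First token of the start line is the SIP method (SUBSCRIBE, INVITE, ...)
        fields["method"] = fields["SIP-Start-Line"].split()[0]
    return fields


def find_expired_outbound(lines):
    """Return the parsed records whose Text is the outbound-queue expiry error."""
    hits = []
    for line in lines:
        fields = parse_record(line)
        if fields and fields.get("Text", "").startswith(EXPIRED_TEXT):
            hits.append(fields)
    return hits


def expiries_by_peer(records):
    """Count expiries per (Peer, SIP method).

    Many expiries against a single peer:port, while a port scanner reports
    that port open, means the TCP connection is accepted but the SIP/TLS
    exchange never completes: the pattern the post traced to a firewall doing
    layer 7 SIP inspection on 5061.
    """
    counts = Counter()
    for r in records:
        counts[(r.get("Peer", "?"), r.get("method", "?"))] += 1
    return counts


# Constructed sample: the first line is the record quoted in the post; the rest
# are made-up lines in the same format (a second SUBSCRIBE, an INVITE, an
# informational record that is not an expiry, and a line with no record).
SAMPLE_LINES = [
    "TL_ERROR(TF_DIAG) 2BD8.2798::02/11/2015-16:37:36.771.001d4d31 (SIPStack,SIPAdminLog::TraceDiagRecord:SIPAdminLog.cpp(143))$$begin_record LogType: diagnostic Severity: error Text: Message expired in the outbound queue before it could be sent SIP-Start-Line: SUBSCRIBE sip:user.domain SIP/2.0 SIP-Call-ID: 450156f49d2549ce91da9c1bd1699750 SIP-CSeq: 1 SUBSCRIBE Peer: edge.domain:5061 $$end_record",
    "TL_ERROR(TF_DIAG) 2BD8.2798::02/11/2015-16:38:01.104.001d4d40 (SIPStack,SIPAdminLog::TraceDiagRecord:SIPAdminLog.cpp(143))$$begin_record LogType: diagnostic Severity: error Text: Message expired in the outbound queue before it could be sent SIP-Start-Line: SUBSCRIBE sip:user.domain SIP/2.0 SIP-Call-ID: 00000000000000000000000000000001 SIP-CSeq: 2 SUBSCRIBE Peer: edge.domain:5061 $$end_record",
    "TL_ERROR(TF_DIAG) 2BD8.2798::02/11/2015-16:38:09.551.001d4d47 (SIPStack,SIPAdminLog::TraceDiagRecord:SIPAdminLog.cpp(143))$$begin_record LogType: diagnostic Severity: error Text: Message expired in the outbound queue before it could be sent SIP-Start-Line: INVITE sip:user.domain SIP/2.0 SIP-Call-ID: 00000000000000000000000000000002 SIP-CSeq: 1 INVITE Peer: edge.domain:5061 $$end_record",
    "TL_INFO(TF_DIAG) 2BD8.2798::02/11/2015-16:38:10.002.001d4d48 (SIPStack,SIPAdminLog::TraceDiagRecord:SIPAdminLog.cpp(143))$$begin_record LogType: diagnostic Severity: information Text: Routing destination selected SIP-Start-Line: REGISTER sip:user.domain SIP/2.0 SIP-Call-ID: 00000000000000000000000000000003 SIP-CSeq: 1 REGISTER Peer: client.domain:5061 $$end_record",
    "TL_INFO(TF_PROTOCOL) 2BD8.2798::02/11/2015-16:38:10.003.001d4d49 (SIPStack,SIPStack.cpp(1))Trace-Correlation-Id: 1234",
]

if __name__ == "__main__":
    hits = find_expired_outbound(SAMPLE_LINES)
    for (peer, method), n in expiries_by_peer(hits).most_common():
        print(f"{n:3d} expired {method:<10} -> {peer}")
```

Run it against a real OCSLogger export by reading the file into `find_expired_outbound`; if every expiry points at the same next hop on 5061 while the port testers say the port is open, check for a service object doing SIP inspection on the path to that peer before touching anything on the Lync side.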
I should also mention that the customer's network configuration was outsourced, so I had no access to the firewalls or their rules. I then came across this post: http://lync2013blog.blogspot.co.uk/2014/04/lync2013-and-checkpoint-firewall.html
I asked the customer's network support to look at that post and ensure that the firewalls were not doing any layer 7 inspection of SIP traffic. Network support verified the rules had been implemented, but Lync sign-in still would not work. I then logged a case with MS Support and we went through the motions of troubleshooting. Their support engineer came to the same conclusion: SIP messages were not getting from Edge to Front End and vice versa (even though I could see the ports were open). The network support engineer also verified he could not see any dropped packets between Edge and Front End.
To cut a long story short, it turned out that network support had only changed the TCP/5061 rule on the perimeter firewall (used for federation) and not on the firewall between Edge and Front End. As soon as they changed the rule on the inside firewall, Lync sign-in over Edge worked immediately.
So, in summary: if you are using Checkpoint firewalls, the default SIP 5061 service object performs layer 7 inspection of SIP and will not work with Lync. You need to create a plain TCP 5061 service (no SIP inspection) and use it in the rules on both your perimeter firewall (for federation) and your internal firewall (between the internal Edge interface and the Front End). An open-port test passing on its own does not prove this; the connection is accepted but the SIP/TLS exchange never completes.