Skype for Business problem after migrating from ASA to PA-820

L4 Transporter

Skype for Business problem after migrating from ASA to PA-820

We encountered a problem with the Skype for Business application. It needs to be said
that all other applications are working well, but after the migration from Cisco ASA to
PA-820 we saw only tcp-rst-from-server messages from the remote server to the local server for
Skype, or for clients too without the local server... no matter what. It's very
strange behaviour; as soon as we put the Cisco ASA back in place, everything started
working fine.

L7 Applicator

Re: Skype for Business problem after migrating from ASA to PA-820

Hello,

Skype is a major pain. What we found is that it needs a lot of apps and even some on non-standard ports.

 


 

That is what we have set up from external to our internal edge/arr servers.

 

Hope that helps.

L4 Transporter

Re: Skype for Business problem after migrating from ASA to PA-820

Do we need to allow these apps and services for outside-to-inside traffic?

L7 Applicator

Re: Skype for Business problem after migrating from ASA to PA-820

Honestly, it depends on where you are allowing traffic to/from. However, this is what we found to allow federation to other companies' Lync/Skype servers.

 

https://support.starleaf.com/managing/cloud/firewall-and-bandwidth-information/firewall-configuratio...

 

 

L4 Transporter

Re: Skype for Business problem after migrating from ASA to PA-820

But we have allow any any rules.

So I guess allow any any must work in such a situation.

L7 Applicator

Re: Skype for Business problem after migrating from ASA to PA-820

Hello,

What we found was that some of the applications were using non-standard ports. So on your any any rules, make sure to set the Service to ANY as well instead of the Application-Default.

 


 

Regards,

L4 Transporter

Re: Skype for Business problem after migrating from ASA to PA-820

Yes, we did it.

It is any any.

L7 Applicator

Re: Skype for Business problem after migrating from ASA to PA-820

@Radmin_85

Was this ASA to PA migration a 1:1 migration or are there little topology / routing changes? The Skype-related DNS entries are also sometimes leading to problems. For example, some time ago I was troubleshooting a situation where Skype calls/conferences to external partners simply did not work and as always everyone thought the firewall is the problem ... till we found a wrong DNS entry which made the clients in the internal network think they are external, so Skype was trying to connect to the external IP of the Skype edge server where the result was the connection did not work ... after the DNS entry was deleted (this one should only be available from external) everything was working fine ...
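
The DNS failure described in the post above can be checked without touching the firewall. The following is an added example, not part of the original thread: it takes the answers an internal resolver returned and reports which record an internal client would use first and whether it points outside the internal networks. The lookup order is assumed from Microsoft's documented client autodiscovery; the domain, addresses and function names are constructed for illustration.

```python
import ipaddress

# Assumed client lookup order (Microsoft's documented autodiscovery,
# not taken from the thread); {d} is the SIP domain.
LOOKUP_ORDER = [
    "lyncdiscoverinternal.{d}",
    "lyncdiscover.{d}",
    "_sipinternaltls._tcp.{d}",
    "_sip._tls.{d}",
    "sipinternal.{d}",
    "sip.{d}",
    "sipexternal.{d}",
]

def first_answer(domain, answers):
    """Return (name, ips) for the first name in lookup order that resolved."""
    for template in LOOKUP_ORDER:
        name = template.format(d=domain)
        ips = answers.get(name) or []
        if ips:
            return name, ips
    return None, []

def check_internal_view(domain, answers, internal_nets):
    """Classify what an internal client would connect to.

    answers: record name -> list of IP strings as seen from the INTERNAL
    resolver (SRV targets already resolved to addresses).
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    name, ips = first_answer(domain, answers)
    if name is None:
        return {"status": "no-record", "name": None, "outside": []}
    # Any address outside the internal ranges sends the client to the edge.
    outside = [ip for ip in ips
               if not any(ipaddress.ip_address(ip) in n for n in nets)]
    status = "points-outside" if outside else "ok"
    return {"status": status, "name": name, "outside": outside}

# Constructed sample data (documentation address ranges, example.com).
INTERNAL_NETS = ["10.0.0.0/8"]
GOOD_VIEW = {"lyncdiscoverinternal.example.com": ["10.1.1.20"],
             "sip.example.com": ["203.0.113.10"]}
BAD_VIEW = {"lyncdiscover.example.com": ["203.0.113.10"],
            "sipinternal.example.com": ["10.1.1.20"]}

if __name__ == "__main__":
    for label, view in (("good", GOOD_VIEW), ("bad", BAD_VIEW)):
        print(label, check_internal_view("example.com", view, INTERNAL_NETS))
```

In the constructed bad view the internal-only discovery record is missing, so the client falls through to a record that resolves to the external edge address, even though a correct internal record exists further down the order.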

L4 Transporter

Re: Skype for Business problem after migrating from ASA to PA-820

Skype for Business, in my opinion, is not fit for purpose. It may be fine in a small business that does not care about security and allows any old connection in and out. But in this modern world of security it requires so many services, ports, kludges and workarounds that it makes it unreliable and insecure.

 

Microsoft need to tidy it all up.

 

We just about have it working now.

 

Rob
