01-08-2016 07:47 AM
Palo’s
I have searched, read these forums and have gone through many manuals and suggestions from the Internet regarding Palo (2020 Series) configuration to secure Lync 2013 / Skype Business 2015, but am still experiencing some issues with how to set up our Firewall for Federation access.
From a company perspective, our Lync is working great; our external road warriors can use Lync via VPN or publicly with all functions.
The issues come up where we have Federated (open or controlled either way) with external users / other companies. Seems there is a configuration issue somewhere on our Palo where:
A Federated User:
So, our Lync is set up as close to Microsoft guides as possible, using 3x public IPs per service. It’s the 3rd IP (av.domain.com) service that needs ports (tcp/udp/rtp) 50,000-59,999, 3478, 5061 and 443/80.
We have even gone as far as using an “any” rule to test if it's our Edge Server, but it's not Edge… something we missed… Has anyone successfully deployed Lync 2013 / Skype Business 2015 using App-ID level? Can you share your settings just for Lync/Skype?
Greatly appreciated
01-10-2016 06:08 PM
Hi,
Could you post the MS guide/specifications and your topology for Lync 2013? A few questions:
1. Are you doing any decryption on the traffic?
2. STUN protocol is working properly?
3. my-lync-video and my-lync-audio applications are allowed?
4. Does the Lync Call and desktop sharing work if you bypass the PA?
I would suggest to open a case with Technical Support to look into this.
BR
01-11-2016 10:32 AM - edited 01-11-2016 10:48 AM
Abjain,
Configs in General... note we do not use DNS for natting, this was optional..
Based on Microsoft Ports, we know the App-ID related to Lync, but... should we use ports or App-IDs?
Keeping in mind the App-ID "sip" uses port 5060, and there is an OLD OCS app-ID for port 5061.
1. Are you doing any decryption on the traffic? NO
2. STUN protocol is working properly? YES
3. my-lync-video and my-lync-audio applications are allowed? YES
4. Does the Lync Call and desktop sharing work if bypass PA? YES
01-11-2016 04:58 PM
Hi,
There are a lot of components involved, so I would suggest opening a case with TAC as per your time zone and have them take a look. If the 'any' rule did not help, it has to be something else, like an ALG issue or something.
BR