Firewalls and UCMA applications
Posted: July 2nd, 2012 | Author: Michael | Filed under: UCMA 3.0 | Tags: 504, firewall, timeout, troubleshooting, UCMA | 1 Comment

If you’ve worked with UCMA for a while, it’s likely that you’ve had at least one incident where firewall settings caused issues with a UCMA application. Since firewall configuration seems to be one of the most common sources of mysterious troubles with UCMA applications, I thought I would write up a few notes about this in the hope that it will save someone a long and frustrating troubleshooting session.
There are two issues that firewalls can cause for UCMA applications. The first, and most common, happens when the firewall blocks incoming connections on the application’s listening port, which you define when you provision the trusted application using Lync Management Shell. If the firewall is blocking incoming connections on this port, the UCMA application will never know that Lync Server is trying to send it a call. Usually this manifests itself as calls or IMs to the application not going through and timing out with a 504 error. If your application is load balanced and the issue affects only one server, you may instead see long delays before the call fails over to the working server.
What often confuses people who are trying to debug this problem is that the event handler for incoming calls will never fire in the UCMA application. The call never makes it to the UCMA application at all.
If you see this behaviour, check Windows Firewall or whatever firewall is protecting the application server, and ensure that it is allowing incoming TCP connections on the UCMA application’s listening port.
Opening just the listening port may not fix the problem if your application needs to handle audio, video, or app sharing calls. For these types of calls, Lync uses one or more ports in the range 1024 – 65535. If the firewall is blocking the ports your application is trying to use for media, you may see calls connect and then immediately fail when the media doesn’t go through.
In general, if you’re having trouble establishing calls to your UCMA application, firewall configuration should be one of the first things you check. Of course, please make sure that any changes you make, especially in production environments, don’t create security issues!
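As an added example (not code from the original post), the following PowerShell script ties the checks above together: it reads the port the trusted application was provisioned with, verifies that Windows Firewall has an enabled inbound TCP allow rule for exactly that port, adds a narrowly scoped rule if none exists, and tests the TCP handshake from a Front End. The application ID `urn:application:contoso-ivr`, the rule name and the server FQDN are assumptions; steps 1 and 2 run in Lync Server Management Shell on the application server, step 3 on a Front End.

```powershell
# Added example, not from the original post. Run elevated in Lync Server Management Shell.
# The application ID, rule name and application server FQDN below are assumed values.
$appId         = "urn:application:contoso-ivr"           # assumed trusted application ID
$ruleName      = "UCMA app - listening port (inbound)"    # assumed firewall rule name
$appServerFqdn = "ucma01.contoso.com"                     # assumed application server

# TCP connect test with a timeout; a drop by a firewall shows up as a timeout, not a refusal.
function Test-TcpPort([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }  # silently dropped
        $client.EndConnect($async); return $true
    } catch { return $false } finally { $client.Close() }
}

# 1. Which listening port was the trusted application provisioned with?
$app = Get-CsTrustedApplication | Where-Object { $_.ApplicationId -eq $appId }
if (-not $app) { throw "Trusted application '$appId' not found in the topology." }
$port = [int]$app.Port
Write-Host "Trusted application $appId listens on TCP $port"

# 2. On the application server: is there an enabled inbound TCP allow rule for that port?
#    INetFwRule constants: Direction 1 = inbound, Protocol 6 = TCP, Action 1 = allow.
$fwPolicy = New-Object -ComObject HNetCfg.FwPolicy2
$matching = @($fwPolicy.Rules | Where-Object {
    $_.Enabled -and $_.Direction -eq 1 -and $_.Protocol -eq 6 -and $_.Action -eq 1 -and
    (($_.LocalPorts -eq '*') -or (($_.LocalPorts -split ',' | ForEach-Object { $_.Trim() }) -contains "$port"))
})
if ($matching.Count -gt 0) {
    Write-Host "OK: inbound TCP $port allowed by: $(($matching | ForEach-Object { $_.Name }) -join ', ')"
} else {
    Write-Warning "No enabled inbound allow rule for TCP $port; calls to the app will time out (504)."
    # Keep the opening as narrow as possible: this one port, inbound, TCP only.
    netsh advfirewall firewall add rule name="$ruleName" dir=in action=allow protocol=TCP localport=$port | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed to add rule '$ruleName'" }
    Write-Host "Added rule '$ruleName' allowing inbound TCP $port"
}

# 3. From a Lync Front End: does the TCP handshake actually reach the application server?
if (Test-TcpPort -ComputerName $appServerFqdn -Port $port) {
    Write-Host "TCP $port on $appServerFqdn is reachable from this Front End"
} else {
    Write-Warning "TCP $port on $appServerFqdn is not reachable: check firewalls between the servers"
}
```

If step 2 passes but step 3 fails, the block is on a network firewall or host between the Front End and the application server rather than on the application server itself.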
For me it seems that the UCMA stack is clever enough to automatically open the selected RTP and RTCP ports when the SIP session is established. What we generally do is just open the TCP port provisioned for MTLS. No problem with the media streams afterwards.