One of my clients had a problem with their Skype for Business Edge server. The federation was configured, but every time they tried to start a Skype call with a federated company, they were not able to connect. The error that I found in the Monitoring server was: “A federated call failed to establish due to a media connectivity failure where both endpoints are internal”.
At the same time, file transfer and desktop sharing would not work either.
Usually, when you search the Internet for this specific error, you find that there are routing issues. I checked and double-checked the Edge, and everything was set up correctly. The client told me that they were sure that NAT and routes on the firewall were set up correctly; after all, IM with federated companies worked.
After some more troubleshooting, I found the issue with their firewall. When I opened IE and ran “What Is My IP” through the search box, it displayed an IP address that belonged to my client, but it was not the one that was assigned to the Access interface of the Edge server.
It appeared that the destination NAT was set up properly, but because traffic is generated in both directions, they also needed a source NAT from the Skype for Business Edge and Reverse Proxy servers that matches the public IP addresses assigned to the Skype for Business Edge and Reverse Proxy servers.
On most firewalls, the source and destination NAT can be combined. Vendor terminology differs, but it’s often referred to as a 1:1 or Static NAT. It’s important that this is set up for both the Skype for Business Edge and Reverse Proxy servers. It is also advised that the public IP used for these servers not be shared with other servers. This will simplify the NAT setup, and there should be no need to specify port/protocols, but rather include port/protocol in the translation.
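The “What Is My IP” check described above can be repeated per local address so that a missing source NAT rule shows up directly. The script below is an added example, not part of the original troubleshooting; the echo host `ip-echo.example`, the function name `Get-EgressIp`, and all IP addresses are constructed placeholders to be replaced with your own values.

```powershell
# Added example. Run on the Edge (or Reverse Proxy) server itself.
# Every address and the echo host are constructed placeholders.
$EchoHost = 'ip-echo.example'   # assumption: HTTP service that returns the caller's IP as plain text

# Local (DMZ) address -> public address the firewall should translate it to
$ExpectedNat = [ordered]@{
    '10.0.0.11' = '203.0.113.11'
    '10.0.0.12' = '203.0.113.12'
}

function Get-EgressIp {
    param([string]$LocalIp, [string]$HostName)
    # Bind the outbound socket to one local address so the firewall applies
    # the source NAT rule for that address, not the server's default one.
    $localEp = New-Object System.Net.IPEndPoint -ArgumentList ([System.Net.IPAddress]::Parse($LocalIp)), 0
    $client  = New-Object System.Net.Sockets.TcpClient -ArgumentList $localEp
    try {
        $client.Connect($HostName, 80)
        $stream = $client.GetStream()
        $writer = New-Object System.IO.StreamWriter -ArgumentList $stream
        $writer.Write("GET / HTTP/1.0`r`nHost: $HostName`r`nConnection: close`r`n`r`n")
        $writer.Flush()
        $reader   = New-Object System.IO.StreamReader -ArgumentList $stream
        $response = $reader.ReadToEnd()
        # The body (the IP as text) follows the blank line that ends the headers.
        $parts = $response -split "`r`n`r`n", 2
        if ($parts.Count -lt 2) { throw "No HTTP body returned by $HostName" }
        return $parts[1].Trim()
    }
    finally { $client.Close() }
}

foreach ($addr in $ExpectedNat.Keys) {
    try   { $seen = Get-EgressIp -LocalIp $addr -HostName $EchoHost }
    catch { $seen = "error: $($_.Exception.Message)" }
    [pscustomobject]@{
        LocalAddress   = $addr
        ExpectedPublic = $ExpectedNat[$addr]
        ObservedPublic = $seen
        SourceNatOk    = ($seen -eq $ExpectedNat[$addr])
    }
}
```

A row with `SourceNatOk` set to `False` means outbound traffic from that local address leaves the firewall with a different public IP than the one inbound traffic is translated from, which is the mismatch described above.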
After the firewall was modified, everything worked. We tested Skype calls, IM, desktop sharing, and file transfer and did not find any more issues.