I am unable to get our SRX220 to fully support Skype 4 Business desktop sharing in a branch office. Skype4B calls, internet access etc. works without any problems, only desktop sharing fails 9 of 10 times.
For testing purposes the SRX has a minimum config with NAT between an external zone and internal zone generated by the install wizard.
Under flow I have no-syn-check and no-sequence-check. The SIP ALG is disabled. All other settings are default to keep things simple. No licenses for UTM or IDS are enabled.
I have tried the releases 12.1X45-D50, 12.1X46D45 and even 12.3X48D25 to test the new SIP ALG TCP support.
Replacing the SRX with a cheap consumer router/firewall that does simple NAT and a default config works without problems.
Any suggestions to get the SRX to support Skype4B\Lync working are highly appreciated.
To understand the problem and resolve it we need to first understand the packet flow for the Skype4B desktop sharing. By that I means we need to know the source/destion IP/ Ports that are used and the conenctions made in what direction i.e. from Untrust to Trust or from Trust to Untrust.
Apart from the above inforamtion we also need to know if there are any dynamic ports communicated between the source and destination which are needed to be open for this to work.
Hence please share the above information if you are aware of it. Also you can take flow traceoptions on the SRX to understand where the packets are getting dropped on SRX if at all they are getting dropped on SRX>
Configruation for Flow traceoptions:-
set security flow traceoptions file S4B-test size 1m files 5
set security flow traceoptions flag basic-datapath
set security flow traceoptions flag packet-drops
set security flow traceoptions packet-filter pf1 source-address <source_ip> destiantion-address<dest_ip>
set security flow traceoptions packet-filter pf2 source-address <source_ip> destiantion-address<dest_ip> ----- > (This is for tracting the revers traffic so please use NATed Ip addersses for source and destiantion if any)
You can view the above logs with the help of the command "show log S4B-test".
Thanks, Pulkit Bhandari
Please mark my response as Solution Accepted if it Helps, Kudos are Appreciated too.
Don't know if it will help or not. There's a lot of hoops I will have to jump through to get the modification on the production firewall, so if someone else runs across the issue and this helps, let me know.