We ended up doing a trace using the Lync Server 2010 Logging Tool. Here are the step-by-step instructions for troubleshooting it:
- Install the Lync Server 2010 Resource Kit if you haven't already (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=80cc5ce7-970d-4fd2-8731-d5d7d0829266)
- From the Lync Server 2010 Edge, open the Logging Tool.
- Enable S4, set the Level to "All", and turn on "All Flags" for the Flags section.
- Enable SIPStack and set the Level and Flags to the same as above.
- Get ready to place a call and be sure you have one test subject inside your network (behind the Edge server) and another person outside the organization (in front of the Edge server).
- Click the Start Logging button.
- Place the phone call or start a sharing session.
- Wait for it to fail and then click the Stop Logging button.
- Click the Analyze Log Files button.
- Click the Analyze button.
You should now have a capture of the SIP messages, which shows how the call was being set up.
- In the search window at the top, type in "INVITE" and hit Enter.
- Click on the INVITE sip: line in the trace and scroll down the window on the right.
- Locate the area in blue where it states "a=candidate". You should see a 'candidate' entry for each IP bound to your local PC along with the Edge server's audio/video conferencing IP.
The Lync client will attempt to 'nail up the audio' along the path of least resistance. For example, if someone was on the same subnet (172.16.130.x), then a direct connection would be made between the two of us for audio/video and desktop sharing. If not, the next IP is tried. If you have your Edge server configured properly, you should see the public IP. In my case I did not. My issue stemmed from a topology configuration which was incorrect.
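To check a saved trace for this symptom, the following added example (not part of the original post) parses the a=candidate lines of an INVITE and reports whether the expected A/V Edge public IP is among the offered addresses. It assumes the candidates use the RFC 5245 attribute syntax; the function names, the sample INVITE and every address in it are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges, checked explicitly because ipaddress.is_private also
# covers documentation ranges such as 203.0.113.0/24 used in the sample.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed layout: foundation component transport priority address port typ type
CANDIDATE_RE = re.compile(
    r"^a=candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) "
    r"(?P<priority>\d+) (?P<addr>\S+) (?P<port>\d+) typ (?P<type>\S+)")

def parse_candidates(sip_message):
    """Return one dict per a=candidate line that carries a literal IP address."""
    out = []
    for line in sip_message.splitlines():
        m = CANDIDATE_RE.match(line.strip())
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["addr"])
        except ValueError:
            continue  # not a literal IP (for example a hostname); skipped
        out.append({"addr": str(ip), "port": int(m["port"]),
                    "transport": m["transport"].upper(), "type": m["type"],
                    "rfc1918": any(ip in net for net in RFC1918)})
    return out

def check_av_edge(sip_message, expected_public_ip):
    """Report whether the expected A/V Edge public IP is offered as a candidate."""
    cands = parse_candidates(sip_message)
    offered = sorted({c["addr"] for c in cands})
    expected = str(ipaddress.ip_address(expected_public_ip))
    return {
        "offered": offered,
        "public": sorted({c["addr"] for c in cands if not c["rfc1918"]}),
        "av_edge_public_ip_offered": expected in offered,
    }

# Constructed sample: the relay candidate carries 203.0.113.10 (standing in for
# the Access Edge IP) instead of the A/V Edge public IP 203.0.113.20.
SAMPLE_INVITE = """INVITE sip:user@example.com SIP/2.0

m=audio 50010 RTP/AVP 0
a=candidate:1 1 UDP 2130706431 172.16.130.25 50010 typ host
a=candidate:1 2 UDP 2130705918 172.16.130.25 50011 typ host
a=candidate:2 1 UDP 16648703 203.0.113.10 52000 typ relay raddr 172.16.130.25 rport 50010"""
```

Calling `check_av_edge(SAMPLE_INVITE, "203.0.113.20")` on the constructed sample reports that the expected address is not offered, which is the condition the topology change below corrects.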
When building the topology for your Lync Edge server, you'll be asked if your public IP is using NAT. In the section where this is discussed, other options are available which lead a person to believe the public IP they're talking about has to do with the Access Edge role and not A/V Edge.
My SIP trace showed the INVITE with a candidate IP of my Access Edge role, which led me to realize the issue and change it. Specifically, I had to open Topology Builder, expand the Edge Pool section, click on the Edge server, then click Edit Properties. The top section has a checkbox for "NAT enabled public IP address used". This is very poorly worded and should be changed for future builds. The text should read "Use NAT for your Audio/Video Edge public IP" or "Enter the public IP for your Audio/Video Edge role if you're using NAT".
Thinking about it more and more, I understand why there is only one entry for a public IP and not one for Access Edge or Web Conferencing Edge. It's just not very clear.
Anyway, I hope this helps a few of you out there with Lync Server 2010 Edge implementations.