Lync 2013 mobility, external access doesn't work

Hello all, 

Deployment and DNS

I've deployed front end, edge and reverse proxy. 

On the front end: default, web internal and web external are using the same cert from the internal CA.

Edge is using 1 private IP and is NAT'd. The Access Edge, A/V and Web Conferencing name is sip.contoso.com. The primary SIP domain is contoso.com and the additional one (my local SIP domain) is contoso.local.

Edge internal is using a certificate with CN=edge.contoso.local from the internal CA.

Edge external and RP are using the same certificate from DigiCert (CN=sip.contoso.com, SAN: sip.contoso.com, extweb.contoso.com, lyncdiscover.contoso.com, contoso.com).

Edge, RP and Front End servers are in the same subnet. I know that is not recommended, but it will work.

TMG has 1 rule: from - external; to - lyncfe.contoso.local (FE); public names: extweb.contoso.com, contoso.com, lyncdiscover.contoso.com; bridging: redirects to 8080 and 4443; listener on 80 and 443 with the DigiCert public cert selected (imported from the Edge external interface) on the RP public IP.

Problem: 

www.testocsconnectivity.com reports success on port 5061, but it doesn't work on 443:

Testing the SSL certificate to make sure it's valid.
  The SSL certificate failed one or more certificate validation checks.
 
Test Steps
 
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server sip.contoso.mn on port 443.
  The Microsoft Connectivity Analyzer wasn't able to obtain the remote SSL certificate.
 
Additional Details
  The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.

Autodiscover also doesn't work:

Testing HTTP authentication methods for URL https://lyncdiscover.contoso.com/Autodiscover/AutodiscoverService.svc/root/user.
  HTTP authentication test failed.
 
Additional Details
 

An HTTP 403 error was received because ISA Server denied the specified URL.
Headers received:
Connection: close
Pragma: no-cache
Content-Length: 2040
Cache-Control: no-cache
Content-Type: text/html

http://frontend FQDN/dialin and meet work, but https://extweb.contoso.com/dialin and meet do not.

Question:

  1. Is it possible for the RP and Edge to use the same public CA certificate? - my case
  2. Does the Front End's web external interface have to use a public CA? - a little bit confused on this
  3. Is my TMG configured properly and working?
  4. What should I do then?

Any help would be greatly appreciated! :)




June 28th, 2013 9:12am

1 - Yes, although not best practice, you may use the same SAN certificate for Edge and RP provided all required names are there.

2 - No, the Front End external web services do not require the public cert.

3 - It seems your TMG configuration needs to be checked (see the 403 error) - please post details about your publishing rules to help troubleshoot.

June 28th, 2013 10:56am

Oops, I determined that my reverse proxy rule doesn't work when I test the rule:

lyncfe.contoso.local

https://extweb.contoso.com, lync.contoso.com, lyncdiscover - all public names on ports 8080 and 443 fail. Does it mean the RP can't connect with the Front End?

June 28th, 2013 10:58am

I suggest you review your publishing rules step by step using a good resource like:

http://www.jaapwesselius.com/2012/12/21/publish-lync-2013-services-in-tmg-2010/

Also note that destination traffic to the FE server from the reverse proxy is on port 4443, not 443.

June 28th, 2013 11:03am

Deleted my TMG configuration and followed the link above. Still doesn't work:

This webpage is not available

Yes, I mistyped. 4443.



June 28th, 2013 11:44am

Did you already install the certs (root and intermediate) from your internal CA on your reverse proxy?

I remember I had the same problem a while ago and it was solved by installing the certs on my RP.

June 28th, 2013 11:58am

I have installed all trusted root certificates from the local CA on the Edge, Front End and reverse proxy.

After that the Lync Front End service is not starting :\ Yep, I made it worse.

http://blogs.technet.com/b/lync_tips_and_tricks/archive/2012/12/21/lync-2013-not-starting-on-windows-2012.aspx It's because of the problem with intermediate certs installed in the Trusted Root store. But I don't know which one is the trusted root and which is the intermediate.

June 28th, 2013 1:23pm
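As an added example (not from any poster in this thread), here is a PowerShell check for the question raised above: which certificate is the root and which is the intermediate, and whether an intermediate has ended up in the Trusted Root store. A root CA certificate is self-signed, so its Subject equals its Issuer; an intermediate (issuing) CA certificate is signed by a parent CA, so they differ. The store paths are the standard LocalMachine stores; the .cer file path in the usage lines is assumed.

```powershell
# Added example, not part of the original thread.
# Lists certificates in the computer's Trusted Root store that are NOT
# self-signed, i.e. intermediate/issuing-CA certificates imported into the
# wrong store. Run in an elevated PowerShell session on the Front End.
function Get-MisplacedRootCertificate {
    param([string]$StorePath = 'Cert:\LocalMachine\Root')   # assumed default
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -ne $_.Issuer } |
        Select-Object Thumbprint, Subject, Issuer, NotAfter
}

# Tells you where a .cer file exported from the internal CA belongs
# before you import it anywhere.
function Get-CertificateRole {
    param([Parameter(Mandatory)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    if ($cert.Subject -eq $cert.Issuer) {
        [pscustomobject]@{ Subject = $cert.Subject; Role = 'Root';         Store = 'Cert:\LocalMachine\Root' }
    } else {
        [pscustomobject]@{ Subject = $cert.Subject; Role = 'Intermediate'; Store = 'Cert:\LocalMachine\CA' }
    }
}

# Moves one misplaced intermediate from Trusted Root to Intermediate
# Certification Authorities using the .NET store API (refuses self-signed certs).
function Move-IntermediateOutOfRoot {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $ns   = 'System.Security.Cryptography.X509Certificates'
    $root = New-Object -TypeName "$ns.X509Store" -ArgumentList 'Root', 'LocalMachine'
    $ca   = New-Object -TypeName "$ns.X509Store" -ArgumentList 'CA',   'LocalMachine'
    $root.Open('ReadWrite'); $ca.Open('ReadWrite')
    try {
        $cert = $root.Certificates.Find('FindByThumbprint', $Thumbprint, $false) | Select-Object -First 1
        if (-not $cert) { throw "Thumbprint $Thumbprint not found in the Root store" }
        if ($cert.Subject -eq $cert.Issuer) { throw "$($cert.Subject) is self-signed; leave it in Root" }
        $ca.Add($cert)
        $root.Remove($cert)
        "Moved '$($cert.Subject)' from Trusted Root to Intermediate Certification Authorities"
    } finally {
        $root.Close(); $ca.Close()
    }
}

# Usage (file path assumed):
#   Get-CertificateRole -Path 'C:\certs\contoso-issuing-ca.cer'
#   Get-MisplacedRootCertificate
#   Get-MisplacedRootCertificate | ForEach-Object { Move-IntermediateOutOfRoot -Thumbprint $_.Thumbprint }
```

Run `Get-MisplacedRootCertificate` on each server where you imported the internal CA certificates (Front End, Edge, reverse proxy); anything it lists is the "intermediate in Trusted Root" condition the linked TechNet post describes, and the Front End service should start once the Root store only holds self-signed certificates.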

http://lyncinsider.com/lync-server-2013/moving-to-lync-server-2013-error-on-the-front-end-part-7/ I created a new registry key and it worked! My Front End service started.

But external access and mobility still don't work. Is it possible to have an error in the Front End server's IIS, or the Edge server's IIS?

June 28th, 2013 1:39pm

The Wync iPhone client will probably work OK.

Search for Wync in the iTunes App Store.

June 28th, 2013 3:08pm

Hi,

1. Edge, RP and Front End servers are in the same subnet. Edge and RP must have two network interfaces, and it is supported to put their internal interfaces and the Front End in the same subnet.

2. Since you used a single FQDN and IP for the three Edge external services, testocsconnectivity assumed that the external Edge interface used three FQDNs with different ports for the three Edge external services. Therefore you can ignore the error message in testocsconnectivity.

3. You can use the same public CA certificate for the external interfaces of RP and Edge, but this is not recommended.

4. Since Lync external access and Lync mobility are handled by different components and services, I recommend you troubleshoot the Lync external access issue first. As Lync remote clients would go through the Edge services, please refer to the tips in the following link to narrow down the cause of the issue. http://blogs.technet.com/b/nexthop/archive/2011/12/07/useful-tips-for-testing-your-lync-edge-server.aspx

Please tell us the result after checking DNS, certificate and port.

5. Lync mobility would go through the reverse proxy and would not connect to the Edge server. Here is a great blog on how to configure the reverse proxy for Lync Server. Please double-check whether the configuration you did is correct.

http://social.technet.microsoft.com/wiki/contents/articles/9807.how-to-configure-forefront-tmg-2010-as-reverse-proxy-for-lync-server-2010.aspx

Lync Server internal web site: configured on ports 80 and 443, responsible for providing services to internal clients

Lync Server external web site: configured on ports 8080 and 4443, the site that should be published by the reverse proxy

TMG's role in this scenario is to direct Internet traffic from ports 80/HTTP and 443/HTTPS to 8080/HTTP and 4443/HTTPS on the external web site of the Lync Server Fron

July 1st, 2013 6:22am
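As an added example (not from any poster in this thread), the following PowerShell function does the certificate part of the checks recommended above in one step: it opens a TLS connection to a host and port, captures the certificate the server presents, lists its CN and SAN entries, flags any expected name that is missing, and reports whether the machine it runs on can build a trust chain for that certificate. Run on the TMG server against the Front End on 4443 it shows whether the reverse proxy trusts the internal-CA certificate on the external web site (the "install the root certs on the RP" point from earlier in the thread); run from an Internet host against the published names on 443 it shows what the Connectivity Analyzer saw. The host names in the usage lines are the thread's example names, and the port mapping (443 on the RP bridged to 4443 on the Front End) is taken from the answer above; nothing else is assumed about the deployment.

```powershell
# Added example, not part of the original thread. Requires Windows PowerShell
# (.NET Framework); works on Server 2008 R2 / 2012 with no extra modules.
function Test-TlsEndpoint {
    param(
        [Parameter(Mandatory)][string]$ComputerName,  # IP or FQDN to connect to
        [int]$Port = 443,
        [string]$SniName = $ComputerName,             # name sent in SNI; should match the cert
        [string[]]$ExpectedNames = @()                # names that must appear in the CN or SAN
    )
    $X509   = 'System.Security.Cryptography.X509Certificates'
    $result = [ordered]@{ Target = "$ComputerName`:$Port"; Connected = $false }
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl    = $null
    try {
        $client.Connect($ComputerName, $Port)
        $result.Connected = $true

        # Accept whatever the server sends during the handshake: the chain is
        # validated explicitly below so the reason for a failure gets reported
        # instead of the handshake just throwing.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $acceptAll
        $ssl.AuthenticateAsClient($SniName)
        $cert = New-Object "$X509.X509Certificate2" -ArgumentList $ssl.RemoteCertificate

        $result.Subject  = $cert.Subject
        $result.Issuer   = $cert.Issuer
        $result.NotAfter = $cert.NotAfter
        $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

        # Subject Alternative Name (OID 2.5.29.17) formats as "DNS Name=a, DNS Name=b".
        $sans   = @()
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($sanExt) {
            $sans = @($sanExt.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[1].Trim() })
        }
        $names = @($cn) + $sans
        $result.Names        = $names
        $result.MissingNames = @($ExpectedNames | Where-Object { $names -notcontains $_ })

        # Chain build against THIS machine's certificate stores. A Front End
        # certificate from the internal CA only passes here if the internal
        # root (and any intermediate) is installed on the machine running the test.
        $chain = New-Object "$X509.X509Chain"
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust path only; no CRL lookups
        $result.ChainTrusted = $chain.Build($cert)
        $result.ChainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    } catch {
        # Connection refused, reset, or handshake failure: this is the
        # "SSL negotiation wasn't successful" case from the Connectivity Analyzer.
        $result.Error = $_.Exception.Message
    } finally {
        if ($ssl) { $ssl.Close() }
        $client.Close()
    }
    [pscustomobject]$result
}

# Usage (names from the thread; adjust to your own deployment):
# On the TMG server, towards the Front End external web site that the rule bridges to:
Test-TlsEndpoint -ComputerName lyncfe.contoso.local -Port 4443 -SniName extweb.contoso.com `
    -ExpectedNames extweb.contoso.com, lyncdiscover.contoso.com
# From an Internet host, towards the published name the mobility client resolves:
Test-TlsEndpoint -ComputerName lyncdiscover.contoso.com -Port 443 -ExpectedNames lyncdiscover.contoso.com
```

Read the output in this order: `Connected` false means a DNS, NAT or firewall problem before TLS is involved; `Error` set with `Connected` true means the handshake itself failed; `MissingNames` non-empty means the wrong certificate is bound to that listener or site; `ChainTrusted` false with a `ChainStatus` of `UntrustedRoot` or `PartialChain` on the TMG server is the missing internal root or intermediate certificate on the reverse proxy.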

