External, remote Lync clients cannot sign in, mobile clients sign in okay

Hi all,

I'm having an issue which is burning my brain.

One day, suddenly, my users complained that they could not sign into Lync while working from home. I noticed that internal clients displayed the warning messages "server issues are affecting calls. Try signing out and back in again" and "Limited External Calling"; this was accompanied by a red exclamation mark on the system tray (notification area) Lync icon.

I've searched high and low for a solution but have not found one. Many issues described online were due to misconfigured DNS, but DNS is configured fine, with all relevant entries already present. Nothing has changed on DNS regardless, so it cannot be DNS. This problem happened suddenly as well; DNS does not remove entries by itself, does it?

Anyway, so I checked the EDGE server and noticed that the Internal certificate has expired. "Yes!" I thought, thinking renewing this expired certificate will remedy the issue. It did not. I then also noticed that the External certificate (DigiCert) had some issue and that it was disabled. I used the DigiCert utility to fix this disabled certificate but alas, still no dice!

I am at a loss to explain what is going on and don't know where to troubleshoot. I'm checking Event Viewer on all servers in question but this is no good.

Some of the sign in errors as seen by external users include:

1) "There was a problem verifying the certificate from the server" (this particular error disappeared after I renewed the expired certificate)

2) "Lync couldn't find a Lync Server for OURDOMAIN.com. There might be an issue with the Domain Name System (DNS) configuration for your domain. Please contact your support team."

3) "We're having trouble connecting to the server. If this continues, please contact your support team."

4) "The server is temporarily unavailable. If the problem continues, please contact your support team."

I have tried manually entering the server details in the client but this does not work at all, same symptoms.

Is there anyone who may have some insight or have some troubleshooting tips for me? I'm despondent regarding this issue at the moment!

Background:

We have a main Lync server on the domain and an EDGE server which is not on the domain. Additionally, we have a TMG Firewall server handling external communications so I'm not sure where to troubleshoot either! One interesting point is that when I join our EDGE server to the domain (I had to do this in order to renew the expired certificate), the warning message on the internal Lync clients "server issues are affecting calls. Try signing out and back in again" goes away. This message comes back as soon as I remove the EDGE server from the domain again. External clients keep on having problems signing in.

Also, very strange, is that mobile users (iPhone, Samsung etc...) using the mobile client have no problems at all!

Thanks for reading
Steven

January 14th, 2015 6:17pm

Hi Steven,

Seeing that your certificates have expired and you have renewed them on the Edge server, have you also done this for the TMG server? There is likely an SSL certificate on the TMG rule pointing to your front end pool; this certificate is usually the same as the edge server external certificate.

Have you also checked to see if the internal front end server certificate has expired? If so, please renew that one as well.

I would highly recommend never joining the edge server to the domain. The best way to renew your edge server certificate is to fire up the deployment wizard on the edge server and do an offline certificate request. Then copy that request to your internal CA and complete the request. Then copy the new cert to your edge server and complete using the deployment wizard.

If all else fails I would recommend starting OcsLogger on the front end servers and the edge and retrieving logs during an external client logging in.

Thank you,

Tylor


  • Edited by TylorM Wednesday, January 14, 2015 4:10 PM
January 14th, 2015 7:10pm
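The certificate checks Tylor lists (Edge, TMG listener, Front End) can be scripted so that every server on the sign-in path is inspected the same way. The following is an added example and not code from the thread; it inventories the local machine's Personal certificate store and flags anything expired or close to expiry. It assumes an elevated PowerShell session and uses a 30-day warning window as an assumed default.

```powershell
# Added example (not code from the thread): list the certificates in the
# local machine's Personal store and flag expired or soon-to-expire ones.
# Run in an elevated PowerShell session on each server on the sign-in path
# (Front End, Edge, TMG). The 30-day warning window is an assumed default.
param(
    [int]$WarnDays = 30
)

$now = Get-Date

$report = Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $daysLeft = [int]($cert.NotAfter - $now).TotalDays
    $state = if ($cert.NotAfter -lt $now)     { 'EXPIRED'  }
             elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
             else                             { 'OK'       }

    # Subject Alternative Names (extension OID 2.5.29.17); Lync edge and
    # front-end certificates normally carry several (sip., webcon., av., pool FQDN).
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sans   = if ($sanExt) { $sanExt.Format($false) } else { '' }

    [pscustomobject]@{
        State      = $state
        DaysLeft   = $daysLeft
        NotAfter   = $cert.NotAfter
        HasKey     = $cert.HasPrivateKey   # no private key = unusable for TLS
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        SANs       = $sans
        Thumbprint = $cert.Thumbprint
    }
}

# Overview, soonest expiry first.
$report | Sort-Object NotAfter | Format-Table State, DaysLeft, NotAfter, HasKey, Subject -AutoSize

# Full detail for anything not OK, so the thumbprint can be matched to a role.
$report | Where-Object State -ne 'OK' | Format-List
```

On a server that has the Lync Server Management Shell installed, `Get-CsCertificate` lists the thumbprint assigned to each role (for example Default, WebServicesInternal, WebServicesExternal, AccessEdgeExternal), so a flagged thumbprint from this report can be matched to the role it actually serves rather than renewed blindly.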

Hello Taylor, thank you for the speedy reply.

Yes, I have checked the certificate on the EDGE server. I found it here... TMG Firewall--->Firewall Policy--->Selecting and double clicking the relevant policy--->Listener--->Properties--->Certificates. It was indeed the same DigiCert certificate found on the external NIC on the EDGE server as you said. It had a big red cross to it, signifying an issue. Once I rectified this with the DigiCert utility, this changed to a big green checkmark.

As for the internal Lync server, will this certificate be in the certmgr.msc console or the Deployment Wizard? In the deployment wizard, I see two certificates but both are valid and enabled. They do expire in 5 months so I'll make a note! Neither of them is that same certificate that expired on the Edge server...

I did try to run the Deployment Wizard to renew the certificate before joining it to the domain but I did not succeed in doing this no matter what I tried. Step 3 to request and assign certificates was greyed out with the message "Not available: Local machine not present in local configuration store." But oh well...

OCSLogger? I have not heard of this tool before. Is this the same as the Lync Server Logging Tool? The latter is kind of hard to interpret and grasp. What I have also used is the "Microsoft Lync Connectivity Analyzer" but this tool gives whack results. It gives the ALL GREEN when I run the tool from within our domain, even when I select "External (Internet)" at the Network Access option. When I run this tool from home, I get a plethora of errors but it also gives the "Your deployment meets the minimum requirements for Lync Windows Store App." message so I'm baffled once again.

Cheers for the tool suggestion, I'll research it and give it a go to see if the logs elucidate any useful info, thanks a lot!

January 14th, 2015 8:22pm

Hi Steven,

The TMG Firewall server's external communications have nothing to do with Edge server external access. Your mobile access traffic will be routed through the TMG firewall. As you are able to log in through mobile devices, it seems your TMG firewall rule is fine. What version of Lync are you running? Whether you are running Lync 2010 or 2013, you can enable logging (Lync 2010: separate logging on each server; 2013: centralized logging) and trace the errors.

The Edge server needs to be in the DMZ and it is not recommended to join it to any domain. Did you check all firewall rules?

January 14th, 2015 8:40pm

Hi FnanFne,

Can you run the Microsoft Remote Connectivity Analyzer and post the results here?

Best regards,

Eric

January 15th, 2015 12:21pm

Thank you for this insight, very helpful! Now I can at least disregard the TMG server, narrowing it down to only two suspect servers!

The main internal Lync server is 2013 and the Edge server is 2010. As for logging, is this the "Lync Server Logging Tool" you speak of or is there another, better way? I have not checked the firewall rules before as I'm sure they are fine. I am the only person with suitable credentials to make changes like this and so I didn't give it much thought. Can rules sporadically become disabled?

January 15th, 2015 2:23pm

Hi Eric.

I've run this in the past but did not find extensive information. I have therefore decided to use the specific "Microsoft Lync Connectivity Analyzer" tool but this did not elucidate helpful info as it was reporting strange info. Fortunately, the results from "Microsoft Remote Connectivity Analyzer" are not that large so here they are...

---------------------------------

Testing remote connectivity for user steven@yyyy.com to the Microsoft Lync server.
  Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
 
Additional Details
 
Elapsed Time: 22376 ms.
 
Test Steps
 
Attempting to resolve the host name sip.telappliant.com in DNS.
  The host name resolved successfully.
 
Additional Details
 
IP addresses returned: ppp.ppp.ppp.ppp
Elapsed Time: 324 ms.
Testing TCP port 443 on host sip.yyyy.com to ensure it's listening and open.
  The specified port is either blocked, not listening, or not producing the expected response.
  Tell me more about this issue and how to resolve it
 
Additional Details
 
A network error occurred while communicating with the remote host.
Elapsed Time: 21478 ms

---------------------------------
*I have omitted some info like our domain and external IP address...
---------------------------------

In light of the above results, I have checked the firewall rules on the internal and external Lync servers.

For inbound rules on the External Lync Edge server, I can see there are 3 rules in place for port 443 but only two are enabled:

1) Secure Socket Tunneling Protocol (SSTP-In) --> disabled
2) World Wide Web Services (HTTPS Traffic-In) --> enabled
3) BranchCache Hosted Cache Server (HTTP-In) --> enabled

For inbound rules on the Internal Lync server, I can see there are 4 rules in place for port 443 but only two are enabled:

1) Secure Socket Tunneling Protocol (SSTP-In) --> disabled
2) World Wide Web Services (HTTPS Traffic-In) --> enabled
3) BranchCache Hosted Cache Server (HTTP-In) --> disabled
4) CS TCP443 --> enabled

So I'm again not sure if it's a firewall problem but will let you provide your input if you can!


  • Edited by FnanFne Thursday, January 15, 2015 1:18 PM Italicised the log...
January 15th, 2015 2:39pm

Anyone else with some useful suggestions here?

I tried using the Lync Server Logging Tool but could not generate ANY logs. Not sure if the tool is broken or if I'm not using it in the correct place...

Thanks for reading...

January 19th, 2015 12:57pm

Hi FnanFne,

What is the port that you defined in the topology for the Access Edge service?

If you use a single IP and FQDN for Access Edge, Web Conferencing Edge service and A/V Edge services, you must specify a different port number for each of the edge services (recommended port settings: 5061 for Access Edge service, 444 for Web Conferencing Edge service, and 443 for A/V Edge service).

Best regards,

Eric

January 25th, 2015 7:15pm
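The Remote Connectivity Analyzer output Steven posted (DNS resolves, TCP 443 on the Access Edge FQDN does not answer) and Eric's point about the three edge service ports can be reproduced from any external machine with one script, which also reports the certificate the Access Edge presents, the cause of the "problem verifying the certificate" sign-in error. The following is an added example, not code from the thread or from Microsoft's tools. It assumes the probing machine runs Windows 8 / Server 2012 or newer (for `Resolve-DnsName` and `Test-NetConnection`), that it sits outside the corporate network, and `example.com` is a placeholder for the real SIP domain; the extra port list follows Eric's recommended 5061/444/443 layout.

```powershell
# Added example (not from the thread): reproduce the Remote Connectivity Analyzer
# steps from an external machine: DNS lookup, TCP reachability of the edge ports,
# and the certificate presented on the Access Edge port. Assumptions: Windows 8 /
# Server 2012 or newer on the probing machine; 'example.com' is a placeholder.
param(
    [string]$SipDomain  = 'example.com',
    [int[]] $ExtraPorts = @(443, 444, 5061)   # Access / Web Conf / A/V edge ports to probe
)

function Get-RemoteCertificate {
    # Open a TLS session and return the certificate the server presents.
    # Chain validation is deliberately bypassed so an expired or untrusted
    # certificate is returned for inspection instead of throwing.
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

# Step 1: DNS. External clients query _sip._tls.<domain> (SRV) and fall back to
# sip.<domain> (A) when no SRV record exists.
$srv = Resolve-DnsName -Name "_sip._tls.$SipDomain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object Type -eq 'SRV' | Sort-Object Priority, Weight | Select-Object -First 1
if ($srv) {
    $target = $srv.NameTarget; $sipPort = $srv.Port
    "DNS   _sip._tls.$SipDomain -> ${target}:$sipPort"
} else {
    $target = "sip.$SipDomain"; $sipPort = 443
    "DNS   no SRV record; clients fall back to $target"
}
$a = Resolve-DnsName -Name $target -Type A -ErrorAction SilentlyContinue
if (-not $a) { "DNS   FAIL: $target does not resolve"; return }
"DNS   $target -> $(($a | Where-Object Type -eq 'A').IPAddress -join ', ')"

# Step 2: TCP reachability of the Access Edge port plus the other edge ports.
$ports = @($sipPort) + $ExtraPorts | Sort-Object -Unique
foreach ($p in $ports) {
    $ok = (Test-NetConnection -ComputerName $target -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
    "TCP   ${target}:$p " + $(if ($ok) { 'open' } else { 'BLOCKED or not listening' })
}

# Step 3: certificate on the Access Edge port. Sign-in fails with "problem verifying
# the certificate" when this one is expired or its names do not cover the FQDN.
try {
    $cert  = Get-RemoteCertificate -HostName $target -Port $sipPort
    $state = if ($cert.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'valid' }
    "CERT  $($cert.Subject) issued by $($cert.Issuer)"
    "CERT  expires $($cert.NotAfter) ($state)"
    # Exact-name check only; a wildcard SAN would need a pattern match instead.
    $nameOk = $cert.DnsNameList.Unicode -contains $target
    "CERT  name covers ${target}: " + $(if ($nameOk) { 'yes' } else { 'NO' })
} catch {
    "CERT  no TLS handshake on ${target}:$sipPort - $($_.Exception.Message)"
}
```

Read the three sections in order: a DNS failure explains the "couldn't find a Lync Server for OURDOMAIN.com" message, a blocked port explains "trouble connecting to the server" (and matches the analyzer result in the thread, which points at the path between the Internet and the Edge external interface rather than at the certificates), and an expired or mismatched certificate explains the certificate-verification error that disappeared once the Edge certificate was renewed. Running it from inside the corporate network tells you little, which is the same reason the Lync Connectivity Analyzer reported all green from within the domain.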