Lync Mobile without Reverse Proxy?

Hello friends,

Is it possible to set up and configure Lync mobility without a reverse proxy at all? I have one Lync front end and one Edge server at the moment, which work fine.

Note: I'm using a public CA for the Lync and Edge servers.

I know it is recommended that we should use a reverse proxy; however, due to budget and cost issues I cannot use one at the moment. But what do you say about these steps?

1) The internal IP address of the FE (Front End) must be NATed to a public IP.

2) lyncdiscover.yourdomain.com must resolve externally to the public IP NATed to the FE.

3) The firewall must forward 443 requests to port 4443.

Will it work in my environment if I follow this? Kindly cooperate; this is very important to me.

Thanks

  • Edited by GreeMann Thursday, February 02, 2012 4:04 PM
February 2nd, 2012 6:30pm

Hi,

It is not possible to do mobility without a reverse proxy. Even if you do, it's a security threat.

  • Proposed as answer by zzai Friday, January 25, 2013 7:58 AM
February 2nd, 2012 6:43pm

Yes, it will work, and yes, some consider it a security threat. But you can basically do it as you mentioned above; just make sure your firewall can do NAT and port forwarding (443->4443, etc.) and it will work fine, as I have it set up this way right now with no problems (including Mobility and Federation working, etc.).

Steve

  • Proposed as answer by Greg Seeber Tuesday, February 28, 2012 9:05 PM
February 3rd, 2012 2:17am

I agree it is possible, as I am doing the same thing; it is not recommended, but it is possible.
February 3rd, 2012 3:48am

Hello Scarr4,

What else should I consider before deployment?

Thanks

February 3rd, 2012 2:06pm

I think you've listed the key differences, mainly the port translation still needed from your firewall. Also, just make sure your SSL certs are in order, so your external-facing site on your FE server has a 3rd-party cert or one that is trusted. I'm assuming you are just using one FE server. If not, you should make sure you have the load balancing figured out before you begin.

This is a good resource too:

http://ucken.blogspot.com/2011/01/lync-external-web-services-without.html

Steve

February 3rd, 2012 10:37pm

Hello,

1- I have one FE server (1 NIC) and one Edge server (4 NICs); both servers are using a public CA and working fine at the moment. Do I need to modify anything in the Edge server?

2- Do I need to add an additional IP to the Lync FE server for binding of the external web site? Why?

3- Port forwarding:

A- Lync FE public IP: all 443 requests should be redirected to 4443 and all 80 to 8080. And what about this: should I do the same for the Lync FE internal IP as well?

B- You mean like this: if any 443 requests from external users come to the Lync public IP, then in the firewall we should configure redirection to the Lync internal IP on 4443?

4- Whether this would cause issues with SIP, dial-in and meet Lync traffic, which shares the same public IP using port 443. Also, do you know of anyone else using this configuration?

Please put a little bit more information in the firewall section, because I do believe all this configuration depends on proper firewall configuration.

Thanks

  • Edited by GreeMann Saturday, February 04, 2012 3:45 PM
February 4th, 2012 11:07am

Hi GreeMann,

I do not have an Edge server; all of my port forwarding is to the FE server: 4443, 443, 8080, 80. There may be extras that are not needed. I had a few issues with IIS missing a patch, so I had set up a TMG server, but that is no longer active.

1. Nothing additional.

2. No additional IPs.

3. Did you say you have an Edge server? Port forwarding should go to the Edge server.

4. No issues, as they are in different virtual directories.

Your best option is some trial-and-error configuration.

Thanks,

Jeff

February 6th, 2012 10:53am

@GreeMann...

* No modification required at the Edge server.

* No additional IP required for the FE server.

* For your question 3, check the guide below.

* Question 4 - No.

For firewall configuration (Cisco ASA), check the guide below.

Lync Mobility without a TMG reverse proxy is 100% possible. I am using Lync mobility without a TMG reverse proxy; no issues observed so far. But it's recommended to use TMG to publish the simple URLs & Lync Discover for security reasons.

Advantages of Lync without TMG:

1. You can save one SSL cert.

2. Easy to configure.

Check the guide below to publish the Simple URLs & Lync Mobility without TMG:

http://www.mytricks.in/2011/11/tutorial-microsoft-lync-edge-server.html

February 6th, 2012 2:33pm

Thank you to both of you. I will try to configure it and I will keep you updated with the result.

Thanks, GreeMann

February 6th, 2012 6:00pm

I am in the same boat as the OP. My only question is in regards to hairpinning the Mobility URL for internal users. In the MS documentation it states:

"However, both the internal Mobility Service URL and the external Mobility Service URL are associated with the external Web Services FQDN. Therefore, regardless of whether a mobile device is internal or external to the network, the device always connects to the Microsoft Lync Server 2010 Mobility Service externally through the reverse proxy."

Sounds like I need to create an A record for my external FE FQDN. Should I point it to my internal or external (NATed) IP address? I know by default the ASA will not like me hairpinning back into the outside interface.

EDIT: It has come to my attention that since I am running without a reverse proxy, all of my external services run under 8080 and 4443. I port forward those externally. Internally, if I wanted the ability to point directly to the external web services without going through the firewall, I believe that I would need to change the Lync FE setup: add a second IP and bind the external web services to it under 80 and 443. Has anyone done the mobility service with this type of setup who can comment?


Thanks, Rob

February 6th, 2012 11:52pm

Rob,

Basically if you're supporting external users for mobility, Lync will redirect the internal users as well to the external URL (and the external website on the FE) as you've found. If you configure Lync to only support internal users however, you can direct mobile clients directly to the internal website on the FE and this will work.

I think there are a few options you have here:

  • Get your internal clients to hit the external FQDN so it can translate the ports, and come into the external website.
  • Reconfigure Lync to only support internal clients (probably not what you want to do).

I don't recommend adding another IP address to your FE and changing the ports as this marks a significant deviation from the way a Lync FE server works and would place you firmly in a Microsoft unsupported scenario.

February 7th, 2012 3:22am

Hello everyone,

I have a similar problem here. We want to enable mobility for internal users, but not for external users. We have just one FE server, without any Edge or reverse proxy server. Until now we did not need them. What now? I have installed the mobility services as described in the MS documentation, except for the reverse proxy part.

I want the mobility service available only to my internal network, so I set `Set-CsMcxConfiguration -ExposedWebURL Internal`.

I also modified the certificates with the needed lyncdiscoverinternal (lyncdiscover) SAN on the WebServicesInternal role. The question arises: do I need a public certificate for the mobility service, even if I use it from the internal network?

So far I see that it is possible to use mobility internally without a reverse proxy. Is it also possible without the Edge server?

February 7th, 2012 4:14pm

Hi Peter,

I do not have a proxy or Edge, and I am using an internal certificate, but I have enabled external access.

If you are using a self-signed cert, then make sure that the devices have the root cert installed.

Thanks,

Jeff

February 7th, 2012 4:44pm

@PK2086,

If you want to use Lync Mobility internally, then there is no need for an Edge server & TMG server.

Thanks

February 8th, 2012 7:25am

Hi All,

I have the same problem here. I have only 3 servers: 1 is the DC, 2 is Lync, and the 3rd is Edge. Users can access Lync externally, but are not able to log in on Lync Mobile. I have added 1 extra IP to my FE server and configured another IP address for the IIS External Web Site; Meet and Dial-in are working without any problem, but Lync Discover is not working. I have public certificates, and I have added them on the FE IIS External Website on ports 80/443.

Please suggest to me how I can get it done without a reverse proxy.

Thanks,

Amit

March 22nd, 2012 4:00pm

Have you installed the mobility services on the front end?
March 22nd, 2012 4:43pm

Yes, I have installed the mobility services and I was able to log in on the internal network. After adding NAT and the Edge server I am not able to log in.

Please suggest to me what I need to change.

Thanks

Amit

March 22nd, 2012 7:31pm

I was able to deploy Lync and the Mobility Service without using a reverse proxy or a public CA cert, so it is definitely possible. The catch is that this was just for me to play around with in a lab environment, and I didn't have enough resources in the lab to provision another server for the RP...

However, it is definitely not supported or recommended, especially for a production environment, for security reasons: you would be publishing Lync services directly from the Front End to externally connected clients.

May 8th, 2012 8:44pm

 I know by default the ASA will not like me hairpinning back into the outside interface.

June 14th, 2012 4:42am

I have read many posts in which many people all wish to do the same thing: run Lync Mobility internally only, without an Edge server. I have also read that there are people who are currently doing this.

Are there any users out there who would be willing to put together a How-To on getting this working? A step-by-step guide to run Lync Mobility from, say, Android clients internally only.

I think this would be great help for several people.

Thanks

KJ

September 17th, 2012 7:25pm

I would like to agree with the above. I am having a hard time with a Lync 2013 install where I cannot get mobility to work without an RP. This may be by design, but I don't understand how or why and would love to understand it better.

Thanks to anyone willing to assist.

January 24th, 2013 5:38pm

Just thought I'd throw in my experience so far... It seems that the traffic involved with the mobility clients (and all Lync 2013 clients) is SIP-based (whatever that means). What I see is that the client isn't going over 443 but over 5061 against sip.domain.com. And what then happens is that the Lync server responds with the internal certificate lync.domain.internal, which is invalid to an external user (non-domain user), and the connection fails.

Try for yourself at https://www.testexchangeconnectivity.com/; it's an MS site for testing lots of external connectivity, Lync included.

When I generated an official certificate from digicert.com with ALL suggested SAN names included, everything worked without a reverse proxy. This is because I now have the server.domain.internal name included in the SAN list. FYI, due to new cert standards, this will stop working on 31.12.2013 (internal domain names in an official certificate).

February 13th, 2013 3:07pm
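Several posts above come down to whether the certificate presented by the Front End covers every name a client will check (lyncdiscover, the simple URLs, the external web services FQDN, and any internal server name). The script below is an added example, not code from the thread or from Microsoft: it parses the Subject Alternative Name line as `openssl x509 -noout -text` prints it, matches each required name against the SANs with wildcard rules, and flags SANs under non-public suffixes that public CAs no longer issue. All host names and the SAN line are constructed placeholders.

```python
import re
from typing import Iterable

# Constructed sample: the SAN line as printed by `openssl x509 -noout -text`
# for the cert bound to the Lync external web site (placeholder names).
SAMPLE_SAN_LINE = (
    "DNS:lyncweb.example.com, DNS:lyncdiscover.example.com, "
    "DNS:meet.example.com, DNS:dialin.example.com, DNS:*.example.internal"
)

# Names a client may validate against this cert. The role of each name follows
# the thread (external web services FQDN, lyncdiscover, simple URLs, internal
# FQDN); the concrete values are assumed examples.
REQUIRED_NAMES = [
    "lyncweb.example.com",
    "lyncdiscover.example.com",
    "meet.example.com",
    "dialin.example.com",
    "lyncdiscoverinternal.example.com",
    "lyncfe01.example.internal",
]

# Suffixes treated as non-public for the purpose of this check (assumption).
NON_PUBLIC_SUFFIXES = (".internal", ".local", ".lan", ".corp")


def parse_san(line: str) -> list[str]:
    """Extract the DNS entries from an openssl-style SAN line; other types are ignored."""
    return [m.group(1).lower() for m in re.finditer(r"DNS:([^,\s]+)", line)]


def san_matches(san: str, host: str) -> bool:
    """Match a host against one SAN. A wildcard covers exactly one leftmost label."""
    if san.startswith("*."):
        head, sep, rest = host.partition(".")
        return bool(sep) and head != "" and "." + rest == san[1:]
    return san == host


def missing_names(san_names: Iterable[str], required: Iterable[str]) -> list[str]:
    """Required names that no SAN entry covers, in the order given."""
    sans = list(san_names)
    return [h for h in required if not any(san_matches(s, h.lower()) for s in sans)]


def internal_names(san_names: Iterable[str]) -> list[str]:
    """SAN entries under non-public suffixes, which public CAs stopped issuing."""
    return [s for s in san_names if s.endswith(NON_PUBLIC_SUFFIXES)]


if __name__ == "__main__":
    sans = parse_san(SAMPLE_SAN_LINE)
    print("missing:", missing_names(sans, REQUIRED_NAMES))
    print("internal-only SANs:", internal_names(sans))
```

Run it against the real SAN line of the cert bound to port 4443 to see, before deployment, which name a mobile client will fail on.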

We are publishing Lync 2010 to mobility clients successfully using a VPN profile on the iPhones and iPads. The VPN profile was already there for other applications and after configuring the internal only settings and DNS records we are successfully connecting from the iPhones.

The problem is that on the mobility client we receive errors accessing EWS: "Can't connect to Exchange Web Server. You can try again later."

Our SIP domain is ***.firm, our internal DNS zone is the same, but our email domain is ***.com. We don't want to use Edge, so we have not published any external DNS records. The confusion is that we are successfully connected to Lync from the mobile devices, but EWS still fails. MS wants us to publish an internal Autodiscover record, but my ****.com domain is strictly external, and publishing an autodiscover record externally would mean using at least UAG if not Edge as well.

MS said:

"Though the CAS array is casma.****.net, Lync doesn't know the SCPs and it doesn't know the CAS array. Lync uses the predefined URLs such as https://autodiscover.****.com/autodiscover/autodiscover.xml

So please confirm that the autodiscover URL is accessible through VPN on the mobile device. In the logs I could see that it's not accessible."

Any suggestions? Thanks in advance.

February 14th, 2014 11:12am
