Mobile clients can't connect externally

I'm currently in the process of adding Mobility to our Lync Server 2010 deployment as per http://blog.schertz.name/2011/12/deploying-the-lync-2010-mobility-service/ but am having some issues getting our mobile clients to connect when they are external.

We have a co-located front end (single-homed) being published through a TMG firewall. When our phones are connected via wifi everything is working fine; when external they fail to connect.

I've collected logs from the clients themselves and from the Lync Server logging tool and I am getting a 401 returned from autodiscover/autodiscoverservice.svc/root/user; specifically, it is returning a "The Web Ticket is invalid" error.

I've checked and double-checked my TMG rule and confirmed that all the autodiscover and mcx services are returning the expected information, but I am now at a bit of a loss as to where to go from here.

August 5th, 2013 11:01am

Hi,

Check that the Reverse Proxy is properly configured for Mobility.

http://technet.microsoft.com/en-us/library/hh690011.aspx

August 6th, 2013 2:59am

We adjusted our rule for the other Lync services that were already working; we have triple-checked it and it all looks OK. We have also tried to create a separate rule, with the same outcome. The TMG logs show no denies, just allows.
August 6th, 2013 3:26am

Hi Ecann,

Please execute the command test-csmcxp2pim to test the mobility service as a try.

Based on the error message, the issue could be due to a reverse proxy issue. We can refer to the following article on configuring the reverse proxy for mobility to re-confirm whether the settings are set correctly:

http://technet.microsoft.com/en-us/library/hh690011.aspx

Please select the check box with the option "Forward the original host header instead of the actual one (specified in the internal site name field)".

Best Regards,

Eason Huang  
August 6th, 2013 4:20am

We definitely have the tick in the "forward the original host header" box. The command test-csmcxp2pim returns a success.

Our issue is exactly like the one mentioned above, but the solution does not work for us.

August 6th, 2013 5:15am

The remote connectivity analyzer may help: https://testexchangeconnectivity.com . Click the Lync/OCS tab and do the autodiscover test.

Do you have multiple SIP domains (e.g. internally domain.local, externally domain.com)? If yes, then Lyncdiscover for your additional SIP domains needs to be set to HTTP in TMG. I can't remember exactly where, but there's a line or paragraph in the mobility guide that mentions this.


August 6th, 2013 9:13am

The remote connectivity analyzer was successful for the Lync autodiscover test.

We don't have multiple SIP domains.

August 6th, 2013 9:24am

Can you provide those logs, please? Can you also confirm which CU is installed?

Let's also check what's configured as the internal and external URLs:

Get-CsService -PoolFqdn mylyncpool.domain.com -WebServer | Select-Object McxService* | fl


Next, grab a coffee and read through Lync Mobility Deep Dive

August 6th, 2013 9:44am

<?xml version="1.0" encoding="utf-8"?>

<testresult status="Success" errorid="00000000-0000-0000-0000-000000000000" contentUrl="" testdescription="Testing connectivity to the Lync Autodiscover Web Service server for a secure connection on port 443 to obtain the root token." resultdescription="Connectivity to the Lync Autodiscover Web Service test successful." additionaldetails="">

  <children>

    <testresult status="Success" errorid="00000000-0000-0000-0000-000000000000" contentUrl="" testdescription="Attempting to test Autodiscover Web Service URL https://lyncdiscover.sedgemoor.gov.uk/Autodiscover/AutodiscoverService.svc/root." resultdescription="Autodiscover Web Service URL successfully tested." additionaldetails="">

      <children>

        <testresult status="Success" errorid="00000000-0000-0000-0000-000000000000" contentUrl="" testdescription="Attempting to resolve the host name lyncdiscover.sedgemoor.gov.uk in DNS." resultdescription="The host name resolved successfully." additionaldetails="IP addresses returned: 81.171.224.200">

          <children />

        </testresult>

        <testresult status="Success" errorid="00000000-0000-0000-0000-000000000000" contentUrl="" testdescription="Testing TCP port 443 on host lyncdiscover.sedgemoor.gov.uk to ensure it's listening and open." resultdescription="The port was opened successfully." additionaldetails="">

          <children />

        </testresult>

        <testresult status="Success" errorid="734044ef-11c2-4e30-9ee6-450d49e9d92c" contentUrl="" testdescription="Testing the SSL certificate to make sure it's valid." resultdescription="The certificate passed all validation requirements." additionaldetails="">

          <children>

            <testresult status="Success" errorid="00000000-0000-0000-0000-000000000000" contentUrl="" testdescription="The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server lyncdiscover.sedgemoor.gov.uk on port 443." resultdescription="The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate." additionaldetails="Remote Certificate Subject: CN=*.sedgemoor.gov.uk, OU=IS, O=Sedgemoor District Council, L=Bridgwater, S=Somerset, C=GB, Issuer: CN=QuoVadis Global SSL ICA, OU=www.quovadisglobal.com, O=QuoVadis Limited, C=BM.">

              <children />

            </testresult>

            <testresult status="Success" errorid="00000000-0000-0000-0000-000000000000" contentUrl="" testdescription="Validating the certificate name." resultdescription="The certificate name was validated successfully." additionaldetails="The host name that was found, lyncdiscover.sedgemoor.gov.uk, is a wildcard certificate match for common name *.sedgemoor.gov.uk.">

              <children />

            </testresult>

            <testresult status="Success" errorid="00000000-0000-0000-0000-000000000000" contentUrl="" testdescription="Testing the certificate date to confirm the certificate is valid." resultdescription="Date validation passed. The certificate hasn't expired." additionaldetails="The certificate is valid. NotBefore = 5/2/2013 10:50:25 AM, NotAfter = 5/9/2014 12:00:00 AM">

              <children />

            </testresult>

          </children>

        </testresult>

        <testresult status="Success" errorid="00000000-0000-0000-0000-000000000000" contentUrl="" testdescription="Testing HTTP authentication methods for URL https://lyncdiscover.sedgemoor.gov.uk/Autodiscover/AutodiscoverService.svc/root/user." resultdescription="HTTP authentication methods successful." additionaldetails="Web Ticket URL found as expected and confirmed anonymous access isn't allowed.">

          <children />

        </testresult>

        <testresult status="Success" errorid="00000000-0000-0000-0000-000000000000" contentUrl="" testdescription="Testing HTTP content for URL https://lyncdiscover.sedgemoor.gov.uk/Autodiscover/AutodiscoverService.svc/root/domain has McxService.svc." resultdescription="Http Content is verified" additionaldetails="Found as expected McxService.svc and confirmed anonymous access not allowed.">

          <children />

        </testresult>

      </children>

    </testresult>

  </children>

</testresult>

Mobility services are at 4.0.7577.217

The PowerShell command returns what we would expect.

August 6th, 2013 9:56am
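
As an added example (not part of any post in this thread, and not Microsoft's tooling): a PowerShell sketch that flattens a Connectivity Analyzer report of the `<testresult>`/`<children>` shape pasted above, then lists any step that did not succeed and any step whose details mention a wildcard certificate match. The function name `Get-TestResultRows` is hypothetical and the embedded report is a constructed sample with placeholder host names.

```powershell
# Constructed sample in the same shape as the posted report (placeholder hosts,
# one step deliberately marked as failed so the filter has something to show).
$reportXml = @'
<testresult status="Error" testdescription="Testing connectivity to the Lync Autodiscover Web Service." resultdescription="Constructed sample report." additionaldetails="">
  <children>
    <testresult status="Success" testdescription="Validating the certificate name." resultdescription="The certificate name was validated successfully." additionaldetails="The host name that was found, lyncdiscover.example.test, is a wildcard certificate match for common name *.example.test.">
      <children />
    </testresult>
    <testresult status="Error" testdescription="Testing HTTP authentication methods." resultdescription="Constructed failure for illustration." additionaldetails="">
      <children />
    </testresult>
  </children>
</testresult>
'@

# Hypothetical helper: walk the nested testresult tree depth-first and emit
# one object per test step, remembering how deep it sat in the tree.
function Get-TestResultRows {
    param([System.Xml.XmlElement]$Node, [int]$Depth = 0)
    [pscustomobject]@{
        Depth   = $Depth
        Status  = $Node.GetAttribute('status')
        Test    = $Node.GetAttribute('testdescription')
        Result  = $Node.GetAttribute('resultdescription')
        Details = $Node.GetAttribute('additionaldetails')
    }
    foreach ($child in $Node.SelectNodes('children/testresult')) {
        Get-TestResultRows -Node $child -Depth ($Depth + 1)
    }
}

$doc = New-Object System.Xml.XmlDocument
$doc.LoadXml($reportXml)
$rows = @(Get-TestResultRows -Node $doc.DocumentElement)

# Indented overview of every step and its status.
$rows | ForEach-Object { '{0}[{1}] {2}' -f ('  ' * $_.Depth), $_.Status, $_.Test }

# Steps that did not report Success, with their details.
$rows | Where-Object { $_.Status -ne 'Success' } | Format-List Test, Result, Details

# Steps where the host name matched only through a wildcard certificate.
$rows | Where-Object { $_.Details -match 'wildcard certificate match' } |
    Select-Object -ExpandProperty Details
```

To run it against a saved report instead of the sample, replace the `LoadXml` call with `$doc.Load('<path to saved report>')`.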

Hi,
Have you used a wildcard certificate for the reverse proxy?
Please refer to the following tips to troubleshoot external Lync Mobility.
http://blogs.technet.com/b/nexthop/archive/2012/02/21/troubleshooting-external-lync-mobility-connectivity-issues-step-by-step.aspx
August 22nd, 2013 8:19am

We are making progress: having opened the ports on our external firewall, we can now see the traffic hitting our TMG server. We have created the TMG rule as per the above instructions. HTTPS traffic is fine, but HTTP is being blocked by the default rule, even though we are listening for it in our rule. Any ideas, please?

August 28th, 2013 5:37am

We rebooted our TMG server this morning and the HTTP traffic is now being allowed through.
August 29th, 2013 4:59am
