Mobility works perfectly internally but externally it doesn't

I also have a problem getting Mobility working externally. 

All other features seem to be working just fine. I have run several tests as well as the Best Practices utility and resolved all of the issues listed. When I attempt to connect I get the usual failure "An Error has occurred" message. I am listing all of the typical results from the suggested steps I have taken below.

First, here is the answer to the normal questions asked in this case:

a. I am using a single certificate for everything.
b. The Publishing rule "Web Farm" is in the certificate along with all the public names
c. Authentication delegation is set to "No delegation, but clients may authenticate directly".
d. Root CA and public CA are trusted by TMG

I noticed that when I attempt to connect TMG says "page must be viewed over secure channel". The logs on the client return authentication errors. And finally the mobile client appears to try lyncdiscoverinternal and jumps to pool01 instead of trying lyncdiscover next. If I hard set the client to lyncdiscover instead of autodiscover, it just spins and never times out or fails... nothing happens.

Can you help? I would be glad to run anything you need for testing. See current results below:

Get-CsMcxConfiguration

Identity                       : Global
SessionExpirationInterval      : 259200
SessionShortExpirationInterval : 3600
ExposedWebURL                  : External
PushNotificationProxyUri       : sip:push@push.lync.com

---------------

Get-CsMobilityPolicy

Identity           : Global
Description        : 
EnableOutsideVoice : True
EnableMobility     : True

---------------

Get-CsPushNotificationConfiguration

Identity                               : Global
EnableApplePushNotificationService     : True
EnableMicrosoftPushNotificationService : True

---------------

Get-CsAutodiscoverConfiguration
Identity : Global
WebLinks : {}

---------------

Test-CsMcxPushNotification -AccessEdgeFqdn "edge.domain.com"

TargetFqdn : 
Result     : Success
Latency    : 00:00:00
Error      : 
Diagnosis  : 

---------------

Test-CsMcxP2PIM -TargetFqdn "lyncdiscover.domain.com"

TargetUri  : https://pool01.domain.com:443/mcx
TargetFqdn : lyncdiscover.domain.com
Result     : Failure
Latency    : 00:00:00
Error      : ERROR - No response received for Web-Ticket service.
             Inner Exception:The HTTP request is unauthorized with client authe
             ntication scheme 'Ntlm'. The authentication header received from t
             he server was 'Negotiate,NTLM'.
             Inner Exception:The remote server returned an error: (401) Unautho
             rized.

Diagnosis  :

---------------

FROM RProxy on TMG

Allowed Connection 
TOL-LTCLRP1 4/9/2012 1:15:07 PM 
Log type: Web Proxy (Reverse) 
Status: 403 Forbidden 
Rule: Lync Multi-Server Web Rule 
Source: External (166.249.XXX.XXX:5065) 
Destination: Local Host (10.60.XXX.XX:4443) 
Request: GET http://lyncdiscover.domain.com/?sipuri=sip:user1@domain.com 
Filter information: Req ID: 0b6925c6; Compression: client=No, server=No, compress rate=0% decompress rate=0% 
Protocol: https 
User: anonymous 
 Additional information 
Client agent: ACOMO
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x40000000 (Response should not be cached.)
Processing time: 1 MIME type: text/html 
 
-THEN-

Failed Connection Attempt
TOL-LTCLRP1 4/9/2012 1:15:07 PM 
Log type: Web Proxy (Reverse) 
Status: 12311 The page must be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the server administrator.  
Rule: Lync Multi-Server Web Rule 
Source: External (166.249.XXX.XXX:8030) 
Destination: Local Host (192.168.XXX.XXX:80) 
Request: GET http://lyncdiscover.lakeshoretoltest.com/ 
Filter information: Req ID: 0b6925d3; Compression: client=No, server=No, compress rate=0% decompress rate=0% 
Protocol: http 
User: anonymous 
 Additional information 
Client agent: ACOMO
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 1 MIME type:  

---------------

ALL ERRORS From Android Client

Apr 9, 2012 1:15:04 PM ERROR HttpConnection: java.net.UnknownHostException: Unable to resolve host "lyncdiscoverinternal.domain.com": No address associated with hostname
Apr 9, 2012 1:15:04 PM ERROR TRANSPORT /mnt/hgfs/marvin_LyncRTM/dev/como/android/proxy/CHttpConnection.cpp/166:CHttpConnection exception: java.net.UnknownHostException
Apr 9, 2012 1:15:04 PM ERROR HttpConnection: java.net.UnknownHostException: Unable to resolve host "lyncdiscoverinternal.domain.com": No address associated with hostname
Apr 9, 2012 1:15:04 PM ERROR TRANSPORT /mnt/hgfs/marvin_LyncRTM/dev/como/android/proxy/CHttpConnection.cpp/166:CHttpConnection exception: java.net.UnknownHostException
Apr 9, 2012 1:15:04 PM ERROR APPLICATION /mnt/hgfs/marvin_LyncRTM/dev/como/applicationLayer/infrastructure/private/CUcwaAutoDiscoveryGetUserUrlOperation.cpp/322:Request failed.  Error - E2-2-1
Apr 9, 2012 1:15:04 PM ERROR APPLICATION /mnt/hgfs/marvin_LyncRTM/dev/como/applicationLayer/infrastructure/private/CUcwaAutoDiscoveryGetUserUrlOperation.cpp/322:Request failed.  Error - E2-3-15
Apr 9, 2012 1:15:05 PM ERROR APPLICATION /mnt/hgfs/marvin_LyncRTM/dev/como/applicationLayer/infrastructure/private/CUcwaAutoDiscoveryServiceRetrialWrapper.cpp/348:Auto-discovery failed. Analysing the failure
Apr 9, 2012 1:15:05 PM ERROR APPLICATION /mnt/hgfs/marvin_LyncRTM/dev/como/applicationLayer/infrastructure/private/CLogonSession.cpp/1050:Auto-discovery failed, aborting sign-in!
Apr 9, 2012 1:15:05 PM ERROR APPLICATION /mnt/hgfs/marvin_LyncRTM/dev/como/applicationLayer/objectModel/private/CAlertReporter.cpp/52:Alert received! Type 16384, level 0, error E2-3-15, context ''
Apr 9, 2012 1:15:28 PM ERROR HttpConnection: java.net.UnknownHostException: Unable to resolve host "pool01.domain.com": No address associated with hostname
Apr 9, 2012 1:15:28 PM ERROR TRANSPORT /mnt/hgfs/marvin_LyncRTM/dev/como/android/proxy/CHttpConnection.cpp/166:CHttpConnection exception: java.net.UnknownHostException
Apr 9, 2012 1:15:28 PM ERROR TRANSPORT /mnt/hgfs/marvin_LyncRTM/dev/como/transport/authenticationResolver/private/CAuthenticationResolver.cpp/554:Unable to get the meta data for server url https://pool01.domain.com:443/groupexpansion/service.svc

April 10th, 2012 12:03am
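The TMG and Android excerpts in the post above already contain the clues that the rest of the thread works through: a plain-HTTP request for lyncdiscover hitting an HTTPS-only listener (status 12311), an anonymous GET refused with 403 after being bridged to 4443, and the client failing to resolve first lyncdiscoverinternal (expected from outside) and then pool01.domain.com (the internal web services name it was handed). The script below is an added example, not code from the thread or from Microsoft: it parses those log lines into findings a defender can act on. The sample text is copied from the post (addresses were already masked there); the finding codes are this example's own.

```python
"""Triage of the reverse-proxy and mobile-client log excerpts in the post above.

Added example, not code from the thread or from Microsoft. It parses the TMG
'Web Proxy (Reverse)' entries into key/value records, scans the Android client
lines for unresolvable hosts, and turns both into findings a defender can act
on. The sample text is copied from the post (addresses were already masked);
the finding codes are this example's own.
"""
import re

TMG_LOG = """\
Allowed Connection
TOL-LTCLRP1 4/9/2012 1:15:07 PM
Log type: Web Proxy (Reverse)
Status: 403 Forbidden
Rule: Lync Multi-Server Web Rule
Source: External (166.249.XXX.XXX:5065)
Destination: Local Host (10.60.XXX.XX:4443)
Request: GET http://lyncdiscover.domain.com/?sipuri=sip:user1@domain.com
Protocol: https
User: anonymous

Failed Connection Attempt
TOL-LTCLRP1 4/9/2012 1:15:07 PM
Log type: Web Proxy (Reverse)
Status: 12311 The page must be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the server administrator.
Rule: Lync Multi-Server Web Rule
Source: External (166.249.XXX.XXX:8030)
Destination: Local Host (192.168.XXX.XXX:80)
Request: GET http://lyncdiscover.lakeshoretoltest.com/
Protocol: http
User: anonymous
"""

ANDROID_LOG = """\
Apr 9, 2012 1:15:04 PM ERROR HttpConnection: java.net.UnknownHostException: Unable to resolve host "lyncdiscoverinternal.domain.com": No address associated with hostname
Apr 9, 2012 1:15:28 PM ERROR HttpConnection: java.net.UnknownHostException: Unable to resolve host "pool01.domain.com": No address associated with hostname
Apr 9, 2012 1:15:28 PM ERROR TRANSPORT /mnt/hgfs/marvin_LyncRTM/dev/como/transport/authenticationResolver/private/CAuthenticationResolver.cpp/554:Unable to get the meta data for server url https://pool01.domain.com:443/groupexpansion/service.svc
"""

DEST_RE = re.compile(r"\((?P<ip>[^:()]+):(?P<port>\d+)\)")
UNKNOWN_HOST_RE = re.compile(r'Unable to resolve host "(?P<host>[^"]+)"')


def parse_tmg_entries(text):
    """Split blank-line separated TMG entries into dicts of 'Key: value' fields."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                fields[key.strip()] = value.strip()
            else:
                fields.setdefault("Event", line.strip())  # first bare line is the event name
        entries.append(fields)
    return entries


def dest_port(entry):
    """Port the proxy forwarded to, taken from 'Destination: Local Host (ip:port)'."""
    m = DEST_RE.search(entry.get("Destination", ""))
    return int(m.group("port")) if m else None


def triage_tmg(entries):
    """Classify each reverse-proxy entry; returns (code, message) tuples in log order."""
    findings = []
    for e in entries:
        status = e.get("Status", "")
        request = e.get("Request", "")
        port = dest_port(e)
        if status.startswith("12311") or (e.get("Protocol", "").lower() == "http" and port == 80):
            findings.append(("plain-http",
                             f"{request}: plain HTTP reached the listener on port {port}; "
                             "it requires SSL, so autodiscover must be reached over HTTPS"))
        elif status.startswith("403") and e.get("User") == "anonymous":
            findings.append(("anon-denied",
                             f"{request}: anonymous request bridged to port {port} was refused (403); "
                             "the first autodiscover request is anonymous, so the published path must allow it"))
    return findings


def triage_android(text, sip_domain):
    """Explain each distinct unresolvable host the mobile client reported."""
    findings, seen = [], set()
    internal_name = f"lyncdiscoverinternal.{sip_domain}"
    for m in UNKNOWN_HOST_RE.finditer(text):
        host = m.group("host").lower()
        if host in seen:
            continue
        seen.add(host)
        if host == internal_name:
            findings.append(("internal-name-expected",
                             f"{host} is not in public DNS; expected from outside, the client "
                             f"should fall through to lyncdiscover.{sip_domain}"))
        else:
            findings.append(("external-unresolvable",
                             f"{host} was handed to the client but is not in public DNS; check that the "
                             "external web services FQDN differs from the internal one and is published"))
    return findings


if __name__ == "__main__":
    for code, msg in triage_tmg(parse_tmg_entries(TMG_LOG)) + triage_android(ANDROID_LOG, "domain.com"):
        print(f"[{code}] {msg}")
```

Run against the excerpts, the script reports one `anon-denied` and one `plain-http` entry from TMG, and from the client an expected miss on `lyncdiscoverinternal.domain.com` followed by an `external-unresolvable` hit on `pool01.domain.com`, which is the symptom the later posts trace back to the internal and external web services sharing one FQDN.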

Hi,

Check you have done all the things step by step according to Deploying the Lync 2010 Mobility Service.

Check your external access configuration is correct.

If you select HTTPS for Lync Autodiscover, remember that certificate on the reverse proxy web listener should be updated to include the new lyncdiscover.<sipdomain> FQDN.

Regards,

Lisa

April 10th, 2012 12:35pm

I have done everything in the 'Deploying the Lync 2010 Mobility Service' document. Keep in mind that it is working perfectly on the internal network. 

I have checked the external access configuration is correct. Meet and Dialin are working.

The web listener certificate has been updated. Remember that I am using a single certificate for everything. That certificate has SAN for:

  • pool
  • sip
  • webconf
  • av
  • rp
  • dialin
  • meet
  • servers in FE Pool
  • servers in Edge Pool
  • admin
  • lyncdiscover
  • lyncdiscoverinternal

If it were a TMG certificate error, wouldn't TMG say that in the logs?

April 10th, 2012 2:56pm

MORE TEST RESULTS:

Get-CsService -Webserver |fl *Mcx*

McxSipPrimaryListeningPort  : 5086
McxSipExternalListeningPort : 5087
McxServiceExternalUri       : https://pool01.domain.com/Mcx/McxService.svc
McxServiceInternalUri       : https://pool01.domain.com/Mcx/McxService.svc

---------------

Using the Mobile tester on the Remote Connectivity Analyzer here: https://www.testocsconnectivity.com

  • Resolve the host name lyncdiscover.domain.com in DNS = Success
  • Testing TCP Port 443 on host lyncdiscover.domain.com = Success
  • Testing SSLCertificate for validity = Success
  • Testing Http Authentication Methods for URL https://lyncdiscover.domain.com:443 = Success

  • Testing Http Content for URL https://lyncdiscover.domain.com:443/... = FAILED!
    Additional Details: Initial Anonymous HTTP(s) request failed but Anonymous is a supported Authentication Method for this scenario

---------------

Is any of this helping?

April 10th, 2012 6:03pm

Hi,

The internal & external web services should not point to the same FQDN.

And after you have changed either of them, update your Reverse Proxy Configuration.

Regards,

Lisa

April 11th, 2012 5:02am
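Lisa's point above (the internal and external web services must not share one FQDN) and the fix the original poster reports later in the thread (a separate external URL, corrected DNS, and a certificate re-keyed to include it) can be turned into a pre-flight check that is run before touching the reverse proxy. The script below is an added example, not code from the thread or from Microsoft. The `MobilityPublishing` record, the placeholder external name `lyncweb.domain.com` and the 203.0.113.10 address are constructed for illustration; the probe order it simulates is the one the original poster observed (lyncdiscoverinternal first, then lyncdiscover).

```python
"""Pre-flight check for publishing Lync 2010 Mobility through a reverse proxy.

Added example, not from the thread or from Microsoft. It encodes the points
raised in this thread: the internal and external web services FQDNs must
differ, lyncdiscover.<sipdomain> and the external web services FQDN must be
in the reverse-proxy listener certificate and in public DNS, and the mobile
client probes lyncdiscoverinternal before lyncdiscover. The record type,
lyncweb.domain.com and the addresses are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MobilityPublishing:
    """What an admin can collect from the topology, the listener cert and public DNS."""
    sip_domain: str
    internal_web_fqdn: str      # host of McxServiceInternalUri (Get-CsService -WebServer)
    external_web_fqdn: str      # host of McxServiceExternalUri
    listener_san: frozenset     # subjectAltName entries on the reverse-proxy listener cert
    public_dns: dict            # name -> address as resolved from the Internet
    reverse_proxy_ip: str       # address lyncdiscover and the external URL should reach


def autodiscover_probe_order(sip_domain):
    """Names the mobile client tries, in the order observed in the Android log above."""
    return [f"lyncdiscoverinternal.{sip_domain}", f"lyncdiscover.{sip_domain}"]


def probe_from_internet(cfg):
    """Simulate the client's autodiscover lookups against the public DNS view."""
    return [(name, name in cfg.public_dns) for name in autodiscover_probe_order(cfg.sip_domain)]


def check_publishing(cfg):
    """Return (code, message) findings; an empty list means the known pitfalls are absent."""
    findings = []
    if cfg.internal_web_fqdn.lower() == cfg.external_web_fqdn.lower():
        findings.append(("same-fqdn",
                         f"internal and external web services both use {cfg.internal_web_fqdn}; "
                         "external clients are handed a name that only resolves inside"))
    san = {s.lower() for s in cfg.listener_san}
    for name in (f"lyncdiscover.{cfg.sip_domain}", cfg.external_web_fqdn):
        name = name.lower()
        if name not in san:
            findings.append(("san-missing", f"listener certificate has no SAN for {name}"))
        if cfg.public_dns.get(name) != cfg.reverse_proxy_ip:
            findings.append(("dns-missing",
                             f"{name} does not resolve to the reverse proxy "
                             f"({cfg.reverse_proxy_ip}) in public DNS"))
    return findings


# Constructed to mirror the configuration reported in the thread: both web
# services URIs point at pool01.domain.com, which public DNS does not know.
BROKEN = MobilityPublishing(
    sip_domain="domain.com",
    internal_web_fqdn="pool01.domain.com",
    external_web_fqdn="pool01.domain.com",
    listener_san=frozenset({"pool01.domain.com", "lyncdiscover.domain.com",
                            "lyncdiscoverinternal.domain.com"}),
    public_dns={"lyncdiscover.domain.com": "203.0.113.10"},
    reverse_proxy_ip="203.0.113.10",
)

# Constructed fix: a distinct external name (lyncweb.domain.com is a placeholder),
# added to the listener certificate and to public DNS.
FIXED = MobilityPublishing(
    sip_domain="domain.com",
    internal_web_fqdn="pool01.domain.com",
    external_web_fqdn="lyncweb.domain.com",
    listener_san=BROKEN.listener_san | {"lyncweb.domain.com"},
    public_dns={**BROKEN.public_dns, "lyncweb.domain.com": "203.0.113.10"},
    reverse_proxy_ip="203.0.113.10",
)

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, probe_from_internet(cfg))
        for code, msg in check_publishing(cfg):
            print(f"  [{code}] {msg}")
```

For the thread's configuration the check reports `same-fqdn` and a `dns-missing` for pool01.domain.com; after the constructed fix it reports nothing, and the simulated probe shows the client missing lyncdiscoverinternal and landing on lyncdiscover, which is the behaviour expected from outside the network.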

Hi,

Any updates?

Regards,

Lisa

April 13th, 2012 12:10pm

I have the same problem..

I can log in internally but not from external.

I try to browse https://lyncdiscover.domain.com/mcx/mcxservice.svc and get 403 - Forbidden: Access is denied.

lyncdiscover is pointing to TMG, which redirects from 443 to 4443 and sends it to the Frontend.

I have a feeling this error is what stops external users logging in via mobile, but I don't know how to fix it..

April 13th, 2012 5:03pm

Sorry it took so long to reply, I had to add the external web URL to my certificate at the public CA. That took some time.

You were right on the money! Thank you for your help! Once I set the web service to have internal and external URLs, fixed DNS, and re-keyed my certificates to include the new external URL, it came up right away!

Thanks again!

April 13th, 2012 11:45pm

Hi Ramon

I have a few questions:

- How did you set the Web Service to have internal and external URLs?

- What did you fix in DNS?

- What ext URL did you include in your public cert?

I have repeated a number of processes to achieve this, but I don't have a TMG Reverse Proxy in place.

I do, however, have all tests running successfully through my port forwarding etc. and NATting through my firewall via port 443.

Any detail would be good.

Thanks

April 18th, 2013 12:37am

No response received for Web-Ticket service.

Inner Exception:The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'Negotiate,NTLM'.

Inner Exception: The remote server returned an error: (401) Unauthorized.

Please help on this error

January 7th, 2014 9:45pm
