Remote Connectivity Test failed on Port 5061.

Hello,

I'm trying to deploy a Lync Server (Skype for business) at our business. I have 4 Servers:

Pool: SHCIM01.domain.net

Edge: SHDIM01.domain.net

Reverse Proxy: SHDIM02.domain.net

Office Web Apps: SHCIM02.domain.net

I am able to sign into Lync inside and outside of my business on Desktops and Laptops with no issues but not mobile devices. On Mobile devices I get "We can't verify the certificate from the server. Please contact your support team".

When I run the Microsoft Connectivity analyzer with auto discover I get all Green Lights. When I run the analyzer on port 5061 I get the following:

"Testing remote connectivity to Microsoft Lync server through the Lync Access Edge server sip.domain.net on port 5061 to verify user jengelhart@domain.net can connect remotely.
Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
Tell me more about this issue and how to resolve it

Additional Details

Couldn't sign in. Error: Error Message: Unable to establish a connection..
Error Type: ConnectionFailureException.
.
Elapsed Time: 100098 ms."

When I run the Connectivity Analyzer on port 443 I get a warning:

"Analyzing the certificate chains for compatibility problems with versions of Windows.
Potential compatibility problems were identified with some versions of Windows.

Additional Details

The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
Elapsed Time: 2 ms."

Does anyone have any ideas what could be wrong? Please let me know if I can provide more information for troubleshooting.

Thanks.

   

_sipinternaltls._tcp.domain.net -> SHCIM01.domain.net

_sipinternal._tcp.domain.net -> sip.domain.net

_sip._tls.domain.net -> sip.domain.net

_sip._tcp.domain.net -> sip.domain.net

sipinternal.domain.net -> sipinternal.domain.net

sip.domain.net -> sip.domain.net

sipexternal.domain.net -> SHDIM01 IP

sip.domain.net -> SHCIM01 IP

meet.domain.net -> SHCIM01 IP

dialin.domain.net -> SHCIM01 IP

admin.domain.net -> SHCIM01 IP

lyncdiscoverinternal.domain.net -> SHCIM01 IP

Lyncdiscover.domain.net -> External IP of Edge

Edge Cert (SHDIM01):

DNS Name=sip.domain.net (Access Edge Service)
DNS Name=wc.domain.net (Web Services)

Reverse Proxy Cert (SHDIM02):

DNS Name=SIP.domain.net
DNS Name=dialin.domain.net
DNS Name=lyncdiscover.domain.net
DNS Name=meet.domain.net
DNS Name=officewebapps.domain.net

Pool Cert (SHCIM01):

DNS Name=sip.domain.NET
DNS Name=SHCIM01.domain.NET
DNS Name=dialin.domain.net
DNS Name=meet.domain.net
DNS Name=skypeadmin.domain.net
DNS Name=LyncdiscoverInternal.domain.NET
DNS Name=Lyncdiscover.domain.NET




June 17th, 2015 12:32pm

If you go to https://lyncdiscover.domain.net externally, you will see xml output redirecting the mobile device to the Front End Lync External Web Services FQDN defined in the Topology, yours looks to be skype.domain.net. This name needs to be on the External SSL certificate and an External A record pointing to the same IP used for Meet/dial/lyncdiscover.

Note in your original post you included your domain name "Testing remote connectivity to Microsoft ... " I've removed that name from my response as it looks like you were trying to hide that info.

June 17th, 2015 1:28pm

Appreciate the reply!

Oh well about hiding the domain, I tried! :) thanks for letting me know!

That makes more sense. Does the External A record point to the Reverse proxy IP or the Edge Server? On the Cert for the Subject name Microsoft says "the Subject name you will use for the reverse proxy". I'm still a little confused. 

Thanks for the help

June 17th, 2015 2:34pm

The External A record for your external Front End web services (skype.domain.net) would point to the Reverse Proxy IP matching meet/dialin/lyncdiscover. Skype.domain.net also needs to be in the Reverse proxy Certificate's SA

June 17th, 2015 2:42pm
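The SAN requirement discussed in the replies above can be checked mechanically. The following is an added example, not code from the thread or from Microsoft: it compares the names a mobile client is sent to against a certificate's DNS SAN entries. The function names are hypothetical, the sample lists are constructed from the thread's placeholder names, and skype.domain.net is assumed to be the external web services FQDN as the reply suggests.

```python
import socket
import ssl

# Constructed sample data using the thread's placeholder names.
# SAN list of the reverse proxy certificate as first posted:
PROXY_SAN_BEFORE = ["SIP.domain.net", "dialin.domain.net",
                    "lyncdiscover.domain.net", "meet.domain.net",
                    "officewebapps.domain.net"]
# Names a mobile client reaches through the reverse proxy, per the replies
# (skype.domain.net = assumed external web services FQDN):
REQUIRED = ["lyncdiscover.domain.net", "meet.domain.net",
            "dialin.domain.net", "skype.domain.net"]


def name_matches(pattern, host):
    """Case-insensitive match; a leading '*.' covers exactly one label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == host


def missing_names(required, san_dns_names):
    """Return the required FQDNs that no SAN entry covers."""
    return [name for name in required
            if not any(name_matches(san, name) for san in san_dns_names)]


def fetch_san_dns_names(host, port=443, timeout=5.0):
    """Read the DNS SAN entries a live listener presents (needs network).

    The chain is still validated against the local trust store, so an
    untrusted issuer raises ssl.SSLCertVerificationError. Only the built-in
    hostname check is switched off, so that a certificate missing the name
    can still be read and reported by missing_names().
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]


if __name__ == "__main__":
    # Offline run against the constructed sample.
    print("not covered by SAN:", missing_names(REQUIRED, PROXY_SAN_BEFORE))
```

Against a live deployment, pass the result of fetch_san_dns_names() for each external name as the second argument to missing_names().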

Thanks for getting back to me.

If I'm understanding correctly this is what I have done:

I have set the A record for skype.domain.net to point to the reverse Proxy IP. I also reissued my cert with the following:

CN: skype.domain.net

DNS Name=Skype.crista.net
DNS Name=dialin.crista.net
DNS Name=lyncdiscover.crista.net
DNS Name=meet.crista.net
DNS Name=officewebapps.crista.net

Should I have a Server Farm that points skype.domain.net to anything?

As you can see I have gotten myself lost

June 17th, 2015 2:56pm

The reverse proxy should send skype.domain.net (443) to the front end on port 4443 internally just like dialin/meet/lyncdiscover
June 17th, 2015 3:00pm

Hmm I have all the set right but I'm getting:

  Testing the SSL certificate to make sure it's valid.
  The SSL certificate failed one or more certificate validation checks.
 
Additional Details
 
Elapsed Time: 95 ms.
 
Test Steps
 
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server sip.domain.net on port 5061.
  The Microsoft Connectivity Analyzer wasn't able to obtain the remote SSL certificate.
 
Additional Details
 
The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
Elapsed Time: 49 ms.

Thoughts? Thanks for your time

June 17th, 2015 3:06pm

Have you tried the mobile client again?

Also looks like you don't have the following external srv records:

  Checking Lync SRV records.

    _sip._tls.crista.net:

       No record found

       

    _sipfederationtls._tcp.crista.net:

       No record found

June 17th, 2015 3:13pm

Just tried the mobile client again and I still get "can't verify the certificate". I just checked my SRV records on GoDaddy and I show I have

_sipfederationtls._tcp.domain.net pointing to sip.domain.net

_sip._tls.crista.net pointing to sip.domain.net

Sip.domain.net is pointing to my edge server SHDIM01.

Is that not correct?


June 17th, 2015 3:33pm

I re-ran the test and now I'm getting


Testing remote connectivity for user jengelhart@domain.net to the Microsoft Lync server.
Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
Tell me more about this issue and how to resolve it

Additional Details

Couldn't sign in. Error: Error Message: Unable to establish a connection..
Error Type: ConnectionFailureException.
.
Elapsed Time: 100221 ms.

June 17th, 2015 3:39pm

Not seeing the SRV records yet, but yes the srv records should point to sip.crista.net, which resolves to the ip of your access service on your edge server.

Make sure the ports in the srv are correct: https://technet.microsoft.com/en-us/library/jj205025(v=ocs.15).as

June 17th, 2015 3:39pm

You can ignore the warning about the certificate chains from the MS Test site, looking at http://digicert.com/help shows the chains are good.

Make sure your user account used in the testing has remote access: https://technet.microsoft.com/en-us/library/gg520995(v=ocs.15).aspx

Also check the mobility policy: https://technet.microsoft.com/en-us/library/hh690018(v=ocs.15).aspx

June 17th, 2015 3:44pm

http://mxtoolbox.com/SuperTool.aspx?action=srv%3a_sip._tls.crista.net&run=networktools still not seeing your srv records.
June 17th, 2015 3:49pm

I did have a port incorrectly set to 5061 instead of 443. They now read

_sipfederationtls._tcp.domain.net 5061 pointing to sip.domain.net

_sip._tls.crista.net 443 pointing to sip.domain.net

I'm getting two different results at the moment when running the Analyzer tool

This one:

Testing remote connectivity for user jengelhart@domain.net to the Microsoft Lync server.
Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
Tell me more about this issue and how to resolve it

Additional Details

Couldn't sign in. Error: Error Message: Unable to establish a connection..
Error Type: ConnectionFailureException.
.
Elapsed Time: 100221 ms.

And other times I get this:

  Testing the SSL certificate to make sure it's valid.
  The SSL certificate failed one or more certificate validation checks.
 
Additional Details
 
Elapsed Time: 95 ms.
 
Test Steps
 
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server sip.domain.net on port 5061.
  The Microsoft Connectivity Analyzer wasn't able to obtain the remote SSL certificate.
 
Additional Details
 
The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
Elapsed Time: 49 ms.

June 17th, 2015 4:04pm
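The port mix-up described in the post above is easy to catch by checking the published SRV answers against the expected values. This is an added example, not part of the thread: it parses SRV lines in zone-file form (as printed by dig) and reports missing records, wrong ports and wrong targets. The function names, the EXPECTED table layout and the sample records are constructed for illustration; the ports 443 and 5061 and the sip target are the ones given in the thread.

```python
# Expected external records per the thread: owner prefix -> (port, target host)
EXPECTED = {
    "_sip._tls": (443, "sip"),
    "_sipfederationtls._tcp": (5061, "sip"),
}

# Constructed sample answers using the thread's placeholder domain.
BROKEN = ["_sip._tls.domain.net. 3600 IN SRV 0 0 5061 sip.domain.net."]
FIXED = [
    "_sip._tls.domain.net. 3600 IN SRV 0 0 443 sip.domain.net.",
    "_sipfederationtls._tcp.domain.net. 3600 IN SRV 0 0 5061 sip.domain.net.",
]


def parse_srv(line):
    """Parse '<owner> <ttl> IN SRV <priority> <weight> <port> <target>'."""
    fields = line.split()
    if (len(fields) != 8 or fields[2].upper() != "IN"
            or fields[3].upper() != "SRV"):
        raise ValueError("not an SRV record: %r" % line)
    owner = fields[0].rstrip(".").lower()
    target = fields[7].rstrip(".").lower()
    return owner, int(fields[6]), target


def check_srv(lines, sip_domain):
    """Return a list of problems; an empty list means the records match."""
    sip_domain = sip_domain.lower().rstrip(".")
    found = {}
    for line in lines:
        # Skip blank lines and ';' comments that dig prints around answers.
        if line.strip() and not line.lstrip().startswith(";"):
            owner, port, target = parse_srv(line)
            found[owner] = (port, target)
    problems = []
    for prefix, (want_port, host) in EXPECTED.items():
        owner = "%s.%s" % (prefix, sip_domain)
        want_target = "%s.%s" % (host, sip_domain)
        if owner not in found:
            problems.append("%s: no record found" % owner)
            continue
        port, target = found[owner]
        if port != want_port:
            problems.append("%s: port %d, expected %d"
                            % (owner, port, want_port))
        if target != want_target:
            problems.append("%s: target %s, expected %s"
                            % (owner, target, want_target))
    return problems


if __name__ == "__main__":
    for problem in check_srv(BROKEN, "domain.net"):
        print(problem)
```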

just to confirm

_sipfederationtls._tcp.domain.net 5061 pointing to sip.domain.net

_sip._tls.crista.net 443 pointing to sip.domain.net

you actually mean

_sipfederationtls._tcp.domain.net 5061 pointing to sip.crista.net

_sip._tls.crista.net 443 pointing to sip.crista.net

June 17th, 2015 4:12pm

Correct. Sip.crista.net

Service records look like they are working now. Small typo. Looked a million times and didn't catch it in godaddy

June 17th, 2015 4:23pm

Geez. It's working now. I get a pass on 5061 with just a warning about the cert chain.

Still no go on the mobile. Thanks for hanging around and helping me out

June 17th, 2015 4:25pm

SRV and autodiscover looks good, when you run the testconnectivity again what do you see under: Testing remote connectivity for user jengelhart@crista.net to the Microsoft Lync server?

Any luck with mobile sign in?

June 17th, 2015 4:27pm

I'm getting mixed results now. A second ago I had all green. Now I'm getting:

Testing remote connectivity for user jengelhart@crista.net to the Microsoft Lync server.
  Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
  Tell me more about this issue and how to resolve it
 
Additional Details
 
Couldn't sign in. Error: Error Message: The operation failed after several attempts..
Error Type: RegisterException.
Deregister Reason: None.
.
Elapsed Time: 337 ms.

June 17th, 2015 4:29pm

DNS could still be replicating, what about from the phone?
June 17th, 2015 4:32pm

Phone is still giving me the same crap about 

"we can't verify the certificate from the server"

I have the Connectivity Analyzer installed on my computer and ran it as Network Access External (I'm on a 4g unit) with "Lync Mobile 2013 App" selected and I get:

Starting automatic discovery for secure (HTTPS) external channel

server discovery failed for secured external channel against https://lyncdiscover.crista.net

Starting automatic discovery for unsecure (HTTP) external channel

server discovery failed for unsecured external channel against http://lyncdiscover.crista.net

I tried putting in the server address just to be sure it wasn't an autodiscovery thing and I still get the same error.

This thing is a beast

June 17th, 2015 4:39pm

Have you applied the latest CU to your servers? https://support.microsoft.com/en-us/kb/2809243 if running RTM you'll have issues with the Lync Mobility 2013 client.

June 17th, 2015 4:43pm

I tried to do that earlier. Maybe I'm not understanding how to use the tool but when I run it, it just comes up blank with a grayed out "Install Updates" option...I'm fully patched?
June 17th, 2015 4:57pm

Are you seeing green checks for latest version when running the update installer (Edge and front end)?
June 17th, 2015 5:09pm

I actually don't see anything. Here is what I get:

http://postimg.org/image/t9q1n8z9b/

June 17th, 2015 6:01pm

Can you confirm that I don't need to install any sort of cert on my mobile device?
June 17th, 2015 6:14pm

Hi joengelhart,

 

Please run Test-CsDatabase cmdlet to check if the databases are up-to-date.

The tables below list the back end database versions for RTM as well as each cumulative update:


 

In addition, please try to install the root certificate of COMODO on the Mobile and then test if the Lync works.

 

Best regards,

Eric

June 17th, 2015 10:57pm

I see some numbers match some numbers don't....

Thanks,

Josh

SqlServerFqdn            : SHCIM01.CRISTA.NET
SqlInstanceName          : rtc
DatabaseName             : rtcxds
DatabaseHighAvailability : None
DataSource               : SHCIM01.CRISTA.NET\rtc
SQLServerVersion         : 12.0.2000 RTM Express Edition (64-bit)
ExpectedVersion          : 15.13.9
InstalledVersion         : 15.13.9
Succeed                  : True

SqlServerFqdn            : SHCIM01.CRISTA.NET
SqlInstanceName          : rtc
DatabaseName             : rtcshared
DatabaseHighAvailability : None
DataSource               : SHCIM01.CRISTA.NET\rtc
SQLServerVersion         : 12.0.2000 RTM Express Edition (64-bit)
ExpectedVersion          : 5.0.1
InstalledVersion         : 5.0.1
Succeed                  : True

SqlServerFqdn            : SHCIM01.CRISTA.NET
SqlInstanceName          : rtc
DatabaseName             : rtcab
DatabaseHighAvailability : None
DataSource               : SHCIM01.CRISTA.NET\rtc
SQLServerVersion         : 12.0.2000 RTM Express Edition (64-bit)
ExpectedVersion          : 62.42.12
InstalledVersion         : 62.42.12
Succeed                  : True

SqlServerFqdn            : SHCIM01.CRISTA.NET
SqlInstanceName          : rtc
DatabaseName             : rgsconfig
DatabaseHighAvailability : None
DataSource               : SHCIM01.CRISTA.NET\rtc
SQLServerVersion         : 12.0.2000 RTM Express Edition (64-bit)
ExpectedVersion          : 5.5.1
InstalledVersion         : 5.5.1
Succeed                  : True

SqlServerFqdn            : SHCIM01.CRISTA.NET
SqlInstanceName          : rtc
DatabaseName             : rgsdyn
DatabaseHighAvailability : None
DataSource               : SHCIM01.CRISTA.NET\rtc
SQLServerVersion         : 12.0.2000 RTM Express Edition (64-bit)
ExpectedVersion          : 2.2.1
InstalledVersion         : 2.2.1
Succeed                  : True

SqlServerFqdn            : SHCIM01.CRISTA.NET
SqlInstanceName          : rtc
DatabaseName             : cpsdyn
DatabaseHighAvailability : None
DataSource               : SHCIM01.CRISTA.NET\rtc
SQLServerVersion         : 12.0.2000 RTM Express Edition (64-bit)
ExpectedVersion          : 1.1.2
InstalledVersion         : 1.1.2
Succeed                  : True

SqlServerFqdn            : SHCIM01.CRISTA.NET
SqlInstanceName          : rtc
DatabaseName             : xds
DatabaseHighAvailability : None
DataSource               : SHCIM01.CRISTA.NET\rtc
SQLServerVersion         : 12.0.2000 RTM Express Edition (64-bit)
ExpectedVersion          : 10.15.4
InstalledVersion         : 10.15.4
Succeed                  : True

SqlServerFqdn            : SHCIM01.CRISTA.NET
SqlInstanceName          : rtc
DatabaseName             : lis
DatabaseHighAvailability : None
DataSource               : SHCIM01.CRISTA.NET\rtc
SQLServerVersion         : 12.0.2000 RTM Express Edition (64-bit)
ExpectedVersion          : 3.1.1
InstalledVersion         : 3.1.1
Succeed                  : True

SqlServerFqdn            :
SqlInstanceName          : rtc
DatabaseName             : mgc
DatabaseHighAvailability : None
DataSource               : SHCIM01.CRISTA.NET\rtc
SQLServerVersion         : 12.0.2000 RTM Express Edition (64-bit)
ExpectedVersion          : 1.42.1
InstalledVersion         : 1.42.1
Succeed                  : True

SqlServerFqdn            : (local)
SqlInstanceName          : rtclocal
DatabaseName             : rtc
DatabaseHighAvailability : None
DataSource               : (local)\rtclocal
SQLServerVersion         : 12.0.2000 RTM Express Edition (64-bit)
ExpectedVersion          : 125.34.20
InstalledVersion         : 125.34.20
Succeed                  : True

SqlServerFqdn            : (local)
SqlInstanceName          : lynclocal
DatabaseName             : lyss
DatabaseHighAvailability : None
DataSource               : (local)\lynclocal
SQLServerVersion         : 12.0.2000 RTM Express Edition (64-bit)
ExpectedVersion          : 12.36.5
InstalledVersion         : 12.36.5
Succeed                  : True

SqlServerFqdn            : (local)
SqlInstanceName          : rtclocal
DatabaseName             : xds
DatabaseHighAvailability : None
DataSource               : (local)\rtclocal
SQLServerVersion         : 12.0.2000 RTM Express Edition (64-bit)
ExpectedVersion          : 10.15.4
InstalledVersion         : 10.15.4
Succeed                  : True

June 17th, 2015 11:14pm

This topic is archived. No further replies will be accepted.
