Remote Connectivity Test failed on Port 5061.

Hello,

I'm trying to deploy a Lync Server (Skype for business) at our business. I have 4 Servers:

Pool: SHCIM01.domain.net

Edge: SHDIM01.domain.net

Reverse Proxy: SHDIM02.domain.net

Office Web Apps: SHCIM02.domain.net

I am able to sign into Lync inside and outside of my business on Desktops and Laptops with no issues but not mobile devices. On Mobile devices I get "We can't verify the certificate from the server. Please contact your support team".

When I run the Microsoft Connectivity analyzer with auto discover I get all Green Lights. When I run the analyzer on port 5061 I get the following:

"Testing remote connectivity to Microsoft Lync server through the Lync Access Edge server sip.domain.net on port 5061 to verify user jengelhart@domain.net can connect remotely.
Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
Tell me more about this issue and how to resolve it

Additional Details

Couldn't sign in. Error: Error Message: Unable to establish a connection..
Error Type: ConnectionFailureException.
.
Elapsed Time: 100098 ms."

When I run the connectivity Analyzer on port 443 I get a warning:

"Analyzing the certificate chains for compatibility problems with versions of Windows.
Potential compatibility problems were identified with some versions of Windows.

Additional Details

The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
Elapsed Time: 2 ms."

Does anyone have any ideas what could be wrong? Please let me know if I can provide more information for troubleshooting.

Thanks.

   

_sipinternaltls._tcp.domain.net -> SHCIM01.domain.net

_sipinternal._tcp.domain.net -> sip.domain.net

_sip._tls.domain.net -> sip.domain.net

_sip._tcp.domain.net -> sip.domain.net

sipinternal.domain.net -> sipinternal.domain.net

sip.domain.net -> sip.domain.net

sipexternal.domain.net -> SHDIM01 IP

sip.domain.net -> SHCIM01 IP

meet.domain.net -> SHCIM01 IP

dialin.domain.net -> SHCIM01 IP

admin.domain.net -> SHCIM01 IP

lyncdiscoverinternal.domain.net -> SHCIM01 IP

Lyncdiscover.domain.net -> External IP of Edge

Edge Cert (SHDIM01):

DNS Name=sip.domain.net (Access Edge Service)
DNS Name=wc.domain.net (Web Services)

Reverse Proxy Cert (SHDIM02):

DNS Name=SIP.domain.net
DNS Name=dialin.domain.net
DNS Name=lyncdiscover.domain.net
DNS Name=meet.domain.net
DNS Name=officewebapps.domain.net

Pool Cert (SHCIM01):

DNS Name=sip.domain.NET
DNS Name=SHCIM01.domain.NET
DNS Name=dialin.domain.net
DNS Name=meet.domain.net
DNS Name=skypeadmin.domain.net
DNS Name=LyncdiscoverInternal.domain.NET
DNS Name=Lyncdiscover.domain.NET




  • Edited by joengelhart Wednesday, June 17, 2015 2:58 AM
June 16th, 2015 4:20pm
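A cross-check of the DNS targets and certificate names listed in the post above, as an added example that is not part of the original thread: it reports every name whose target server's certificate does not list it as a DNS name. The SAN lists and DNS targets are copied from the post (domain.net is the poster's placeholder); the `edge`/`pool` labels and function names are assumptions introduced here.

```python
# Added example. SAN lists and DNS targets are copied from the first post
# (domain.net is the poster's placeholder); "edge"/"pool" are labels added here.
CERT_SANS = {
    "edge": ["sip.domain.net", "wc.domain.net"],
    "pool": ["sip.domain.NET", "SHCIM01.domain.NET", "dialin.domain.net",
             "meet.domain.net", "skypeadmin.domain.net",
             "LyncdiscoverInternal.domain.NET", "Lyncdiscover.domain.NET"],
}
DNS_TARGETS = {
    "sipexternal.domain.net": "edge",        # -> SHDIM01 IP
    "Lyncdiscover.domain.net": "edge",       # -> External IP of Edge
    "sip.domain.net": "pool",                # -> SHCIM01 IP
    "meet.domain.net": "pool",
    "dialin.domain.net": "pool",
    "admin.domain.net": "pool",
    "lyncdiscoverinternal.domain.net": "pool",
}


def san_matches(hostname, san):
    """Case-insensitive dNSName match; '*' may replace only the whole left-most label."""
    host = hostname.lower().rstrip(".")
    pattern = san.lower().rstrip(".")
    if pattern.startswith("*."):
        _, _, parent = host.partition(".")
        return bool(parent) and parent == pattern[2:]
    return host == pattern


def uncovered_names(dns_targets, cert_sans):
    """Return (name, server) pairs where the server's certificate does not list the name."""
    missing = []
    for name, server in dns_targets.items():
        if not any(san_matches(name, san) for san in cert_sans[server]):
            missing.append((name.lower(), server))
    return sorted(missing)


if __name__ == "__main__":
    for name, server in uncovered_names(DNS_TARGETS, CERT_SANS):
        print(f"{name}: not in the {server} certificate's SAN list")
```

A reported name only matters for TLS validation if clients actually connect to that server using that name.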

Just tried the mobile client again and I still get "can't verify the certificate" I just checked my SRV records on Godaddy and I show I have 

_sipfederationtls._tcp.domain.net pointing to sip.domain.net

_sip._tls.crista.net pointing to sip.domain.net

Sip.domain.net is pointing to my edge server SHDIM01.

Is that not correct?


June 16th, 2015 7:21pm

Hi joengelhart,

 

Looks like it's a Skype for Business Server. There's no SfB Server update released yet.

I suggest you can install the certificate on the mobile and check if this is the problem.

 

Best regards,

Eric


June 17th, 2015 4:40am

Have you confirmed the policies under the Control Panel - Federation And External Access (External Access Policy & Access Edge Configuration)?
June 17th, 2015 10:55am

I have confirmed the policies are enabled on my global policy.

June 17th, 2015 12:58pm

I installed the Comodo root cert and I still got a certificate error. However, I installed my internal IM server (Front-End) certificate on my phone and now I get:

Lync is attempting to redirect you to:

Issued By:: **Internal Root Server**

Subject:: SHCIM01.crista.net

Expires:: Date

Signature Algorithm:: Algorithm

When I click continue it takes me back to the sign in page with "An error occurred in Lync. Please retry."

Not sure if this means anything. Just seems odd.

June 17th, 2015 1:02pm

When trying to sign in using the mobile client, are you using the advanced settings and also adding your domain\userid for the user name?
June 17th, 2015 1:36pm

Hey, quick test against https://lyncdiscover.crista.net shows generic IIS page and not the expected JSON. Your Reverse Proxy mapping to Lync server is not correct at this moment.

Word of advice - always try to configure Mobility by starting via Internet connection and not internal (corp Wi-Fi). You will figure why later :-)

Drago

June 17th, 2015 2:01pm

Nice catch Drago, lyncdiscover was working prior but was returning a web service url that didn't exist on the cert or external dns.
June 17th, 2015 2:10pm

It was working yesterday. I'm starting to think I have a routing or firewall issue...My dual NICs in DNS are configured wrong or something :/ 
June 17th, 2015 2:19pm

Any thoughts on how to resolve this....I've been trying to figure it out all morning

SHDIM02 is my reverse proxy

Farms:

dialin.crista.net

Server -> SHCIM01 

lyncdiscover.crista.net

Server -> SHCIM01

meet.crista.net

Server -> SHCIM01

skype.crista.net

Server -> SHCIM01

All set to port 8080 and 4443. Not sure what has changed since yesterday :(

Cert: skype.crista.net

DNS Name=skype.crista.net

DNS Name=dialin.crista.net

DNS Name=lyncdiscover.crista.net

DNS Name=meet.crista.net

DNS Name=officewebapps.crista.net

June 17th, 2015 3:25pm

Are you using IIS arr? Take a look at: http://masteringlync.com/2013/02/12/using-iis-application-request-routing-arr-as-a-tmg-replacement/
June 17th, 2015 3:46pm

Yep IIS arr. My config is setup the exact same way.
June 17th, 2015 3:53pm

some tips for trouble shooting IIS ARR: http://blogs.technet.com/b/saleesh_nv/archive/2015/02/19/lync-2013-mobility-troubleshooting-tips.aspx
June 17th, 2015 4:05pm

When I go to https://crista.net/autodiscover/autodiscoverservice.svc/root/ on the outside I get the root.json download

Am I correct in the fact that this was working yesterday? I went through the troubleshooting and everything checks out.....

June 17th, 2015 4:44pm

you should get the xml file if you just hit https://lyncdiscover.crista.net but instead there's a windows iis welcome page.

I do see the correct xml if I hit: https://lyncdiscover.crista.net/autodiscover/autodiscoverservice.svc/root/

and when I hit: https://skype.crista.net/Autodiscover/XFrame/XFrame.html I get a 502

June 17th, 2015 4:50pm

Resolved the issue. Now I'm back to getting the root.json from lyncdiscover.crista.net. My mobile device is now just giving me a "Can't reach server" DNS issue? Should skype.crista.net be pointing to my Reverse proxy or my edge server? I see mixed things around the internet.
June 17th, 2015 6:02pm

skype.crista.net should point to the reverse proxy IP (same as meet/dialin/lyncdiscover). I'm still seeing a 502 error hitting https://skype.crista.net/Autodiscover/XFrame/XFrame.html that needs to be corrected. 
June 17th, 2015 6:09pm

Hmm I see the same thing. I'm digging around online to see what would be the cause of that.....
June 17th, 2015 7:25pm

Something else must be screwy. When I go to the meeting URL from outside I get the IIS page as well.... Not too sure what the issue is at this point as everything lines up. I'm not sure why the Proxy is passing through lyncdiscover now but not the meet URLs.
June 17th, 2015 8:03pm

Maybe the IIS ARR server is having issues resolving SHCIM01 to the correct IP? Also check if your internal root CA certificate is installed on the IIS ARR server.
June 17th, 2015 10:11pm

So I made some changes on the internal DNS. Now on Mobile internally and externally I am now getting this error:

"We can't sign you in because your organization doesn't support this version of Lync. Please install Lync 2010 from your mobile store....

Really... :/

Internal DNS:

Lyncdiscoverinternal.crista.net -> pointing to front end server

Skype.crista.net -> pointing to Reverse Proxy

Correct right?

June 22nd, 2015 3:06pm

Correct but the mobile device needs to trust the certificate used for lyncdiscoverinternal and your firewall must allow hair pinning for skype.crista.net
June 22nd, 2015 3:09pm

I've added the internal cert on my mobile and I still get: 

"We can't sign you in because your organization doesn't support this version of Lync. Please install Lync 2010 from your mobile store....'

from the inside and outside. I wasn't having this issue before on the outside. The outside had been working without any issues.

Hair Pinning is enabled for skype.crista.net

is skype.crista.net pointing to my internal NIC on my RP?

Example:

Server for ReverseProxy:

SHDIM02.crista.net

DMZ NIC: 172.16.1.38

INTERNAL NIC: 10.10.1.38

Internal DNS Skype.crista.net -> 10.10.1.38

Server for FrontEnd:

SHCIM01.crista.net

INTERNAL NIC: 10.10.1.35

Internal DNS lyncdiscoverinternal.crista.net -> 10.10.1.35

I'm confused how I've gone backwards and am unable to connect on mobile from the outside.

Thanks for sticking with me on this


June 22nd, 2015 3:38pm

skype.crista.net should point to the public IP of your reverse proxy, this is why hair pinning needs to be allowed on the firewall.
June 22nd, 2015 3:54pm

I have made that change and I'm thinking it's going to work but my outside Lync Test for mobile is failing again so something else needs to be changed to get my outside clients working again and then I think my internal will be working...

June 22nd, 2015 5:17pm

Server Farm is as follows:

dialin.crista.net

Server: SHCIM01.CRISTA.NET  

Caching: disk cache is disabled

Proxy: Time-out is 600

Routing Rules: SSL offloading is disabled

lyncdiscover.crista.net

Server: SHCIM01.CRISTA.NET  

Caching: disk cache is disabled

Proxy: Time-out is 600

Routing Rules: SSL offloading is disabled

meet.crista.net

Server: SHCIM01.CRISTA.NET  

Caching: disk cache is disabled

Proxy: Time-out is 600

Routing Rules: SSL offloading is disabled

skype.crista.net

Server: SHCIM01.CRISTA.NET  

Caching: disk cache is disabled

Proxy: Time-out is 600

Routing Rules: SSL offloading is disabled

.

URL rewrite is as follows:

.

lyncdiscover.crista.net_loadbalacnce_SSL

Input: URL Path

Match: Matches

Pattern: (.*)

Action Type: Rewrite

Action URL: https://lyncdiscover.crista.net/{R:0}

Stop Processing: True

skype.crista.net_loadbalacnce_SSL

Input: URL Path

Match: Matches

Pattern: (.*)

Action Type: Rewrite

Action URL: https://skype.crista.net/{R:0}

Stop Processing: True

dialin.crista.net_loadbalacnce_SSL

Input: URL Path

Match: Matches

Pattern: (.*)

Action Type: Rewrite

Action URL: https://lyncdiscover.crista.net/{R:0}

Stop Processing: True

meet.crista.net_loadbalacnce_SSL

Input: URL Path

Match: Matches

Pattern: (.*)

Action Type: Rewrite

Action URL: Https://meet.crista.net/{R:0}

Stop Processing: True

On my laptop outside my network I'm getting a 403 - Forbidden: Access is denied





June 23rd, 2015 6:46pm

This topic is archived. No further replies will be accepted.
