Remote Connectivity Test failed on Port 5061.

Hello,

I'm trying to deploy a Lync Server (Skype for business) at our business. I have 4 Servers:

Pool: SHCIM01.domain.net

Edge: SHDIM01.domain.net

Reverse Proxy: SHDIM02.domain.net

Office Web Apps: SHCIM02.domain.net

I am able to sign into Lync inside and outside of my business on Desktops and Laptops with no issues but not mobile devices. On Mobile devices I get "We can't verify the certificate from the server. Please contact your support team".

When I run the Microsoft Connectivity analyzer with auto discover I get all Green Lights. When I run the analyzer on port 5061 I get the following:

"Testing remote connectivity to Microsoft Lync server through the Lync Access Edge server sip.domain.net on port 5061 to verify user jengelhart@domain.net can connect remotely.
Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
Tell me more about this issue and how to resolve it

Additional Details

Couldn't sign in. Error: Error Message: Unable to establish a connection..
Error Type: ConnectionFailureException.
.
Elapsed Time: 100098 ms."

When I run the Connectivity Analyzer on port 443 I get a warning:

"Analyzing the certificate chains for compatibility problems with versions of Windows.
Potential compatibility problems were identified with some versions of Windows.

Additional Details

The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
Elapsed Time: 2 ms."

Does anyone have any ideas what could be wrong? Please let me know if I can provide more information for troubleshooting.

Thanks.

   

_sipinternaltls._tcp.domain.net -> SHCIM01.domain.net

_sipinternal._tcp.domain.net -> sip.domain.net

_sip._tls.domain.net -> sip.domain.net

_sip._tcp.domain.net -> sip.domain.net

sipinternal.domain.net -> sipinternal.domain.net

sip.domain.net -> sip.domain.net

sipexternal.domain.net -> SHDIM01 IP

sip.domain.net -> SHCIM01 IP

meet.domain.net -> SHCIM01 IP

dialin.domain.net -> SHCIM01 IP

admin.domain.net -> SHCIM01 IP

lyncdiscoverinternal.domain.net -> SHCIM01 IP

Lyncdiscover.domain.net -> External IP of Edge

Edge Cert (SHDIM01):

DNS Name=sip.domain.net (Access Edge Service)
DNS Name=wc.domain.net (Web Services)

Reverse Proxy Cert (SHDIM02):

DNS Name=SIP.domain.net
DNS Name=dialin.domain.net
DNS Name=lyncdiscover.domain.net
DNS Name=meet.domain.net
DNS Name=officewebapps.domain.net

Pool Cert (SHCIM01):

DNS Name=sip.domain.NET
DNS Name=SHCIM01.domain.NET
DNS Name=dialin.domain.net
DNS Name=meet.domain.net
DNS Name=skypeadmin.domain.net
DNS Name=LyncdiscoverInternal.domain.NET
DNS Name=Lyncdiscover.domain.NET




  • Edited by joengelhart Wednesday, June 17, 2015 2:58 AM
June 16th, 2015 4:20pm
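
A name-versus-SAN check over the DNS targets and certificate lists given in the first post, added here as an example (not code from the thread). It assumes each name is answered with the certificate of the server it is listed against; `san_matches` and `uncovered_names` are hypothetical helper names, and the wildcard handling goes beyond the post, which lists no wildcard SANs.

```python
# Added example: inventory transcribed from the first post, names as posted.
EDGE, RP, POOL = "SHDIM01 (Edge)", "SHDIM02 (Reverse Proxy)", "SHCIM01 (Pool)"
CERT_SANS = {
    EDGE: ["sip.domain.net", "wc.domain.net"],
    RP: ["SIP.domain.net", "dialin.domain.net", "lyncdiscover.domain.net",
         "meet.domain.net", "officewebapps.domain.net"],
    POOL: ["sip.domain.NET", "SHCIM01.domain.NET", "dialin.domain.net",
           "meet.domain.net", "skypeadmin.domain.net",
           "LyncdiscoverInternal.domain.NET", "Lyncdiscover.domain.NET"],
}
# Assumption: each name is answered with the certificate of the server
# it is listed against in the post's DNS list.
DNS_TARGETS = {
    "sipexternal.domain.net": EDGE,
    "sip.domain.net": POOL,
    "meet.domain.net": POOL,
    "dialin.domain.net": POOL,
    "admin.domain.net": POOL,
    "lyncdiscoverinternal.domain.net": POOL,
    "Lyncdiscover.domain.net": EDGE,
}

def san_matches(hostname, san):
    """Case-insensitive DNS-name match; '*' may only be the whole left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = san.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False          # a wildcard covers exactly one label
    if pat[0] == "*":
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat

def uncovered_names(dns_targets, cert_sans):
    """Return (name, server) pairs where the server's certificate has no matching SAN."""
    misses = []
    for name, server in dns_targets.items():
        if not any(san_matches(name, s) for s in cert_sans.get(server, [])):
            misses.append((name, server))
    return misses

if __name__ == "__main__":
    for name, server in uncovered_names(DNS_TARGETS, CERT_SANS):
        print(f"{name} -> {server}: no matching SAN on that certificate")
```

A client that validates the server name strictly rejects any connection to a name this check reports, regardless of whether the issuing CA is trusted.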

Just tried the mobile client again and I still get "can't verify the certificate". I just checked my SRV records on GoDaddy and I show I have:

_sipfederationtls._tcp.domain.net pointing to sip.domain.net

_sip._tls.crista.net pointing to sip.domain.net

Sip.domain.net is pointing to my edge server SHDIM01.

Is that not correct?


June 16th, 2015 7:21pm

Any thoughts on how to resolve this... I've been trying to figure it out all morning.

SHDIM02 is my reverse proxy

Farms:

dialin.crista.net

Server -> SHCIM01 

lyncdiscover.crista.net

Server -> SHCIM01

meet.crista.net

Server -> SHCIM01

skype.crista.net

Server -> SHCIM01

All set to port 8080 and 4443. Not sure what has changed since yesterday :(

Cert: skype.crista.net

DNS Name=skype.crista.net

DNS Name=dialin.crista.net

DNS Name=lyncdiscover.crista.net

DNS Name=meet.crista.net

DNS Name=officewebapps.crista.net

  • Edited by joengelhart Wednesday, June 17, 2015 7:24 PM
June 17th, 2015 7:23pm

I do have the root CA cert on the ARR server. Mobile was working from outside my network with no issues. Inside my network I'm getting two different errors:

"We can't sign you in because your organization doesn't support this version of Lync. Please install Lync 2010 from your mobile store"

The other is the typical "Cannot verify cert" error

The reason I say mobile was working is because now I'm getting the "Does not support" message.

The only thing I changed was the DNS entry internal for skype.crista.net to point to the Reverse proxy on the inside.

What is with the flapping results..... :/

June 19th, 2015 8:04pm

If using the mobile device internally you will hit lyncdiscoverinternal.domain.com off your Front End, chances are the mobile device doesn't have your internal Root CA certificate to trust this connection.

After that it will be redirected to use your External Web services url skype.crista.net, make sure you can access https://skype.crista.net internally as your firewall may block hair pinning.

Just to confirm Mobility is now working externally? And what about testconnectivity?

June 19th, 2015 10:33pm

Correct. lyncdiscoverinternal.crista.net resolves to my Front End server. My device does not have the internal Root CA cert on it. I expect to be able to use mobile devices without it. Is that correct?

I am able to get to https://skype.crista.net internally, I just get a 403 forbidden access error.

Correct. Mobility is now working externally without an issue. When I run the Connectivity analyzer under the mobile profile on the outside I pass the HTTPS. For the HTTP I still get "Server discovery failed for secured external channel against https://lyncdiscover.crista.net"

Strange that HTTP fails.

June 19th, 2015 11:19pm

Lyncdiscoverinternal.crista.net does resolve to my Front End Server. My mobile does not have our root cert. I expect to be able to sign in without it?

Skype.crista.net does pull up inside my network I just get a 403 Forbidden Access message.

Mobility is now working externally and when I run the Lync Connectivity Analyzer I get a pass on the HTTPS test but a fail on the HTTP. I'm assuming this is because I don't have a proxy rule setup for HTTP.

 

June 19th, 2015 11:23pm

Looks like you're getting closer.

I see a 500 error for: https://skype.crista.net/Autodiscover/XFrame/XFrame.html which should just load a blank page that says "Hide me".

As for the HTTP tests, I wouldn't worry about that if HTTPS is good.

Internally skype.crista.net has to resolve to the reverse proxy as it has to hit the front end on 4443, so if the record is just pointing directly to the front end internally it will be using 443.

lyncdiscoverinternal.crista.net will be an issue for internal mobile devices if the device doesn't trust the root that is listed on the certificate. Are you able to install this root cert into your device to test?

June 20th, 2015 3:45pm

I've added the internal cert on my mobile and I still get: 

"We can't sign you in because your organization doesn't support this version of Lync. Please install Lync 2010 from your mobile store...."

from the inside and outside. I wasn't having this issue before on the outside. The outside had been working without any issues.

Hair Pinning is enabled for skype.crista.net

Is skype.crista.net pointing to my internal NIC on my RP?

Example:

Server for ReverseProxy:

SHDIM02.crista.net

DMZ NIC: 172.16.1.38

INTERNAL NIC: 10.10.1.38

Internal DNS Skype.crista.net -> 10.10.1.38

Server for FrontEnd:

SHCIM01.crista.net

INTERNAL NIC: 10.10.1.35

Internal DNS lyncdiscoverinternal.crista.net -> 10.10.1.35

I'm confused how I've gone backwards and am unable to connect on mobile from the outside.

Thanks for sticking with me on this


June 22nd, 2015 7:34pm

I have made that change and I'm thinking it's going to work, but my outside Lync Test for mobile is failing again, so something else needs to be changed to get my outside clients working again and then I think my internal will be working...

June 22nd, 2015 9:14pm

Server Farm is as follows:

dialin.crista.net

Server: SHCIM01.CRISTA.NET  

Caching: disk cache is disabled

Proxy: Time-out is 600

Routing Rules: SSL offloading is disabled

lyncdiscover.crista.net

Server: SHCIM01.CRISTA.NET  

Caching: disk cache is disabled

Proxy: Time-out is 600

Routing Rules: SSL offloading is disabled

meet.crista.net

Server: SHCIM01.CRISTA.NET  

Caching: disk cache is disabled

Proxy: Time-out is 600

Routing Rules: SSL offloading is disabled

skype.crista.net

Server: SHCIM01.CRISTA.NET  

Caching: disk cache is disabled

Proxy: Time-out is 600

Routing Rules: SSL offloading is disabled

.

URL rewrite is as follows:

.

lyncdiscover.crista.net_loadbalacnce_SSL

Input: URL Path

Match: Matches

Pattern: (.*)

Action Type: Rewrite

Action URL: https://lyncdiscover.crista.net/{R:0}

Stop Processing: True

skype.crista.net_loadbalacnce_SSL

Input: URL Path

Match: Matches

Pattern: (.*)

Action Type: Rewrite

Action URL: https://skype.crista.net/{R:0}

Stop Processing: True

dialin.crista.net_loadbalacnce_SSL

Input: URL Path

Match: Matches

Pattern: (.*)

Action Type: Rewrite

Action URL: https://lyncdiscover.crista.net/{R:0}

Stop Processing: True

meet.crista.net_loadbalacnce_SSL

Input: URL Path

Match: Matches

Pattern: (.*)

Action Type: Rewrite

Action URL: Https://meet.crista.net/{R:0}

Stop Processing: True

On my laptop outside my network I'm getting a 403 - Forbidden: Access is denied





June 23rd, 2015 6:46pm

This topic is archived. No further replies will be accepted.
