Remote Connectivity Test failed on Port 5061.

Hello,

I'm trying to deploy a Lync Server (Skype for business) at our business. I have 4 Servers:

Pool: SHCIM01.domain.net

Edge: SHDIM01.domain.net

Reverse Proxy: SHDIM02.domain.net

Office Web Apps: SHCIM02.domain.net

I am able to sign into Lync inside and outisde of my business on Desktops and Laptops with no issues but not mobile devices. On Mobile devices I get "We can't verify the certificate from the server. Please contact your support team".

When I run the Microsoft Connectivity analyzer with auto discover I get all Green Lights. When I run the analyzer on port 5061 I get the following:

"Testing remote connectivity to Microsoft Lync server through the Lync Access Edge server sip.domain.net on port 5061 to verify user jengelhart@domain.net can connect remotely.
Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
Tell me more about this issue and how to resolve it

Additional Details

Couldn't sign in. Error: Error Message: Unable to establish a connection..
Error Type: ConnectionFailureException.
.
Elapsed Time: 100098 ms."

When I run the connectivity Anazlyzer on port 443 I get a warning:

"Analyzing the certificate chains for compatibility problems with versions of Windows.
Potential compatibility problems were identified with some versions of Windows.

Additional Details

The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
Elapsed Time: 2 ms."

Does any one have any ideas what could be wrong? Please let me know if  I can provide more information for troubleshooting.

Thanks.

   

_sipinternaltls._tcp.domain.net -> SHCIM01.domain.net

_sipinternal._tcp.domain.net -> sip.domain.net

_sip._tls.domain.net -> sip.domain.net

_sip._tcp.domain.net -> sip.domain.net

sipinternal.domain.net -> sipinternal.domain.net

sip.domain.net -> sip.domain.net

sipexternal.domain.net -> SHDIM01 IP

sip.domain.net -> SHCIM01 IP

meet.domain.net -> SHCIM01 IP

dialin.domain.net -> SHCIM01 IP

admin.domain.net -> SHCIM01 IP

lyncdiscoverinternal.domain.net -> SHCIM01 IP

Lyncdiscover.domain.net -> External IP of Edge

Edge Cert (SHDIM01):

DNS Name=sip.domain.net (Access Edge Service)
DNS Name=wc.domain.net (Web Services)

Reverse Proxy Cert (SHDIM02):

DNS Name=SIP.domain.net
DNS Name=dialin.domain.net
DNS Name=lyncdiscover.domain.net
DNS Name=meet.domain.net
DNS Name=officewebapps.domain.net

Pool Cert (SHCIM01):

DNS Name=sip.domain.NET
DNS Name=SHCIM01.domain.NET
DNS Name=dialin.domain.net
DNS Name=meet.domain.net
DNS Name=skypeadmin.domain.net
DNS Name=LyncdiscoverInternal.domain.NET
DNS Name=Lyncdiscover.domain.NET




  • Edited by joengelhart Wednesday, June 17, 2015 2:58 AM
June 16th, 2015 4:20pm

Just tried the mobile client again and I still get "can't verify the certificate" I just checked my SRV records on Godaddy and I show I have 

_sipfederationtls._tcp.domain.net pointing to sip.domain.net

_sip._tls.crista.net pointing to sip.domain.net

Sip.domain.net is pointing to my edge server SHDIM01.

Is that not correct?


Free Windows Admin Tool Kit Click here and download it now
June 16th, 2015 7:21pm

Any thoughts on how to resolve this....I've been trying to figure it out all morning

SHDIM02 is my reverse proxy

Farms:

dialin.crista.net

Server -> SHCIM01 

lyncdiscover.crista.net

Server -> SHCIM01

meet.crista.net

Server -> SHCIM01

skype.crista.net

Server -> SHCIM01

All set to port 8080 and 4443. Not sure what has changed since yesterday :(

Cert: skype.crista.net

DNS Name=skype.crista.net

DNS Name=dialin.crista.net

DNS Name=lyncdiscover.crista.net

DNS Name=meet.crista.net

DNS Name=officewebapps.crista.net

  • Edited by joengelhart Wednesday, June 17, 2015 7:24 PM
June 17th, 2015 7:23pm

I've added the internal cert on my mobile and I still get: 

"We can't sign you in because your organization doesn't support this version of Lync. Please install Lync 2010 from your mobile store....'

from the inside and outside. I wasn't having this issue before on the outside. The outside had been working without any issues.

Hair Pinning is enabled for skype.crista.net

is skype.crista.net pointing to my internal NIC on my RP?

Example:

Server for ReverseProxy:

SHDIM02.crista.net

DMZ NIC: 172.16.1.38

INTERNAL NIC: 10.10.1.38

Internal DNS Skype.crista.net -> 10.10.1.38

Server for FrontEnd:

SHCIM01.crista.net

INTERNAL NIC: 10.10.1.35

Internal DNS lyncdiscoverinternal.crista.net -> 10.10.1.35

I'm confused how I've gone backwards and am unable to connect on mobile from the outside.

Thanks for sticking with me on this


Free Windows Admin Tool Kit Click here and download it now
June 22nd, 2015 7:34pm

I have made that change and I'm thinking it's going to work but my outside Lync Test for mobile is failing again so something else need to be changed to get my outside clients working again and then I think my internal will be working...

June 22nd, 2015 9:14pm

Server Farm is as follows:

dialin.crista.net

Server: SHCIM01.CRISTA.NET  

Caching: disk cache is disabled

Proxy: Time-out is 600

Routing Rules: SSL offloading is disabled

lyncdiscover.crista.net

Server: SHCIM01.CRISTA.NET  

Caching: disk cache is disabled

Proxy: Time-out is 600

Routing Rules: SSL offloading is disabled

meet.crista.net

Server: SHCIM01.CRISTA.NET  

Caching: disk cache is disabled

Proxy: Time-out is 600

Routing Rules: SSL offloading is disabled

skype.crista.net

Server: SHCIM01.CRISTA.NET  

Caching: disk cache is disabled

Proxy: Time-out is 600

Routing Rules: SSL offloading is disabled

.

URL rewrite is as follows:

.

lyncdiscover.crista.net_loadbalacnce_SSL

Input: URL Path

Match: Matches

Pattern: (.*)

Action Type: Rewrite

Action URL: https://lyncdiscover.crista.net/{R:0}

Stop Processing: True

skype.crista.net_loadbalacnce_SSL

Input: URL Path

Match: Matches

Pattern: (.*)

Action Type: Rewrite

Action URL: https://skype.crista.net/{R:0}

Stop Processing: True

dialin.crista.net_loadbalacnce_SSL

Input: URL Path

Match: Matches

Pattern: (.*)

Action Type: Rewrite

Action URL: https://lyncdiscover.crista.net/{R:0}

Stop Processing: True

meet.crista.net_loadbalacnce_SSL

Input: URL Path

Match: Matches

Pattern: (.*)

Action Type: Rewrite

Action URL: Https://meet.crista.net/{R:0}

Stop Processing: True

On my laptop outside my network I'm getting a 403 - Forbidden: Access is denied





Free Windows Admin Tool Kit Click here and download it now
June 23rd, 2015 6:46pm

Thanks for the reply. Still struggling with this issue. I'm not real technical with IIS so I don't completely follow the logs but I'm working on shuffling through them. Appreciate any help.

2015-07-06 18:30:55 172.16.1.38 GET /ucwa/v1/applications/212244982991/events ack=244&low=300&medium=300&timeout=900&priority=1435683420&X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=94101804-6d8d-4317-8494-9bd30ab7b15f 443 - 10.250.32.37 ACOMO - 409 0 0 67437
2015-07-06 18:30:55 172.16.1.38 GET /ucwa/v1/applications/212244982991/events ack=244&low=15&medium=15&timeout=900&priority=1435683421&X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=86b58c1b-28c9-4960-bcab-08b14e20d22c 443 - 10.250.32.37 ACOMO - 200 0 0 937
2015-07-06 18:30:56 172.16.1.38 GET /ucwa/v1/applications/212244982991/people/contactsAndGroupsSubscription X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=e5de64d0-22c9-45aa-808f-b2d1d71c6a10 443 - 10.250.32.37 ACOMO - 200 0 0 0
2015-07-06 18:30:57 172.16.1.38 POST /ucwa/v1/applications/212244982991/people/presenceSubscriptions X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=5339ac80-858d-4200-b729-156376755f36 443 - 10.250.32.37 ACOMO - 201 0 0 46
2015-07-06 18:30:57 172.16.1.38 POST /ucwa/v1/applications/212244982991/people/contactsAndGroupsSubscription/startOrRefresh duration=60&X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=b336be39-c23c-450f-8e30-d4cc7ff0272b 443 - 10.250.32.37 ACOMO - 204 0 0 15
2015-07-06 18:30:58 172.16.1.38 GET /ucwa/v1/applications/212244982991/events ack=245&low=15&medium=15&timeout=900&priority=1435683422&X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=19feeba8-9b60-4d5f-91bb-acfa0e5a43fd 443 - 10.250.32.37 ACOMO - 200 0 0 2046
2015-07-06 18:30:59 172.16.1.38 POST /ucwa/v1/applications/212244982991/batch X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=aa9eca1f-9611-42f6-bd85-2a28ded6e560 443 - 10.250.32.37 ACOMO - 200 0 0 15
2015-07-06 18:30:59 172.16.1.38 POST /ucwa/v1/applications/212244982991/batch X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=7bd3ebbb-5765-4807-bde5-c5f1998ef638 443 - 10.250.32.37 ACOMO - 200 0 0 625
2015-07-06 18:30:59 172.16.1.38 GET /ucwa/v1/applications/212244982991/people/groups/nYZJrQA3cI6XoISD5lwidI6dpDziUQot_sY7Zy8_wsA= X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=f38596ce-7e09-42b5-96a1-293367812278 443 - 10.250.32.37 ACOMO - 200 0 0 15
2015-07-06 18:31:33 172.16.1.38 GET /ucwa/v1/applications/213595124232/events ack=14&low=1800&medium=1800&timeout=900&priority=1436126864&X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=bda19de2-774f-46ad-9263-0b79b271f512 443 - 70.199.174.27 Lync%202013/5.7.0.563+CFNetwork/711.3.18+Darwin/14.0.0 - 400 0 64 376969
2015-07-06 18:34:00 172.16.1.38 GET / X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=7e92953e-a1b5-40b8-92e3-97086517ba8a 443 - 184.77.255.85 Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/43.0.2357.130+Safari/537.36 - 200 0 0 515
2015-07-06 18:34:04 172.16.1.38 GET /ucwa/v1/applications/212244982991/events ack=246&low=15&medium=15&timeout=900&priority=1435683423&X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=0d79e9a0-7019-4bc2-b895-02888c8c5192 443 - 10.250.32.37 ACOMO - 200 0 0 185812
2015-07-06 18:34:04 172.16.1.38 GET /ucwa/v1/applications/212244982991/people/mkerrick@crista.net/presence X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=bfce058b-3ddb-413e-b850-8dd64127279a 443 - 10.250.32.37 ACOMO - 200 0 0 15
2015-07-06 18:36:43 172.16.1.38 GET / - 80 - 184.77.255.85 Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/43.0.2357.130+Safari/537.36 - 200 0 0 62
2015-07-06 18:36:43 172.16.1.38 GET /favicon.ico - 80 - 184.77.255.85 Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/43.0.2357.130+Safari/537.36 http://lyncdiscover.crista.net/ 404 0 2 156
2015-07-06 18:36:54 172.16.1.38 GET / X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=612d3504-7e0b-4cb1-a39a-4afa2f5d97fa 443 - 184.77.255.85 Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/43.0.2357.130+Safari/537.36 - 200 0 0 1874
2015-07-06 18:36:54 172.16.1.38 GET /favicon.ico X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=d6b460a0-3b1a-48be-a10c-57dc3e2fa1ed 443 - 184.77.255.85 Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/43.0.2357.130+Safari/537.36 https://lyncdiscover.crista.net/ 200 0 0 140
2015-07-06 18:37:09 172.16.1.38 GET / X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=dad3b094-a3d1-4b2e-80e6-12f80482b68d 443 - 184.77.255.85 Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/43.0.2357.130+Safari/537.36 - 403 0 0 62
2015-07-06 18:37:12 172.16.1.38 GET / X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=250eaf5c-1c15-4f3b-b321-3f9ddf20d5ec 443 - 184.77.255.85 Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/43.0.2357.130+Safari/537.36 - 200 0 0 10687
2015-07-06 18:37:12 172.16.1.38 GET /favicon.ico X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=d997b7d0-81ba-4202-a5c6-d450b4cf4dc3 443 - 184.77.255.85 Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/43.0.2357.130+Safari/537.36 https://meet.crista.net/ 200 0 0 62
2015-07-06 18:37:57 172.16.1.38 GET / X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=9f28a83f-4e0f-4e45-9606-fce320f7ccd2 443 - 184.77.255.85 Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/43.0.2357.130+Safari/537.36 - 200 0 0 62
2015-07-06 18:38:17 172.16.1.38 GET /ucwa/v1/applications/212244982991/events ack=247&low=15&medium=15&timeout=900&priority=1435683424&X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=dda07d91-acc1-431c-98c6-bdacac654926 443 - 10.250.32.37 ACOMO - 200 0 0 252687
2015-07-06 18:38:17 172.16.1.38 POST /ucwa/v1/applications/212244982991/batch X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=43616c7e-17e5-49eb-adb1-89f1a63310ab 443 - 10.250.32.37 ACOMO - 200 0 0 15
2015-07-06 18:38:52 172.16.1.38 GET /ucwa/v1/applications/212244982991/events ack=248&low=15&medium=15&timeout=900&priority=1435683425&X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=c4a717f0-9cc0-44d3-b9ff-003b618c2ac3 443 - 10.250.32.37 ACOMO - 200 0 0 35109
2015-07-06 18:38:52 172.16.1.38 GET /ucwa/v1/applications/212244982991/people/dbrooks@crista.net/presence X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=be29695e-92a1-4a43-a271-fe5261f89ad4 443 - 10.250.32.37 ACOMO - 200 0 0 15
2015-07-06 18:41:05 172.16.1.38 GET /ucwa/v1/applications/212244982991/events ack=249&low=300&medium=300&timeout=900&priority=1435683426&X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=f4b698e5-b380-49a8-b677-d1e62adb0517 443 - 10.250.32.37 ACOMO - 200 0 0 133250
2015-07-06 18:41:17 172.16.1.38 GET /ucwa/v1/applications/213595124232/events ack=14&low=1800&medium=1800&timeout=900&priority=1436126865&X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=0a20114f-9c97-4401-ba35-3a9033007681 443 - 70.199.174.27 Lync%202013/5.7.0.563+CFNetwork/711.3.18+Darwin/14.0.0 - 400 0 64 583047
2015-07-06 18:43:44 172.16.1.38 GET / X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=39b5c209-4d6e-4c5d-95e0-1a444cb5f2da 443 - 184.77.255.85 Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/43.0.2357.130+Safari/537.36 - 200 0 0 140
2015-07-06 18:43:45 172.16.1.38 GET / X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=4f6581ab-1264-44c4-a6c1-182144e38ee1 443 - 184.77.255.85 Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/43.0.2357.130+Safari/537.36 - 200 0 0 78
2015-07-06 18:43:45 172.16.1.38 GET / X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=5ddc031f-0077-496a-85fc-e6a48d891e41 443 - 184.77.255.85 Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/43.0.2357.130+Safari/537.36 - 200 0 0 93
2015-07-06 18:43:54 172.16.1.38 GET / X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=e9901b16-1826-4fc5-a52e-f260418f46f5 443 - 184.77.255.85 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 200 0 0 62
2015-07-06 18:43:55 172.16.1.38 GET / X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=0c409253-ec1e-4417-b2ef-826f22cdc0c8 443 - 184.77.255.85 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 200 0 0 78

July 6th, 2015 2:51pm

Joe, perhaps it is time to look other options for Reverse Proxy. Take a look at this article:http://www.lynclog.com/2015/06/kemp-loadmaster-as-reverse-proxy-for.html (the three most resent I would say.)

Drago

Free Windows Admin Tool Kit Click here and download it now
July 6th, 2015 4:37pm

Thanks for the advice. Unfortunately I need to stick with IIS and not go 3rd party. I think I'm going to try to rebuild the reverse proxy server before giving up.

Thanks

July 6th, 2015 9:48pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics