Remote Connectivity Test failed on Port 5061.

Hello,

I'm trying to deploy a Lync Server (Skype for business) at our business. I have 4 Servers:

Pool: SHCIM01.domain.net

Edge: SHDIM01.domain.net

Reverse Proxy: SHDIM02.domain.net

Office Web Apps: SHCIM02.domain.net

I am able to sign into Lync inside and outisde of my business on Desktops and Laptops with no issues but not mobile devices. On Mobile devices I get "We can't verify the certificate from the server. Please contact your support team".

When I run the Microsoft Connectivity analyzer with auto discover I get all Green Lights. When I run the analyzer on port 5061 I get the following:

"Testing remote connectivity to Microsoft Lync server through the Lync Access Edge server sip.domain.net on port 5061 to verify user jengelhart@domain.net can connect remotely.
Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
Tell me more about this issue and how to resolve it

Additional Details

Couldn't sign in. Error: Error Message: Unable to establish a connection..
Error Type: ConnectionFailureException.
.
Elapsed Time: 100098 ms."

When I run the connectivity Anazlyzer on port 443 I get a warning:

"Analyzing the certificate chains for compatibility problems with versions of Windows.
Potential compatibility problems were identified with some versions of Windows.

Additional Details

The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
Elapsed Time: 2 ms."

Does any one have any ideas what could be wrong? Please let me know if  I can provide more information for troubleshooting.

Thanks.

   

_sipinternaltls._tcp.domain.net -> SHCIM01.domain.net

_sipinternal._tcp.domain.net -> sip.domain.net

_sip._tls.domain.net -> sip.domain.net

_sip._tcp.domain.net -> sip.domain.net

sipinternal.domain.net -> sipinternal.domain.net

sip.domain.net -> sip.domain.net

sipexternal.domain.net -> SHDIM01 IP

sip.domain.net -> SHCIM01 IP

meet.domain.net -> SHCIM01 IP

dialin.domain.net -> SHCIM01 IP

admin.domain.net -> SHCIM01 IP

lyncdiscoverinternal.domain.net -> SHCIM01 IP

Lyncdiscover.domain.net -> External IP of Edge

Edge Cert (SHDIM01):

DNS Name=sip.domain.net (Access Edge Service)
DNS Name=wc.domain.net (Web Services)

Reverse Proxy Cert (SHDIM02):

DNS Name=SIP.domain.net
DNS Name=dialin.domain.net
DNS Name=lyncdiscover.domain.net
DNS Name=meet.domain.net
DNS Name=officewebapps.domain.net

Pool Cert (SHCIM01):

DNS Name=sip.domain.NET
DNS Name=SHCIM01.domain.NET
DNS Name=dialin.domain.net
DNS Name=meet.domain.net
DNS Name=skypeadmin.domain.net
DNS Name=LyncdiscoverInternal.domain.NET
DNS Name=Lyncdiscover.domain.NET




  • Edited by joengelhart Wednesday, June 17, 2015 2:58 AM
June 16th, 2015 4:20pm

Just tried the mobile client again and I still get "can't verify the certificate" I just checked my SRV records on Godaddy and I show I have 

_sipfederationtls._tcp.domain.net pointing to sip.domain.net

_sip._tls.crista.net pointing to sip.domain.net

Sip.domain.net is pointing to my edge server SHDIM01.

Is that not correct?


Free Windows Admin Tool Kit Click here and download it now
June 16th, 2015 7:21pm

Any thoughts on how to resolve this....I've been trying to figure it out all morning

SHDIM02 is my reverse proxy

Farms:

dialin.crista.net

Server -> SHCIM01 

lyncdiscover.crista.net

Server -> SHCIM01

meet.crista.net

Server -> SHCIM01

skype.crista.net

Server -> SHCIM01

All set to port 8080 and 4443. Not sure what has changed since yesterday :(

Cert: skype.crista.net

DNS Name=skype.crista.net

DNS Name=dialin.crista.net

DNS Name=lyncdiscover.crista.net

DNS Name=meet.crista.net

DNS Name=officewebapps.crista.net

  • Edited by joengelhart Wednesday, June 17, 2015 7:24 PM
June 17th, 2015 7:23pm

I've added the internal cert on my mobile and I still get: 

"We can't sign you in because your organization doesn't support this version of Lync. Please install Lync 2010 from your mobile store....'

from the inside and outside. I wasn't having this issue before on the outside. The outside had been working without any issues.

Hair Pinning is enabled for skype.crista.net

is skype.crista.net pointing to my internal NIC on my RP?

Example:

Server for ReverseProxy:

SHDIM02.crista.net

DMZ NIC: 172.16.1.38

INTERNAL NIC: 10.10.1.38

Internal DNS Skype.crista.net -> 10.10.1.38

Server for FrontEnd:

SHCIM01.crista.net

INTERNAL NIC: 10.10.1.35

Internal DNS lyncdiscoverinternal.crista.net -> 10.10.1.35

I'm confused how I've gone backwards and am unable to connect on mobile from the outside.

Thanks for sticking with me on this


Free Windows Admin Tool Kit Click here and download it now
June 22nd, 2015 7:34pm

I have made that change and I'm thinking it's going to work but my outside Lync Test for mobile is failing again so something else need to be changed to get my outside clients working again and then I think my internal will be working...

June 22nd, 2015 9:14pm

Server Farm is as follows:

dialin.crista.net

Server: SHCIM01.CRISTA.NET  

Caching: disk cache is disabled

Proxy: Time-out is 600

Routing Rules: SSL offloading is disabled

lyncdiscover.crista.net

Server: SHCIM01.CRISTA.NET  

Caching: disk cache is disabled

Proxy: Time-out is 600

Routing Rules: SSL offloading is disabled

meet.crista.net

Server: SHCIM01.CRISTA.NET  

Caching: disk cache is disabled

Proxy: Time-out is 600

Routing Rules: SSL offloading is disabled

skype.crista.net

Server: SHCIM01.CRISTA.NET  

Caching: disk cache is disabled

Proxy: Time-out is 600

Routing Rules: SSL offloading is disabled

.

URL rewrite is as follows:

.

lyncdiscover.crista.net_loadbalacnce_SSL

Input: URL Path

Match: Matches

Pattern: (.*)

Action Type: Rewrite

Action URL: https://lyncdiscover.crista.net/{R:0}

Stop Processing: True

skype.crista.net_loadbalacnce_SSL

Input: URL Path

Match: Matches

Pattern: (.*)

Action Type: Rewrite

Action URL: https://skype.crista.net/{R:0}

Stop Processing: True

dialin.crista.net_loadbalacnce_SSL

Input: URL Path

Match: Matches

Pattern: (.*)

Action Type: Rewrite

Action URL: https://lyncdiscover.crista.net/{R:0}

Stop Processing: True

meet.crista.net_loadbalacnce_SSL

Input: URL Path

Match: Matches

Pattern: (.*)

Action Type: Rewrite

Action URL: Https://meet.crista.net/{R:0}

Stop Processing: True

On my laptop outside my network I'm getting a 403 - Forbidden: Access is denied





Free Windows Admin Tool Kit Click here and download it now
June 23rd, 2015 6:46pm

Would anyone be able to tell me if I have my NIC's setup correctly on the Reverse proxy and what the needed routes would be?

Reverse proxy:

DMZ NIC:

172.16.1.38

255.255.255.192

172.16.1.1

Internal NIC:

10.10.1.38

255.255.254.0

No Gateway

No DNS

Skype Server Ip: 10.10.1.35

Thanks

July 9th, 2015 12:01pm

You don't need static route since your Reverse Proxy internal NIC IP and the server IP are on the same subnet.

Free Windows Admin Tool Kit Click here and download it now
July 9th, 2015 12:19pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics