Hello everyone.. So i'm pretty new to lync and I'm trying to deploy in my company.   Currently i have it working internally just fine, however, the external part im having all sorts of issues.    i've followed some troubleshooting steps but i cant seem to be getting anywhere... so i was wondering if anyone could help.  

currently i have a FE server and an Edge server.   When i try the remote connection test i get the following error at the end.

I tried going to https://lyncdiscover.domain.org   and i get the following error:
server error  in "/" application

The resources canno be found.

description:   http 404. the resource you are looking for  (or one of its dependecies( could have been removed, had its name changed or is temporary unavailable ... etc

Requested URL: /autodiscover/autodiscoverservice.svc/root

my browser is validating he certificate as the https is green.    I dont know if it could be an issue with the RP? or just the site.  I'm using the IISARR as my reverse proxy and followed the steps on hte link below to set it up

http://blogs.technet.com/b/nexthop/archive/2013/02/19/using-iis-arr-as-a-reverse-proxy-for-lync-server-2013.aspx

I checked the mobility config adn the exposedwebURL is set to external.    

Thanks in advance for any help! 

• Edited by Red Fury Thursday, July 31, 2014 7:55 PM

What do you get in a web browser when you browse to https://lyncdiscover.domain.org/Autodiscover/AutodiscoverService.svc?

Have you published 80 -> 8080 and 443 -> 4443 then added as a server? This can easily be missed. In the doc you reference see figure 4 - make sure you selected "Add" before "Finish"

You can test the external site from internal by adding :4443 on the end of the URL e.g. https://lyncdiscover.domain.org:4443. Does that work?

Here's the complete connectivity test

What do you get in a web browser when you browse to https://lyncdiscover.domain.org/Autodiscover/AutodiscoverService.svc?

Have you published 80 -> 8080 and 443 -> 4443 then added as a server? This can easily be missed. In the doc you reference see figure 4 - make sure you selected "Add" before "Finish"

You can test the external site from internal by adding :4443 on the end of the URL e.g. https://lyncdiscover.domain.org:4443. Does that work?

Hi greg, thanks for the input.   I am not able to browse to http://ServerFQDN.domain.corp:8080/Autodiscover/AutodiscoverService.svc/root .. i get the same error.  The interesting thing is that internally the mobility is also not working now after i created a new topology..  Also, i went to the FE server's IIS and i dont see the "autodiscover" site in it.     could that be the issue? 

here's the error for :http://ServerFQDN.domain.corp:8080/Autodiscover/AutodiscoverService.svc/root

The resource cannot be found.

Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable.  Please review the following URL and make sure that it is spelled correctly.

Requested URL: /Autodiscover/AutodiscoverService.svc/root

---------------------------------------------------------------------------------------------------

Update!  I re-published the topology and then ran the setup or remove components wizard and then tried going to  http://lyncdiscover.domain.org i get a file download with the following message in it:

{"Root":{"Links":[{"href":"https:\/\/fqdn.domain.local\/Autodiscover\/AutodiscoverService.svc\/root?sipuri=","token":"Redirect"}]}}

if i go to https://lyncdiscover.domain.org/ i get prompted to download the file but it gives me an error that the file cannot be downloaded because the site is unavailable or cannot be found

After that i tried connecting internally and the mobile .. got prompted to install the cert and then the client just kept cycling trying to connect to the server a few times and then it said that the server was not found.. could it be a DNS issue at this point?

• Edited by Red Fury Monday, August 04, 2014 7:43 PM

Andrew, yes .. i did all the DNS entries as you recommended on your page.   When i browse from the phone to the lyncdiscover i dont get any errors..  when i do it externally, it shows the webservice.domain.org discovery and i connect to our wifi it shows the FE fqdn.

This is what i get from the remote connectivity, i assume that this issue might be related to the edge server. the cert has the lync-access.domain.org as SAN which is the external edge pool

Testing remote connectivity for user eborjas@eldercarealliance.org to the Microsoft Lync server. it almost look like the cert is not binded to port 443.. I assume that it should be binded to 4443, but im not sure how to bind the cert to the port without IIS in the edge server.
	Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
	Additional Details   Elapsed Time: 6253 ms.
	Test Steps   Attempting to resolve the host name lync-access.domain.org in DNS.   The host name resolved successfully.   Additional Details   IP addresses returned: 72.18.240.222 Elapsed Time: 200 ms. Testing TCP port 443 on host lync-access.domain.org to ensure it's listening and open.   The port was opened successfully.   Additional Details   Elapsed Time: 168 ms. Testing the SSL certificate to make sure it's valid.   The SSL certificate failed one or more certificate validation checks.   Additional Details   Elapsed Time: 5575 ms.   Test Steps   The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server lync-access.eldercarealliance.org on port 443.   The Microsoft Connectivity Analyzer wasn't able to obtain the remote SSL certificate.   Additional Details   The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation. Elapsed Time: 5532 ms.

• Edited by Red Fury Tuesday, August 05, 2014 9:05 PM

Greg, thank you for the reply. I'm not having issues with the RP..  Currently i do have the lyncdiscover pointing to the reverse proxy.. I am not having issues with the lyncdiscover at the moment..  currently PC's area able to login remotely without any issues, only Phone are the ones not bieing able to connect.      I do have a SAN cert on the reverse proxy with all the requirements listed on the kb u referenced to.  I am using that same public cert on the edge server.. you are saying that i should use a different one? 

The lync-access.elder.org contains the following SANs:

lync-access.domain.org

lyncdiscover.domain.org

lync.domain.com    ( im using the meet and dialin as "lync.domain.org/meet, lync.domain.org/dialin" ) to save $ on the cert and keep it at 5 SANs)

The issue that i'm having is with the edge server, Should i create a farm to point point that to the edge server in the RP?

the xx.18.240.222 address points to the edge server with the pool name lync-access.domain.org ..  the lyncdiscover, lync.domain and webservice all point to the reverse proxy which is a different IP .. 50.xx.xx.xx.  

This is what i get when i run the "get-csservice -webserver | fl autodiscover*

Those are the correct sites.

Thanks for your help!!

• Edited by Red Fury Wednesday, August 06, 2014 8:31 PM update

Hello greg..  So, i did the check and the port is listening..  but i'm not sure why it keeps picking up the internal edge cert instead of the public cert. i have my firewall translating 443 to 4443 for the edge server.. and  I have a IISARR doing reverse proxy for the FE server ..  I'm assuming at this point could be a routing issue ..  Do you know if there is a way to check to which port the certs are binded to without IIS ?    I did a netsh http show sslcert and it got me the internal cert binded to 4443

• Edited by Red Fury 17 hours 11 minutes ago

PAul, when i ping lync-access.doamin.org from the reverse proxy server it does resolve to the internal IP ..  i'm pretty sure i have a the external interface on the DMZ with the gateway and the internal interface without a gateway..  

So, you are saying that i should take a 2nd look at the DMZ and make sure that is segregated from the internal network?    in my internal DNS, should lync-access(sip.domain.org)  be resolving the the DMZ ip or to the public IP? 

• Edited by Red Fury 13 hours 45 minutes ago