
Lync GAL (Address book) can't synchronize externally.

Posted on 2011-03-24
Last Modified: 2012-06-21
Hi,

I'll try to be as exact as possible. My problem is that users with a lync client connecting from home (externally) via our firewall and edge server are not able to download the GAL (Address Book).

Domains are as follows:
INTERNAL AD DOMAIN:
company.local

EXTERNAL DOMAIN:
company.com

USER EMAIL/USER SIP :
@company.se
@company.dk
@company.fi
@company.no

Servers:
lyncsrv.company.local
1 ip address on internal network
certificate: lyncsrv.company.local

lyncedge.company.local (not joined in domain)
1 ip address on internal network
certificate: lyncedge.company.local

3 ip addresses on DMZ
certificate: sip.company.com SAN: sip.company.com, webconf.company.com


Certificates are all "real", provided by Thawte, since we don't have an internal AD CA server.

All users are using their email address based on country, as sign-in address.
All SRV records are correct both on internal DNS and external DNS.

I've read tons and tons of guides and they all come down to the same conclusion: reverse proxy.
But isn't that what the edge server is acting as? Internal interface on lyncedge "talks" to lyncsrv.
No firewall issues here since they're both on the same subnet.

On lyncsrv there are two web servers, internal and external, where you can define the external FQDN in the topology builder.
Mine are both lyncsrv.company.local, where internal is listening on 80 and 443 and external is listening on 8080 and 4443.
Both are using certificate lyncsrv.company.local.

When connecting from "inside" our corporate network everything works just fine, but when a user brings his/her computer home, Lync starts fine and you're able to do IM and voice/video to those contacts already added.

But after a while an error message pops up saying: "cannot synchronize with the corporate address book. This may be because the proxy server in your web browser does not allow access to the address book......"

When holding down the ctrl-key + right click on the lync icon and clicking on "configuration information" a new window pops up.

"URL Internal from server: https://lyncsrv.company.local:443/abs/handler"
"URL External from server: https://lyncsrv.company.local:443/abs/handler"

"GAL STATUS: https://lyncsrv.company.local:443/abs/handler Cannot synchronize with the corporate address book......"

"GAL or server based search: GAL Search"

"Connected lync server: sip.company.com"

Any suggestions?

I've also added a picture explaining our setup.
Thanks,
Jonas


(Image: Our Lync setup.)
Question by:jetpak

Expert Comment

by:Jeff_Schertz
ID: 35206584
The Edge Server is NOT a reverse proxy and does not handle any HTTP or HTTPS traffic.  You must deploy an additional reverse proxy solution (e.g. ISA or TMG) to handle requests from the external clients to the External Web Services FQDNs for each Front End or Director server.  These HTTP/HTTPS requests are directed to the internal server's IIS 'external' web sites and provide for features like Address Book download or web query, distribution list expansion, web conferencing content upload and whiteboarding, in addition to access to the meet and dialin web pages.

Author Comment

by:jetpak
ID: 35229716
So what DNS record and firewall ports should be opened in our firewall then?
I thought that you only needed to open up for sip.company.com, webconf.company.com and av.company.com pointing to the edge server?

IM, video and voice works all fine today. Only this little problem with GAL..

Thanks
Jonas

Author Comment

by:jetpak
ID: 35229722
Oh yeah, followed this guide while installing.
http://ocsguy.com/2010/11/21/deploying-an-edge-server-with-lync/


Accepted Solution

by: Jeff_Schertz (earned 2000 total points)
ID: 35231507
In your Lync Topology you will have defined an External Web Services FQDN for the Front End server.  Internal clients will connect to the internal Web Sites using the Front End Server/Poolname but Edge-connected clients will use the External Web Services FQDN.  This FQDN is what needs to be published outside, in addition to the Simple URLs (meet.contoso.com, dialin.contoso.com).  The reverse proxy certificate needs each of these names in the SAN and the traffic rule points to the 8080/4443 ports on the Front End server.
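Added example, not code from the thread or from Microsoft: a small Python check of the publishing rule in the accepted answer (names in the reverse-proxy SAN, 443/80 forwarded to 4443/8080), run over a constructed topology resembling the one in the question and over a corrected one. The .local check and the lyncweb.company.com name are my assumptions, not something the thread states.

```python
from dataclasses import dataclass
from typing import Dict, List

# Port mapping from the accepted answer: public 443 -> Front End 4443, 80 -> 8080.
EXPECTED_PORT_MAP = {443: 4443, 80: 8080}

@dataclass
class PublishingRule:
    external_web_fqdn: str      # External Web Services FQDN from Topology Builder
    internal_web_fqdn: str      # Front End server / pool name internal clients use
    simple_urls: List[str]      # meet/dialin Simple URLs
    proxy_cert_sans: List[str]  # SAN entries on the reverse-proxy certificate
    port_map: Dict[int, int]    # reverse-proxy listener port -> Front End port

def check_rule(rule: PublishingRule) -> List[str]:
    # Returns the problems found; an empty list means the rule matches the answer.
    problems = []
    sans = {s.lower() for s in rule.proxy_cert_sans}
    for name in [rule.external_web_fqdn] + list(rule.simple_urls):
        if name.lower() not in sans:
            problems.append(f"reverse proxy certificate SAN is missing {name}")
    if rule.external_web_fqdn.lower() == rule.internal_web_fqdn.lower():
        problems.append("external FQDN equals the internal name; Edge clients get the internal URL")
    # Assumption (not stated in the thread): a .local name is neither resolvable
    # from the Internet nor obtainable on a public CA certificate.
    if rule.external_web_fqdn.lower().endswith(".local"):
        problems.append("external web services FQDN uses a .local suffix")
    for listener, backend in EXPECTED_PORT_MAP.items():
        if rule.port_map.get(listener) != backend:
            problems.append(f"listener {listener} must forward to Front End port {backend}")
    return problems

# Constructed sample: the topology as described in the question (no reverse proxy,
# External Web Services FQDN left at the internal .local name).
AS_POSTED = PublishingRule(
    external_web_fqdn="lyncsrv.company.local",
    internal_web_fqdn="lyncsrv.company.local",
    simple_urls=["meet.company.com", "dialin.company.com"],
    proxy_cert_sans=["sip.company.com", "webconf.company.com"],
    port_map={},
)

# Constructed sample applying the accepted answer; lyncweb.company.com is a
# hypothetical External Web Services FQDN, not a name from the thread.
CORRECTED = PublishingRule(
    external_web_fqdn="lyncweb.company.com",
    internal_web_fqdn="lyncsrv.company.local",
    simple_urls=["meet.company.com", "dialin.company.com"],
    proxy_cert_sans=["lyncweb.company.com", "meet.company.com", "dialin.company.com"],
    port_map={443: 4443, 80: 8080},
)
```

Running `check_rule(AS_POSTED)` lists every gap the answer calls out, while `check_rule(CORRECTED)` returns an empty list.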
