Solved

Lync GAL (Address book) can't synchronize externally.

Posted on 2011-03-24
4
10,550 Views
1 Endorsement
Last Modified: 2012-06-21
Hi,

I'll try to be as exact as possible. My problem is that users with a lync client connecting from home (externally) via our firewall and edge server are not able to download the GAL (Address Book).

Domains are as follows:
INTERNAL AD DOMAIN:
company.local

EXTERNAL DOMAIN:
company.com

USER EMAIL/USER SIP :
@company.se
@company.dk
@company.fi
@company.no

Servers:
lyncsrv.company.local
1 ip address on internal network
certificate: lyncsrv.company.local

lyncedge.company.local (not joined in domain)
1 ip address on internal network
certificate: lyncedge.company.local

3 ip addresses on DMZ
certificate: sip.company.com SAN: sip.company.com, webconf.company.com


Certificates are all "real", provided by Thawte, since we don't have an internal AD CA server.

All users are using their email address based on country, as sign-in address.
All SRV records are correct both on internal DNS and external DNS.

I've read tons and tons of guides and they all come down to the same conclusion: reverse proxy.
But isn't that what the edge server is acting as? Internal interface on lyncedge "talks" to lyncsrv.
No firewall issues here since they're both on the same subnet.

On lyncsrv there are two web servers, internal and external, where you can define the external FQDN in the topology builder.
Mine are both lyncsrv.company.local, where internal is listening on 80 and 443 and external is listening on 8080 and 4443.
Both are using certificate lyncsrv.company.local.

When connecting from "inside" our corporate network everything works just fine, but when a user brings his/her computer home, Lync starts fine and you're able to do IM and voice/video with those contacts already added.

But after a while an error message pops up saying: "cannot synchronize with the corporate address book. This may be because the proxy server in your web browser does not allow access to the address book......"

When holding down the Ctrl key and right-clicking on the Lync icon, then clicking on "configuration information", a new window pops up.

"URL Internal from server: https://lyncsrv.company.local:443/abs/handler"
"URL External from server: https://lyncsrv.company.local:443/abs/handler"

"GAL STATUS: https://lyncsrv.company.local:443/abs/handler Cannot synchronize with the corporate address book......"

"GAL or server based search: GAL Search"

"Connected lync server: sip.company.com"

Any suggestions?

I've also added a picture explaining our setup.
Thanks,
Jonas


Our Lync setup.
Question by:jetpak
4 Comments
 
LVL 12

Expert Comment

by:Jeff_Schertz
ID: 35206584
The Edge Server is NOT a reverse proxy and does not handle any HTTP or HTTPS traffic.  You must deploy an additional reverse proxy solution (e.g. ISA or TMG) to handle requests from the external clients to the External Web Services FQDNs for each Front End or Director server.  These HTTP/HTTPS requests are directed to the internal server's IIS 'external' web sites and provide for features like Address Book download or web query, distribution list expansion, web conferencing content upload and whiteboarding, in addition to access to the meet and dialin web pages.
0
 

Author Comment

by:jetpak
ID: 35229716
So what DNS record and firewall ports should be opened in our firewall then?
I thought that you only needed to open up for sip.company.com, webconf.company.com and av.company.com pointing to the edge server?

IM, video and voice all work fine today. Only this little problem with GAL.

Thanks
Jonas
0
 

Author Comment

by:jetpak
ID: 35229722
Oh yeah, followed this guide while installing.
http://ocsguy.com/2010/11/21/deploying-an-edge-server-with-lync/

0
 
LVL 12

Accepted Solution

by:
Jeff_Schertz earned 500 total points
ID: 35231507
In your Lync Topology you will have defined an External Web Services FQDN for the Front End server.  Internal clients will connect to the internal Web Sites using the Front End Server/Pool name, but Edge-connected clients will use the External Web Services FQDN.  This FQDN is what needs to be published outside, in addition to the Simple URLs (meet.contoso.com, dialin.contoso.com).  The reverse proxy certificate needs each of these names in the SAN and the traffic rule points to the 8080/4443 ports on the Front End server.
0
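The following is an added example, not code from this thread or from Microsoft. It turns the diagnosis in the question and the accepted answer into a check: it parses the lines the Lync client prints under "Configuration Information" (constructed here from the values quoted in the question), flags an external web services URL that uses a non-public name or the same FQDN as the internal site, lists the 80/443 to 8080/4443 bridging a reverse proxy rule needs, and reports which names a reverse proxy certificate SAN is missing. The names lyncweb.company.com, meet.company.com and dialin.company.com are hypothetical placeholders for the External Web Services FQDN and Simple URLs; they do not appear in the thread.

```python
"""Sanity-check the address-book (ABS) URLs a Lync client reports.

Added example; not code from the thread or from Microsoft. CONFIG_LINES is
constructed from the values quoted in the question. The placeholder names
lyncweb.company.com, meet.company.com and dialin.company.com are assumptions.
"""
import re
from urllib.parse import urlparse

# Lines as shown in the Lync client "Configuration Information" window,
# constructed to match what the question reports.
CONFIG_LINES = [
    "URL Internal from server: https://lyncsrv.company.local:443/abs/handler",
    "URL External from server: https://lyncsrv.company.local:443/abs/handler",
    "GAL STATUS: https://lyncsrv.company.local:443/abs/handler Cannot synchronize "
    "with the corporate address book",
    "Connected lync server: sip.company.com",
]

# Name suffixes that never resolve on the public Internet.
NON_PUBLIC_SUFFIXES = (".local", ".internal", ".lan")

# Front End "external" web site ports from the question; the reverse proxy
# listens on 80/443 publicly and bridges to these (accepted answer).
FRONTEND_EXTERNAL_PORTS = {80: 8080, 443: 4443}


def parse_config(lines):
    """Split 'Key: value' lines into a dict keyed by lower-cased key."""
    cfg = {}
    for line in lines:
        key, sep, value = line.partition(":")
        if sep:
            cfg[key.strip().lower()] = value.strip()
    return cfg


def first_url(text):
    """Return the first http(s) URL in a string, or None."""
    match = re.search(r"https?://\S+", text)
    return match.group(0) if match else None


def check_abs_urls(cfg):
    """Return findings explaining why an Edge-connected client cannot
    download the address book from the external URL it was handed."""
    findings = []
    internal = first_url(cfg.get("url internal from server", ""))
    external = first_url(cfg.get("url external from server", ""))
    if external is None:
        return ["client received no external web services URL"]
    ext = urlparse(external)
    host = (ext.hostname or "").lower()
    if host.endswith(NON_PUBLIC_SUFFIXES):
        findings.append(f"external ABS URL uses non-public name {host}")
    if internal and (urlparse(internal).hostname or "").lower() == host:
        findings.append("External Web Services FQDN equals the internal FQDN; "
                        "define a distinct external FQDN in Topology Builder")
    port = ext.port or (443 if ext.scheme == "https" else 80)
    if port in FRONTEND_EXTERNAL_PORTS.values():
        findings.append(f"client is told to use Front End port {port} directly; "
                        "the reverse proxy should listen on 80/443 and bridge to it")
    return findings


def reverse_proxy_rules(external_fqdn, frontend_fqdn):
    """(public listener, Front End target) pairs a reverse proxy rule needs."""
    return [
        (f"{external_fqdn}:{pub}", f"{frontend_fqdn}:{fe}")
        for pub, fe in sorted(FRONTEND_EXTERNAL_PORTS.items())
    ]


def missing_san_names(cert_san, required):
    """Required names absent from a reverse proxy certificate's SAN list."""
    present = {n.lower() for n in cert_san}
    return sorted(n for n in required if n.lower() not in present)


if __name__ == "__main__":
    for finding in check_abs_urls(parse_config(CONFIG_LINES)):
        print("FINDING:", finding)
    # Hypothetical published names: External Web Services FQDN plus Simple URLs.
    required = ["lyncweb.company.com", "meet.company.com", "dialin.company.com"]
    # The Edge certificate from the question covers none of them.
    edge_san = ["sip.company.com", "webconf.company.com"]
    print("missing from SAN:", missing_san_names(edge_san, required))
    print("rules:", reverse_proxy_rules("lyncweb.company.com", "lyncsrv.company.local"))
```

Run against the question's own values it reports both the non-public `.local` name and the internal/external FQDN collision, which is exactly the combination that makes the client's address book download fail off-site while IM and voice through the Edge keep working.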
