Solved

Lync GAL (Address book) can't synchronize externally.

Posted on 2011-03-24
Last Modified: 2012-06-21
Hi,

I'll try to be as exact as possible. My problem is that users with a lync client connecting from home (externally) via our firewall and edge server are not able to download the GAL (Address Book).

Domains are as follows:
INTERNAL AD DOMAIN:
company.local

EXTERNAL DOMAIN:
company.com

USER EMAIL/USER SIP :
@company.se
@company.dk
@company.fi
@company.no

Servers:
lyncsrv.company.local
1 ip address on internal network
certificate: lyncsrv.company.local

lyncedge.company.local (not joined in domain)
1 ip address on internal network
certificate: lyncedge.company.local

3 ip addresses on DMZ
certificate: sip.company.com SAN: sip.company.com, webconf.company.com


Certificates are all "real", provided by Thawte, since we don't have an internal AD CA server.

All users are using their email address based on country, as sign-in address.
All SRV records are correct both on internal DNS and external DNS.

I've read tons and tons of guides and they all come down to the same conclusion: reverse proxy.
But isn't that what the edge server is acting as? The internal interface on lyncedge "talks" to lyncsrv.
No firewall issues here since they're both on the same subnet.

On lyncsrv there are two web servers, internal and external, where you can define the external FQDN in the topology builder.
Mine are both lyncsrv.company.local, where internal is listening on 80 and 443 and external is listening on 8080 and 4443.
Both are using certificate lyncsrv.company.local.

When connecting from "inside" our corporate network everything works just fine, but when a user brings his/her computer home, Lync starts fine and you're able to do IM and voice/video with those contacts already added.

But after a while an error message pops up saying: "cannot synchronize with the corporate address book. This may be because the proxy server in your web browser does not allow access to the address book......"

When holding down the ctrl-key + right click on the lync icon and clicking on "configuration information" a new window pops up.

"URL Internal from server: https://lyncsrv.company.local:443/abs/handler"
"URL External from server: https://lyncsrv.company.local:443/abs/handler"

"GAL STATUS: https://lyncsrv.company.local:443/abs/handler Cannot synchronize with the corporate address book......"

"GAL or server based search: GAL Search"

"Connected lync server: sip.company.com"

Any suggestions?

I've also added a picture explaining our setup.
Thanks,
Jonas


[Image: Our Lync setup]

Question by: jetpak

Expert Comment by: Jeff_Schertz
The Edge Server is NOT a reverse proxy and does not handle any HTTP or HTTPS traffic. You must deploy an additional reverse proxy solution (e.g. ISA or TMG) to handle requests from the external clients to the External Web Services FQDNs for each Front End or Director server. These HTTP/HTTPS requests are directed to the internal server's IIS 'external' web sites and provide for features like Address Book download or web query, distribution list expansion, web conferencing content upload and whiteboarding, in addition to access to the meet and dialin web pages.
Author Comment by: jetpak
So what DNS records and firewall ports should be opened in our firewall then?
I thought that you only needed to open up for sip.company.com, webconf.company.com and av.company.com pointing to the edge server?

IM, video and voice works all fine today. Only this little problem with GAL..

Thanks
Jonas
Author Comment by: jetpak
Oh yeah, followed this guide while installing.
http://ocsguy.com/2010/11/21/deploying-an-edge-server-with-lync/

Accepted Solution by: Jeff_Schertz (earned 500 total points)
In your Lync Topology you will have defined an External Web Services FQDN for the Front End server. Internal clients will connect to the internal Web Sites using the Front End Server/Poolname, but Edge-connected clients will use the External Web Services FQDN. This FQDN is what needs to be published outside, in addition to the Simple URLs (meet.contoso.com, dialin.contoso.com). The reverse proxy certificate needs each of these names in the SAN, and the traffic rule points to the 8080/4443 ports on the Front End server.
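As an added example that is not part of the thread, the Python check below encodes the three requirements in the accepted answer: a publicly resolvable External Web Services FQDN (not the .local name the poster has), that name plus the Simple URLs in the reverse-proxy certificate SAN, and a publishing rule from public 443 to the 4443 external web site port. The public name lyncweb.company.com and the Simple URLs meet.company.com / dialin.company.com are constructed assumptions, not values from the thread; fetch_sans is an optional live helper for reading the SAN list a reverse proxy actually presents.

```python
import socket
import ssl

def check_publishing(topology, rp_cert_sans, rp_rules):
    """Return findings for External Web Services publishing; [] means OK.
    topology: Topology Builder values (internal_fqdn, external_web_fqdn,
              simple_urls, ext_https_port); rp_cert_sans: DNS names in the
    reverse-proxy cert SAN; rp_rules: (public_name, public_port, backend_port).
    """
    findings = []
    ext = topology["external_web_fqdn"].lower()
    # Edge-connected clients fetch ABS from the External Web Services FQDN
    # and use the Simple URLs; all of these must be reachable from outside.
    names = [ext] + [u.lower() for u in topology["simple_urls"]]
    # 1. A *.local name (here the same as the internal FQDN) cannot be
    #    resolved on the Internet, so the ABS download fails before TLS.
    if ext == topology["internal_fqdn"].lower() or ext.endswith(".local"):
        findings.append(f"external web FQDN {ext!r} is an internal name")
    # 2. Every published name must be in the reverse-proxy certificate SAN.
    sans = {s.lower() for s in rp_cert_sans}
    findings += [f"cert SAN missing {n!r}" for n in names if n not in sans]
    # 3. Each name needs a rule forwarding public 443 to the external web
    #    site port (4443 in the topology from the thread).
    rules = {(h.lower(), pub, back) for h, pub, back in rp_rules}
    want = topology["ext_https_port"]
    findings += [f"no rule {n}:443 -> {want}" for n in names
                 if (n, 443, want) not in rules]
    return findings

def fetch_sans(host, port=443, timeout=5):
    """Live helper: read the SAN list a reverse proxy actually presents.
    Chain validation stays on; hostname checking is off so a wrong name
    still returns the SAN list instead of raising."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

# Constructed sample: the thread's topology with only the Edge certificate
# and no reverse proxy, versus a corrected one using a hypothetical
# public name lyncweb.company.com for the External Web Services FQDN.
BROKEN = {"internal_fqdn": "lyncsrv.company.local", "ext_https_port": 4443,
          "external_web_fqdn": "lyncsrv.company.local",
          "simple_urls": ["meet.company.com", "dialin.company.com"]}
EDGE_SANS = ["sip.company.com", "webconf.company.com"]
FIXED = dict(BROKEN, external_web_fqdn="lyncweb.company.com")
FIXED_SANS = ["lyncweb.company.com", "meet.company.com", "dialin.company.com"]
FIXED_RULES = [(n, p, b) for n in FIXED_SANS for p, b in ((443, 4443), (80, 8080))]
```

Running check_publishing(BROKEN, EDGE_SANS, []) reports the poster's situation as seven findings, while the corrected topology, SAN list and rules return an empty list.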
