Solved

Lync 2010 Client - Can't Connect Externally

Posted on 2013-05-29
7,334 Views
Last Modified: 2013-06-22
I am unable to connect my Lync 2010 client from an external non-domain PC. Internal, in the domain works fine.

When I try to connect with auto-config, I get the error "There was a problem verifying the certificate from the server." A look at the System Log shows that the client is looking for sipinternal.consoltechlab.com as well as sipexternal.consoltechlab.com on the certificate.

When I try to connect with a manual config, setting my external server name/IP address to access.consoltechlab.com, I get the error "Cannot sign in because the server is temporarily unavailable". I have also tried access.consoltechlab.com:443.

Some additional details:

- I have a public SRV record in place for _sip._tls.consoltechlab.com, that points to access.consoltechlab.com.
- There is an "A" record in place for access.consoltechlab.com. It is the IP address of the external interface of my Edge server.
- My Edge server's external interface is direct on the internet, with no firewall. Just the Windows Firewall, which has the necessary ports open.
- I have exported the root CA cert of my domain as well as the front end server's cert to my home PC.

I have attached the log file from the Lync client. Any help would be most appreciated. Thanks.
Question by:ronpiecyk

9 Comments
 
LVL 12

Expert Comment

by:SreRaj
ID: 39206851
You should also be creating a user policy for allowing user remote access. After creating a user policy for remote access, you need to apply the policy to the user who requires remote access. You can use the Lync Server Management Shell cmdlet 'Get-CSExternalAccessPolicy' to see the policies configured in your environment.

Step by step: To create a user policy

Open Lync Server 2010 Control Panel.
Click External User Access, and then click Access Edge Policy.
Click New, and then click User policy.
In Create Access Edge Policy, in the Name field, create a unique name that indicates what the user policy covers (for example, NoFederation for a user policy that does not enable communications with federated users).
Click the appropriate policy listed in the table, click Edit, and then click Modify.
To enable remote user access, select the Enable communications with remote users check box.
Click Commit.

To configure a user policy for a specific user account

Open Lync Server 2010 Control Panel.
Click Users, and then search on the user account that you want to configure.
In the table that lists the search results, click the user account, click Edit, and then click Modify.
In Edit Lync Server User under Access Edge policy, select the user policy that you want to apply.

You can use Get-CsUser to verify whether the policy is applied to the user.
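The same procedure done from the Lync Server Management Shell instead of the Control Panel, as an added example that is not code from the original thread. The policy name "TEST" and the user rpiecyk@consoltechlab.com are the ones that appear later in this thread; the individual policy settings are assumptions chosen to match "Enable communications with remote users" with federation and public IM left off.

```powershell
# Added example, not from the original thread. Run in the Lync Server Management Shell.
# Policy name and user are taken from the thread; the policy settings are assumptions.

$policyName = "TEST"
$userSip    = "sip:rpiecyk@consoltechlab.com"

# What is configured already? A Global policy with EnableOutsideAccess = True already
# covers every user who has no user-level policy granted.
Get-CsExternalAccessPolicy |
    Format-Table Identity, EnableOutsideAccess, EnableFederationAccess, EnablePublicCloudAccess -AutoSize

# Create the user-scoped policy only if it does not exist yet.
if (-not (Get-CsExternalAccessPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    $settings = @{
        Identity                = $policyName
        EnableOutsideAccess     = $true    # "Enable communications with remote users"
        EnableFederationAccess  = $false   # federation and public IM left off for this test
        EnablePublicCloudAccess = $false
    }
    New-CsExternalAccessPolicy @settings
}

# Grant it to the one user who needs remote access.
Grant-CsExternalAccessPolicy -Identity $userSip -PolicyName $policyName

# Verify: ExternalAccessPolicy shows the user policy name; an empty value means the
# Global (or site) policy applies to this user instead.
Get-CsUser -Identity $userSip |
    Select-Object SipAddress, Enabled, RegistrarPool, ExternalAccessPolicy
```

As the thread goes on to show, a Global policy that already has remote access enabled makes the user-level policy unnecessary; the check is still useful for confirming that the user is enabled and homed on the expected pool before looking elsewhere.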
 
LVL 12

Expert Comment

by:SreRaj
ID: 39207177
Also please test connectivity with https://www.testexchangeconnectivity.com/
 

Author Comment

by:ronpiecyk
ID: 39208050
I was using the GLOBAL External Access Policy, and had enabled it for remote users. For argument's sake, I just created a new user policy, called TEST, and enabled the same options. Then I went into my own account and added it under EXTERNAL ACCESS POLICY. I used Get-CsUser to verify the policy was applied. Still the same problem – it doesn't connect, and generates an error event ID 36884 in the SYSTEM log, with the message:

“The certificate received from the remote server does not contain the expected name. It is therefore not possible to determine whether we are connecting to the correct server. The server name we were expecting is sipexternal.consoltechlab.com. The SSL connection request has failed. The attached data contains the server certificate.”

Regarding the test connectivity site - For the LYNC SERVER REMOTE CONNECTIVITY TEST, I have green lights on everything, except the last item - the section labeled "Testing remote connectivity for user rpiecyk@consoltechlab.com to the Microsoft Lync server." The message is:

Couldn't sign in. Error: Error Message: The certificate chain was issued by an authority that is not trusted. Error Type: TlsFailureException.
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 39209975
Are you trying to use a self-signed or internally signed certificate for Lync to connect remotely?

If so, then it will not happen, because Lync requires a public certificate in order to secure the remote connection between clients and server.

You need to get a public certificate for your Edge and for your Lync FE web services.

You will publish the Front End web services via a reverse proxy, and the Edge on another firewall that supports static NAT.

If you already have a public certificate for both Edge and FE: in your Lync topology, what are the SIP settings for the Edge server? Could you please provide these settings? It would be great if you could provide a screenshot of the Edge left pane in the topology.

Author Comment

by:ronpiecyk
ID: 39236219
I am under the impression that I can get this to work without a cert from a trusted public CA, so long as I have imported my internal CA's root cert into the trusted root store of the PC I am installing the client on. I have done so.

I am able to VPN in to my network, manually configure my client to point to the internal FQDN of my pool, which is FEPOOL.CONSOLTECHLAB.COM, and it connects fine. Auto-config however does not. It will yield back the error "There was a problem verifying the certificate from the server." Then a peek in the event logs shows Errors 4 (application log) and 36884 (system log), which indicate the client PC was expecting to see sipexternal.consoltechlab.com and/or sipinternal.consoltechlab.com in the certificate.

Why is my client looking for sipexternal and sipinternal? Are these default names that the Lync client looks for when it can't find the name specified in the SRV record? My internal SRV record is _sipinternaltls._tcp.consoltechlab.com, and it points to port 5061 of sip.consoltechlab.com, which is an additional "A" record that points to the IP address of my front end pool (and the single server that is in that pool at the moment, lab-lyncfe.consoltechlab.com).

When I'm outside the network, with no VPN connection established, and set my client to auto-config, I get the same certificate error and event logs. If I set the client to manual and put in the address access.consoltechlab.com, I get the error "Cannot sign in because the server is temporarily unavailable. If the problem continues, please contact your support team." There is indeed a public DNS address for access.consoltechlab.com.

Any ideas, anyone? Getting desperate.
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 39237245
“I am under the impression that I can get this to work without a cert from a trusted public CA, so long as I have imported my internal CA's root cert into the trusted root store of the PC I am installing the client on. I have done so.”

I doubt that the Lync client will connect if your certificate is not publicly trusted, even if you imported the Root CA on your PC. I haven't tested that, to be honest; however, I think the way Lync was structured is based on strict security and encryption.

“I am able to VPN in to my network, manually configure my client to point to the internal FQDN of my pool, which is FEPOOL.CONSOLTECHLAB.COM, and it connects fine. Auto-config however does not. It will yield back the error "There was a problem verifying the certificate from the server." Then a peek in the event logs shows Errors 4 (application log) and 36884 (system log), which indicate the client PC was expecting to see sipexternal.consoltechlab.com and/or sipinternal.consoltechlab.com in the certificate.”

I think your internal DNS configuration looks OK, but there's a problem with your public DNS configuration or Lync topology.

This is how the Lync client works when you first try to connect:
When you hit Sign in, Lync starts DNS queries for the following.

A – lyncdiscover.domain.com
A – lyncdiscoverinternal.domain.com
SRV – _sipinternaltls._tcp.domain.com
SRV – _sip._tls.domain.com
A – sipinternal.domain.com
A – sip.domain.com

If the Lync client can't access your Edge through any of these, then it fails and gives you an error message, and you can tell what the cause of the error is from that message. But for troubleshooting you will need to use Wireshark or the OCS Logger tool.

If your public DNS configuration is correct, then as I said it is most likely a certificate issue. Lync would sign in remotely only if your certificate is publicly trusted, all required SANs are included within the certificate, and it has the correct common name for the Edge, e.g. sip.domain.com.


To further help you with your problem, before you try to log in please turn on the OCS logging tool and check the following components (Collaboration - S4 - SIPStack - UserServices), and tick the All Flags box on all of them.

From the PC where you want to log in remotely with the Lync client, run Wireshark and start logging packets before you hit the Sign in button.

Attach all these logs here and we'll see what's causing the issue.
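A quick client-side check of the two things this comment points at, public DNS and the certificate the Edge presents, as an added example that is not code from the original thread. Run it from the external, non-domain PC. The SIP domain and Edge FQDN (consoltechlab.com, access.consoltechlab.com) are the thread's; the list of names queried, the use of port 443 (the port the question says was tried), and the set of "expected" names are assumptions to adjust. It shows the subject, SAN list and issuer of the certificate actually returned, whether this PC's trust store accepts the chain (which is what the "issued by an authority that is not trusted" result from the connectivity tester is about), and whether the names the event 36884 errors ask for are present.

```powershell
# Added example, not from the original thread. Run from the external client PC.
# Domain and Edge FQDN are from the thread; query list, port and expected names are assumptions.

$sipDomain = "consoltechlab.com"
$edgeFqdn  = "access.$sipDomain"
$edgePort  = 443     # the thread tried access.consoltechlab.com:443; 5061 is the SIP/TLS default

# --- 1. Public DNS as seen from this PC (what the client's auto-configuration relies on) ---
$queries = @(
    @{ Name = "_sip._tls.$sipDomain";            Type = "SRV" },
    @{ Name = "_sipinternaltls._tcp.$sipDomain"; Type = "SRV" },
    @{ Name = "lyncdiscover.$sipDomain";         Type = "A"   },
    @{ Name = "lyncdiscoverinternal.$sipDomain"; Type = "A"   },
    @{ Name = "sipinternal.$sipDomain";          Type = "A"   },
    @{ Name = "sipexternal.$sipDomain";          Type = "A"   },
    @{ Name = "sip.$sipDomain";                  Type = "A"   },
    @{ Name = $edgeFqdn;                         Type = "A"   }
)
foreach ($q in $queries) {
    $answers = Resolve-DnsName -Name $q.Name -Type $q.Type -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq $q.Type }
    $text = if ($answers) {
        ($answers | ForEach-Object {
            if ($_.Type -eq "SRV") { "$($_.NameTarget):$($_.Port)" } else { $_.IPAddress }
        }) -join ", "
    } else { "NO ANSWER" }
    "{0,-42} {1,-4} {2}" -f $q.Name, $q.Type, $text
}

# --- 2. Which certificate does the Edge present, and does THIS PC trust it? ---
$tcp = New-Object System.Net.Sockets.TcpClient($edgeFqdn, $edgePort)
# Accept whatever is presented so the handshake completes; trust is evaluated separately below.
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($edgeFqdn)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
$ssl.Dispose(); $tcp.Close()

$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }   # Subject Alternative Name
$sanText = if ($sanExt) { $sanExt.Format($false) } else { "(no SAN extension)" }

# Build the chain against this PC's certificate stores: this is where an imported
# internal root CA either takes effect or does not.
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$trusted = $chain.Build($cert)
$status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Valid   : $($cert.NotBefore.ToShortDateString()) to $($cert.NotAfter.ToShortDateString())"
"SAN     : $sanText"
"Trusted : $trusted $(if ($status) { "($status)" })"

# Names the event 36884 errors quoted in this thread say the client expected to find.
$expected = "sip.$sipDomain", "sipexternal.$sipDomain", $edgeFqdn
foreach ($n in $expected) {
    $present = ($cert.Subject -match "CN=$([regex]::Escape($n))") -or ($sanText -match [regex]::Escape($n))
    "{0,-32} {1}" -f $n, $(if ($present) { "present" } else { "MISSING" })
}
```

If the TCP connect itself fails on 443, repeat with $edgePort = 5061 before concluding anything about the certificate: a refused connection and a bad certificate produce different client errors ("temporarily unavailable" versus "problem verifying the certificate"), and the thread shows both.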
 

Accepted Solution

by:
ronpiecyk earned 0 total points
ID: 39253513
Figured it out. Wasn't able to resolve the front end pool name from the Edge server. I had added the front end pool's server name to the Edge server's HOSTS file, but not the pool name. Once I did so, external connectivity was established, and all green lights in the Test Connectivity site.
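A check for the condition that turned out to be the cause, as an added example that is not code from the original thread. The Edge normally sits outside internal DNS, so every internal name it needs, the next-hop Front End pool FQDN as well as each server in the pool, has to be in its HOSTS file or otherwise resolvable. Run this on the Edge server. The names are the thread's (FEPOOL.CONSOLTECHLAB.COM and lab-lyncfe.consoltechlab.com); the port (5061, the default Edge-to-pool SIP/MTLS port) and the three-second timeout are assumptions.

```powershell
# Added example, not from the original thread. Run on the Edge server.
# Names from the thread; port and timeout are assumptions.

$targets = "fepool.consoltechlab.com", "lab-lyncfe.consoltechlab.com"
$port    = 5061
$hosts   = Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
           Where-Object { $_ -notmatch '^\s*#' -and $_.Trim() }

foreach ($name in $targets) {
    # Is the name in HOSTS at all? (-match is case-insensitive, as HOSTS lookups are.)
    $hostsHit = $hosts | Where-Object { $_ -match "\s$([regex]::Escape($name))(\s|$)" }

    # What does the resolver on this box actually return for it?
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
        $resolved = $ips -join ", "
    } catch { $resolved = "UNRESOLVED" }

    # Can the MTLS port be opened on it? Bounded wait so an unreachable host does not hang.
    $reach = $false
    if ($resolved -ne "UNRESOLVED") {
        $tcp = New-Object System.Net.Sockets.TcpClient
        try {
            $ar    = $tcp.BeginConnect($name, $port, $null, $null)
            $reach = $ar.AsyncWaitHandle.WaitOne(3000) -and $tcp.Connected
        } catch { } finally { $tcp.Close() }
    }

    $hostsText = if ($hostsHit) { "yes" } else { "NO" }
    $tcpText   = if ($reach)    { "open" } else { "CLOSED" }
    "{0,-32} hosts={1,-3} dns={2,-20} tcp/{3}={4}" -f $name, $hostsText, $resolved, $port, $tcpText
}
```

A pool FQDN that is "UNRESOLVED" while the member server resolves fine is exactly the state described in the accepted answer; with DNS load balancing the pool name should resolve to every Front End's address, so list all of them in HOSTS.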
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 39253832
If it's Enterprise Edition, then it should be the pool name, unless you don't have DNS load balancing deployed for HA.
 

Author Closing Comment

by:ronpiecyk
ID: 39267765
This was the answer.
