• Status: Solved

LYNC 2010 via VPN

We just got LYNC 2010 working in the office and aside from some tweaking, we're ready to roll out the client replacing Office Communicator.

I (and a few of the resident techs) connect via VPN to the firm network.  Everything else works seamlessly but cannot launch the LYNC2010 (or 2013) clients via VPN.

Get the error "There was a problem verifying the certificate from the server"

Some suggest manually importing the LYNC certificate from the server.  Haven't been able to identify which of the hundred or so certs is the right one.

Am I on the right track?  We have no intention at this point to open up Lync to outside users (except for the 4 internal techs), so not contemplating an EDGE server at this time.

Any help appreciated.
Asked by: FarrellFritz
1 Solution
 
Gajendra Rathod Commented:
Please push the Lync internal URL certificate to domain machines via GPO.

You can also manually download the certificate from the Lync server IIS Manager and then import it on the machine as a trusted root certificate.

Steps:
Export certificate from Lync Server: Start | Administrative Tools | IIS | Server Certificate | Export | Lync.pfx, save it.

Run | mmc | add or remove snap in | certificates | computer account | local computer | finish | OK | expand Certificate | Trusted Root Certification Authorities | Certificate | All task | Import | LYNC.pfx certificate.

Restart Client machine.
Open Microsoft Lync client 2010 and open option menu | Personal | Advanced | choose Auto Configuration | save OK.

FarrellFritz (Author) Commented:
Gajendra

The instructions you provided were concise and very easy to follow.

Unfortunately, still encountering the same error/problem
(Get the error "There was a problem verifying the certificate from the server")

On the client the event log entry is:
-----------------------------------------------------------
The description for Event ID 5 from source Lync cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Lync
ffmsapps2.domain.com
80090325
------------------------------------------------------------

Found no corresponding log entry on the server.

I think the 80090325 is the important bit but Googled that and nothing really added to what you had suggested.

(note: I renamed the domain name in the error but it correctly reflects the domain in the actual log entry).

Please let me know if you have any other suggestions.

Thanks for helping out!

Gajendra Rathod Commented:
In case the machine is not in the domain, you need to download the certificate chain.

On the client machine, access the URL below:

http://<ip-address-of-CA>/certsrv

Then enter your domain credentials.  

Download a CA Certificate, Certificate Chain or CRL.

Click on Certificate chain and install it.

Mostly, it should resolve your certificate issue.

For troubleshooting,

Run Wireshark or Microsoft Network monitor tools to check the Lync client traffic.

Also enable logging in Lync 2010 client.
 
FarrellFritz (Author) Commented:
Thanks but still no joy.

STRANGELY, I am getting a 404 error (Page not found) accessing the LYNC server using the URL http://10.0.40.5/crtsrv

I AM able to ping 10.0.40.5 when connected via VPN (and I am able to  UNC and RDP)

Thanks

Gajendra Rathod Commented:
Let me know which kind of certificate you are using for the Lync internal URL.

Is it a self-signed certificate or a certificate issued by Active Directory?

In case the certificate is issued by Active Directory, please enter the IP address of your domain controller in the above URL.

FarrellFritz (Author) Commented:
Gajendra

Didn't forget about you/this.  We just ran into a snag.

First, it is a self-signed certificate.

I was able to access the domain controller but got this.

"The certificate enrollment page you are attempting to access cannot be used with this version of Windows."

It thinks I'm running Vista but actually running Windows 7.  Assume because server was built prior to W7.

Believe this to be unrelated issue but temporary roadblock in trying your latest suggestion (accessing via HTTP).  As soon as I figure this one out, will give it a shot.

Gajendra Rathod Commented:
My apologies; as it is a self-signed certificate, the domain controller chain certificate will not help.

Please run Wireshark or Microsoft Network monitor tools to check the Lync client traffic.

I think, compare the certificate at Lync client with VPN and without VPN.

FarrellFritz (Author) Commented:
I just ran across this article: http://support.microsoft.com/kb/2566790

I'm wondering if this would have anything to do with resolving our issue.

Thoughts?

Gajendra Rathod Commented:
Please install Lync Connectivity Analyzer.

Use the above tool to check the connectivity between client and server.

FarrellFritz (Author) Commented:
Tried installing the tool.  The test failed.  Thought we were onto something.  But tried running in the office (on a PC in the domain with Lync working) and it failed there as well.

Gajendra Rathod Commented:
The Lync certificate must have pool.sip_domain in the Subject Alternative Name.

If the SIP domain and local domain are different, then the SIP domain name must be added to the Subject Alternative Name in your certificate.

FarrellFritz (Author) Commented:
Lync Connectivity Analyzer only available 64-bit.  All clients are 32-bit.

Gajendra Rathod Commented:
Lync Connectivity Analyzer is also available in 32-bit.

FarrellFritz (Author) Commented:
While implementing the solution required a call to MS, the solution as stated was spot on.  Identifying the correct cert is the biggest challenge, but once done, works(ed) fine.  THANKS!
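
The code 80090325 in the event log entry above is SEC_E_UNTRUSTED_ROOT: the client does not trust the issuer of the certificate the server presented. The PowerShell below is an added example, not part of the original thread, that reads that certificate from a VPN-connected client so it can be identified by thumbprint, checked for the names discussed above, and tested against the local trust store. The port 5061 (SIP over TLS) and the `$SipDomain` value are assumptions; `$Server` is the renamed host from the event log.

```powershell
# Added example: identify the certificate a Lync server presents to this client.
# Port 5061 and the $SipDomain placeholder are assumptions; adjust for your deployment.
param(
    [string]$Server    = 'ffmsapps2.domain.com',
    [int]   $Port      = 5061,
    [string]$SipDomain = 'sipdomain.example'
)

$tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
try {
    # Accept whatever is presented, for this inspection handshake only,
    # so that a certificate the client does not trust can still be read.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($Server)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally { $tcp.Close() }

# Values to match against the certificates listed on the server.
$cert | Format-List Subject, Issuer, Thumbprint, NotBefore, NotAfter
"Subject equals Issuer (self-signed): {0}" -f ($cert.Subject -eq $cert.Issuer)

# Subject Alternative Name extension (OID 2.5.29.17), if present.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($san) { $san.Format($true) } else { '(no SAN extension)' }
$sanText
foreach ($name in $Server, $SipDomain) {
    # Simple substring test against the formatted SAN list.
    "SAN mentions {0}: {1}" -f $name, ($sanText -like "*$name*")
}

# Does this machine trust the chain? Revocation checking is skipped here
# to separate the trust question from CRL reachability over the VPN.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
"Chain trusted on this machine: {0}" -f $chain.Build($cert)
$chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }
```

Match the thumbprint it prints against the certificates shown in IIS Manager on the Lync server to pick the right one. A client only needs the public certificate (a .cer export without the private key) in its trusted store.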