Solved

LYNC 2010 via VPN

Posted on 2013-05-31
Last Modified: 2013-12-01
We just got LYNC 2010 working in the office and aside from some tweaking, we're ready to roll out the client replacing Office Communicator.

I (and a few of the resident techs) connect via VPN to the firm network.  Everything else works seamlessly but cannot launch the LYNC2010 (or 2013) clients via VPN.

Get the error "There was a problem verifying the certificate from the server"

Some suggest manually importing the LYNC certificate from the server.  Haven't been able to identify which of the hundred or so certs is the right one.

Am I on the right track?  We have no intention at this point to open up Lync to outside users (except for the 4 internal techs), so not contemplating an EDGE server at this time.

Any help appreciated.
Question by:FarrellFritz
14 Comments
 
LVL 10

Expert Comment

by:Gajendra Rathod
ID: 39212562
Please push the Lync internal URL certificate to domain machines via GPO.

You can also manually download the certificate from Lync server IIS Manager and then import on the machine in trusted root certificate.

Steps:
Export certificate from Lync Server Start | Administrative Tools | IIS | Server Certificate | Export |   Lync.pfx   save it.

Run | mmc | add or remove snap in | certificates | computer account | local computer |finish | OK | expand Certificate | Trusted Root Certification Authorities | Certificate | All task | Import | LYNC.pfx certificate.

Restart Client machine.
Open Microsoft Lync client 2010 and open option menu | Personal | Advanced | choose Auto Configuration | save OK.
0
 

Author Comment

by:FarrellFritz
ID: 39213759
Gajendra

The instructions you provided were concise and very easy to follow.

Unfortunately, still encountering the same error/problem
(Get the error "There was a problem verifying the certificate from the server")

On the client the event log entry is:
-----------------------------------------------------------
The description for Event ID 5 from source Lync cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Lync
ffmsapps2.domain.com
80090325
------------------------------------------------------------

Found no corresponding log entry on the server.

I think the 80090325 is the important bit but Googled that and nothing really added to what you had suggested.

(note: I renamed the domain name in the error but it correctly reflects the domain in the actual log entry).

Please let me know if you have any other suggestions.

Thanks for helping out!
0
 
LVL 10

Expert Comment

by:Gajendra Rathod
ID: 39213963
In case the machine is not in the domain, you need to download the certificate chain.

On the client machine, access the URL below:

http://<ip-address-of-CA>/certsrv

Then enter your domain credentials.  

Download a CA Certificate, Certificate Chain or CRL.

Click on Certificate chain and install it.

Mostly it should resolve your certificate issue.

For troubleshooting,

Run Wireshark or Microsoft Network monitor tools to check the Lync client traffic.

Also enable logging in Lync 2010 client.
0

 

Author Comment

by:FarrellFritz
ID: 39214370
Thanks but still no joy.

STRANGELY, I am getting a 404 error (Page not found) accessing the LYNC server using the URL http://10.0.40.5/crtsrv

I AM able to ping 10.0.40.5 when connected via VPN (and I am able to  UNC and RDP)

Thanks
0
 
LVL 10

Expert Comment

by:Gajendra Rathod
ID: 39214582
Let me know which kind of certificate you are using in Lync internal URL.

Is it a self-signed certificate or a certificate issued by Active Directory?

In case the certificate is issued by Active Directory, please enter the IP address of your domain controller in the above URL.
0
 

Accepted Solution

by:
FarrellFritz earned 0 total points
ID: 39226980
Gajendra

Didn't forget about you/this.  We just ran into a snag.

First, it is a self-signed certificate.

I was able to access the domain controller but got this.

"The certificate enrollment page you are attempting to access cannot be used with this version of Windows."

It thinks I'm running Vista but actually running Windows 7.  Assume because server was built prior to W7.

Believe this to be unrelated issue but temporary roadblock in trying your latest suggestion (accessing via HTTP).  As soon as I figure this one out, will give it a shot.
0
 
LVL 10

Expert Comment

by:Gajendra Rathod
ID: 39231039
My apologies, as it is a self-signed certificate, the domain controller chain certificate will not help.

Please run Wireshark or Microsoft Network monitor tools to check the Lync client traffic.

I think, compare the certificate at Lync client with VPN and without VPN.
0
 

Author Comment

by:FarrellFritz
ID: 39245702
I just ran across this article: http://support.microsoft.com/kb/2566790

I'm wondering if this would have anything to do with resolving our issue.

Thoughts?
0
 
LVL 10

Expert Comment

by:Gajendra Rathod
ID: 39248388
Please install Lync Connectivity Analyzer.

Using above tool to check the connectivity between client and server.
0
 

Author Comment

by:FarrellFritz
ID: 39285405
Tried installing the tool.  The test failed.  Thought we were onto something.  But tried running in the office (on a pc in the domain with Lync working) and it failed there as well.
0
 
LVL 10

Expert Comment

by:Gajendra Rathod
ID: 39603929
Lync certificate must have pool.sip_domain in Subject to alternate name.

If SIP domain and Local domain are different, then SIP domain name must be added in Subject to Alternate address in your certificate.
0
 

Author Comment

by:FarrellFritz
ID: 39657344
Lync connectivity analyzer only available 64 bit.  All clients are 32Bit
0
 
LVL 10

Expert Comment

by:Gajendra Rathod
ID: 39677571
Lync connectivity analyzer also available 32 bit.
0
 

Author Closing Comment

by:FarrellFritz
ID: 39687884
While implementing the solution required a call to MS, the solution as stated was spot on.  Identifying the correct cert is the biggest challenge, but once done, works(ed) fine.  THANKS!
0
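The status code 80090325 in the client event log is SEC_E_UNTRUSTED_ROOT: the client does not trust the root of the chain the server presents. The following is an added example, not part of the original thread, that reads the certificate the Lync server actually presents and reports which certificate has to be in the client's Trusted Root store. The host name is the one from the event log entry above; port 5061 (Lync internal SIP over TLS) is an assumption.

```powershell
# Added example. $Server is the host from the event log entry in the thread;
# $Port 5061 is an assumed default for Lync internal SIP/TLS, adjust as needed.
param(
    [string]$Server = 'ffmsapps2.domain.com',
    [int]$Port = 5061
)

$tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
try {
    # Accept whatever the server presents so it can be inspected;
    # no application data is sent over this connection.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($Server)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally {
    $tcp.Close()
}

# Build the chain the way the client would, without revocation checks
# (the CRL may not be reachable over the VPN).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$trusted = $chain.Build($cert)
$status  = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

# The last chain element is the certificate that must be a trusted root.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

# Subject Alternative Name extension (OID 2.5.29.17), if present.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$san = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }

"Server certificate subject : $($cert.Subject)"
"Server certificate issuer  : $($cert.Issuer)"
"Server cert thumbprint     : $($cert.Thumbprint)"
"Valid from / to            : $($cert.NotBefore) / $($cert.NotAfter)"
"Self-signed                : $($cert.Subject -eq $cert.Issuer)"
"Subject Alternative Names  : $san"
"Chain trusted on this PC   : $trusted"
"Chain status               : $status"   # UntrustedRoot matches 80090325
"Root to trust (subject)    : $($root.Subject)"
"Root to trust (thumbprint) : $($root.Thumbprint)"
"Root in LocalMachine\Root  : $(Test-Path ('Cert:\LocalMachine\Root\' + $root.Thumbprint))"
```

Match the reported root thumbprint against the certificates listed on the server to pick the right one. The client's trust store only needs the public certificate (a .cer export), not the private key.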


Question has a verified solution.
