Solved

LYNC 2010 via VPN

Posted on 2013-05-31
Last Modified: 2013-12-01
We just got LYNC 2010 working in the office and aside from some tweaking, we're ready to roll out the client replacing Office Communicator.

I (and a few of the resident techs) connect via VPN to the firm network.  Everything else works seamlessly but cannot launch the LYNC2010 (or 2013) clients via VPN.

Get the error "There was a problem verifying the certificate from the server"

Some suggest manually importing the LYNC certificate from the server.  Haven't been able to identify which of hundred or so certs is the right one.

Am I on the right track?  We have no intention at this point to open up Lync to outside users (except for the 4 internal techs), so not contemplating an EDGE server at this time.

Any help appreciated.
Question by:FarrellFritz
14 Comments
 
LVL 10

Expert Comment

by:Gajendra Rathod
ID: 39212562
Please push the Lync internal URL certificate to domain machine via. GPO

You can also manually download the certificate from Lync server IIS manager and then import on the machine in trusted root certificate.

Steps:
Export certificate from Lync Server Start | Administrative Tools | IIS | Server Certificate | Export |   Lync.pfx   save it.

Run | mmc | add or remove snap in | certificates | computer account | local computer |finish | OK | expand Certificate | Trusted Root Certification Authorities | Certificate | All task | Import | LYNC.pfx certificate.

Restart Client machine.
Open Microsoft Lync client 2010 and open option menu | Personal | Advanced | choose Auto Configuration | save OK.
0
 

Author Comment

by:FarrellFritz
ID: 39213759
Gajendra

The instructions you provided were concise and very easy to follow.

Unfortunately, still encountering the same error/problem
(Get the error "There was a problem verifying the certificate from the server")

On the client the event log entry is:
-----------------------------------------------------------
The description for Event ID 5 from source Lync cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Lync
ffmsapps2.domain.com
80090325
------------------------------------------------------------

Found no corresponding log entry on the server.

I think the 80090325 is the important bit but Googled that and nothing really added to what you had suggested.

(note: I renamed the domain name in the error but it correctly reflects the domain in the actual log entry).

Please let me know if you have any other suggestions.

Thanks for helping out!
0
 
LVL 10

Expert Comment

by:Gajendra Rathod
ID: 39213963
In case, machine is not into domain you need to download certificate chain.

On client machine, access below

http://<ip-address-of-CA>/certsrv

Then enter your domain credentials.  

Download a CA Certificate, Certificate Chain or CRL.

Click on Certificate chain and install it.

Mostly, it should resolve your certificate issue.

For troubleshooting,

Run Wireshark or Microsoft Network monitor tools to check the Lync client traffic.

Also enable logging in Lync 2010 client.
0
 

Author Comment

by:FarrellFritz
ID: 39214370
Thanks but still no joy.

STRANGELY, I am getting a 404 error (Page not found) accessing the LYNC server using the URL http://10.0.40.5/crtsrv

I AM able to ping 10.0.40.5 when connected via VPN (and I am able to  UNC and RDP)

Thanks
0
 
LVL 10

Expert Comment

by:Gajendra Rathod
ID: 39214582
Let me know which kind of certificate you are using in Lync internal URL.

It is self-sign certificate or certificate issued by active directory.

In case certificate issued by active directory, please enter IP address your domain controller in above URL.
0
 

Accepted Solution

by:
FarrellFritz earned 0 total points
ID: 39226980
Gajendra

Didn't forget about you/this.  We just ran into a snag.

First, it is a self-sign certificate.

I was able to access the domain controller but got this.

"The certificate enrollment page you are attempting to access cannot be used with this version of Windows."

It thinks I'm running Vista but actually running Windows 7.  Assume because server was built prior to W7.

Believe this to be unrelated issue but temporary roadblock in trying your latest suggestion (accessing via HTTP).  As soon as I figure this one out, will give it a shot.
0
 
LVL 10

Expert Comment

by:Gajendra Rathod
ID: 39231039
My apology, as it is self-sign certificate, domain controller chain certificate will not help.

Please run Wireshark or Microsoft Network monitor tools to check the Lync client traffic.

I think, compare the certificate at Lync client with VPN and without VPN.
0
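One way to do the comparison suggested above without a packet capture, as an added example that is not part of the original thread: connect to the server, print the certificate it actually presents, and build its chain against the local stores. Event code 80090325 is the SChannel error SEC_E_UNTRUSTED_ROOT, which matches a chain status of `UntrustedRoot`. The host name is the one from the event log entry; port 5061 (SIP over TLS) and the output file name are assumptions.

```powershell
# Added example, not from the thread. Port 5061 is an assumption; adjust to your deployment.
function Get-PresentedCertificate {
    param(
        [string]$HostName = 'ffmsapps2.domain.com',   # name taken from the event log entry
        [int]$Port = 5061
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept any certificate so an untrusted one can still be inspected.
        # This callback is for diagnosis only; never use it for real traffic.
        $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }

    # Build the chain against THIS machine's certificate stores.
    # Revocation is skipped so the result reflects trust only.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)

    # Subject Alternative Name extension (OID 2.5.29.17), if present
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = ''
    if ($san) { $sanText = $san.Format($false) }

    New-Object PSObject -Property @{
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        Thumbprint      = $cert.Thumbprint
        NotAfter        = $cert.NotAfter
        SelfSigned      = ($cert.Subject -eq $cert.Issuer)
        SubjectAltNames = $sanText
        TrustedHere     = $trusted
        ChainStatus     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Certificate     = $cert
    }
}

$r = Get-PresentedCertificate
$r | Format-List Subject, Issuer, Thumbprint, NotAfter, SelfSigned, SubjectAltNames, TrustedHere, ChainStatus

# Save only the public certificate (DER, no private key) for import on the client.
[IO.File]::WriteAllBytes("$PWD\lync-presented.cer", $r.Certificate.Export('Cert'))
```

Run it once from a working office PC and once over the VPN: the same `Thumbprint` with `TrustedHere` false on the VPN machine means the client is missing the trust anchor, and the `.cer` written here contains only the public certificate, so no private key leaves the server.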

 

Author Comment

by:FarrellFritz
ID: 39245702
I just ran across this article: http://support.microsoft.com/kb/2566790

I'm wondering if this would have anything to do with resolving our issue.

Thoughts?
0
 
LVL 10

Expert Comment

by:Gajendra Rathod
ID: 39248388
Please install Lync Connectivity Analyzer .

Using above tool to check the connectivity between client and server.
0
 

Author Comment

by:FarrellFritz
ID: 39285405
Tried installing the tool.  The test failed.  Thought we were onto something.  But tried running in the office (on a pc in the domain with Lync working) and it failed there as well.
0
 
LVL 10

Expert Comment

by:Gajendra Rathod
ID: 39603929
Lync certificate must have pool.sip_domain in Subject to alternate name.

If SIP domain and Local domain are different, then SIP domain name must be added in Subject to Alternate address in your certificate.
0
 

Author Comment

by:FarrellFritz
ID: 39657344
Lync connectivity analyzer only available 64 bit.  All clients are 32Bit
0
 
LVL 10

Expert Comment

by:Gajendra Rathod
ID: 39677571
Lync connectivity analyzer also available 32 bit.
0
 

Author Closing Comment

by:FarrellFritz
ID: 39687884
While implementing the solution required a call to MS, the solution as stated was spot on.  Identifying the correct cert is the biggest challenge, but once done, works(ed) fine.  THANKS!
0
